IBM AS400 Security Procedures(2)

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

D.

Standards

1.

Document who is responsible for creating and updating policies and procedures for the EDP Standards Manual.

2.

Verify that the EDP Standards Manual contains an adequate explanation of the policies for EDP procedures.

3.

Verify that the EDP Standards Manual contains: a.

Detailed procedures regarding the preparation of documentation for application systems.

b.

Conventions to be used in the development of programs.

c.

Standard forms, illustrations and their use.

d.

Security requirements for both the applications and the computer itself.

e.

Operational standards for the EDP department and surrounding areas.

STANDARDS

D/PROG

5

Page 1 of 1

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

E.

Documentation

1.

Document who is responsible for creating, maintaining and distributing application documentation.

2.

Verify that there is a formal, signed approval of each element of documentation at an appropriate management level.

3.

Verify that the documentation is maintained in secure on-site and off-site storage facilities.

4.

Verify that all major applications processed on the computer system have appropriate levels of corresponding documentation.

5.

Review selected application documentation against corresponding software programs to ensure that documentation is accurate, complete and current.

6.

For each application, verify that corresponding System Documentation contains an overview that includes: a.

The general nature and purpose of the system.

b.

The functional requirements of the system.

c.

The logical flow of the system or flow charts.

7.

For each application, verify that corresponding Program Documentation contains:

a.

Descriptions of each program and system interfaces.

b.

Input and output description.

c. Description of program logic and flow. d.

Record layouts and file descriptions.

DOCUMENTATION

E/PROG

6

Page 1of 2

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

E.

Documentation (continued)

8.

For each application, verify that corresponding User Manuals are developed, which describe the operations performed and contain: a.

Application description.

b.

Procedural requirements.

c.

Sample reports and input screens.

d.

Source documents required.

e.

Description of screens, edits, etc.

9.

Verify that current computer Operating Instructions contain:

a.

Set-up instructions.

b.

Operating system requirements.

c.

Restart and recovery procedures.

d.

Emergency procedures.

e.

Listing of program messages, responses, etc.

DOCUMENTATION

E/PROG

7

Page 2 of 2

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

F.

Physical Security 1. 2.

Verify that the building is protected by an automatic fire extinguishing system, appropriate to the environment.

Verify that the computer room is equipped with appropriate classes and sufficient number of clearly visible fire extinguishers. Determine whether there are sufficient fire and smoke alarms appropriate to the environment.

Ensure that all exits and evacuation routes are clearly marked. Ensure that smoking is prohibited in the computer room. Document the provisions made to detect and report fires on a timely basis.

Review provisions for preventing water damage to the equipment. Verify that the computer room is accessible to only authorized personnel.

Document computer room layout and location of all major hard- ware components.

Document the procedures in place for notifying security when an employee is no longer allowed access to the building.