IBM AS400 Security Procedures(4)

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

Testing (Implementation/Change Controls)

Select a representative number of completed program changes or new programs and trace from the initial request to the completion phase, performing or reviewing the following steps:

1. Ensure that user management has evidenced their approval on

the initial project request form.

2. Describe the method of prioritizing requests submitted to steering

committee or management for major projects.

3. Review log or method used to control all requests to ensure they

are being followed up.

4. Determine if cost for purchase versus in-house development was

considered.

5. Document method of assigning programmers to the project.

6. Review procedures for approval and progress reporting.

7. Examine project progress reports for evidence that systems

development is controlled in accordance with established procedures.

8. Detail method used to create test data.

9. Ensure that EDP and user management evidence their review

and approval of test results.

10. Review evidence of programmer having completed all necessary

steps:

a. File specifications. b. Program specifications. c. Files created. d. Test results filed.

CHANGE CONTROL I/TEST

15

Page 1 of 1

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

J.

Operations/Processing

1.

Obtain a copy of the EDP department work schedules for computer processing to ensure:

a. There is adequate staffing for each area of work.

b.

All tasks are accomplished in a timely manner to meet user requirements.

2.

Ensure schedules are periodically reviewed to determine if they are current.

3.

Review the computer activity log, which is maintained for all work performed and any errors that occur, and compare it to the workload schedules to determine if schedules are satisfactorily met.

4.

Describe how frequently the computer activity utilization reports are reviewed.

5.

Review the operator’s manual, which should include job control procedures, operating instructions and computer facility maintenance requirements.

6.

Document the procedures in place for the periodic review and update of the operator’s manual.

7.

Describe the times the computer is operational and the various shifts that are maintained.

8.

Ensure adequate cross training of EDP personnel has occurred for continued functioning of the computer if the operator is absent.

9.

Determine if a concentration of duties exists and if compensating controls are in place.

OPERATIONS/PROCESSING

J/PROG

16

Page 1 of 3

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

J. Operations/Processing (continued)

10. Review procedures in place which would allow management to detect if operators process unauthorized jobs.

11.

Review procedures to control access to and usage of production files stored on diskette or tape.

12.

Review procedures for the proper handling of diskettes or tapes, which include:

a. External labeling requirements. b. Internal labeling requirements.

c.

Provisions to ensure only the correct diskettes or tapes are used.

13.

Describe the transmittal form used to control the movement of each batch of source documents or input forms between the users and data entry.

14.

Ensure that batches are identified by a serial number or sequence number to provide subsequent accountability and for reference purposes.

15.

Review completed batches for specially marked indicators to prevent duplication or omissions.

16.

Obtain a copy of the log maintained in the data entry area to record the flow of batches. Is a similar log maintained in user departments.

17.

Review procedures for requirement of data entry personnel to contact users if there are any errors in batches prior to input.

18.

Describe the method of storing the source documents while they are in the custody of the EDP department.

OPERATIONS/PROCESSING

J/PROG

17

Page 2 of 3

Auditor(s) Assigned Audit Date …… 此处隐藏：5077字，全部文档内容请下载后查看。喜欢就下载吧 ……