
ALFON, HAZEL JOY I.

BALBONTIN, MARY JOY B.

IT6-A
M36

PROF. GONZAGA

INFORMATION SYSTEMS AUDIT REPORT


EXECUTIVE SUMMARY
BACKGROUND:
SCOPE OF AUDIT:
AUDIT OBJECTIVES AND RESULTS:
The audit was undertaken to assess:
the efficacy of the bank's IT planning and implementation;
whether sufficient controls are in place to obtain reliable and accurate information from the IT system;
whether system security measures are in place to ensure the confidentiality, integrity and continued availability of IT assets;
the adequacy of internal controls in information systems;
whether information security risks are identified and managed;
whether the responsibilities for the protection of information are communicated;
whether the information and information systems to be protected are prioritized; and
whether a procedure exists for periodic review of the policy and security measures.
The Bank should take steps to implement the following:

A quality assurance function should exist to ensure the quality of service provided to clients.
Output information to other application systems should be complete and accurate.
The data center and client functions should be structured to maintain adequate segregation of duties.
Appropriate administrative policies and procedures should be documented.
Data transmissions between the service organization and clients should be complete, accurate, and secure.
Internal audit should provide a review and verification of electronic data processing operations.
Data transmissions between the service organization's data centers should be complete, accurate, and secure.
New programs being developed and changes to existing programs should be authorized, tested, approved, properly implemented, and documented.
Changes to existing software should be authorized, tested, approved, and implemented properly.
Logical access to production programs and data in the mainframe environment should be granted only to appropriately authorized individuals.
Physical access to computer equipment and storage media should be limited to properly authorized individuals.
Input should be completely and accurately received from authorized sources.
Interchange transactions should be completely and accurately processed in accordance with client and association specifications.
Access to blank cards should be limited to authorized personnel, and inventory should be accounted for properly.
Credit card application information should be recorded completely, accurately, and in compliance with client specifications.
Output information should be complete, accurate, and distributed in accordance with client specifications.
The data center should be organized to provide adequate segregation of duties and functions.
Output to other application systems at the service organization should be complete and accurate.

SUMMARY OF AUDIT FINDINGS

The findings table has four columns: CONTROL CATEGORIES, CONTROL POLICIES & TECHNIQUES, FINDING RESULTS AND ISSUES (subdivided into GOOD CONTROL and WEAK CONTROLS OR DEFICIENCIES), and RECOMMENDATIONS. No entries were recorded under GOOD CONTROL. The contents of the other columns follow.

CONTROL CATEGORIES AND CONTROL POLICIES & TECHNIQUES

Physical Security Control: All physical security systems must comply with all applicable regulations. User awareness is by far the most important aspect of security.

Processing Control: All high- and medium-risk PCNs must be firewalled or disconnected from any external network (LAN, WAN, Internet).

Logical Security Control: Limit the programs or utilities available to only those needed by the position.

System Development and Maintenance Control: Maintain audit trails (logs).

System Development Control: Closely manage any changes, additions and deletions to data held in a database made by any means other than the appropriate business application; e.g. the use of end-user tools to directly modify databases must be limited to authorized support and administrative personnel.

Logical Security Control: Ensure that software patches and updates are applied in a timely fashion.

Organizational Structure Controls: Develop and maintain corporate security operational policies, processes, procedures and tools for the components of the Security Strategy.

Contingency & Recovery Plan Control: Perform a risk assessment.

Access Controls: Restrict access to production programs.

Logical Security Control: Increase controls on key system directories.

System Maintenance Control: Internal procedures for information resource maintenance must include requirements for approval by the area head for any information resource removal for maintenance/repair activities.

Input Control: The re-key must use original source documents and not the system printout provided by the first data entry operator. The re-key should not display the data that was keyed originally. Any discrepancies should be routed (by the system) to a supervisor or manager for resolution.

Operating Control: It is up to the installation to determine what security is required for the system.

Logical Security Controls: Passwords shall be changed on a regular basis (at least once every 60 days).

Physical Security Control: Physical access to all Information Resources restricted facilities must be documented and managed.

System Development Control: Roll back the database if transactions are not fully completed.

System Development Control: Processes for appropriate action if validation errors occur.

Computer Center Security Control: You must make yourself familiar with the applicable health and safety rules for working within a data centre.

Output Control: Preventive security controls are put into place to prevent intentional or unintentional disclosure, alteration, or destruction (D.A.D.) of sensitive information.

Contingency and Recovery Plan Control: Processing and operations are analyzed to determine the maximum amount of time that the department and organization can operate without each critical system.

WEAK CONTROLS OR DEFICIENCIES

1. The quality assurance department does not review output from each plastic card production run for either embossing or encoding accuracy. Without quality assurance or other review, incorrectly embossed or encoded credit cards could be distributed to user institution customers. A possible ramification of an encoding error is that the daily withdrawal limit located on track 3 of the card's magnetic stripe could be greater than the amount intended.

2. Programmer manuals describing file layouts, record layouts, subroutine calls, and other pertinent information are not consistently prepared. After initial development, program modifications or enhancements are more difficult and prone to error without detailed program documentation.

3. Although the service organization has a policy that authorizes only appropriate individuals to make program or other modifications, only rudimentary password protection exists to ensure that the policy is followed. System security software, such as RACF or ACF2, is not installed to help prevent unauthorized modifications to application software, data files, or system software.

4. The internal audit schedule is not adhered to, and the areas actually audited are subjectively determined. Audit reports are not always issued on a timely basis, management responses are not documented, and follow-up audits to determine the implementation status of recommendations are not performed. The internal audit department does not consistently review system design, development, and maintenance controls for program changes. Information systems audit personnel do not routinely attend meetings in which system enhancements and major rewrites of the systems affecting all user institutions are determined.

5. The service organization does not have a consistently applied systems development methodology in place. Client organization sign-off on systems prior to implementation is not solicited by the service organization. Program documentation is not consistently prepared. Program modifications are often placed into production without supervisory review or user approval.

6. Programmers are able to write and authorize their own program changes to be placed into production without consistent review or approval. Once a program is assigned to a programmer for modification, the completion of testing is generally at the programmer's discretion. System validation tests are not routinely performed to ensure that no source code was accidentally deleted or otherwise improperly modified.

7. The service organization does not have a designated person who has responsibility for administering security. No formalized, documented security procedures exist for the assignment of key cards allowing access to critical operational areas, for access to application systems by service organization employees through the in-house security system, or for control of programmer access through the ACF2 access control software. Security violation reports are not routinely reviewed, passwords are not routinely changed, terminated and transferred employees' passwords and key cards are not always removed or modified on the appropriate systems on a timely basis, and an excessive number of individuals are capable of performing password maintenance. Groups of programmers share the same user IDs and passwords for time-sharing functions, thus decreasing personal accountability for use of the system. The service organization has recently implemented an access control facility program to control access to programs and data in the batch and time-sharing environments. However, the access control facility was not installed on the test computer, which was connected to the production computer and all disk files.

8. System and production tapes, which would be required in the event of a recovery of data processing service, are not always maintained in the offsite storage facilities. The service organization's disaster recovery plan is incomplete and lacking in detail in a number of areas.

9. Systems programmers are given unrestricted access to the System Management Facility (SMF), which is the primary audit trail in the MVS operating system used at the service organization. This facility is used to journal a wide variety of system events, including ACF2 access control software information.

10. No method exists to authorize or document changes made by the systems programmers to sensitive areas such as the System Parameter Library (SPL), which contains key information for the audit, control, and security of the MVS operating system.

11. The Authorized Program Facility (APF) is provided by IBM to control access to libraries of programs that can circumvent all security mechanisms of the operating system, including the access control software. Most APF-authorized libraries can be accessed only by systems programmers whose job it is to maintain the programs in those libraries. However, one test library was APF-authorized and also allowed application programmers unrestricted access to it. As a result, the possibility existed that an application programmer could run an unauthorized program.

12. The production library for application programs is APF-authorized and contained 25 APF-authorized programs, some of which were old and undocumented. During our review, all 25 of these programs were either deleted or moved to a more appropriate library.

13. For performance or other reasons, the mainframe was designed to allow certain programs to bypass standard MVS security and control mechanisms. The base Program Properties Table contains the names of several programs that are not used at the service organization. These program names are authorized to bypass certain functions, such as dataset integrity or MVS passwords, and to access main storage owned by other programs. Since these programs do not exist at the service organization, it would be possible for someone to create an unauthorized program, assign it the name of one of the programs not being used in the Program Properties Table, and then run it without being subject to standard security controls.

14. No policy existed to require users to periodically change their passwords.

15. ACF2 has the capability to protect tape files from unauthorized access. However, this feature was not being utilized by the service organization. Thus, it is possible for a programmer to read a production tape, create a copy of it with certain records changed, and substitute it for the production tape.

16. The service organization does not have a consistently applied formal systems development methodology in place. Furthermore, written user approval of the systems prior to implementation is not always obtained by the service organization, program documentation is not routinely prepared, and program modifications are sometimes placed into production without supervisory review or user approval. As a result, there is an increased risk that areas of user concern could be bypassed, important control features could be overlooked, and programs may not be properly tested or designed to meet user specifications.

17. Programmer documentation describing file layouts, record layouts, subroutine calls, and other data is not routinely prepared. As a result, after a system is developed, program modifications or enhancements are more difficult to perform, and such changes are more likely to contain errors.

18. Programmers are able to write and authorize their own program changes to be placed into production without consistent review or approval. Once a program is assigned to a programmer for modification, the completion of testing is generally at the programmer's discretion. Test plans are not consistently prepared, and test results are not always reviewed by supervisory personnel. These weaknesses increase the risk that source code could be accidentally deleted or otherwise improperly modified.

19. Application programmers have write access to a variety of production source, parameter, cataloged procedure, and macro libraries. This access is not logged by ACF2. Thus, programmers could make unauthorized changes to the source code, which might be placed into production at a later time.

20. The service organization's disaster recovery plan has been developed to address only the destruction of the main data center and the IBM mainframe computers. Network recovery procedures are not addressed, nor are procedures defined for the Card Production Department and the Statement Production Department. Also, the existing plan was not tested for a 20-month period.

When a service auditor's report does not express an opinion as to the operating effectiveness of the policies and procedures in place at a service organization, an internal auditor should recommend to the process owner at the client organization that they ask the service organization why the service auditor did not perform tests of operating effectiveness. The most common reason is that the service organization was avoiding the additional fee that would be charged by the service auditor to perform the additional testing.

RECOMMENDATIONS

The RECOMMENDATIONS column repeats, finding by finding, the list of recommendations given under AUDIT OBJECTIVES AND RESULTS above.
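The APF and Program Properties Table findings above describe two conditions an auditor can test mechanically rather than by inspection: a PPT entry that carries NOPASS or NODSI for a program name that is not installed anywhere, and an APF-authorized library whose access list reaches beyond the systems programmers. The Python script below is an added example and is not part of the original report; the SCHEDxx fragment, the installed-program inventory, the library names and the group names are constructed sample data, and the statement syntax is that of the MVS SCHEDxx PARMLIB member.

```python
"""
Added audit-check example (not from the original report). It tests the two
conditions the findings describe: a Program Properties Table (PPT) entry that
lets a program bypass dataset integrity (NODSI) or password checking (NOPASS)
while no program of that name is installed, and an APF-authorized library whose
access list includes groups other than systems programmers. The SCHEDxx text,
program inventory, library names and group names below are constructed.
"""
import re

# Constructed SCHEDxx fragment in PARMLIB PPT statement syntax.
SAMPLE_SCHEDXX = """
PPT PGMNAME(IEBCOPY)  NOSWAP NOPASS NODSI KEY(1) PRIV
PPT PGMNAME(OLDUTIL1) NOSWAP NOPASS NODSI KEY(1)
PPT PGMNAME(RPTGEN)   KEY(8)
PPT PGMNAME(VNDRLOAD) NOPASS KEY(1)
"""

# Constructed inventory of program names present in the installation's load
# libraries (a real check would build this from the link list and APF list).
INSTALLED_PROGRAMS = {"IEBCOPY", "RPTGEN", "PAYROLL1", "CARDEMB"}

# Constructed APF library inventory: library -> groups permitted to update it.
APF_LIBRARIES = {
    "SYS1.LINKLIB":      {"SYSPROG"},
    "SYS1.LPALIB":       {"SYSPROG"},
    "TEST.APF.LOADLIB":  {"SYSPROG", "APPLPGMR"},
    "PROD.APPL.LOADLIB": {"SYSPROG", "APPLPGMR", "OPERATNS"},
}
SYSTEMS_PROGRAMMER_GROUPS = {"SYSPROG"}

# PPT keywords that bypass standard MVS security controls.
BYPASS_KEYWORDS = {"NOPASS", "NODSI"}
_PPT_RE = re.compile(
    r"^\s*PPT\s+PGMNAME\((?P<name>[A-Z0-9@#$]{1,8})\)(?P<rest>.*)$", re.I)


def parse_ppt(text):
    """Return {program_name: set_of_keywords} for each PPT statement."""
    entries = {}
    for line in text.splitlines():
        m = _PPT_RE.match(line)
        if not m:
            continue
        rest = m.group("rest").upper()
        # Drop operands with values such as KEY(1) or AFF(2); keep bare keywords.
        keywords = set(re.sub(r"\w+\([^)]*\)", " ", rest).split())
        entries[m.group("name").upper()] = keywords
    return entries


def dangling_bypass_entries(ppt, installed):
    """PPT names that hold bypass privileges but match no installed program."""
    return sorted(name for name, kw in ppt.items()
                  if kw & BYPASS_KEYWORDS and name not in installed)


def apf_libraries_open_to_non_sysprogs(apf, sysprog_groups):
    """APF libraries updatable by non-systems-programmer groups: lib -> groups."""
    return {lib: sorted(groups - sysprog_groups)
            for lib, groups in apf.items() if groups - sysprog_groups}


def run_audit(schedxx=SAMPLE_SCHEDXX, installed=INSTALLED_PROGRAMS,
              apf=APF_LIBRARIES, sysprog_groups=SYSTEMS_PROGRAMMER_GROUPS):
    """Run both checks and return the exceptions found."""
    ppt = parse_ppt(schedxx)
    return {
        "dangling_ppt": dangling_bypass_entries(ppt, installed),
        "apf_exposure": apf_libraries_open_to_non_sysprogs(apf, sysprog_groups),
    }


if __name__ == "__main__":
    result = run_audit()
    for name in result["dangling_ppt"]:
        print(f"PPT bypass entry with no installed program: {name}")
    for lib, groups in result["apf_exposure"].items():
        print(f"APF library {lib} updatable by non-sysprog groups: {', '.join(groups)}")
```

Against the sample data the script reports OLDUTIL1 and VNDRLOAD as PPT names with bypass privileges and no installed program, and the test and production application libraries as APF libraries that application programmers can update. In a real review the installed-program set comes from the link list and the APF list, and the access lists from the ACF2 or RACF rules; the logic of the check is unchanged.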

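The security-administration finding and the 60-day password rule in the control table describe exceptions that can be pulled from a logon-ID extract: passwords older than the policy allows, IDs shared by several people, IDs of terminated or transferred staff that still exist, key cards those people still hold, and the number of IDs able to maintain other users' passwords. The script below is an added example and not part of the report; the user records, the key-card register, the review date and the field names are constructed, and the threshold of two password administrators is an assumption used only to illustrate the "excessive number" test.

```python
"""
Added access-review example; not part of the original audit report.
The records below are constructed sample data and their field names are
assumptions, not the layout of any real ACF2 or RACF logon-ID report.
"""
from datetime import date, timedelta

PASSWORD_MAX_AGE = timedelta(days=60)               # table policy: at least every 60 days
PASSWORD_ADMIN_ATTRIBUTES = {"SECURITY", "ACCOUNT"}  # assumed attributes that allow password maintenance
MAX_PASSWORD_ADMINS = 2                              # assumed threshold for "excessive number"
LEAVER_STATUSES = {"terminated", "transferred"}

# Constructed logon-ID extract: ID, the people it is issued to, HR status,
# date of the last password change, and privileged attributes held.
SAMPLE_USERS = [
    {"id": "PGMR01", "people": ["A. Cruz"], "status": "active",
     "pw_changed": date(2024, 1, 15), "attrs": set()},
    {"id": "PGMR02", "people": ["B. Reyes"], "status": "terminated",
     "pw_changed": date(2024, 2, 1), "attrs": set()},
    {"id": "TSOGRP", "people": ["C. Tan", "D. Lim", "E. Go"], "status": "active",
     "pw_changed": date(2023, 9, 30), "attrs": set()},
    {"id": "OPER05", "people": ["F. Ong"], "status": "transferred",
     "pw_changed": date(2024, 2, 20), "attrs": {"SECURITY"}},
    {"id": "SECADM", "people": ["G. Uy"], "status": "active",
     "pw_changed": date(2024, 2, 25), "attrs": {"SECURITY", "ACCOUNT"}},
    {"id": "HELPDSK", "people": ["H. Sy"], "status": "active",
     "pw_changed": date(2024, 2, 10), "attrs": {"ACCOUNT"}},
]

# Constructed key-card register: person -> card status.
SAMPLE_KEYCARDS = {"A. Cruz": "active", "B. Reyes": "active", "C. Tan": "active",
                   "D. Lim": "active", "E. Go": "active", "F. Ong": "revoked",
                   "G. Uy": "active", "H. Sy": "active"}


def review_access(users, keycards, as_of,
                  max_age=PASSWORD_MAX_AGE, max_admins=MAX_PASSWORD_ADMINS):
    """Return the exceptions an auditor would raise against the extract."""
    exceptions = {
        "stale_passwords": [],       # password older than the policy allows
        "shared_ids": [],            # one ID issued to more than one person
        "leavers_still_active": [],  # terminated/transferred staff whose ID still exists
        "leaver_keycards": [],       # those same people still holding an active key card
        "password_admins": [],       # IDs able to maintain other users' passwords
    }
    for u in users:
        if as_of - u["pw_changed"] > max_age:
            exceptions["stale_passwords"].append(u["id"])
        if len(u["people"]) > 1:
            exceptions["shared_ids"].append(u["id"])
        if u["status"] in LEAVER_STATUSES:
            exceptions["leavers_still_active"].append(u["id"])
            exceptions["leaver_keycards"].extend(
                p for p in u["people"] if keycards.get(p) == "active")
        if u["attrs"] & PASSWORD_ADMIN_ATTRIBUTES:
            exceptions["password_admins"].append(u["id"])
    exceptions["too_many_password_admins"] = (
        len(exceptions["password_admins"]) > max_admins)
    return exceptions


if __name__ == "__main__":
    for key, value in review_access(SAMPLE_USERS, SAMPLE_KEYCARDS, date(2024, 3, 1)).items():
        print(f"{key}: {value}")
```

Run against the sample extract as of 1 March 2024, the review flags the shared TSOGRP ID (also the one with a password older than 60 days), the terminated and transferred IDs PGMR02 and OPER05, the key card still active for the terminated employee, and three IDs able to maintain passwords against an assumed limit of two.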
AUDIT OPINION:
In our opinion,
