
JAVIER, Danielle Lois M.

February 22, 2016

MANGALINDAN, Celine Abbey A.

IT6/M46

INFORMATION SYSTEMS AUDIT REPORT


EXECUTIVE SUMMARY
BACKGROUND:
Centrix Bank is a financial institution that has for years operated credit cards distributed by Reliable Bank.
Centrix Bank has now requested an audit report to decide whether the contract should be continued for the next five years,
that is, whether Reliable Bank is still commendable as the supplier of the cards.
SCOPE OF AUDIT:
Examine the adequacy and effectiveness of the internal control system of Reliable Bank. Review the application of its
risk management procedures and risk assessment practices. Test both the transactions and the functioning of the specific
internal control procedures. Study the systems established to ensure compliance with legal and regulatory requirements and
codes of conduct, and the implementation of its policies and procedures.
AUDIT OBJECTIVES AND RESULTS:
The main objective of the audit was to gather evidence on whether Reliable Credit Card practices the internal control
procedures needed to remain a worthy supplier of Centrix Bank for another five years. We have reached the conclusion that
Reliable Credit Card is truly ensuring, practicing and performing the majority of the stated internal control objectives.
On further evaluation we also identified weaknesses in their system; however, over time Reliable Credit Card managed to
amend and improve those weaknesses.

SUMMARY OF AUDIT FINDINGS:

Each control category below is presented with its control policies and techniques, its finding results and issues
(good controls, and weak controls or control deficiencies), and the recommendations.

1. QUALITY ASSURANCE CONTROL

CONTROL POLICIES & TECHNIQUES: Reviewing quality and accuracy of output.

WEAK CONTROLS / CONTROL DEFICIENCIES: The quality assurance department does not review output from each plastic card
production run for either embossing or encoding accuracy. Incorrectly embossed or encoded credit cards are distributed to
customers.

RECOMMENDATIONS: Check and verify the accuracy of embossed and encoded credit cards before distribution to customers.

2. DOCUMENTATION CONTROL

CONTROL POLICIES & TECHNIQUES: Documentation of programmer manuals.

WEAK CONTROLS / CONTROL DEFICIENCIES: Programmer manuals containing file layouts, record layouts, subroutine calls and
other pertinent information are not consistently prepared. As a result, program modifications or enhancements are more
difficult to perform, and such changes are more likely to contain errors.

RECOMMENDATIONS: Documentation of procedures and manuals of system development should be kept and maintained so that
program and system errors can be easily detected and corrected. Documentation is also important for proper program
modification and maintenance.

3. INTERNAL AUDIT

CONTROL POLICIES & TECHNIQUES: Audit of the company's controls and compliance with policies and procedures.

WEAK CONTROLS / CONTROL DEFICIENCIES: The internal audit schedule is not adhered to, and the areas actually audited are
subjectively determined. Audit reports are not always issued on a timely basis, management responses are not documented,
and follow-up audits are not performed. The IA Department does not consistently review system design, development and
maintenance controls for program changes. Information Systems Audit personnel do not routinely attend meetings on system
enhancements and major rewrites of systems.

RECOMMENDATIONS: As an IT Auditor, one should:
1. Assist in audit engagement planning and reporting activities. The internal audit schedule should be followed.
2. Audit areas should not be subjectively determined. Areas that are to be audited should be subject to surprise auditing.
3. Identify critical risks and recommend corrective steps to address the risks.
4. Develop an auditing program to offer comprehensive audit coverage within the organization.
5. Adhere to the auditing standards established by the company's audit department.
6. Communicate audit findings and recommendations to the Audit Manager.
7. Ensure that previous audit recommendations are addressed and implemented.
8. Develop well-crafted audit reports including results and recommendations for management.
9. Schedule and attend meetings with management to clearly understand the company's processes and policies.
10. Address auditing and operational issues promptly.
11. Identify best practices to meet audit requirements in a timely manner.
12. Maintain clear and complete IT audit documentation.

4. DISASTER RECOVERY PLAN

CONTROL POLICIES & TECHNIQUES: Maintaining back-ups of important data and files in case of data loss due to unfortunate
events, by creating a disaster recovery team that will be responsible for creating a back-up plan and procedures as well
as establishing and maintaining an offsite storage facility.

WEAK CONTROLS / CONTROL DEFICIENCIES: System and production tapes required in the recovery of the data processing service
are not always maintained in the offsite storage facilities. The service organization's disaster recovery plan has been
developed to address only the destruction of the main data center and the IBM mainframe computers. Network recovery
procedures are not addressed, nor are procedures defined in the Card Production Department and Statement Production
Department. Also, the existing plan was not tested for a 20-month period.

RECOMMENDATIONS: System and production tapes should always be updated (either real-time updates or batch updates). Assign
personnel who will maintain and update the system and production tapes periodically at the off-site storage. Create a
disaster recovery team who will be responsible for planning, establishing and maintaining a disaster recovery plan. They
will also be responsible for the following:
1. Ensuring that compliance requirements are covered, risks are adequately managed and outlays are kept in line with
potential losses.
2. Identifying the communications and networking capabilities necessary for recovery.
3. Assigning system experts who will be responsible for bringing systems and services back into operation during recovery.

5. AUTHORIZATION CONTROL

CONTROL POLICIES & TECHNIQUES: Access to system programs, confidential data and other sensitive areas should be allowed
only to authorized users.

GOOD CONTROLS: The service organization has a policy that authorizes only appropriate individuals to make program or
other modifications.

WEAK CONTROLS / CONTROL DEFICIENCIES: Only rudimentary password protection exists to ensure that the policy is followed.
System security software, such as RACF or ACF2, is not installed to help prevent unauthorized modifications to
application software, data files, or system software. No method exists to authorize or document changes made by systems
programmers to sensitive areas such as the System Parameter Library (SPL), which contains key information for the audit,
control and security of the MVS operating system.

RECOMMENDATIONS: Install RACF or ACF2 and test it for effectiveness in preventing unauthorized personnel from gaining
access and modifying software, data files or system software. Assign an authorized and qualified system programmer to
make changes to the system. Documentation of the procedures and modifications made should be kept and maintained for
data recording and back-up purposes as well as to be able to perform proper maintenance.

6. SEGREGATION OF DUTIES

CONTROL POLICIES & TECHNIQUES: Ensuring that at least two individuals are responsible for the separate parts of any task
to prevent error and fraud.

WEAK CONTROLS / CONTROL DEFICIENCIES: Programmers are able to write and authorize their own program changes to be placed
into production without consistent review or approval. The completion of testing is generally at the programmer's
discretion. Test plans are not consistently prepared, and test results are not always reviewed by supervisory personnel.
These weaknesses increase the risk that source code could be accidentally deleted or otherwise improperly modified.

RECOMMENDATIONS: Management should approve and authorize programmers to make changes in the system. Review of the changes
made should also be done by management or the authorized supervisory personnel. Proper documentation of the changes made
should be kept. Testing of the modified system should be assigned to other authorized personnel and not done by the
programmer himself. The testing procedures performed and the results of testing should be properly documented and
reviewed by supervisory personnel.

7. SECURITY CONTROL: ACCESS CONTROL

CONTROL POLICIES & TECHNIQUES: Protecting the information system from attacks against the confidentiality, integrity and
availability of computer systems, networks and data.

GOOD CONTROLS: The service organization has recently implemented an access control facility program to control access
to programs and data in the batch and time-sharing environments.

WEAK CONTROLS / CONTROL DEFICIENCIES: The service organization does not have a designated person who has responsibility
for administering security.
1. No formalized, documented security procedures exist for the assignment of key cards allowing access to critical
operational areas, for access to application systems by service organization employees through the in-house security
system, or for control of programmer access through the ACF2 access control software.
2. Security violation reports are not routinely reviewed.
3. Passwords are not routinely changed. Terminated and transferred employee passwords and key cards are not always
removed or modified on the appropriate systems on a timely basis, and an excessive number of individuals are capable of
performing password maintenance.
4. Groups of programmers share the same user IDs and passwords for time-sharing functions, thus decreasing personal
accountability for the use of the system.
5. The access control facility was not installed on the test computer, which was connected to the production computer
and all disk files.

Systems programmers are given unrestricted access to the System Management Facility (SMF), which is the primary audit
trail in the MVS operating system used at the service organization. This facility is used to journal a wide variety of
system events, including ACF2 access control software information.

The base Program Properties Table, containing the names of several programs that are not used at the service
organization, is authorized to bypass certain functions, such as dataset integrity or MVS passwords, and to access main
storage owned by other programs. Since these programs do not exist at the service organization, it would be possible for
someone to create an unauthorized program, assign it the name of one of the programs not being used in the Program
Properties Table, and then run it without being subject to standard security controls.

ACF2 has the capability to protect tape files from unauthorized access. However, this feature was not being utilized by
the service organization. Thus, it is possible for a programmer to read a production tape, create a copy of it with
certain records changed, and substitute it for the production tape. Application programmers have write access to a
variety of production source, parameter, cataloged procedure, and macro libraries. This access is not logged by ACF2.
Thus, programmers could make unauthorized changes to the source code, which might be placed into production at a later
time.

RECOMMENDATIONS: Develop a security policy and assign authorized personnel to administer security. Key cards should only
be assigned to persons who are authorized to access critical operating areas. Security violations should be reviewed,
and violators should be given warnings or punishments. A password security policy should be established. Immediately
delete the passwords and invalidate the key cards of terminated employees to avoid unauthorized access. Each employee
should have a different and unique user ID and password, which should not be shared with others. Install the access
control facility on the test computer to keep track of who is authorized to access the computer and to keep a log of
access to the computer.

System programmers should not be given unrestricted access to the System Management Facility. Restrict their access to
the facility and assign personnel who can supervise it. Create logs of who accesses the facility and what documents or
data they retrieved, and review and check whether any data is lost or changed when returned.

Programs not used in the organization should be uninstalled or deleted to avoid the creation of unauthorized programs
that can access the system undetected.

Utilize the security function of ACF2 to restrict access to the tape files and the production source, parameter,
cataloged procedure, and macro libraries, and also to protect them from any unauthorized modification or changes in
records. Programmer access to the source code should be logged for documentation purposes and to keep a trace/record for
audit purposes.

8. SECURITY CONTROL: PASSWORD CONTROL

WEAK CONTROLS / CONTROL DEFICIENCIES: No policy existed to require users to periodically change their passwords.

RECOMMENDATIONS: Establish a password policy that requires the following:
1. Review the password file to determine that weak passwords are identified and disallowed.
2. Verify that users are changing their passwords regularly.
3. Verify that the password file is encrypted and that the encryption key is properly secured.

9. SYSTEM DEVELOPMENT CONTROL

WEAK CONTROLS / CONTROL DEFICIENCIES: The service organization does not have a consistently applied systems development
methodology in place. Client organization sign-off on systems prior to implementation is not solicited by the service
organization. Program documentation is not consistently prepared. Program modifications are often placed into production
without supervisory review or user approval.

RECOMMENDATIONS: Develop a system development plan and documentation. This is important to make sure that the system is
in line with the strategic objectives of the firm. Supervision during system development should be done to ensure that
the system is properly implemented and no modifications are made. Testing of the system should be assigned to personnel
other than the programmer/developer. Review of the test results should also be done and should be assigned to personnel
other than the programmer and the tester.
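As an added illustration of the access control and password control findings above (not part of the audit report and not a tool of the audited organization), the following Python script runs the report's checks over a constructed account export: password age, accounts of terminated or transferred employees still active, shared user IDs, and the number of users able to perform password maintenance. The 90-day rotation period and the cap of two password administrators are assumed thresholds that the report does not state.

```python
"""Account checks over a constructed export; thresholds are assumed, not the bank's."""
from dataclasses import dataclass
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # assumed rotation period; the report sets no figure
MAX_PASSWORD_ADMINS = 2      # assumed cap on users with password-maintenance rights


@dataclass
class Account:
    user_id: str
    holders: tuple             # people who know the password; more than one = shared ID
    last_password_change: date
    active: bool
    employment_status: str     # "active", "terminated" or "transferred"
    can_maintain_passwords: bool


def audit_accounts(accounts, today):
    """Return (user_id, issue) pairs for the deficiencies the findings table lists."""
    issues, admins = [], 0
    for a in accounts:
        if not a.active:
            continue           # disabled accounts are already handled
        age = (today - a.last_password_change).days
        if age > MAX_PASSWORD_AGE_DAYS:
            issues.append((a.user_id, f"password not changed for {age} days"))
        if a.employment_status in ("terminated", "transferred"):
            issues.append((a.user_id, f"{a.employment_status} employee still active"))
        if len(a.holders) > 1:
            issues.append((a.user_id, f"user ID shared by {len(a.holders)} people"))
        admins += int(a.can_maintain_passwords)
    if admins > MAX_PASSWORD_ADMINS:
        issues.append(("*", f"{admins} users can perform password maintenance"))
    return issues


# Constructed sample export; every record is made up for this example.
SAMPLE = [
    Account("OPS01", ("alice",), date(2016, 1, 15), True, "active", True),
    Account("PRG07", ("bob", "carol", "dave"), date(2015, 6, 1), True, "active", False),
    Account("PRG12", ("erin",), date(2016, 2, 1), True, "terminated", True),
    Account("SYS03", ("frank",), date(2016, 2, 10), True, "active", True),
]


def run_sample():
    """Run the checks on the sample as of the report date."""
    return audit_accounts(SAMPLE, date(2016, 2, 22))


if __name__ == "__main__":
    for user, issue in run_sample():
        print(f"{user}: {issue}")
```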

AUDIT OPINION:
In our opinion, Reliable Credit Card Inc. has a few specific control weaknesses. However, these weaknesses are fairly
general, and the controls evaluated are adequate, appropriate and effective to provide reasonable assurance that risks
are being managed and objectives are met. A majority of the control objectives were achieved by Reliable Credit Card
Inc.
