
IT AUDITING OF

PROVINCE OF CAVITE
PROVINCIAL ICT OFFICE

Jayson M. Victoriano
Harold R. Lucero
Manuel Luis Delos Santos
Khenilyn P. Lewis
Paquito G. Fernando
CAVITE
Provincial Information and Communications Technology Office

Vision
By 2016, the operation of the Provincial Government of Cavite shall be fully automated and centralized.

Mission
To provide fast, accurate, quality public service and timely information.

Function
PICTO acts as the lead agency in the evaluation and implementation of Information and Communications Technology (ICT) and other ICT convergence in the province. The office also handles network and hardware administration and maintenance, providing technical support within and outside the Provincial Government. It also provides free, quality computer education in basic and advanced computer and information technology courses for all Caviteños, most particularly out-of-school youths.

Four Divisions

ADMINISTRATIVE DIVISION

In charge of handling the administrative work of the IT Division. Provides support on records and services relating to personnel, staff development, management of supplies & equipment, and receiving and control of requisition forms, official letters and communications.

INFORMATION SYSTEMS AND DATABASE ADMINISTRATION (ISDA) DIVISION

Evaluates and monitors the implementation of the different computerized systems in the Provincial Government. It is responsible for application software maintenance, customization of existing systems, development of new systems based on the needs of the requesting office, and data build-up of offices being computerized. It is also responsible for research, development and maintenance of Cavite’s official website (www.cavite.gov.ph).

INFORMATION AND COMMUNICATIONS TECHNOLOGY (ICT) OPERATION DIVISION

The division handles the maintenance of ICT software and equipment and the administration and maintenance of the LAN connection and server. It is also responsible for providing appropriate specifications for the acquisition of information and communications technology equipment.

EDUCATION AND TRAINING DIVISION (Cavite Computer Center)

As an integral part of the Department of Education Alternative Learning System – Non Formal Studies, the division provides free, quality computer education in basic and advanced computer and information technology courses for all Caviteños, most particularly out-of-school youths and those in the marginal sector of society. It plans, develops and administers programs and policies for the Cavite Computer Center (CCC).

Cavite First Class, World Class

The First AJA ISO 9001:2015 Certified Provincial Government in the Philippines. ISO 9001:2015 is a set of standards and requirements for the development of a quality management system, commonly applied by private corporations and organizations to help ensure that the needs and expectations of customers are adequately and consistently met. These standards also enable organizations to develop mechanisms for continual improvement of products and services.

The Seal of Good Housekeeping is given to LGUs that excelled in the areas of planning, budgeting, revenue mobilization, financial management, budget execution, procurement and resource mobilization. It also recognizes local governments that accord primacy to the principles of transparency and accountability. Recipients of the award also received one million pesos each from the DILG’s Performance Challenge Fund (PCF).

Cavite was also hailed as one of the Regional Gawad Pamana ng Lahi 2011 Awardees – Provincial Category. Exemplary performance information is drawn from the database of the on-line LGPMS, the Seal of Good Housekeeping, and International Organization or National Government Agency-bestowed awards and acknowledged innovations.

AUDIT RESULT
Area A
ORGANIZATION AND ADMINISTRATION

Audit Objective - Does the organization of data processing provide for adequate segregation of duties?

Audit Procedure - Review the company organization chart and the data processing department organization chart.
Area A
ORGANIZATION AND ADMINISTRATION
NO. DESCRIPTION YES NO N/A
1. Is there a separate EDP department within the company?
2. Is there a steering committee where the duties and responsibilities for managing MIS are clearly defined?
3. Has the company developed an IT strategy linked with the long and medium term plans?
4. Is the EDP Department independent of the user departments and in particular the accounting department?
5. Are there written job descriptions for all jobs within the EDP department, and are these job descriptions communicated to designated employees?
6. Are EDP personnel prohibited from having incompatible responsibilities or duties in user departments and vice versa?
7. Are there written specifications for all jobs in the EDP Department?
8. Are the following functions within the EDP Department performed by separate sections?
   = System Design
   = Application Programming
   = Computer Operations
   = Database Administration
   = System Programming
   = Data Entry and Control
9. Are the data processing personnel prohibited from duties relating to:
   = Initiating Transactions
   = Recording of Transactions
   = Master File Changes
   = Correction of Errors
10. Is all processing pre-scheduled and authorized by appropriate personnel?
11. Are there procedures to evaluate and establish who has access to the data in the database?
12. Are the EDP personnel adequately trained?
13. Are systems analysts and programmers denied access to the computer room and limited in their operation of the computer?
14. Are operators barred from making changes to programs and from creating or amending data before, during, or after processing?
15. Is the custody of assets restricted to personnel outside the EDP department?
16. Is a strategic data processing plan developed by the company for the achievement of the long-term business plan?
17. Are there any key personnel within the IT department whose absence can leave the company with limited expertise?
18. Are there any key personnel who are being over-relied upon?
19. Is an EDP audit carried out by internal audit or an external consultant to ensure compliance with the policies and controls established by management?
Area A
ORGANIZATION AND ADMINISTRATION
RECOMMENDATIONS

•It is recommended that the administrator and trusted personnel have the sole authority to make necessary changes on master files and provide correction on any erroneous entries.

•Restrictions on confidential files should be set, and only authorized personnel should be permitted to enter the EDP department.

•Reliability checks should be conducted by the administrator.

•The provincial ICT council should create or assign an external auditor, specifically one with experience in ISO procedures and policies.

AUDIT RESULT
Area B
PROGRAM MAINTENANCE AND SYSTEM DEVELOPMENT

Audit Objective - Development and changes to programs are authorized, tested, and approved prior to being placed in production.

Audit Procedure - Review details of the program library structure, and note controls which allow only authorized individuals to access each library.
Area B
PROGRAM MAINTENANCE & SYSTEM DEVELOPMENT
NO. DESCRIPTION YES NO N/A
1. Are there written standards for program maintenance?
2. Are these standards adhered to and enforced?
3. Are these standards reviewed regularly and approved?
4. Are there procedures to ensure that all programs required for maintenance are kept in a separate program test library?
5. Are programmers denied access to all libraries other than the test library?
6. Are changes to programs initiated by written request from the user department and approved?
7. Are changes initiated by the Data Processing Department communicated to users and approved by them?
8. Are there adequate controls over the transfer of programs from production into the programmers' test library?
9. Are all systems developed or changes to existing systems tested according to user-approved test plans and standards?
10. Are tests performed for system acceptance and test data documented?
11. Are transfers from the development library to the production library carried out by persons independent of the programmers?
12. Do procedures ensure that no such transfer can take place without the change having been properly tested and approved?
13. Is a report of program transfers into production reviewed on a daily basis by a senior official to ensure only authorized transfers have been made?
14. Are all program changes properly documented?
15. Are all changed programs immediately backed up?
15. Is a copy of the previous version of the program retained?
16. Are there standards for emergency changes to be made to application programs?
17. Are there adequate controls over program recompilation?
18. Are all major amendments notified to Internal Audit for comment?
19. Are there adequate controls over authorization, implementation, approval and documentation of changes to operating systems?
Area B
PROGRAM DEVELOPMENT & SYSTEM MAINTENANCE
RECOMMENDATIONS

•As for quality policy and standards, the ICT council should formulate procedures on the maintenance of systems and programs.

•The ICT council should formulate policies on the proper transfer of programs from production into the programmers' test library.

•Programmers can be given access to libraries only for materials related to their current project.

AUDIT RESULT
Area C
SYSTEM DEVELOPMENT

Audit Objective - Development and changes to programs are authorized, tested, and approved prior to being placed in production.

Audit Procedure - Review details of the program library structure, and note controls which allow only authorized individuals to access each library.
Area C
SYSTEM DEVELOPMENT
NO. DESCRIPTION YES NO N/A
1. Are there formalized standards for the system development life cycle procedure?
2. Do they require authorization at the various stages of development – feasibility study, system specification, testing, parallel running, post-implementation review, etc.?
3. Do the standards provide a framework for the development of controlled applications?
4. Are standards regularly reviewed and updated?
5. Does adequate system documentation exist for:
   = Programmers to maintain and modify programs?
   = Users to satisfactorily operate the system?
6. Has the internal audit department been involved in the design stage to ensure adequate controls exist?
7. Testing of programs - see Program Maintenance.
8. Procedures for authorizing new applications to production - see Program Maintenance.
9. Are user and data processing personnel adequately trained to use the new applications?
10. Is system implementation properly planned and implemented by either parallel run or pilot run?
11. Are any differences and deficiencies during the implementation phase noted and properly resolved?
12. Are there adequate controls over the setting up of the standing data and opening balances?
13. Is a post-implementation review carried out?
14. Are user manuals prepared for all new systems developed and revised for subsequent changes?
15. Is there a Quality Assurance function to verify the integrity and acceptance of applications developed?
Area C
SYSTEM DEVELOPMENT
RECOMMENDATIONS

•The internal audit department should be involved in the design stage.

AUDIT RESULT
Area D
PURCHASED SOFTWARE
NO. DESCRIPTION YES NO N/A
1. Are there procedures addressing controls over selection, testing and acceptance of packaged software?
2. Is adequate documentation maintained for all software purchased?
3. Are vendor warranties (if any) still in force?
4. Is the software purchased held in escrow?
5. Are backup copies of user/operations manuals kept off-site?
Area D
PURCHASED SOFTWARE
RECOMMENDATIONS

•The EDP department should conduct testing of software before the software is purchased.

•Copies of user/operations manuals should be properly kept.

•The purchased software should be in the custody of the institution and not with the vendor.

AUDIT RESULT
Area E
ACCESS TO DATA FILES

Audit Objective - Is access to data files restricted to authorized users and programs?
Area E
ACCESS TO DATA FILES
NO. DESCRIPTION YES NO N/A
1. Is there any formal written data security policy? Consider whether the policy addresses data ownership, confidentiality of information, and use of passwords.
2. Is the security policy communicated to individuals in the organization?
3. Is physical access to off-line data files controlled in:
   = Computer room?
   = On-site library?
   = Off-site library?
4. Does the company employ a full-time librarian who is independent of the operators and programmers?
5. Are libraries locked during the absence of the librarian?
6. Are requests for on-line access to off-line files approved?
7. Are requests checked against the actual files issued and initialed by the librarian?
8. Are sensitive applications, e.g. payroll, maintained on machines in physically restricted areas?
9. Are encryption techniques used to protect against unauthorized disclosure or undetected modification of sensitive data?
10. Are returns followed up, and non-returns investigated and adequately documented?
Area E
ACCESS TO DATA FILES
RECOMMENDATIONS

•Even in the absence of the librarian, libraries should not be locked, to support the operations of the institution.

•There should be a proper protocol and proper documentation for requests to transfer online files to offline.

AUDIT RESULT
Area F
COMPUTER PROCESSING
NO. DESCRIPTION YES NO N/A
1. Does a scheduling system exist for the execution of programs?
2. Are non-scheduled jobs approved prior to being run?
3. Is the use of utility programs controlled (in particular those that can change executable code or data)?
4. Are program tests restricted to copies of live files?
5. Is access to the computer room restricted to authorized personnel only?
6. Are internal and external labels used on files?
7. Are overrides of system checks by operators controlled?
8. Are exception reports for such overrides printed and reviewed by appropriate personnel?
9. Do sufficient operating instructions exist covering the procedures to be followed during operation?
10. If so, are these independently reviewed?
11. Are integrity checking programs run periodically to check the accuracy and correctness of linkages between records?
Area F
COMPUTER PROCESSING
RECOMMENDATIONS

•Testing should be conducted first, and proper scheduling of system maintenance should be made.

•There should be regular monitoring, checking and maintenance of programs.

AUDIT RESULT
Area G
ACCESS CONTROL
NO. DESCRIPTION YES NO N/A
1. Is there any proper password syntax in force, i.e. minimum 5 and maximum 8 characters, including alphanumeric characters?
2. Are there satisfactory procedures for reissuing passwords to users who have forgotten theirs?
3. Are procedures in place to ensure compliance with the removal of terminated employees' passwords?
4. Are system access capabilities properly changed with regard to personnel status changes?
5. Are individual job responsibilities considered when granting users access privileges?
6. Is each user allocated a unique password and user account?
7. Are there procedures in place to ensure a forced change of password after every 30 days?
8. Are application-level security violations logged?
9. Do standards and procedures exist for follow-up of security violations?
10. Do formal and documented procedures exist for the use and monitoring of the dial-up access facility?
11. Is use made of passwords to restrict access to specific files?
12. Do terminals automatically log off after a set period of time?
13. Is there a limit on the number of invalid passwords before the terminal closes down?
14. Are there any administrative regulations limiting physical access to terminals?
15. Are invalid password attempts reported to user department managers?
16. Are restrictions placed on which applications terminals can access?
17. Are keys, locks, cards or other physical devices used to restrict access to authorized users only?
Area G
ACCESS CONTROL
RECOMMENDATIONS

•All users should be forced to change their passwords every 30 days to ensure the security of data and the system.

•Logs should be made regardless of whether the user creates security violations or not, for tighter security and control.

•The system should only allow a maximum of three invalid login attempts. If these attempts are committed by the user, the account will be locked and will require the system administrator to reactivate it.
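Added example (not from the audit deck or PICTO): the three Area G recommendations expressed as a small Python access-control routine. Every login attempt is logged whether it succeeds or fails, an account locks after three invalid attempts until an administrator reactivates it, and a password older than 30 days must be changed before it is accepted. The user name, passwords and timestamps are constructed for the demonstration, and the in-memory dictionary stands in for whatever account store the real system uses.

```python
"""Area G access-control recommendations as an in-memory policy engine.
Constructed example: account store, user names and timestamps are made up."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac
import os

MAX_INVALID_ATTEMPTS = 3               # recommendation: lock after three invalid logins
PASSWORD_MAX_AGE = timedelta(days=30)  # recommendation: forced change every 30 days
PBKDF2_ROUNDS = 20_000                 # kept low so the demo runs quickly; raise in production


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 so the store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class AccessControl:
    accounts: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # (timestamp, user, outcome) for every attempt

    def create_account(self, username, password, now):
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash_password(password, salt), now)

    def login(self, username, password, now) -> str:
        """Return 'ok', 'password_expired', 'locked', 'invalid' or 'unknown_user'."""
        acct = self.accounts.get(username)
        if acct is None:
            result = "unknown_user"
        elif acct.locked:
            result = "locked"  # stays locked until admin_unlock, even for a correct password
        elif not hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt)):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_INVALID_ATTEMPTS:
                acct.locked = True
            result = "invalid"
        elif now - acct.password_set_at > PASSWORD_MAX_AGE:
            acct.failed_attempts = 0
            result = "password_expired"  # correct password, but the 30-day rule blocks it
        else:
            acct.failed_attempts = 0
            result = "ok"
        self.log.append((now.isoformat(), username, result))  # logged regardless of outcome
        return result

    def admin_unlock(self, username, admin_name, now):
        acct = self.accounts[username]
        acct.locked = False
        acct.failed_attempts = 0
        self.log.append((now.isoformat(), username, f"unlocked_by:{admin_name}"))

    def change_password(self, username, new_password, now):
        acct = self.accounts[username]
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash_password(new_password, acct.salt)
        acct.password_set_at = now
        self.log.append((now.isoformat(), username, "password_changed"))


def demo():
    """Constructed scenario: three bad guesses lock the account, an administrator
    unlocks it, then a 31-day-old password is refused until it is changed."""
    ac = AccessControl()
    t0 = datetime(2016, 1, 1, 8, 0)
    ac.create_account("jdelacruz", "correct horse", t0)
    results = [ac.login("jdelacruz", "wrong", t0 + timedelta(minutes=i)) for i in range(4)]
    ac.admin_unlock("jdelacruz", "sysadmin", t0 + timedelta(hours=1))
    after_unlock = ac.login("jdelacruz", "correct horse", t0 + timedelta(hours=2))
    expired = ac.login("jdelacruz", "correct horse", t0 + timedelta(days=31))
    ac.change_password("jdelacruz", "new passphrase", t0 + timedelta(days=31))
    renewed = ac.login("jdelacruz", "new passphrase", t0 + timedelta(days=31, minutes=1))
    return results, after_unlock, expired, renewed, len(ac.log)


if __name__ == "__main__":
    print(demo())
```

The fourth attempt is reported as "locked" rather than "invalid" so that the reviewer of the log (Area G item 15) can see the lockout as a distinct event; the unlock and the password change are logged too, since an auditor will want to tie each reactivation to a named administrator.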

AUDIT RESULT
Area H
APPLICATION CONTROLS – INPUT

Audit Objective - Do controls provide reasonable assurance that for each transaction type, input is authorized, complete and accurate, and that errors are promptly corrected?

Area H
APPLICATION CONTROLS – INPUT
NO. DESCRIPTION YES NO N/A
1. Are all transactions properly authorized before being processed by computers?
2. Are all batches of transactions authorized?
3. Do controls ensure unauthorized batches or transactions are prevented from being accepted, i.e. they are detected?
4. Is significant standing data input verified against the master file?
5. Is maximum use made of edit checking, e.g. check digits, range and feasibility checks, limit tests, etc.?
6. Are there procedures to ensure all vouchers have been processed, e.g. batch totals, document counts, sequence reports, etc.?
7. Are there procedures established to ensure that transactions or batches are not lost, duplicated or improperly changed?
8. Are all errors reported for checking and correction?
9. Are errors returned to the user department for correction?
10. Do procedures ensure these are resubmitted for processing?
11. Is an error log maintained and reviewed to identify recurring errors?
12. Are persons responsible for data preparation and data entry independent of the output checking and balancing process?
13. Are persons responsible for data entry prevented from amending master file data?
Area H
APPLICATION CONTROLS – INPUT
RECOMMENDATIONS

•Verify the authenticity of the information system user entering or consuming information, and determine their access rights and privileges to perform input operations in the information system.
•Verify that the inputs provided are in the format or manner accepted.
•Implement proper error reporting and handling. This is the determination of errors at the point of input to ensure that data accepted into the Information System is as error-free as possible. However, this does not stop at identifying errors in input only. It encompasses handling such errors and pointing them out to users so that they can correct them.
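Added example (not from the audit deck): the input controls named in the Area H checklist (check digits, range and limit tests, batch totals, document counts, sequence checks) together with the recommended error reporting, implemented in Python over a constructed batch of vouchers and a constructed control slip. The voucher records, account numbers and the amount limit are assumed for the demonstration; the check digit used is the standard mod-10 (Luhn) algorithm.

```python
"""Area H input controls over one constructed batch of vouchers.
Constructed example: vouchers, control slip and AMOUNT_LIMIT are made up."""
from dataclasses import dataclass


@dataclass
class Voucher:
    seq: int          # voucher sequence number (sequence check)
    account: str      # account number whose last digit is a mod-10 check digit
    amount: int       # amount in centavos (range / limit test)


@dataclass
class ControlSlip:
    document_count: int  # count written by the preparer before data entry
    batch_total: int     # total written by the preparer before data entry


AMOUNT_LIMIT = 5_000_000  # constructed limit test: no single voucher above 50,000.00


def luhn_valid(number: str) -> bool:
    """Mod-10 check digit test (the 'check digits' edit check in item 5)."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_batch(vouchers, slip):
    """Return (accepted_vouchers, error_log).

    Batch-level controls (document count, batch total, sequence) come first; if
    any fails the whole batch is returned for correction, because a lost or
    duplicated voucher cannot be localised to one record. Item-level edit checks
    then produce one error-log entry per rejected voucher so the user department
    can correct and resubmit exactly those items (items 8-11)."""
    errors = []
    if len(vouchers) != slip.document_count:
        errors.append(("BATCH", f"document count {len(vouchers)} != slip {slip.document_count}"))
    entered_total = sum(v.amount for v in vouchers)
    if entered_total != slip.batch_total:
        errors.append(("BATCH", f"batch total {entered_total} != slip {slip.batch_total}"))
    seqs = sorted(v.seq for v in vouchers)
    expected = list(range(seqs[0], seqs[0] + len(seqs))) if seqs else []
    if seqs != expected:  # any gap or duplicate breaks the contiguous run
        errors.append(("BATCH", f"sequence gap or duplicate in {seqs}"))

    accepted = []
    for v in vouchers:
        item_errors = []
        if not luhn_valid(v.account):
            item_errors.append("account check digit failed")
        if not 0 < v.amount <= AMOUNT_LIMIT:
            item_errors.append(f"amount {v.amount} outside 1..{AMOUNT_LIMIT}")
        if item_errors:
            errors.append((v.seq, "; ".join(item_errors)))
        else:
            accepted.append(v)
    if any(src == "BATCH" for src, _ in errors):
        accepted = []  # nothing is posted until the batch-level controls reconcile
    return accepted, errors


def demo():
    """Constructed batches: one clean, one with a sequence gap, a bad check digit
    and an amount over the limit."""
    good = [Voucher(101, "79927398713", 150_000), Voucher(102, "1234567812345670", 20_000)]
    accepted_good, errors_good = validate_batch(good, ControlSlip(2, 170_000))
    bad = [
        Voucher(201, "79927398713", 150_000),
        Voucher(202, "79927398710", 20_000),          # check digit fails
        Voucher(204, "1234567812345670", 6_000_000),  # gap at 203, amount over limit
    ]
    accepted_bad, errors_bad = validate_batch(bad, ControlSlip(3, 6_170_000))
    return accepted_good, errors_good, accepted_bad, errors_bad


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The error log keeps the voucher sequence number as its key, which is what lets item 11 (reviewing the log for recurring errors) be done per voucher and per preparer rather than per batch.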

AUDIT RESULT
Area I
OUTPUT AND PROCESSING

Audit Objective - The controls provide reasonable assurance that transactions are properly processed by the computer and output (hard copy or other) is complete and accurate, and that calculated items have been accurately computed.

Area I
OUTPUT PROCESSING
NO. DESCRIPTION YES NO N/A
1. Where output from one system is input to another, are run-to-run totals, or similar checks, used to ensure no data is lost or corrupted?
2. Are there adequate controls over forms that have monetary value?
3. Is maximum use made of programmed checks on limits, ranges, reasonableness, etc., and are items that are detected reported for investigation?
4. Where calculations can be forced, i.e. bypass a programmed check, are such items reported for investigation?
5. Where errors in processing are detected, is there a formal procedure for reporting and investigation?
6. Is reconciliation between input, output and brought-forward figures carried out and differences investigated?
7. Are suspense accounts checked and cleared on a timely basis?
8. Are key exception reports reviewed and acted upon on a timely basis?
Area I
OUTPUT PROCESSING
RECOMMENDATIONS

•There should be adequate controls on forms that have monetary value.
•There should be no way any calculations on the information system can be forced.

AUDIT RESULT
Area J
VIRUSES

Audit Objective - The controls provide reasonable assurance that transactions are properly processed by the computer and output (hard copy or other) is complete and accurate, and that calculated items have been accurately computed.

Area J
VIRUSES
NO. DESCRIPTION YES NO N/A
1. Is there any formal written anti-virus policy?
2. Is the policy effectively communicated to individuals in the organization?
3. Is there a list of approved software and suppliers?
4. Is only authorized software installed on microcomputers?
5. Is there a master library of such software?
6. Are directories periodically reviewed for suspicious files?
7. Are files on the system regularly checked for size changes?
8. Is anti-virus software installed on all microcomputers/laptops?
9. Is anti-virus software regularly updated with new virus definitions?
10. Are suspicious files quarantined and deleted from the terminal’s hard drive and network drive on a regular basis?
11. Are diskettes formatted before re-use?
12. Have procedures been developed to restrict or oversee the transfer of data between machines?
13. Are staff prohibited from sharing machines (laptops/desktops)?
14. Is software reloaded from the master diskettes after machine maintenance?
15. Have all staff been advised of the virus prevention procedures?
16. Are downloads from the internet controlled by locking the hard drive and routing them through the network drive to prevent any virus from spreading?
Area J
VIRUSES
RECOMMENDATIONS

•There should be an accreditation of suppliers that supply software needed by the institution.

•Important files should be checked for file size changes.

•Regular checkups of terminal computers should be scheduled.

•There should be licensed anti-virus software installed on each computer as well as on servers.
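Added example (not from the audit deck): a baseline-and-compare check in Python for the Area J items on reviewing directories for suspicious files and checking files for size changes. A size check alone misses an edit that keeps the file the same length, so the baseline also records a SHA-256 digest and reports such files separately. The directory tree, file names and contents are constructed in a temporary folder for the demonstration.

```python
"""Baseline-and-compare file check for Area J items 6 and 7.
Constructed example: the directory tree in demo() is made up in a temp folder."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> (size, sha256 hex) for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            baseline[rel] = (os.path.getsize(full), h.hexdigest())
    return baseline


def compare(baseline, current):
    """Classify every difference between two snapshots.

    'added' and 'removed' serve the suspicious-files review (item 6);
    'size_changed' is the size check (item 7); 'content_changed' catches a
    same-size modification that the size check alone would miss."""
    report = {"added": [], "removed": [], "size_changed": [], "content_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            (old_size, old_hash), (new_size, new_hash) = baseline[rel], current[rel]
            if old_size != new_size:
                report["size_changed"].append(rel)
            elif old_hash != new_hash:
                report["content_changed"].append(rel)
    return report


def demo():
    """Constructed scenario: baseline a small tree, then grow one file, alter
    another without changing its size, add an unexpected file and delete one."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        write("bin/payroll.exe", b"original program image")
        write("bin/report.exe", b"ABCDEFGH")
        write("docs/readme.txt", b"user manual")
        baseline = snapshot(root)

        write("bin/payroll.exe", b"original program image plus appended bytes")  # grows
        write("bin/report.exe", b"ABCDEFGX")          # same size, one byte changed
        write("bin/update.tmp", b"unexpected new file")  # not in the approved set
        os.remove(os.path.join(root, "docs/readme.txt"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline would be taken right after software is loaded from the master library (items 5 and 14) and stored off the machine being checked, so that a compromised terminal cannot also rewrite the record it is compared against.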

AUDIT RESULT
Area K
INTERNET

Audit Objective - The controls provide reasonable assurance that transactions are properly processed by the computer and output (hard copy or other) is complete and accurate, and that calculated items have been accurately computed.

Area K
INTERNET
NO. DESCRIPTION YES NO N/A
1. Is there any proper policy regarding the use of the internet by employees?
2. Does the policy identify the specific assets that the firewall is intended to protect and the objectives of that protection?
3. Does the policy support the legitimate use and flow of data and information?
4. Is information passing through the firewall properly monitored?
5. Determine whether management approval of the policy has been sought and granted, and the date of the most recent review of the policy by management.
6. Is the policy properly communicated to the users, and is awareness maintained?
7. Has the company employed a Firewall Administrator?
8. Is the firewall configured as per the security policy?
9. Is URL screening being performed by the firewall?
10. Is anti-virus inspection enabled? Are packets screened for the presence of prohibited words?
11. If so, determine how the list of words is administered and maintained.
12. Are access logs regularly reviewed, and is any action taken on questionable entries?
Area K
INTERNET
RECOMMENDATIONS

•There should be a firewall administrator.

•Access logs should be regularly reviewed in order to identify whether there are any questionable entries on the system.

•Anti-virus should be enabled and updated at all times.

AUDIT RESULT
Area L
CONTINUITY OF OPERATIONS
Physical Protection

Audit Objective - The controls provide reasonable assurance that transactions are properly processed by the computer and output (hard copy or other) is complete and accurate, and that calculated items have been accurately computed.

Area L
CONTINUITY OF OPERATIONS – Fire Hazard
NO. DESCRIPTION YES NO N/A
1. Check the safety against fire in the following ways:
   = Building materials fire resistant?
   = Wall and floor coverings non-combustible?
   = Separation from hazardous areas (e.g. fire doors)?
   = Separation from combustible materials (e.g. paper, fuel)?
   = Smoking restriction?
   = Fire resistant safes (for tapes, disks and documentation)?
2. Check the appropriate arrangements of fire detection devices:
   = Smoke/heat-rise detectors?
   = Detectors located on ceiling and under floor?
   = Detectors located in all key EDP areas?
   = Linked to fire alarm system?
3. Check the appropriate arrangements for fire fighting:
   = Halon gas system (for key EDP areas)
   = Automatic sprinkler system
   = Portable CO2 extinguishers (electrical fires)
   = Ease of access for fire services
4. Check appropriate arrangements in case of fire emergency:
   = Fire instructions clearly posted
   = Fire alarm buttons clearly visible
   = Emergency power-off procedures posted
   = Evacuation plan, with assignment of roles and responsibilities
5. Check if there is training to avoid fire emergency:
   = Regular fire drill and training
   = Regular inspection/testing of all computing equipment

Area L
CONTINUITY OF OPERATIONS – Air Conditioning
NO. DESCRIPTION YES NO N/A
1. Monitoring of temperature and humidity in EDP area.
   = Heat, fire and access protection of sensitive air-conditioning parts (e.g. cooling tower)
   = Air intakes located to avoid undesirable pollution
   = Back-up air conditioning equipment

Area L
CONTINUITY OF OPERATIONS – Power Supply
NO. DESCRIPTION YES NO N/A
   = Reliable local power supply
   = Separate computer power supply
   = Line voltage monitored
   = Power supply regulated (for voltage fluctuation)
   = Uninterrupted power supply (e.g. battery system) available
   = Alternative power supply (e.g. generator)
   = Emergency lighting system

Area L
CONTINUITY OF OPERATIONS – Comm. Network
NO. DESCRIPTION YES NO N/A
   = Physical protection of communications lines, modems, multiplexors and processors
   = Location of communication equipment separate from main EDP equipment
   = Back-up and dial-up lines for direct lines

Area L
CONTINUITY OF OPERATIONS – Machine Rm Layout
NO. DESCRIPTION YES NO N/A
   = Printers, plotters located in separate area
   = Printout preparation (e.g. bursting) located in separate area
   = Tape/disk library in separate area
   = Machine room kept tidy
   = Practical location of security devices
   = Emergency power off switches
   = Alarms
   = Extinguishers
   = Environment monitoring equipment

Area L
CONTINUITY OF OPERATIONS – Access Control
Entrance Routes
NO. DESCRIPTION YES NO N/A
   = No unnecessary entrances to the computer room
   = Non-essential doors always shut and locked to the outside (e.g. fire exits)
   = Air vent and daylight access location
   = Protected and controlled use of all open doors
Area L
CONTINUITY OF OPERATIONS – Access Control
Entrance Routes
RECOMMENDATIONS

•Continuous preventive maintenance of the facilities.

AUDIT RESULT
Area M
ACCESS CONTROL

Audit Objective - The controls provide reasonable assurance that transactions are properly processed by the computer and output (hard copy or other) is complete and accurate, and that calculated items have been accurately computed.

Area M
ACCESS CONTROL
NO. DESCRIPTION YES NO N/A
1. Access restricted to selected employees
2. Prior approval required for all other employees
3. Entrance door controlled by:
   = Screening by a guard
   = Locks/combinations
   = Electronic badge/key
   = Other - biological identification devices
4. Positive identification of all employees (e.g. identification card)
5. Verification of all items taken into and out of the computer room
6. Access controlled on a 24-hour basis including weekends (e.g. automatic control mechanism)
7. Locks, combinations, badge codes changed periodically

Area M
ACCESS CONTROL – VISITOR CONTROL
NO. DESCRIPTION YES NO N/A
1. Positive identification always required
2. Badges issued, controlled and returned on departure
3. All visits logged in and out
4. Visitors accompanied and observed at all times

Area M
ACCESS CONTROL – TERMINAL SECURITY
NO. DESCRIPTION YES NO N/A
1. All terminals located in secure areas.
2. Alarm system used to prevent microcomputers from being disconnected or moved from their location.
3. Sensitive applications, e.g. payroll, maintained on machines in a physically restricted area.
4. Terminal keys/locks used
5. Identification labels placed on each terminal
6. Passwords changed regularly

Area M
ACCESS CONTROL – GENERAL SECURITY
NO. DESCRIPTION YES NO N/A
1. Waste regularly removed from EDP area and sensitive data shredded.
2. Window and door alarm system.
3. Closed circuit television monitoring, i.e. CCTV cameras.
Area M
ACCESS CONTROL
RECOMMENDATIONS

•Clearance and requisition on any movement of the microcomputers, for proper documentation.

AUDIT RESULT
Area N
PERSONNEL POLICIES – MIS STAFF

Audit Objective - The controls provide reasonable assurance that transactions are properly processed by the computer and output (hard copy or other) is complete and accurate, and that calculated items have been accurately computed.

Area N
PERSONNEL POLICIES – MIS STAFF
NO. DESCRIPTION YES NO N/A
1. New employees recruited according to job description and job specification.
2. Employee identity cards issued.
3. Performance evaluation and regular counseling.
4. Continuing education program.
5. Training in security, privacy and recovery procedures.
6. All functions covered by cross training.
7. Critical jobs rotated periodically (e.g. operators, program maintenance).
8. Clean desk policy enforced.
9. Fidelity insurance for key personnel.
10. Contract service personnel vetted (e.g. cleaners).
Area N
PERSONNEL POLICIES – MIS STAFF
RECOMMENDATIONS

•Job rotation can only be applied on minor positions.

AUDIT RESULT
Area O
INSURANCE
Audit Objective - The controls provide reasonable assurance that
transactions are properly processed by the computer and output (hard copy or
other) is complete and accurate, and that calculated items have been
accurately computed.
Area O
INSURANCE
NO. DESCRIPTION YES NO N/A
1 Does adequate insurance exist to cover:
  = Equipment?
  = Software and documentation?
  = Storage media?
  = Replacement/re-creation cost?
  = Loss of data/assets (e.g. accounts receivable)?
  = Business loss or interruption (business-critical systems)?
2 Is adequate consideration given to cover additional cost of working and consequential losses?
Area O
INSURANCE
RECOMMENDATIONS
• None.
AUDIT RESULT
Area P
BACKUP AND PROCEDURES
Audit Objective - The controls provide reasonable assurance that
transactions are properly processed by the computer and output (hard copy or
other) is complete and accurate, and that calculated items have been
accurately computed.
Area P1
BACKUP AND PROCEDURES - EQUIPMENT
NO. DESCRIPTION YES NO N/A
1 Regular preventive maintenance.
2 Reliable manufacturer service; arrangements for back-up installation; formal written agreement.
3 Compatibility regularly checked.
4 Sufficient computer time available at back-up.
5 Testing at back-up regularly performed.
Area P2
BACKUP AND PROCEDURES – OUTSIDE SUPPLIERS
NO. DESCRIPTION YES NO N/A
1 Alternative sources of supply/maintenance/service available.
2 Adequate and secure documentation/back-up of data and programs.
3 Are backup copies of system documentation kept in a secure location?
Area P3
BACKUP AND PROCEDURES – OFFSITE STORAGE
NO. DESCRIPTION YES NO N/A
1 Secure separate location.
2 Adequate physical protection; log maintained of off-site materials.
3 Off-site inventory regularly reviewed.
4 File transportation under adequate physical protection.
5 Back-up files periodically tested.
Area P4
BACKUP AND PROCEDURES – DATA FILES
NO. DESCRIPTION YES NO N/A
1 File criticality and retention procedure regularly reviewed.
Area P5
BACKUP AND PROCEDURES - TAPE
NO. DESCRIPTION YES NO N/A
1 At least three generations of important tape files retained.
2 Copies of all updating transactions for the above retained.
3 At least one generation and all necessary updating transactions in off-site storage.
Area P6
BACKUP AND PROCEDURES – DISK
NO. DESCRIPTION YES NO N/A
1 Checkpoint/restart procedures provided for.
2 Audit trail (log file) of transactions updating on-line files (database) maintained.
3 Regular tape dumps of all disk files stored off-site.
4 Audit trail (log file) regularly dumped and stored off-site.
Area P7
BACKUP AND PROCEDURES - SOFTWARE
NO. DESCRIPTION YES NO N/A
1 Copies of the following maintained at off-site storage:
  = Production application programs
  = Major programs under development
  = System and program documentation
  = Operating procedures
  = Operation and system software
  = All copies regularly updated
  = Back-up copies regularly tested
Area P8
BACKUP AND PROCEDURES - OPERATION
NO. DESCRIPTION YES NO N/A
1 Back-up procedure manual.
2 Priority assignments for all applications; procedures for restoring data files and software.
3 Procedures for back-up installation.
4 Audit trail (log file) regularly dumped and stored off-site.
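Three of the Area P items above are things an auditor can check mechanically rather than by interview: that at least three generations of a backup are retained (P5.1), and that backup copies are periodically tested (P3.5, P7). The script below is an added example, not code from PICTO or from this audit. It assumes backups are plain files named <base>.<YYYYMMDD>.bak in one directory and that a manifest.json beside them records each file's SHA-256 when it was taken; both conventions are assumptions made for the example. Rotation keeps the newest three generations per base name, and verification rehashes every surviving copy against the manifest, which is the cheapest form of restore test that catches silent media corruption.

```python
"""Generation retention and restore verification for the Area P checklist.

Added example, not code from PICTO or the audit. Assumed conventions:
backups are <base>.<YYYYMMDD>.bak in one directory, with a manifest.json
beside them holding each file's SHA-256 at the time it was taken."""
import hashlib
import json
import os
import re
import tempfile

GENERATIONS = 3  # checklist P5.1: at least three generations retained
_NAME_RE = re.compile(r"^(?P<base>.+)\.(?P<date>\d{8})\.bak$")


def sha256_file(path):
    """Stream the file through SHA-256 so large dumps need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest_path(backup_dir):
    return os.path.join(backup_dir, "manifest.json")


def _load_manifest(backup_dir):
    if not os.path.exists(_manifest_path(backup_dir)):
        return {}
    with open(_manifest_path(backup_dir)) as f:
        return json.load(f)


def _save_manifest(backup_dir, manifest):
    with open(_manifest_path(backup_dir), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def take_backup(src_path, backup_dir, date):
    """Copy src_path to <base>.<date>.bak and record its hash in the manifest."""
    name = f"{os.path.basename(src_path)}.{date}.bak"
    dst = os.path.join(backup_dir, name)
    with open(src_path, "rb") as s, open(dst, "wb") as d:
        d.write(s.read())
    manifest = _load_manifest(backup_dir)
    manifest[name] = sha256_file(dst)
    _save_manifest(backup_dir, manifest)
    return dst


def rotate(backup_dir, generations=GENERATIONS):
    """Keep the newest `generations` backups of each base name; return names removed."""
    by_base = {}
    for name in os.listdir(backup_dir):
        m = _NAME_RE.match(name)
        if m:
            by_base.setdefault(m["base"], []).append((m["date"], name))
    manifest = _load_manifest(backup_dir)
    removed = []
    for items in by_base.values():
        items.sort(reverse=True)  # YYYYMMDD sorts lexically, so newest first
        for _, name in items[generations:]:
            os.remove(os.path.join(backup_dir, name))
            manifest.pop(name, None)
            removed.append(name)
    _save_manifest(backup_dir, manifest)
    return sorted(removed)


def verify(backup_dir):
    """Restore test (P3.5, P7): rehash every backup and compare with the manifest.
    Returns {name: bool}; a missing or altered file is False."""
    results = {}
    for name, expected in _load_manifest(backup_dir).items():
        path = os.path.join(backup_dir, name)
        results[name] = os.path.exists(path) and sha256_file(path) == expected
    return results


def demo():
    """Constructed run: four daily backups of one file, rotate to three
    generations, verify, then simulate corruption of the oldest surviving copy."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "payroll.db")
        bdir = os.path.join(work, "backups")
        os.mkdir(bdir)
        for day in ("20160101", "20160102", "20160103", "20160104"):
            with open(src, "wb") as f:
                f.write(b"constructed payroll data as of " + day.encode())
            take_backup(src, bdir, day)
        removed = rotate(bdir)
        ok_before = verify(bdir)
        with open(os.path.join(bdir, "payroll.db.20160102.bak"), "ab") as f:
            f.write(b"\x00")  # one extra byte on the medium, invisible to a file listing
        ok_after = verify(bdir)
        return removed, ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

Hash verification only proves the copy is byte-identical to what was written; a full restore test (P1.5, "testing at back-up regularly performed") still has to load the copy into the application and run it, which this script deliberately does not replace.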
Area P
BACKUP AND PROCEDURES
RECOMMENDATIONS
• Continue to seek further improvement in the institution's backup procedures.
AUDIT RESULT
Area Q
DISASTER RECOVERY PLAN
Audit Objective - The controls provide reasonable assurance that
transactions are properly processed by the computer and output (hard copy or
other) is complete and accurate, and that calculated items have been
accurately computed.
Area Q
DISASTER RECOVERY PLAN
NO. DESCRIPTION YES NO N/A
1 Is a comprehensive contingency plan developed, documented and periodically tested to ensure continuity in data processing services?
2 Does the contingency plan provide for recovery and extended processing of critical applications in the event of catastrophic disaster?
3 Has any business impact analysis been carried out by the company?
4 Are all recovery plans approved and tested to ensure their adequacy in the event of disaster?
5 Communicated to all management and personnel concerned.
6 Critical processing priorities identified (e.g. significant accounting applications).
7 Are disaster recovery teams established to support the disaster recovery plan?
8 Are the responsibilities of individuals within the disaster recovery team defined, and time allocated for completion of their tasks?
9 Operations procedures for use of equipment and software back-up.
10 Has the company developed and implemented adequate plan maintenance procedures?
11 Are priorities set for the development of critical systems?
12 Does a hardware maintenance contract exist with a reputable supplier?
13 Does the recovery plan ensure, in the event of failure:
  = No loss of data received but not processed
  = No reprocessing of data already processed
  = Files not corrupted by partially completed processing
14 Are recovery plans regularly tested?
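Item 13 names the three properties a recovery procedure has to guarantee, and Area P6 (checkpoint/restart procedures, audit trail of transactions updating on-line files) names the mechanism that delivers them. The following is an added example, not code from PICTO or from this audit, of how the two fit together: transactions are written to a redo journal and fsynced before they are applied, so nothing received is lost; each carries a unique txid and the checkpoint records which ones are applied, so nothing is posted twice; the checkpoint is written to a temporary file and renamed into place, and a half-written journal record is cut off on restart, so a crash mid-write never leaves a corrupt file. The txid field, the JSON file formats and the "one account, one delta" transaction shape are assumptions made for the example.

```python
"""Checkpoint/restart with a redo journal (Area P6.1-2, Area Q item 13).

Added example, not code from PICTO or the audit. Assumptions: each transaction
carries a unique txid and is a balance delta on one account; the checkpoint
is a JSON file and the journal holds one JSON record per line."""
import json
import os
import tempfile


class Ledger:
    """Balances protected by a write-ahead journal and atomic checkpoints."""

    def __init__(self, work_dir):
        self.checkpoint_path = os.path.join(work_dir, "accounts.json")
        self.journal_path = os.path.join(work_dir, "journal.log")
        self.balances = {}
        self.applied = set()
        self._recover()

    def _recover(self):
        """Restart: load the last checkpoint, redo journaled txns not yet applied,
        and cut off a torn final record left by a crash in mid-write."""
        if os.path.exists(self.checkpoint_path):
            with open(self.checkpoint_path) as f:
                snap = json.load(f)
            self.balances = snap["balances"]
            self.applied = set(snap["applied"])
        if not os.path.exists(self.journal_path):
            return
        good_end = 0
        with open(self.journal_path, "rb") as f:
            for line in f:
                if not line.endswith(b"\n"):
                    break  # partial record: never durably received, the source must resend
                try:
                    txn = json.loads(line)
                except json.JSONDecodeError:
                    break
                self._apply(txn)
                good_end += len(line)
        with open(self.journal_path, "r+b") as f:
            f.truncate(good_end)

    def _apply(self, txn):
        if txn["txid"] in self.applied:
            return False  # already processed: no double-posting
        acct = txn["account"]
        self.balances[acct] = self.balances.get(acct, 0) + txn["delta"]
        self.applied.add(txn["txid"])
        return True

    def post(self, txn):
        """Journal first (fsync), then apply. Returns True only if newly applied."""
        if txn["txid"] in self.applied:
            return False
        with open(self.journal_path, "a") as f:
            f.write(json.dumps(txn) + "\n")
            f.flush()
            os.fsync(f.fileno())
        return self._apply(txn)

    def checkpoint(self):
        """Write balances and the applied set to a temp file and rename it into place,
        so a crash leaves either the old or the new checkpoint, never a half-written one."""
        tmp = self.checkpoint_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"balances": self.balances, "applied": sorted(self.applied)}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.checkpoint_path)
        # The journal is also the audit trail (P6.2); production would copy it
        # off-site (P6.4) before truncating. Here it is simply emptied.
        open(self.journal_path, "w").close()


def demo():
    """Constructed crash: checkpoint after T1-T2, T3 journaled and applied but not
    checkpointed, T4 torn in mid-write; then restart and resubmit the whole batch."""
    txns = [
        {"txid": "T1", "account": "A", "delta": 100},
        {"txid": "T2", "account": "B", "delta": 50},
        {"txid": "T3", "account": "A", "delta": -30},
        {"txid": "T4", "account": "B", "delta": 25},
    ]
    with tempfile.TemporaryDirectory() as work:
        led = Ledger(work)
        led.post(txns[0])
        led.post(txns[1])
        led.checkpoint()
        led.post(txns[2])
        with open(led.journal_path, "a") as f:
            f.write(json.dumps(txns[3])[:10])  # crash: half a record, no newline
        restarted = Ledger(work)
        after_restart = dict(restarted.balances)
        resubmit = [restarted.post(t) for t in txns]
        return after_restart, resubmit, dict(restarted.balances)


if __name__ == "__main__":
    print(demo())
```

After the simulated crash, restart recovers T3 from the journal (no loss of received data), the resubmitted T1 to T3 are rejected as duplicates (no reprocessing), and only T4, whose record was torn and therefore never received, is posted; the checkpoint file was never left half-written. The same three outcomes are what an auditor should ask to see demonstrated when testing item 14.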
Area Q
DISASTER RECOVERY PLAN
RECOMMENDATIONS
• There should be a disaster recovery team in charge of the planning and implementation of the disaster recovery plan.
THANK YOU!