PROVINCE OF CAVITE
PROVINCIAL ICT OFFICE
Jayson M. Victoriano
Harold R. Lucero
Manuel Luis Delos Santos
Khenilyn P. Lewis
Paquito G. Fernando
CAVITE
Provincial Information and Communications Technology Office
Vision
By 2016, the operations of the Provincial Government of Cavite shall be fully automated and centralized.
Mission
To provide fast, accurate, quality public service and
timely information.
Function
PICTO acts as the lead agency in the evaluation and implementation of Information and Communications Technology (ICT), and of other initiatives converging on ICT, in the province. The office also handles network and hardware administration and maintenance, providing technical support within and outside the Provincial Government. It also provides free, quality computer education in basic and advanced computer and information technology courses for all Caviteños, most particularly out-of-school youths.
Four Divisions
ADMINISTRATIVE DIVISION
AUDIT RESULT
Area A
ORGANIZATION AND ADMINISTRATION
Audit Procedure - Review the company organization chart and the data processing department organization chart.
NO. DESCRIPTION YES NO N/A
1 Is there a separate EDP department within the company?
2 Is there a steering committee where the duties and responsibilities for managing MIS are clearly defined?
3 Has the company developed an IT strategy linked with the long- and medium-term plans?
4 Is the EDP Department independent of the user departments, and in particular of the accounting department?
5 Are there written job descriptions for all jobs within the EDP department, and are these job descriptions communicated to the designated employees?
6 Are EDP personnel prohibited from having incompatible responsibilities or duties in user departments, and vice versa?
7 Are there written specifications for all jobs in the EDP Department?
8 Are the following functions within the EDP Department performed by separate sections?
= System Design
= Application Programming
= Computer Operations
= Database Administration
= System Programming
= Correction of Errors
10 Is all processing pre-scheduled and authorized by appropriate personnel?
11 Are there procedures to evaluate and establish who has access to the data in the database?
12 Are the EDP personnel adequately trained?
13 Are systems analysts and programmers denied access to the computer room and limited in their operation of the computer?
14 Are operators barred from making changes to programs and from creating or amending data before, during, or after processing?
15 Is the custody of assets restricted to personnel outside the EDP department?
16 Is a strategic data processing plan developed by the company for the achievement of the long-term business plan?
17 Are there any key personnel within the IT department whose absence could leave the company with limited expertise?
18 Are there any key personnel who are being over-relied upon?
19 Is an EDP audit carried out by internal audit or an external consultant to ensure compliance with the policies and controls established by management?
RECOMMENDATIONS
• It is recommended that the administrator and trusted personnel have the sole authority to make necessary changes to master files and to correct erroneous entries.
AUDIT RESULT
Area B
PROGRAM MAINTENANCE AND SYSTEM DEVELOPMENT
Audit Procedure - Review details of the program library structure, and note the controls which allow only authorized individuals to access each library.
NO. DESCRIPTION YES NO N/A
1 Are there written standards for program maintenance?
2 Are these standards adhered to and enforced?
3 Are these standards reviewed regularly and approved?
4 Are there procedures to ensure that all programs required for maintenance are kept in a separate program test library?
5 Are programmers denied access to all libraries other than the test library?
6 Are changes to programs initiated by written request from the user department and approved?
7 Are changes initiated by the Data Processing Department communicated to users and approved by them?
8 Are there adequate controls over the transfer of programs from production into the programmers' test library?
9 Are all systems developed, or changes to existing systems, tested according to user-approved test plans and standards?
10 Are tests performed for system acceptance, and are the test data documented?
11 Are transfers from the development library to the production library carried out by persons independent of the programmers?
12 Do procedures ensure that no such transfer can take place without the change having been properly tested and approved?
13 Is a report of program transfers into production reviewed on a daily basis by a senior official to ensure that only authorized transfers have been made?
14 Are all program changes properly documented?
15 Are all changed programs immediately backed up?
16 Is a copy of the previous version of the program retained?
17 Are there standards for emergency changes to be made to application programs?
18 Are there adequate controls over program recompilation?
19 Are all major amendments notified to Internal Audit for comment?
20 Are there adequate controls over the authorization, implementation, approval and documentation of changes to operating systems?
RECOMMENDATIONS
• As part of its quality policy and standards, the ICT council should formulate procedures for the maintenance of systems and programs.
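The daily review of program transfers that items 11 to 13 of this area call for can be made mechanical. The script below is an added example, not part of the PICTO audit or of any tool the office uses: it fingerprints each program in the production library with SHA-256, reconciles it against the list of tested and approved transfers, and flags the cases a senior official should question, including a transfer performed by the programmer who wrote the change. The program names, program contents, programmer and operator names are constructed.

```python
"""Daily program-transfer report for Area B (items 11 to 13): fingerprint the
production library and reconcile it against the tested, approved transfers.
Added example, not PICTO's own procedure. Program names, contents, approvers
and hashes are constructed sample data."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovedTransfer:
    program: str
    sha256: str          # digest of the version that passed user-approved testing
    programmer: str      # who wrote the change
    transferred_by: str  # who moved it to production; must not be the programmer


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def transfer_report(production: dict[str, bytes],
                    approved: list[ApprovedTransfer]) -> dict[str, list[str]]:
    """Compare the production library (name -> program bytes) with the approved
    transfers. Findings:
      unauthorized             in production with no approved transfer at all
      modified_after_approval  in production, but not the hash that was tested
      not_transferred          approved but absent from production
      sod_violation            transfer done by the programmer (items 11, 12)"""
    approved_by_name = {a.program: a for a in approved}
    findings: dict[str, list[str]] = {"unauthorized": [], "modified_after_approval": [],
                                      "not_transferred": [], "sod_violation": []}
    for name, content in sorted(production.items()):
        entry = approved_by_name.get(name)
        if entry is None:
            findings["unauthorized"].append(name)
        elif sha256_hex(content) != entry.sha256:
            findings["modified_after_approval"].append(name)
    for entry in approved:
        if entry.program not in production:
            findings["not_transferred"].append(entry.program)
        if entry.transferred_by == entry.programmer:
            findings["sod_violation"].append(entry.program)
    return findings


def report_is_clean(findings: dict[str, list[str]]) -> bool:
    return not any(findings.values())


def sample_report() -> dict[str, list[str]]:
    """Constructed day: one clean transfer, one program patched after testing,
    one unapproved utility, and one approved change moved by its own programmer."""
    payroll_v7 = b"PAYROLL v7: computes net pay"
    glpost_v3 = b"GLPOST v3: posts journal batches"
    ar_aging_v2 = b"ARAGING v2: aged receivables"
    approved = [
        ApprovedTransfer("PAYROLL", sha256_hex(payroll_v7), "dev1", "ops1"),
        ApprovedTransfer("GLPOST", sha256_hex(glpost_v3), "dev2", "ops1"),
        ApprovedTransfer("ARAGING", sha256_hex(ar_aging_v2), "dev2", "dev2"),
    ]
    production = {
        "PAYROLL": payroll_v7,
        "GLPOST": glpost_v3 + b" + untested hotfix",
        "DBUTIL": b"raw disk patch utility",   # never went through the test library
    }
    return transfer_report(production, approved)


if __name__ == "__main__":
    for kind, programs in sample_report().items():
        print(f"{kind}: {', '.join(programs) or '-'}")
```

The report is only as good as the list of approved hashes, so that list must be written by the people who ran the acceptance tests (item 10) and kept where programmers cannot edit it (item 5).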
AUDIT RESULT
Area C
SYSTEM DEVELOPMENT
Audit Procedure - Review details of the program library structure, and note the controls which allow only authorized individuals to access each library.
NO. DESCRIPTION YES NO N/A
1 Are there formalized standards for the system development life cycle procedure?
2 Do they require authorization at the various stages of development: feasibility study, system specification, testing, parallel running, post-implementation review, etc.?
3 Do the standards provide a framework for the development of controlled applications?
4 Are standards regularly reviewed and updated?
AUDIT RESULT
Area D
PURCHASED SOFTWARE
NO. DESCRIPTION YES NO N/A
1 Are there procedures addressing controls over the selection, testing and acceptance of packaged software?
2 Is adequate documentation maintained for all software purchased?
3 Are vendor warranties (if any) still in force?
4 Is the purchased software held in escrow?
RECOMMENDATIONS
• The EDP department should test software before it is purchased.
• The purchased software should be in the custody of the institution and not with the vendor.
AUDIT RESULT
Area E
ACCESS TO DATA FILES
Audit Objective - Is access to data files restricted to authorized users and programs?
NO. DESCRIPTION YES NO N/A
1 Is there a formal written data security policy? Consider whether the policy addresses data ownership, confidentiality of information, and the use of passwords.
2 Is the security policy communicated to individuals in the organization?
3 Is physical access to off-line data files controlled in:
= Computer room?
= On-site library?
= Off-site library?
4 Does the company employ a full-time librarian who is independent of the operators and programmers?
5 Are libraries locked during the absence of the librarian?
6 Are requests for on-line access to off-line files approved?
7 Are requests checked against the actual files issued and initialed by the librarian?
8 Are sensitive applications, e.g. payroll, maintained on machines in physically restricted areas?
9 Are encryption techniques used to protect against unauthorized disclosure or undetected modification of sensitive data?
10 Are returns followed up, and non-returns investigated and adequately documented?
RECOMMENDATIONS
AUDIT RESULT
Area F
COMPUTER PROCESSING
NO. DESCRIPTION YES NO N/A
1 Does a scheduling system exist for the execution of programs?
2 Are non-scheduled jobs approved prior to being run?
3 Is the use of utility programs controlled (in particular those that can change executable code or data)?
4 Are program tests restricted to copies of live files?
5 Is access to the computer room restricted to authorized personnel only?
6 Are internal and external labels used on files?
AUDIT RESULT
Area G
ACCESS CONTROL
NO. DESCRIPTION YES NO N/A
1 Is a proper password syntax in force, i.e. minimum 5 and maximum 8 characters, including alphanumeric characters?
2 Are there satisfactory procedures for reissuing passwords to users who have forgotten theirs?
3 Are procedures in place to ensure that terminated employees' passwords are removed?
4 Are system access capabilities properly changed when personnel status changes?
5 Are individual job responsibilities considered when granting users access privileges?
6 Is each user allocated a unique password and user account?
7 Are there procedures in place to ensure a forced change of password every 30 days?
8 Are application-level security violations logged?
9 Do standards and procedures exist for the follow-up of security violations?
10 Do formal and documented procedures exist for the use and monitoring of the dial-up access facility?
11 Is use made of passwords to restrict access to specific files?
12 Do terminals automatically log off after a set period of time?
13 Is there a limit on the number of invalid passwords before the terminal closes down?
14 Are there any administrative regulations limiting physical access to terminals?
15 Are invalid password attempts reported to user department managers?
16 Are restrictions placed on which applications terminals can access?
17 Are keys, locks, cards or other physical devices used to restrict access to authorized users only?
RECOMMENDATIONS
• Logs should be kept of every login, whether or not the user commits a security violation, for tighter security and control.
• The system should allow a maximum of three invalid login attempts. Once the user has exhausted these attempts, the account will be locked and will require the system administrator to reactivate it.
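To make the Area G items and the two recommendations concrete, here is an added example (not PICTO code) of the account and session logic they describe: a unique account per user, the password syntax rule, forced change after 30 days, automatic log-off after an idle period, lockout after three invalid passwords, reactivation restricted to a system administrator, and a log entry for every attempt, successful or not. User names, passwords, the 15-minute idle timeout and the timestamps are assumptions made for the example. One caveat a practitioner would add: the 5 to 8 character rule and the 30-day rotation are the checklist's own; NIST SP 800-63B now recommends a minimum of 8 characters, a maximum of at least 64 and no routine expiry, so the limits below are parameters to tighten rather than values to copy.

```python
"""Access-control model for Area G: unique accounts (item 6), password syntax
(item 1), forced change after 30 days (item 7), idle log-off (item 12),
lockout after a limited number of invalid passwords (item 13) with
administrator-only reactivation, and a log of every login attempt.
Added example, not PICTO code; users, passwords and times are constructed.
min_len, max_len and max_age_days reproduce the checklist's rule and should be
tightened in practice (NIST SP 800-63B: minimum 8, no routine expiry)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

DAY = 24 * 3600
PBKDF2_ROUNDS = 50_000


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    pw_set_at: int            # epoch seconds
    failed: int = 0
    locked: bool = False
    last_seen: int | None = None


@dataclass
class AccessControl:
    admins: set[str]
    min_len: int = 5
    max_len: int = 8
    max_attempts: int = 3
    max_age_days: int = 30
    idle_timeout: int = 15 * 60      # assumed; the checklist only asks that one exist
    accounts: dict[str, Account] = field(default_factory=dict)
    log: list[tuple[int, str, str]] = field(default_factory=list)

    def password_ok(self, pw: str) -> bool:
        return (self.min_len <= len(pw) <= self.max_len
                and any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw))

    @staticmethod
    def _hash(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

    def _record(self, now: int, user: str, outcome: str) -> str:
        self.log.append((now, user, outcome))   # every attempt, good or bad
        return outcome

    def create_account(self, user: str, pw: str, now: int) -> None:
        if user in self.accounts:
            raise ValueError("user account already allocated")
        if not self.password_ok(pw):
            raise ValueError("password does not meet the syntax rule")
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, self._hash(pw, salt), now)

    def login(self, user: str, pw: str, now: int) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return self._record(now, user, "NO_SUCH_USER")
        if acct.locked:
            return self._record(now, user, "LOCKED")
        if not hmac.compare_digest(self._hash(pw, acct.salt), acct.pw_hash):
            acct.failed += 1
            if acct.failed >= self.max_attempts:
                acct.locked = True                  # third bad password locks the account
                return self._record(now, user, "LOCKED")
            return self._record(now, user, "BAD_PASSWORD")
        acct.failed = 0
        if now - acct.pw_set_at >= self.max_age_days * DAY:
            return self._record(now, user, "PASSWORD_EXPIRED")
        acct.last_seen = now
        return self._record(now, user, "OK")

    def session_active(self, user: str, now: int) -> bool:
        """Item 12: a terminal idle past the timeout is logged off."""
        acct = self.accounts.get(user)
        if acct is None or acct.last_seen is None:
            return False
        if now - acct.last_seen > self.idle_timeout:
            acct.last_seen = None
            self._record(now, user, "AUTO_LOGOFF")
            return False
        return True

    def reactivate(self, admin: str, user: str, now: int) -> None:
        if admin not in self.admins:
            self._record(now, admin, "UNAUTHORIZED_REACTIVATE")
            raise PermissionError("only a system administrator may reactivate an account")
        self.accounts[user].locked = False
        self.accounts[user].failed = 0
        self._record(now, user, "REACTIVATED_BY_" + admin)

    def invalid_attempt_report(self) -> list[tuple[int, str, str]]:
        """Item 15: the entries to report to the user-department manager."""
        bad = {"BAD_PASSWORD", "LOCKED", "NO_SUCH_USER", "UNAUTHORIZED_REACTIVATE"}
        return [e for e in self.log if e[2] in bad]
```

A failed login against a non-existent user is logged under the name that was typed, so a sweep of guessed account names shows up in the same report as bad passwords.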
AUDIT RESULT
Area H
APPLICATION CONTROLS - INPUT
Audit Objective - Do controls provide reasonable assurance that, for each transaction type, input is authorized, complete and accurate, and that errors are promptly corrected?
NO. DESCRIPTION YES NO N/A
1 Are all transactions properly authorized before being processed by computer?
2 Are all batches of transactions authorized?
3 Do controls ensure that unauthorized batches or transactions are prevented from being accepted, i.e. that they are detected?
4 Is significant standing data input verified against the master file?
5 Is maximum use made of edit checking, e.g. check digits, range and feasibility checks, limit tests, etc.?
6 Are there procedures to ensure all vouchers have been processed, e.g. batch totals, document counts, sequence reports, etc.?
7 Are there procedures established to ensure that transactions or batches are not lost, duplicated or improperly changed?
8 Are all errors reported for checking and correction?
9 Are errors returned to the user department for correction?
10 Do procedures ensure these are resubmitted for processing?
11 Is an error log maintained and reviewed to identify recurring errors?
12 Are persons responsible for data preparation and data entry independent of the output checking and balancing process?
13 Are persons responsible for data entry prevented from amending master file data?
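Items 4 to 7 name the edit checks and batch controls without showing them. The added example below (not from the audit document) applies them to one constructed batch of vouchers: a check digit on account numbers (the mod-10 Luhn scheme, chosen here because the checklist names none), limit and authorization checks per voucher, a sequence check for gaps and duplicates, and document count, value total and hash total for the batch, producing the error log that items 8 to 11 expect to go back to the user department. Account numbers, voucher numbers, names and the amount limit are constructed.

```python
"""Input application controls for Area H: check digit on account numbers,
limit and authorization checks per voucher, sequence check on voucher numbers,
and batch control totals (document count, value total, hash total), producing
the error log that goes back to the user department.
Added example, not from the PICTO document. The check-digit scheme is mod-10
Luhn, an assumption (the checklist names none); vouchers, accounts, names and
the amount limit are constructed."""
from __future__ import annotations

from dataclasses import dataclass


def luhn_check_digit(body: str) -> str:
    """Mod-10 check digit; doubling starts at the rightmost body digit."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


@dataclass(frozen=True)
class Voucher:
    number: int          # pre-numbered; gaps and duplicates are errors
    account: str         # account number ending in its check digit
    amount: int          # centavos
    authorized_by: str


@dataclass(frozen=True)
class BatchHeader:
    document_count: int
    value_total: int     # sum of amounts as added up by the user department
    hash_total: int      # sum of account numbers: meaningless as a value, but it
    approved_by: str     # catches a substituted or mis-keyed account number


def validate_batch(header: BatchHeader, vouchers: list[Voucher],
                   amount_limit: int, authorizers: set[str]) -> list[str]:
    """Error log for the batch; an empty list means the batch is accepted."""
    errors: list[str] = []
    if header.approved_by not in authorizers:                                  # item 2
        errors.append(f"batch: approver {header.approved_by} is not an authorizer")
    for v in vouchers:                                                         # items 1, 4, 5
        if not luhn_valid(v.account):
            errors.append(f"voucher {v.number}: account {v.account} fails check digit")
        if not 0 < v.amount <= amount_limit:
            errors.append(f"voucher {v.number}: amount {v.amount} outside limit 1..{amount_limit}")
        if v.authorized_by not in authorizers:
            errors.append(f"voucher {v.number}: authorized by {v.authorized_by}, not an authorizer")
    numbers = [v.number for v in vouchers]                                     # items 6, 7
    for n in sorted({n for n in numbers if numbers.count(n) > 1}):
        errors.append(f"voucher {n}: duplicate voucher number")
    if numbers:
        for n in sorted(set(range(min(numbers), max(numbers) + 1)) - set(numbers)):
            errors.append(f"voucher {n}: missing from sequence")
    if len(vouchers) != header.document_count:
        errors.append(f"batch: document count {len(vouchers)} != header {header.document_count}")
    value = sum(v.amount for v in vouchers)
    if value != header.value_total:
        errors.append(f"batch: value total {value} != header {header.value_total}")
    hash_total = sum(int(v.account) for v in vouchers)
    if hash_total != header.hash_total:
        errors.append(f"batch: hash total {hash_total} != header {header.hash_total}")
    return errors


AUTHORIZERS = {"jdelacruz", "msantos"}
AMOUNT_LIMIT = 1_000_000  # centavos (PHP 10,000) per voucher; assumed limit


def sample_batch() -> tuple[BatchHeader, list[Voucher]]:
    """Constructed batch with deliberate defects: a mis-keyed check digit, a
    duplicate voucher number, an over-limit amount, an unauthorized voucher,
    a gap in the sequence, and a value total that does not agree."""
    acct_a = "110001" + luhn_check_digit("110001")
    acct_b = "210003" + luhn_check_digit("210003")
    bad_acct = acct_a[:-1] + str((int(acct_a[-1]) + 1) % 10)   # check digit off by one
    vouchers = [
        Voucher(2001, acct_a, 150_000, "jdelacruz"),
        Voucher(2002, bad_acct, 80_000, "jdelacruz"),
        Voucher(2002, acct_b, 1_200_000, "msantos"),
        Voucher(2004, acct_a, 50_000, "intern7"),
    ]
    header = BatchHeader(document_count=4,
                         value_total=sum(v.amount for v in vouchers) - 50_000,
                         hash_total=sum(int(v.account) for v in vouchers),
                         approved_by="msantos")
    return header, vouchers


def sample_errors() -> list[str]:
    header, vouchers = sample_batch()
    return validate_batch(header, vouchers, AMOUNT_LIMIT, AUTHORIZERS)
```

The whole batch is rejected when any check fails; the error lines are what the data-entry clerk hands back to the user department (item 9), and keeping them (item 11) is what lets a recurring mis-keyed account be spotted.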
RECOMMENDATIONS
AUDIT RESULT
Area I
OUTPUT AND PROCESSING
Audit Objective - Do the controls provide reasonable assurance that transactions are properly processed by the computer, that output (hard copy or other) is complete and accurate, and that calculated items have been accurately computed?
AUDIT RESULT
Area J
VIRUSES
AUDIT RESULT
Area K
INTERNET
AUDIT RESULT
Area L
CONTINUITY OF OPERATIONS
Physical Protection
AUDIT RESULT
Area M
ACCESS CONTROL
AUDIT RESULT
Area N
PERSONNEL POLICIES – MIS STAFF
Audit Objective -The controls provide reasonable assurance that
transactions are properly processed by the computer and output (hard copy or
other) is complete and accurate, and that calculated items have been
accurately computed:
Area N
PERSONNEL POLICIES – MIS STAFF
NO. DESCRIPTION YES NO N/A
New employees recruited according to job description and
1
job specification.
2Employee identity cards issued.
3 Performance evaluation and regular counseling.
4Continuing education program.
5Training in security, privacy and recovery procedures.
6All functions covered by cross training.
Critical jobs rotated periodically (e.g. operators, program
7
maintenance).
8Clean desk policy enforced.
9Fidelity insurance for key personnel.
10Contract service personnel vetted (e.g. cleaners)
Area N
PERSONNEL POLICIES – MIS STAFF
RECOMMENDATIONS
AUDIT RESULT
Area O
INSURANCE
NO. DESCRIPTION YES NO N/A
1 Does adequate insurance exist to cover:
= Equipment?
= Software and documentation?
= Storage media?
= Replacement/re-creation cost?
= Loss of data/assets (e.g. accounts receivable)?
= Business loss or interruption (business-critical systems)?
2 Is adequate consideration given to cover additional cost of working and consequential losses?
RECOMMENDATIONS
• --
AUDIT RESULT
Area P
BACKUP AND PROCEDURES
Area P1
BACKUP AND PROCEDURES - EQUIPMENT
NO. DESCRIPTION YES NO N/A
1 Regular preventive maintenance
2 Reliable manufacturer service; arrangements for back-up installation; formal written agreement
3 Compatibility regularly checked
4 Sufficient computer time available at back-up
5 Testing at back-up regularly performed
Area P2
BACKUP AND PROCEDURES – OUTSIDE SUPPLIERS
NO. DESCRIPTION YES NO N/A
1 Alternative sources of supply/maintenance/service available
2 Adequate and secure documentation/back-up of data and programs
3 Are backup copies of system documentation kept in a secure location?
Area P3
BACKUP AND PROCEDURES – OFFSITE STORAGE
NO. DESCRIPTION YES NO N/A
1 Secure separate location
2 Adequate physical protection; log maintained of off-site materials
3 Off-site inventory regularly reviewed
4 File transportation under adequate physical protection
5 Back-up files periodically tested
Area P4
BACKUP AND PROCEDURES – DATA FILES
NO. DESCRIPTION YES NO N/A
1 File criticality and retention procedure regularly reviewed
Area P5
BACKUP AND PROCEDURES - TAPE
NO. DESCRIPTION YES NO N/A
1 At least three generations of important tape files retained
2 Copies of all updating transactions for the above retained
3 At least one generation and all necessary updating transactions in off-site storage
Area P6
BACKUP AND PROCEDURES - DISK
NO. DESCRIPTION YES NO N/A
1 Checkpoint/restart procedures provided for
2 Audit trail (log file) of transactions updating on-line files (database) maintained
3 Regular tape dumps of all disk files stored off-site
4 Audit trail (log file) regularly dumped and stored off-site
Area P7
BACKUP AND PROCEDURES - SOFTWARE
NO. DESCRIPTION YES NO N/A
1 Copies of the following maintained at off-site storage:
= Production application programs
= Major programs under development
= System and program documentation
= Operating procedures
= Operating and system software
= All copies regularly updated
= Back-up copies regularly tested
Area P8
BACKUP AND PROCEDURES - OPERATION
NO. DESCRIPTION YES NO N/A
1 Back-up procedure manual
2 Priority assignments for all applications; procedures for restoring data files and software
3 Procedures for back-up installation
4 Audit trail (log file) regularly dumped and stored off-site
RECOMMENDATIONS
AUDIT RESULT
Area Q
DISASTER RECOVERY PLAN
NO. DESCRIPTION YES NO N/A
1 Is a comprehensive contingency plan developed, documented and periodically tested to ensure continuity in data processing services?
2 Does the contingency plan provide for recovery and extended processing of critical applications in the event of a catastrophic disaster?
3 Has a Business Impact Analysis been carried out by the company?
4 Are all recovery plans approved and tested to ensure their adequacy in the event of a disaster?
5 Communicated to all management and personnel concerned
6 Critical processing priorities identified (e.g. significant accounting applications)
7 Are disaster recovery teams established to support the disaster recovery plan?
8 Are the responsibilities of individuals within the disaster recovery team defined, and is time allocated for completion of their tasks?
9 Operations procedures for use of equipment and software back-up
10 Has the company developed and implemented adequate plan maintenance procedures?
11 Are priorities set for the development of critical systems?
12 Does a hardware maintenance contract exist with a reputable supplier?
13 Does the recovery plan ensure, in the event of failure:
= No loss of data received but not processed
= No reprocessing of data already processed
= Files not corrupted by partially completed processing
14 Are recovery plans regularly tested?
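Item 13 above and items 1 and 2 of Area P6 describe the same mechanism from two sides: a checkpoint plus an audit trail of every transaction that updated the on-line file. The added example below (not from the PICTO document) shows one way to obtain the three guarantees of item 13: an append-only trail that is synced before each update, a master file that is replaced atomically rather than rewritten in place, and a sequence number that exposes any transaction received but not processed as a gap instead of losing it silently. A torn final trail record, as left by a crash mid-append, is detected and cut off on restart. File names, accounts and transactions are constructed.

```python
"""Checkpoint/restart with a transaction audit trail (Area P6 items 1-2 and
Area Q item 13): after a failure, data received but not processed shows up as
a sequence gap, processed transactions are not reapplied, and the master file
is never left half-written.
Added example, not from the PICTO document; file names, accounts and
transactions are constructed."""
from __future__ import annotations

import json
import os
import tempfile


def atomic_write(path: str, text: str) -> None:
    """Temp file in the same directory, fsync, rename: old file or new, never torn."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(text)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)


def trail_path(workdir: str) -> str:
    return os.path.join(workdir, "audit_trail.log")


def read_trail(path: str) -> list[dict]:
    """Records in the append-only trail; a torn final line (crash mid-append)
    is dropped and the file truncated back to its last complete record."""
    if not os.path.exists(path):
        return []
    with open(path, "rb") as f:
        data = f.read()
    complete, nl, torn = data.rpartition(b"\n")
    if torn:
        with open(path, "r+b") as f:
            f.truncate(len(complete) + len(nl))
    return [json.loads(line) for line in complete.splitlines() if line]


class Ledger:
    def __init__(self, workdir: str):
        self.snapshot_path = os.path.join(workdir, "master.json")  # the checkpoint
        self.trail_path = trail_path(workdir)                      # P6 item 2
        self.balances: dict[str, int] = {}
        self.last_seq = 0
        self.replayed = self.restart()

    def restart(self) -> int:
        """Load the last checkpoint, then replay trail records written after it."""
        self.balances, self.last_seq = {}, 0
        if os.path.exists(self.snapshot_path):
            with open(self.snapshot_path) as f:
                snap = json.load(f)
            self.balances, self.last_seq = snap["balances"], snap["last_seq"]
        later = [r for r in read_trail(self.trail_path) if r["seq"] > self.last_seq]
        for rec in later:
            self._apply(rec)
        return len(later)

    def _apply(self, txn: dict) -> None:
        self.balances[txn["account"]] = self.balances.get(txn["account"], 0) + txn["amount"]
        self.last_seq = txn["seq"]

    def process(self, txn: dict) -> str:
        """Apply one transaction exactly once; the trail is synced before the
        in-memory update, so a crash after the append is repaired by replay."""
        if txn["seq"] <= self.last_seq:
            return "already processed"        # Q13: no reprocessing
        if txn["seq"] != self.last_seq + 1:
            return "sequence gap"             # Q13: received-but-unprocessed data is visible
        with open(self.trail_path, "a") as f:
            f.write(json.dumps(txn) + "\n")
            f.flush()
            os.fsync(f.fileno())
        self._apply(txn)
        return "applied"

    def checkpoint(self) -> None:
        atomic_write(self.snapshot_path,
                     json.dumps({"balances": self.balances, "last_seq": self.last_seq}))


def run_batch(ledger: Ledger, txns: list[dict], crash_after: int | None = None) -> list[str]:
    """Process a batch in order; crash_after simulates failure after that many applications."""
    outcomes: list[str] = []
    for txn in txns:
        outcomes.append(ledger.process(txn))
        if crash_after is not None and outcomes.count("applied") >= crash_after:
            raise RuntimeError("simulated crash mid-batch")
    return outcomes


SAMPLE_TXNS = [  # constructed daily batch: sequence number, voucher, account, centavos
    {"seq": 1, "id": "V-1001", "account": "1100", "amount": 50_000},
    {"seq": 2, "id": "V-1002", "account": "1100", "amount": -20_000},
    {"seq": 3, "id": "V-1003", "account": "2100", "amount": 75_000},
    {"seq": 4, "id": "V-1004", "account": "2100", "amount": -5_000},
    {"seq": 5, "id": "V-1005", "account": "1100", "amount": 10_000},
]


def simulate_torn_append(workdir: str) -> None:
    """Leave a half-written record, as a crash during the append would."""
    with open(trail_path(workdir), "a") as f:
        f.write('{"seq": 6, "id": "V-10')


def crash_and_recover() -> tuple[str, list[str], dict[str, int]]:
    """Apply three transactions, crash, restart, re-run the whole batch, checkpoint."""
    workdir = tempfile.mkdtemp(prefix="picto-ledger-")
    try:
        run_batch(Ledger(workdir), SAMPLE_TXNS, crash_after=3)
    except RuntimeError:
        pass
    ledger = Ledger(workdir)          # restart replays seq 1-3 from the trail
    outcomes = run_batch(ledger, SAMPLE_TXNS)
    ledger.checkpoint()
    return workdir, outcomes, dict(ledger.balances)
```

The trail file is what P6 items 2 and 4 ask to keep and dump off-site: together with the last checkpoint it reconstructs the master file to any point, which is also why the checkpoint must never be written in place.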
RECOMMENDATIONS