
Core IT Audit Program

By Jerome Bailey, 2014-11-13 13:37

    UC Core Audit Program

    Data Center Operations & OS Software

    I. Audit Approach

    As an element of the University’s core business functions, Data Center Operations will be audited every three years using a risk-based approach. IT Data Center Operations is usually responsible for the management, physical controls, and processing of production IT systems. The Data Center is also normally responsible for the installation and maintenance of the operating systems on the computers used to process production IT systems.

    The minimum requirements set forth in the “general overview and risk assessment” section below must be completed for the audit to qualify for core audit coverage. Following completion of the general overview and risk assessment, the auditor should use their professional judgment to select areas for additional focus and audit testing.

    II. General Overview and Risk Assessment (70 hrs 23%)

    The general overview will include interviews of department management and key personnel; evaluation of policies and procedures associated with business processes and mission; inventory of compliance requirements; consideration of key operational aspects; and an assessment of the information systems environment. Prior audits should be reviewed to determine impact, if any. During the overview, a general understanding of the management structure, compliance requirements, financial issues, daily and routine operations, and efficiency and effectiveness of the operation will be obtained (or updated).

    As needed, the general overview will incorporate the use of internal control questionnaires, process flowcharts, and the examination of how documents are handled for key processes.

    A. The following table summarizes audit objectives and corresponding high-level risks to be considered during the general overview.

    Audit Objective:

    Obtain an understanding of the significant processes and practices employed in implementing and supporting Data Center operations, specifically addressing the following components:

    • Management philosophy, operating style, and risk assessment practices, including:
        o Awareness of and compliance with applicable laws, regulations and policies
        o Planning and management of Data Center Operations financial resources
        o Efficient and effective operations
    • Organizational structure, governance, and delegations of authority and responsibility
    • Positions of accountability for financial and operational results
    • Process strengths (best practices), weaknesses, and mitigating controls

    Areas of Risk:

    • Data Center management systems may be ineffective and inefficient due to misalignment with their mission and incapable of meeting the business objectives
    • Organizational structure may be inappropriate for achieving business objectives
    • Lack of accountability could also lead to improper segregation of duties
    • Internal controls could be assessed as not reliable where process weaknesses are substantial
    • Information systems, applications, databases, and limited electronic interfaces may be inappropriate for achieving the business objectives
    • Operating systems may not be properly configured or maintained (patched), resulting in insecure systems

    97065767.doc, November 13, 2010, JDHJr Page 1 of 8

    B. The following procedures should be considered as part of the General Overview whenever the core audit is conducted.

    General Control Environment

    1. Interview the department director and key managers to identify and assess their philosophy and operating style, regular channels of communication, and risk assessment processes.

    2. Obtain the department’s organization chart, delegations of authority, and management reports.

    3. Interview select staff members to obtain the staff perspective. During all interviews, solicit input on concerns or areas of risk.

    4. Evaluate the adequacy of the organizational structure and reporting processes to assure proper accountability for the data center’s operations.

    5. If the organizational structure and various reporting processes do not appear adequate, consider alternative structures or reporting. Comparison to corresponding departments at other locations may provide value.

Business Processes

    6. For the Data Center, identify the key department activities and controls. Gain an understanding of the corresponding processes and positions of responsibility. The data center’s responsibilities usually include:

    a. Processing controls, including batch processing, the use of control totals, and input and output controls

    b. Security of the data center, including physical security and controls, and environmental controls

    c. System software operations, including the controls that separate system programming from application programming and database operations

    d. Administrative planning and support, including capacity planning, preventative maintenance, and insurance


    e. Backup and recovery processes, including routine backups and storage, and recovery planning and testing.

    7. For financial systems, such as the recharge system, identify positions with responsibility for initiating, reviewing, approving, and reconciling financial transactions. Gain an understanding of processes by examining flowcharts or narratives identifying process strengths, weaknesses, and mitigating controls.

    8. Evaluate processes for adequate separation of responsibilities or proper management review. Evaluate the adequacy of the processes to provide reasonable assurance that University/Lab resources are properly safeguarded.

    9. Evaluate the adequacy of the operations practices to provide for availability, integrity, and confidentiality of the University/Lab information resources.

    10. Develop detailed test objectives and procedures, and conduct detailed testing with specific test criteria.

Information Systems

    11. Interview department personnel to identify department information systems, including monitoring systems, escalation systems, command and control systems, notification systems, and any other systems used to process the data center’s information.

    12. Review systems documentation, logs, and other documentation, as needed, to gain an understanding of the data center’s information processes.

    13. Review management’s monitoring and supervision of the data center operations.

    14. Develop detailed test objectives and procedures, and conduct detailed testing with specific test criteria.

    C. Following completion of the general overview steps outlined above, a high-level risk assessment should be performed and documented in a standardized working paper (e.g., a risk and controls matrix). To the extent necessary, as determined by the auditor, this risk assessment may address aspects of other areas outlined below (financial reporting, compliance, operational efficiency and effectiveness; and information systems). In addition to the evaluations conducted in the general objectives section, the risk assessment should consider the following: annual expenditures; time since last review, recent audit findings; organizational change; regulatory requirements, etc.


    III. Financial (20 hrs 7%)

    A. The following table summarizes audit objectives and corresponding high-level risks regarding financial management processes.

    Audit Objective:

    Evaluate the adequacy of financial resources and appropriate financial planning consistent with the objectives of the Data Center. Include the following components:

    • Compliance with the budgeting and approval process for the funding of major equipment upgrades and replacement
    • Recharges for Data Center services are consistent and appropriate
    • Recharge rates are documented and approved
    • IT governance appropriate for adequate consideration of financial needs
    • Evaluate the cost benefit of lease vs. buy of capital assets
    • Evaluate the cost benefit of software purchases

    Areas of Risk:

    • Servers and IT equipment may be acquired that are inadequate for the needs of the Data Center’s customers
    • Acquisitions of IT equipment may be made that have not been through the budget and approval process
    • Funding shortages may prevent the Data Center from achieving its business objectives
    • Funding may be used to purchase resources that are inappropriate for the intended purposes
    • Purchase versus lease decisions may be flawed due to incorrect financial assumptions
    • IT governance may not provide adequate consideration of financial needs

    B. The following procedures should be considered as part of the financial review whenever the core audit is conducted.

    1. Identify all financial processes used by the department. Review recent financial reports or other operational financial information.

    2. Identify budgetary processes used by the department. Obtain and review recent budgetary reports.

    3. Document through spreadsheets, narratives, or flowcharts the budget and recharge costing practices (i.e., actual vs. standard costs; capitalization).

    4. Gain an understanding of the different methods used to monitor department funds and budget variances.

    5. Identify the processes for classifying costs as either direct charges or overhead charges. Gain an understanding of the overhead rate calculation and review process.

    6. Determine if the department is funded sufficiently to provide the services at an appropriate level.


    7. Determine if the financial processes used are appropriate to provide management both inside and outside the department with the proper information.

    IV. Compliance (60 hrs 20%)

    A. The following table summarizes audit objectives and corresponding high-level risks regarding compliance with policies and procedures, and regulatory requirements.

    Audit Objective:

    Evaluate compliance with the following requirements:

    • UCOP policies:
        o IS-3
        o IS-10
        o Other Business and Financial Bulletins and other University policies
        o Electronic Communications Policy
    • Applicable State and Federal laws and regulations, including:
        o FERPA
        o Gramm-Leach-Bliley (GLBA)
        o HIPAA
        o SB 1392

    Evaluate adequacy of and compliance with local policies, standards, and guidelines.

    Areas of Risk:

    • Non-compliance could result in fines, penalties, and sanctions
    • Poor security or poor performance from lack of adequate guidance or policy
    • Delegations of authority may be inappropriate
    • Non-compliance of local processes with University requirements may negatively impact reliability and security of the systems

    B. The following procedures should be considered as part of the Compliance review whenever the core audit is conducted.

    1. Obtain an understanding of all applicable state or federal regulations.

    2. Determine whether state or federal regulations apply to application development and review for compliance (e.g., HIPAA, FERPA, SB 1392, GLBA).

    3. Validate compliance with applicable state or federal regulations.

    4. Obtain an understanding of all applicable University Office of the President and Campus/Lab policies.

    5. Determine whether any University Office of the President and Campus/Lab policies apply to the application development process (e.g., IS-3, IS-10, etc.).

    6. Validate compliance with applicable University Office of the President and Campus/Lab policies.


    V. Operational Effectiveness and Efficiency (50 hrs 17%)

    A. The following table summarizes audit objectives and corresponding high-level risks regarding operational effectiveness and efficiency.

    Audit Objective:

    Evaluate the adequacy of operational effectiveness and efficiency consistent with the objectives of Data Center Management. Include the following components:

    • Appropriate investment in human resources and equipment
    • Adequacy of Data Center personnel skills and training
    • Self-evaluation and improvement process
    • Personnel management
    • Specialization of work, centralized vs. decentralized
    • Appropriate management of contracts
    • Software and equipment change review and approval processes
    • Patch vs. permanent fix for problems
    • Process for evaluating the need for new and/or upgraded hardware, software, and facilities

    Areas of Risk:

    • Operational effectiveness and efficiency could be compromised due to poor system performance
    • Lack of proper planning could allow a condition of inadequate capacity to develop
    • Self-evaluation and improvement processes may not be aligned with the directives of management
    • Service levels may not satisfy the needs/requirements of the Data Center and its customers
    • Paying more for services when less expensive alternatives are available

    B. The following procedures should be considered as part of the Operational Effectiveness and Efficiency review whenever the core audit is conducted.

    1. Evaluate the appropriateness of the mix of employees and contractors.

    2. Determine if, when contractors are used, adequate knowledge transfer is performed prior to termination of contracts.

    3. Evaluate the use of specialists/subject matter experts in areas where appropriate in-house expertise does not exist.

    4. Review relevant strategic plans to determine whether major system changes are planned.

    5. Evaluate the cost benefit of lease vs. buy of equipment.

    6. Determine if root cause analyses are performed for system problems. Evaluate whether only symptoms of problems are addressed or whether system fixes resolve the root of the problem.


    7. Review service level agreements for adequacy of coverage. Determine if historical performance has been adequate and in accordance with the service level agreement.

    8. Determine if timelines appear adequate to address new system objectives. Review any project plans to ensure data center milestones are identified and adequately budgeted for time and resources.

    VI. Information and Communication (100 hrs 33%)

    A. The following table summarizes audit objectives and corresponding high-level risks regarding daily and routine operations processes.

    Audit Objective:

    Evaluate the following routine operational activities regarding processing, daily applications and systems recovery, and system interface performance:

    • Logging, maintenance, and monitoring review of operational (daily computer processing) work
    • Output controls and distribution
    • Scheduling, preparing, and running assigned processes
    • Incident handling, escalation, and reporting as it pertains to recovery processes, hardware, software, or any operational failure
    • Work order process for assigning and monitoring non-operational work
    • Process to communicate hardware and software system updates and changes to management and users prior to implementation
    • Process to communicate any emergency hardware or software changes to management and users
    • Process to communicate the status of all systems to management and users

    Areas of Risk:

    • Development and implementation of daily processes for Data Center Operations may be inappropriate for achieving the management objectives
    • Recovery processes may be too complicated for operational purposes and, therefore, not used
    • Output may be inappropriately distributed, resulting in inefficiencies and possible compromise of sensitive data
    • Lack of proper traffic monitoring tools may not achieve the results originally intended
    • Lack of standard procedures for logging, maintenance, and review of operational reports, making the processes ineffective
    • Improperly defined backup procedures and standards may result in unrecoverable data
    • Non-operational work may not be done properly or on a timely basis
    • Management and users may be unprepared for system changes


    B. The following procedures should be considered as part of the Information and Communication review whenever the core audit is conducted:

    1. Evaluate the monitoring, logging, and maintenance of daily computer processing.

    2. Determine the controls and communication used to assure proper delivery of processed output. Give attention to any sensitive forms that are used, such as checks.

    3. Gain an understanding of the process to communicate system software and hardware changes to users and management. Evaluate the adequacy of the communication.

    4. Determine the procedure for escalating problems to appropriate levels of management. Review the documentation of recent problems that have been escalated and evaluate the timeliness and adequacy of the process.

    5. Determine if root cause analyses are performed for system problems. Evaluate whether only symptoms of problems are addressed or whether system fixes resolve the root of the problem.

    6. Review service level agreements for adequacy of coverage. Determine the process to communicate the status of the systems (uptime percentage) to users. Determine if the process to gather the status will likely provide accurate information. Determine if historical performance has been adequate and in accordance with the service level agreement.

    7. Identify the process to declare a disaster, including who must make that decision.

    8. Gain an understanding of how all data center staff receive information regarding a disaster and how they receive their instructions for any alternate processing locations to which they must report.

    9. Evaluate the systems programmers’ sources of information on fixes, patches, and other known causes of failure. Determine how they evaluate these repairs and the process to apply the fixes.
