
IT Core Audit Program

By Frank Dunn, 2014-11-13 14:39

    UC Core Audit Program

    Audit Program and Internal Control Questionnaire

    Disaster Recovery

    I. Audit Approach

    As an element of the University’s core business functions (payroll, financials, student, and medical), Disaster Recovery will be audited every three years using a risk-based approach. The minimum requirements set forth in the “general overview and risk assessment” section below must be completed for the audit to qualify for core audit coverage. Following completion of the general overview and risk assessment, the auditor will use professional judgment to select specific areas for additional focus and audit testing.

    Specifically, this audit will include consideration of:

    - Backup Procedures
    - Insurance Coverage
    - Restart/Recovery
    - Disaster Recovery Tests

    Note: The hours and percentages below are based on a 240-hour audit.

    II. General Overview and Risk Assessment (55 Hrs - 23%)

    For Campus, Medical Center, and Lab central network management, general overview procedures will include interviews of department management and key personnel; a review of available financial reports; evaluation of policies and procedures associated with business processes; inventory of compliance requirements; consideration of key operational aspects; and an assessment of the information systems environment. During the general overview, a detailed understanding of the management structure, significant financial and operational processes, compliance requirements, and information systems will be obtained (or updated).

    As needed, the general overview will incorporate the use of internal control questionnaires, process flowcharts, and the examination of how documents are handled for key processes.

     A. The following table summarizes audit objectives and corresponding high-level risks to be considered during the general overview.

    Audit Objective:

    - Obtain an understanding of significant processes and practices employed in developing, testing, and implementing business resumption plans, specifically addressing the following components:
      o Management philosophy, operating style, and risk assessment practices, including:
        - Awareness of and compliance with applicable laws, regulations and policies
        - Planning and management of disaster recovery financial resources
        - Efficient and effective operations
    - Determine if a business resumption plan exists and was developed using a sound methodology that includes the following elements:
      o Identification and prioritization of the activities that are essential to continue functioning.
      o The plan is based upon a business impact analysis that considers the impact of the loss of essential functions.
      o Operations managers and key employees participated in the development of the plan.
      o The plan identifies the resources that will likely be needed for recovery and the location of their availability.
      o The plan is simple and easily understood so that it will be effective when it is needed.
      o The plan is realistic in its assumptions.
    - Determine if information backup procedures are sufficient to allow for recovery of critical data.
    - Determine if a test plan exists and to what extent the business resumption plan has been tested.
    - Determine if financial resources have been made available to maintain the business resumption plan and keep it current.
    - Determine if the business resumption plan has the capacity to meet operating requirements.
    - Determine if the IT business resumption plan is a part of the overall disaster recovery plan.

    Areas of Risk:

    - Poor management communication regarding expectations (standards and policies) may result in inappropriate behavior.
    - The Disaster Recovery risk assessment processes may not identify and address key areas of risk.
    - Inadequate skill level or training to accomplish the necessary tasks.
    - Inadequate separation of responsibilities for activities may create opportunities for fraud, misuse and errors or omissions.
    - Processes and/or disaster recovery systems may not be well designed or implemented, and may not yield desired results, i.e., accuracy of information, operational efficiency and effectiveness, and compliance with relevant regulations, policies and procedures.
    - The business resumption plan will not meet the capacity needed for business operations.

    Reviewed by Doug Huff/LLNL 10/15/03

    B. The following procedures will be completed as part of the general overview whenever the core audit is conducted.

    General Control Environment

    1. For the department(s) responsible for the business recovery plan, disaster recovery plan, and emergency/crisis response plan, interview the department director and key managers to identify and assess their philosophy and operating style, regular channels of communication, and risk assessment processes.

    2. Obtain the department’s organization chart, delegations of authority, and management reports.

    3. Interview select staff members to obtain the staff perspective. During all interviews, solicit input on concerns or areas of risk.

    4. Evaluate the adequacy of the organizational structure and various reporting processes to provide reasonable assurance that accountability for programmatic and financial results is clearly demonstrated.

    5. If the organizational structure and various reporting processes do not appear adequate, consider alternative structures or reporting processes to provide additional assurance. Comparison to similar local departments, or corresponding departments at other locations, may provide value in this regard.

Business Processes

    6. Identify all key department activities. Gain an understanding of the corresponding business processes, and the positions with process responsibilities.

    7. For financial processes, document positions with responsibility for initiating, reviewing, approving, and reconciling financial transaction types. Document processes via flowcharts or narratives identifying process strengths, weaknesses, and mitigating controls.

    8. Evaluate processes for adequate separation of responsibilities. Evaluate the adequacy of the processes to provide reasonable assurance that University/Lab resources are properly safeguarded.

    9. Develop detailed test objectives and procedures, and conduct detailed transaction testing with specific test criteria. Consider whether statistical (versus judgmental) sampling would be appropriate for purposes of projecting on the population as a whole or for providing a confidence interval.

Information Systems


    10. Interview department personnel to identify all department information systems, including escalation systems, command and control systems, notification systems and other systems used to process information during a disaster.

    11. Obtain and review systems documentation, if available.

    12. Review the information flow, including flowcharts, narratives and interfaces with other systems. Consider a two-way test of data through the systems: from source document to final reports, and from reports back to the original source documents.

    13. Evaluate the adequacy of the information systems to provide for availability, integrity, and confidentiality of the University/Lab information resources.

    14. Develop detailed test objectives and procedures, and conduct detailed testing with specific test criteria.

     C. Following completion of the general overview steps outlined above, a high-level risk assessment should be performed and documented in a standardized working paper (e.g., a risk and controls matrix). To the extent necessary, as determined by the auditor, this risk assessment may address aspects of the other areas outlined below (financial reporting, compliance, operational efficiency and effectiveness, and information systems). In addition to the evaluations conducted in the general objectives section, the risk assessment should consider the following: annual expenditures; time since last review; recent audit findings; organizational change; regulatory requirements; etc.

    III. Financial (17 Hrs - 7%)

    A. The following table summarizes audit objectives and corresponding high-level risks regarding financial network management processes.

    Audit Objective:

    Evaluate the adequacy of financial resources, and appropriate financial planning consistent with the objectives of Disaster Recovery Management. Include the following components:

    - Appropriate level of investment in recovery planning (hot site vs. cold site)
    - Appropriate investment in capital equipment
    - Appropriate investment in human resources
    - Appropriate management of contracts
    - Appropriate data backup facilities
    - Appropriate insurance coverage
    - A process to capture required financial information

    Areas of Risk:

    - Processes may not adequately align resources with key business objectives
    - Poor systems performance
    - Inadequate capacity
    - Inefficient use of resources
    - Inadequate funding of key positions
    - Budget variances not adequately monitored and evaluated may result in department budget overdrafts, or project cost overruns.
    - Improper classification of costs may cause regulatory compliance concerns (A-21, cost accounting standards).
    - Recharge methodologies and overhead rate calculations may not provide adequate funding for a continued level of service.
    - Does IT governance provide adequate consideration of financial needs?

    Reviewed by Doug Huff/LLNL 10/15/03

     B. The following procedures should be considered whenever the core audit is conducted.

    1. Identify all financial reporting methods in use by the department for departmental activities. Obtain and review copies of recent financial reports.

    2. Identify all budgetary reporting methods in use by the department. Obtain and review copies of recent budgetary reports.

    3. Document through spreadsheets, narratives, or flowcharts the budget processes and costing practices (i.e., actual vs. standard costs; capitalization).

    4. Gain an understanding of the different methods implemented to monitor department, fund, and project budget variances. Validate on a test basis.

    5. Interview department staff to document the process of classifying costs as either direct charges or overhead charges. Gain an understanding of the overhead rate calculation and review process. Validate on a test basis.

    6. On a test basis, evaluate the accuracy and reliability of financial reporting. Conduct detailed testing as needed to determine the impact of financial reporting issues.


    IV. Compliance (48 Hrs - 20%)

    A. The following table summarizes audit objectives and corresponding high-level risks regarding compliance with policies and procedures, and regulatory requirements.

    Audit Objective:

    Evaluate compliance with the following requirements:

    - UCOP Policies:
      o IS3
      o IS10
      o Other Business and Finance Bulletins and other University policies
      o Electronic communications policy
    - Applicable State and Federal laws and regulations, including:
      o HIPAA
      o FERPA
      o SB 1386
      o FEMA
      o GLBA
      o SEMS

    Evaluate adequacy of, and compliance with, local policies, standards and guidelines.

    Areas of Risk:

    - Non-compliance with laws and regulations may put the University at risk with law enforcement or regulatory agencies.
    - Poor security and poor performance resulting from a lack of adequate guidance policy.
    - Delegations of authority may be inappropriate.
    - Non-compliance of local processes with University requirements may negatively impact the reliability and security of the systems.

    B. The following procedures should be considered whenever the review is conducted.

    1. Determine if recovery plans and off-site data storage comply with laws, regulations and policies.

    2. Determine whether state or federal regulations (SB 1386, GLBA, etc.) apply to data that may be stored for disaster recovery, and review for compliance.

    3. Determine whether any Office of the President or University policies apply to the data that may be stored for disaster recovery, and review for compliance.


    V. Operational Effectiveness and Efficiency (36 Hrs - 15%)

    A. The following table summarizes audit objectives and corresponding high-level risks regarding operational effectiveness and efficiency.

    Audit Objective:

    - Evaluate management processes, specifically addressing the following areas:
      o Personnel management (the use of employees vs. contractors)
      o Specialization of work - centralized vs. decentralized
      o Granting physical access (keys or electronic access) and issuing security badges
      o IT physical security and equipment changes affecting IT physical security. Consider planned vs. ad hoc changes.
    - Hot site vs. cold site

    Areas of Risk:

    - Paying more for services when less expensive alternatives are available
    - Loss of control of IT security (if contractors are used)

    B. Determine if:

    1. There is an individual or team responsible for routinely ensuring that the alternate processing facility has the necessary hardware, supplies, and documentation to resume processing.

    2. Management has reviewed the adequacy of recovery team coverage for the Disaster Recovery and Business Continuation plan, and the frequency of such reviews.

    3. Management has considered outside resources for their Disaster Recovery efforts. If outside resources are used, ascertain whether central assets were considered before obtaining the outside resources.

    4. Management has plans for recovery from short-term computer interruptions.

    5. Complete audit trails are maintained during the recovery period.


    6. Any emergency restarts have occurred recently that would test the reliability of the backup media.

    7. The action taken in response to those restarts was appropriate and minimized downtime.

    VI. Information and Communication (84 Hrs - 35%)

    A. The following table summarizes audit objectives and corresponding high-level risks regarding information systems.

    Audit Objective:

    - Determine if the plan reflects the current IT environment.
    - Determine if the plan includes prioritization of critical applications and systems.
    - Determine if the plan includes time requirements for recovery/availability of each critical system, and that they are reasonable.
    - Does the business resumption plan include arrangements for emergency telecommunications?
      o Is there a plan for alternate means of data transmission if the computer network is interrupted?

    Areas of Risk:

    - Plan is outdated or does not meet business requirements.
    - Key critical applications and systems may not be identified, increasing the risk to business resumption.
    - The timing of bringing key systems on-line may increase the risk to business resumption.

    B. Based on the information obtained during the information and communication overview, conduct observations and evaluate whether any operations should be evaluated further via detailed testing. For example, detailed testing could include observations at the Campus/Medical Center level to determine:

    1. What actions start the master Disaster Recovery Plan (DRP), Business Recovery Plan (BRP), and Emergency Recovery Plan (ERP)?

    2. What actions stop the ERP?

    3. How do departmental (e.g. Payroll, Financials, Student and Medical) Disaster Recovery Plans (DRP) correlate with the overall ERP?

    4. How is data captured during the emergency?

    5. What is done with the data captured?


    At the departmental level to determine:

    1. What actions start the DRP?

    2. What actions stop the DRP?

    3. How does the DRP tie into the ERP?

    4. How is data captured during the emergency?

    5. What is done with the data captured?
