
Chapter 3 (Auditing Infrastructure and Operations)


Useful summary of CISA for ICMAP Stage-6 students


Page 1: Chapter 3 (Auditing Infrastructure and Operations)

Information Management and Auditing: Infrastructure and Operations

IS OPERATIONS:
IS operations cover the daily use of software and hardware resources. IS operations are critical for large business organizations. These functions include the following areas:

a) Management of IS operations.
b) Computer operations.
c) Technical support/help desk.
d) Scheduling.
e) Quality assurance.
f) Program change control.
g) Problem management procedures.

MANAGEMENT OF IS OPERATIONS:
IS management has overall responsibility for all operations within the IS department. Operations management functions include the following:
- Resource allocation – the resources necessary to perform planned activities are available.
- Standards and procedures – these are established for all operations in line with corporate objectives.

CONTROL FUNCTIONS:
Management control functions include the following:
- Detailed scheduling for each operating shift.
- Ensuring efficient and effective operations.
- Authorizing changes to operating schedules.
- Monitoring compliance with standards.
- Reviewing console log activities.
- Reviewing the operator log to identify variances between planned and actual activities.
- Ensuring timely processing.
- Monitoring system performance.
- Anticipating equipment replacement for future acquisitions.
- Monitoring the working environment.
- Ensuring changes in hardware and software do not disrupt normal operations.
- Limiting physical access to authorized users only.

COMPUTER OPERATIONS:
Computer operators perform the following tasks:
- Executing programs.
- Restarting applications that have abnormally aborted.
- Taking timely backups.
- Observing processing for authorized entry.
- Monitoring adherence to the job schedule.
- Participating in disaster recovery plans.

Documentation would include: operating procedures, failure recovery procedures, output distribution instructions, procedures for failure reporting, and procedures for obtaining files from and returning them to the library.

Prepared by: Muhammad Umar Munir

LIGHTS-OUT OPERATIONS – automated unattended operation:
These are automated operations performed without human intervention. They include:
- Job scheduling.
- Console operations.
- Return/restart activities.
- Tape mounting and management.
- Storage device management.
- Physical and data security.

Benefits of lights-out operations are cost reduction, uninterrupted operations, and reduced errors.

I/O CONTROL FUNCTION:
I/O control personnel are responsible for ensuring accurate processing of a batch. Typical tasks performed by I/O control personnel include:
- Timely and accurate processing.
- Generating proper output and distributing it to the right persons.
- Passing output as input to other systems in the proper manner.
- Processing of the correct files.

DATA ENTRY:
Data entry controls would include:
- Key verification.
- Segregation of data entry from verification.
- Log preparation – time, date, initials, and other tasks.

TECHNICAL SUPPORT/HELP DESK:
SUPPORT:
Support provides the specialist knowledge needed to identify changes/developments and to resolve problems. The support function includes the following:
- Determining the source of computer problems and taking appropriate corrective actions.
- Initiating problem reports in a timely manner.
- Obtaining detailed knowledge of the operating system.
- Answering queries.
- Controlling vendor software.
- Providing technical support for computerized telecommunications processing.
- Preparing documentation of vendor-acquired and in-house developed software.

HELPDESK:
The helpdesk serves users by ensuring that all problems are documented and handled according to their priorities. The basic functions of the helpdesk include:
- Documenting the problem and initiating resolution.
- Prioritizing the issues.
- Following up on unresolved problems.
- Closing out resolved problems.

SCHEDULING:
Scheduling is vital to ensure optimal use of IS resources in line with processing requirements. Scheduling covers the jobs to be executed and their sequence. Scheduling can be performed using software, which reduces the possibility of errors. High-priority jobs should be optimally resourced. Scheduling provides a means of keeping customer demand at a manageable level and permits unexpected or on-request jobs to be processed without unnecessary delay.


QUALITY ASSURANCE:
Quality assurance personnel verify that system changes are authorized, tested, and implemented before operation.

PROGRAM CHANGE CONTROL:
Program change control (PCC) procedures are established by the IS department to control the movement of applications as under:

Test environment → Staging environment → Production environment

This is called the formal job turnover procedure. The procedures associated with this turnover ensure the following:
- Documentation (system, operations, and program) is complete, updated, and as per established standards.
- Job preparation, scheduling, and operating instructions have been established.
- Test results are reviewed by the user and the project manager.

PROBLEM MANAGEMENT PROCEDURES:
"Detection, documentation, control, resolution, and reporting of abnormal conditions."
Since computer resources are quite complex, there is a need to establish a mechanism to perform the above-mentioned activities for abnormal conditions so that errors can be identified.

ERRORS IN LOG:
Errors recorded in the log include program errors, system errors, operator errors, network errors, telecommunication errors, and hardware errors.

ITEMS IN ERROR LOG:
The error log includes the date, a description of the resolution, the error code, the source, the initials of the maintainer closing the log entry, a narration of the error resolution, etc.

KEY POINTS:
- Updating the error log (as opposed to adding to it) should be restricted to authorized individuals.
- The responsibilities for opening and closing error log entries should be segregated.
- Sometimes the vendor has the ability to correct a problem through dial-up without informing IS management; management should be aware of that.
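The three key points above can be expressed as checks on the error log itself. The following is an added example, not code from the original notes: a small append-only error log in which anyone may add an entry, only an authorised maintainer may close one, the opener and closer must differ, and a vendor-applied fix must be acknowledged by IS management. The maintainer list, the management list and the entry fields are constructed assumptions for the illustration.

```python
"""Error log entry controls.

Added example (not code from the original notes). The authorised
maintainer list, the IS-management list and the entry fields below are
constructed for illustration; a real error log would live in a controlled
ticketing system or database with its own authentication.
"""
from datetime import datetime, timezone

# Constructed role lists: who may close entries, and who may acknowledge
# a vendor-applied fix on behalf of IS management.
AUTHORIZED_MAINTAINERS = {"maint1", "maint2"}
IS_MANAGEMENT = {"ismgr"}

# Error categories named in the notes.
ERROR_TYPES = {"program", "system", "operator", "network",
               "telecommunication", "hardware"}


class ErrorLog:
    """Append-only error log.

    Controls enforced:
    - anyone may ADD an entry (operators must be able to report);
    - only authorised maintainers may UPDATE (close) an entry;
    - the person who opened an entry may not close it (segregation);
    - a fix applied by the vendor must be acknowledged by IS management,
      so a dial-up repair cannot silently close the record.
    There is deliberately no method to edit a description after opening.
    """

    def __init__(self):
        self._entries = []

    def open_entry(self, opened_by, error_type, code, source, description):
        if error_type not in ERROR_TYPES:
            raise ValueError(f"unknown error type: {error_type}")
        entry = {
            "id": len(self._entries) + 1,
            "date": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "type": error_type,
            "code": code,
            "source": source,
            "description": description,
            "opened_by": opened_by,
            "status": "open",
            "resolution": None,
        }
        self._entries.append(entry)
        return entry["id"]

    def close_entry(self, entry_id, closed_by, narration,
                    fixed_by="in-house", management_ack=None):
        entry = self._entries[entry_id - 1]
        if closed_by not in AUTHORIZED_MAINTAINERS:
            raise PermissionError(f"{closed_by} is not authorised to update the log")
        if closed_by == entry["opened_by"]:
            raise PermissionError("opener and closer of an entry must be different people")
        if entry["status"] != "open":
            raise ValueError(f"entry {entry_id} is already closed")
        if fixed_by == "vendor" and management_ack not in IS_MANAGEMENT:
            raise PermissionError("vendor fix requires IS management acknowledgement")
        entry["status"] = "closed"
        entry["resolution"] = {
            "closed_by": closed_by,        # initials/ID of the maintainer closing it
            "narration": narration,        # narration of the error resolution
            "fixed_by": fixed_by,
            "management_ack": management_ack,
            "closed_on": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        }
        return entry["id"]

    def entry(self, entry_id):
        return dict(self._entries[entry_id - 1])

    def open_entries(self):
        return [e["id"] for e in self._entries if e["status"] == "open"]


def run_scenario():
    """Exercise each control; returns (outcome per attempt, the log)."""
    log = ErrorLog()
    first = log.open_entry("maint1", "hardware", "H-104", "disk controller 2",
                           "controller reported parity errors during nightly backup")
    second = log.open_entry("opr2", "network", "N-031", "router RTR-A",
                            "WAN link flapped for 12 minutes")
    outcome = {}

    def attempt(label, **kwargs):
        try:
            log.close_entry(**kwargs)
            outcome[label] = "closed"
        except (PermissionError, ValueError) as exc:
            outcome[label] = type(exc).__name__

    attempt("unauthorised_user", entry_id=first, closed_by="opr2", narration="swapped cable")
    attempt("self_close", entry_id=first, closed_by="maint1", narration="swapped cable")
    attempt("vendor_no_ack", entry_id=first, closed_by="maint2",
            narration="vendor replaced controller via dial-up", fixed_by="vendor")
    attempt("vendor_with_ack", entry_id=first, closed_by="maint2",
            narration="vendor replaced controller via dial-up", fixed_by="vendor",
            management_ack="ismgr")
    attempt("already_closed", entry_id=first, closed_by="maint2", narration="duplicate")
    attempt("in_house", entry_id=second, closed_by="maint1", narration="reseated WAN card")
    return outcome, log


if __name__ == "__main__":
    for label, result in run_scenario()[0].items():
        print(f"{label}: {result}")
```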

INFRASTRUCTURE

Introduction:
Computer hardware includes the physical components of a computer system. Technically, any machinery that assists in the input, processing, storage, and output activities of an information system is called hardware.

HARDWARE ACQUISITION:
An invitation to tender (ITT) includes:
- An organizational description indicating whether the computer facilities are centralized or decentralized.
- Information processing requirements.
- Hardware requirements.
- System software requirements.
- Support requirements (maintenance, training, backup).
- Adaptability requirements (upgrade capabilities).
- Constraints (staff levels, dates).
- Conversion requirements.

Acquisition steps:
- Testimonials/visits to other users.
- Analysis of bids.
- Review of delivery schedules.
- Evaluation of performance against requirements.
- Preparation of contract terms, etc.

HARDWARE MAINTENANCE PROGRAM:
- A reputable service company.
- The maintenance schedule.
- Maintenance cost.
- Maintenance performance history, planned and exceptional.

HARDWARE MONITORING:
The following reports help in hardware monitoring:

Error reports:
These reports present information about hardware failures. The IS manager reviews this report to be assured of the effectiveness and efficiency of hardware components. They also help initiate corrective actions.

Availability reports:
These reports highlight the time span over which the hardware was available for use. They help identify IS downtime (inactivity). They also help in making important operational decisions relating to hardware.

Utilization reports:
These documents report the use of hardware (processor and media).

CAPACITY MANAGEMENT:
Capacity management is the planning and monitoring of computer resources to ensure that the available resources are being used efficiently and effectively. This requires that the expansion or reduction of resources takes place in parallel with overall business growth or reduction. The capacity plan should be developed based on input from both user and IS management to ensure that business goals are achieved in the most efficient and effective way. This plan should be reviewed and updated at least annually. Items considered in the capacity plan include:
- CPU utilization
- Computer storage utilization
- Telecommunications and WAN bandwidth utilization
- Terminal utilization
- I/O channel utilization
- Number of users
- New technologies
- New applications
- Service-level agreements

HARDWARE REVIEWS:
Hardware reviews include the following:

OPERATING SYSTEMS REVIEWS:
- Interviewing personnel to determine implementation and documentation issues.
- System software selection procedures, to determine whether they are as per plans and requirements.
- Feasibility study reviews, to determine consistency and cost-effectiveness.
- Cost/benefit analysis.
- Installation reviews, to ensure that the software is properly installed, documented, tested, troubleshot, and reviewed.
- Maintenance reviews, to ensure that the software is supported by the vendor and documented.
- System software change control reviews, to ensure that access is authorized and changes are documented, tested, and approved.
- Documentation reviews of logs, etc.
- System software implementation reviews, to determine change, authorization, access, and audit procedures.
- Authorization documentation reviews, to ensure that all changes, violations, and follow-ups are documented.
- Security reviews, to determine access rights, adequacy of the security level, etc.

DATABASE REVIEWS:

1) Design:
Verify the existence of a database model, that all entities have a significant name, and that primary and foreign keys are identified. Verify that the relations have explicit cardinality and coherent and significant names, and that the business rules are expressed in the diagram.

2) Access:
Analyze the main accesses to the database, stored procedures and triggers; verify that the use of indexes minimizes access time and that open searches, if not based on indexes, are justified. If the DBMS allows the selection of the methods or types of indexes, their correct use should be verified.

3) Administration:
Security levels for all users and their roles should be identified within the database, and access rights for all users and/or groups of users should be justified.

4) Interfaces:
To ensure the security and confidentiality of data, information import and export procedures with other systems should be verified.

5) Portability:
Verify that, whenever possible, Structured Query Language (SQL) is used.
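The design and access checks above (every entity has an identified primary key, foreign keys are declared, lookups on them are backed by indexes) can be run directly against a live schema rather than only against the diagram. The following is an added example, not code from the original notes: it uses Python's built-in sqlite3 module and a constructed sample schema with deliberate findings. The "undeclared reference" check is a naming heuristic assumed for this illustration (a column ending in _id that is neither a key nor a declared foreign key); the other checks read the catalog pragmas.

```python
"""Database design and access review checks against a live schema.

Added example (not from the original notes). It uses Python's built-in
sqlite3 module and a constructed sample schema with deliberate findings.
The "undeclared reference" check is a naming heuristic assumed for this
example (columns ending in _id that are neither a key nor a declared FK).
"""
import sqlite3

# Constructed schema: invoice_line has no primary key and an unindexed
# foreign key; audit_note.invoice_id looks like a reference but no FK is declared.
SAMPLE_SCHEMA = """
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL
);
CREATE TABLE invoice (
    invoice_id  INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(customer_id),
    amount      REAL NOT NULL
);
CREATE INDEX idx_invoice_customer ON invoice(customer_id);
CREATE TABLE invoice_line (
    invoice_id  INTEGER NOT NULL REFERENCES invoice(invoice_id),
    line_no     INTEGER NOT NULL,
    qty         INTEGER NOT NULL
);
CREATE TABLE audit_note (
    note_id     INTEGER PRIMARY KEY,
    invoice_id  INTEGER NOT NULL,
    note        TEXT
);
"""


def table_names(conn):
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def has_primary_key(conn, table):
    # PRAGMA table_info columns: cid, name, type, notnull, dflt_value, pk
    return any(row[5] > 0 for row in conn.execute(f"PRAGMA table_info('{table}')"))


def indexed_leading_columns(conn, table):
    """Columns that lead at least one index (so lookups on them avoid a scan)."""
    cols = set()
    for idx in conn.execute(f"PRAGMA index_list('{table}')"):        # (seq, name, unique, origin, partial)
        for info in conn.execute(f"PRAGMA index_info('{idx[1]}')"):  # (seqno, cid, name)
            if info[0] == 0:
                cols.add(info[2])
    return cols


def review_database(conn):
    """Return design/access findings keyed by check name."""
    findings = {"no_primary_key": [], "unindexed_fk": [],
                "dangling_fk": [], "undeclared_reference": []}
    tables = table_names(conn)
    for table in tables:
        if not has_primary_key(conn, table):
            findings["no_primary_key"].append(table)
        fk_columns = set()
        indexed = indexed_leading_columns(conn, table)
        # PRAGMA foreign_key_list columns: id, seq, table, from, to, ...
        for fk in conn.execute(f"PRAGMA foreign_key_list('{table}')"):
            ref_table, column = fk[2], fk[3]
            fk_columns.add(column)
            if ref_table not in tables:
                findings["dangling_fk"].append((table, column, ref_table))
            if column not in indexed:
                findings["unindexed_fk"].append((table, column))
        for row in conn.execute(f"PRAGMA table_info('{table}')"):
            column, is_pk = row[1], row[5]
            if column.endswith("_id") and not is_pk and column not in fk_columns:
                findings["undeclared_reference"].append((table, column))
    return findings


def review_sample_schema():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    try:
        return review_database(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for check, items in review_sample_schema().items():
        print(f"{check}: {items or 'none'}")
```

The table names fed to the PRAGMA statements come from the catalog itself, not from user input, which is why plain string formatting is acceptable here; the same review against a production DBMS would use that product's information schema views instead of SQLite pragmas.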

LAN REVIEWS
AUDITING LAN:
The potentially unique nature of each LAN makes it difficult to define standard audit procedures; however, certain general reviews related to LANs are as under.

These reviews enable an IS auditor to assess significant threats to the LAN and their probability, so that the auditor can plan to reduce them.

AUDITING PHYSICAL CONTROLS:
Physical controls should limit access to authorized individuals. However, unlike most mainframes, the computers in a LAN are usually decentralized. A file server containing critical company data is much easier to damage or steal and should be physically protected. Therefore, physical protection is vital. The following reviews are required:
- LAN hardware devices (file server and documentation) should be physically restricted.
- Keys should be controlled.
- File server housing should be locked.

AUDITING LAN ENVIRONMENTAL CONTROLS:
Environmental controls are similar to those considered in the mainframe environment. However, the equipment may not require atmospheric controls as extensive as those for a mainframe. The following controls should be reviewed:
- Protection from static electricity.
- Air-conditioning.
- Power supply.
- UPS.
- Dust- and smoke-free environment.
- Protected backup disks.

Tip! To test controls, the IS auditor interviews, observes, visits facilities, and reviews documentation.

AUDITING LAN LOGICAL SECURITY CONTROLS:
A method should be in place to restrict, identify, and report authorized and unauthorized users of the LAN. LAN access should be monitored. The following controls should be reviewed:
- Proper login procedures.
- Authorized access.
- Disabling of sessions after a short period of inactivity.
- Prohibition of remote access.
- Reporting of login attempts.
- Updated information on communication lines.
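Four of the controls listed above (authorized access, disabling after inactivity, prohibition of remote access, reporting of login attempts) can be tested by reading the LAN server's access log. The following is an added example, not code from the original notes: it runs those checks over a constructed log extract. The log line format, the authorised user list, the workstation naming convention (names starting with REMOTE denote remote access) and the thresholds (three failed attempts, 15 minutes idle) are constructed assumptions for the illustration.

```python
"""LAN logical access review over a constructed login/activity log.

Added example (not from the original notes). The log line format, the
authorised user list, the workstation naming convention (names starting
with REMOTE denote dial-in/remote access) and the thresholds are all
constructed assumptions for this illustration.
"""
import re
from collections import defaultdict

AUTHORIZED_USERS = {"alice", "bob", "carol", "dave"}   # constructed

# Constructed extract from the LAN server's access log (one shift).
ACCESS_LOG = """\
08:00:05 LOGIN OK user=alice ws=WS12
08:00:40 LOGIN FAIL user=bob ws=WS07
08:00:55 LOGIN FAIL user=bob ws=WS07
08:01:10 LOGIN FAIL user=bob ws=WS07
08:01:30 LOGIN OK user=carol ws=WS03
08:02:00 LOGIN OK user=mallory ws=WS09
08:05:00 ACTIVITY user=alice ws=WS12
08:06:00 LOGIN OK user=dave ws=REMOTE-1
08:40:00 ACTIVITY user=alice ws=WS12
08:45:00 LOGOUT user=dave ws=REMOTE-1
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<event>LOGIN OK|LOGIN FAIL|ACTIVITY|LOGOUT) "
    r"user=(?P<user>\S+) ws=(?P<ws>\S+)$")


def to_seconds(hhmmss):
    h, m, s = (int(part) for part in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def review_lan_access(log_text, authorized=AUTHORIZED_USERS, review_time="08:50:00",
                      idle_limit_s=15 * 60, fail_threshold=3):
    """Apply the four logical-security checks and return the exceptions found."""
    now = to_seconds(review_time)
    failures = defaultdict(int)
    open_sessions = {}   # (user, workstation) -> time of last login or activity
    findings = {"repeated_failures": [], "unauthorized_logins": [],
                "remote_access": [], "idle_sessions": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # unknown line shape: ignored rather than guessed at
        t, event, user, ws = to_seconds(m["time"]), m["event"], m["user"], m["ws"]
        if event == "LOGIN FAIL":
            failures[user] += 1
        elif event == "LOGIN OK":
            if user not in authorized:
                findings["unauthorized_logins"].append(user)
            if ws.startswith("REMOTE"):
                findings["remote_access"].append(user)
            open_sessions[(user, ws)] = t
        elif event == "ACTIVITY" and (user, ws) in open_sessions:
            open_sessions[(user, ws)] = t
        elif event == "LOGOUT":
            open_sessions.pop((user, ws), None)
    # Login-attempt report: users at or above the failure threshold.
    findings["repeated_failures"] = sorted(
        u for u, n in failures.items() if n >= fail_threshold)
    # Inactivity check: sessions still open with no activity inside the idle limit.
    findings["idle_sessions"] = sorted(
        user for (user, _), last in open_sessions.items() if now - last > idle_limit_s)
    return findings


def review_sample_log():
    return review_lan_access(ACCESS_LOG)


if __name__ == "__main__":
    for check, users in review_sample_log().items():
        print(f"{check}: {users or 'none'}")
```

In the sample, bob trips the failed-attempt report, mallory is a successful login by a user who is not on the authorised list, dave's session came in over a remote workstation, and carol's (and mallory's) sessions have been idle past the limit and should have been disabled.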

NETWORK OPERATING CONTROL REVIEWS:
- Appropriate implementation, conversion, and acceptance test plans were developed for the organization's distributed data processing network.
- Implementation and testing plans for the network's hardware and communications links were established.
- Operating provisions for distributed data processing networks exist to ensure consistency with the laws and regulations governing transmission of data.
- Procedures to ensure data compatibility are properly applied to the entire network's datasets, and the requirements for their security have been determined.
- All sensitive files/datasets in the network have been identified, and the requirements for their security have been determined.
- Procedures were established to assure effective controls over the hardware and software used by the departments served by the distributed processing network.
- Adequate restart and recovery mechanisms have been installed at every user location served by the distributed processing network.

OPERATIONS

IS OPERATIONS REVIEWS:
OBSERVING PERSONNEL PERFORMING THEIR DUTIES:
Audit procedures should include observation of IS personnel performing their duties, to determine whether controls are in place to ensure efficiency of operations, adherence to established standards and policies, adequate supervision, IS management review, and data integrity and security.

COMPUTER OPERATIONS:
Computer operation controls relate to the day-to-day operation of the hardware and software within the IS organization, including responsibility for running the computers, mounting files located on secondary storage media, changing printer forms, and discontinuing the use of devices requiring maintenance. Operation controls include:
- Restricting access capabilities.
- Scheduling.
- Exception processing procedures to obtain approval to run a program differently.
- Rerun handling.
The operator manual should be reviewed to determine whether the instructions are adequate.

FILE HANDLING PROCEDURES:
Procedures should be established to control the receipt and release of files/secondary storage media to other locations. Internal tape labels should be used to help ensure that the correct tapes are mounted for processing.

DATA ENTRY CONTROL:
- Authorization of input documents.
- Reconciliation of batch totals.
- Segregation of duties between the person who keys the data and the person who reviews the keyed data for accuracy and errors.

LIGHTS-OUT OPERATIONS CONTROL CONCERNS:
- Remote access to the master console is often granted to stand-by operators for contingency purposes, such as a failure in the automated software.
- Contingency plans must allow for the proper identification of a disaster in the unattended facility.
- Ensure that errors are not hidden.

PROBLEM MANAGEMENT REPORTING REVIEWS:
Adequately documented procedures should have been developed to guide IS operations personnel in logging, analyzing, resolving, and escalating problems in a timely manner in accordance with management's intent and authorization. The review procedure is as under:
- Interviewing IS personnel.
- Reviewing the IS department's procedures.
- Reviewing performance records.
- Ensuring all problems are identified and preventive action is taken.
- Ensuring processing problems are identified and resolved.

HARDWARE AVAILABILITY AND UTILIZATION REPORTING REVIEWS:
Hardware availability and utilization can be obtained from the problem log, processing schedules, job accounting system reports, preventive maintenance schedules and reports, and the hardware performance monitoring plan. The following are reviewed to determine whether hardware is being used effectively or otherwise:
- Hardware performance monitoring plan.
- Problem log.
- Preventive maintenance schedule (maintenance should be performed during slack periods, when no critical application is running).
- Ability to automatically contact the vendor in case of failure.
- Workload schedules and hardware availability reports.
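The error, availability and utilization reports described under HARDWARE MONITORING, and the review of them described here, reduce to a few calculations over the problem log, the preventive maintenance schedule and the performance monitor's samples. The following is an added example, not code from the original notes, that builds those three figures and flags maintenance scheduled inside the peak window. The downtime figures, the maintenance schedule, the utilization samples, the 168-hour review period, the 09:00 to 17:00 weekday peak window and the 80 percent utilization threshold are all constructed for the illustration.

```python
"""Hardware availability and utilization review worksheet.

Added example (not from the original notes). Downtime figures, the
preventive-maintenance schedule, utilization samples, the 168-hour review
period and the thresholds are all constructed for illustration.
"""
from collections import defaultdict

REVIEW_PERIOD_HOURS = 7 * 24          # one week of scheduled availability

# Constructed problem-log extract: (device, downtime hours, error type)
DOWNTIME_LOG = [
    ("SRV01", 2.5, "hardware"),
    ("SRV01", 0.5, "hardware"),
    ("DISK01", 12.0, "hardware"),
]
DEVICES = ["SRV01", "SRV02", "DISK01"]

# Constructed preventive-maintenance schedule: (device, weekday, start hour)
PM_SCHEDULE = [("SRV01", "Tue", 10), ("SRV02", "Sun", 2), ("DISK01", "Wed", 14)]
WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri"}
PEAK_HOURS = (9, 17)                  # critical applications run 09:00-17:00 on weekdays

# Constructed utilization samples (percent busy) from the performance monitor
UTILIZATION_SAMPLES = {
    "SRV01": [70, 85, 90, 88],
    "SRV02": [20, 25, 30, 15],
    "DISK01": [95, 97, 96, 99],
}


def availability_report(downtime_log, devices, period_hours=REVIEW_PERIOD_HOURS):
    """Per-device incident count, total downtime and availability percentage.

    Devices with no problem-log entries still appear, at 100 percent, so the
    report covers the whole inventory rather than only the devices that failed.
    """
    downtime = defaultdict(float)
    incidents = defaultdict(int)
    for device, hours, _error_type in downtime_log:
        downtime[device] += hours
        incidents[device] += 1
    report = {}
    for device in devices:
        lost = downtime[device]
        report[device] = {
            "incidents": incidents[device],
            "downtime_h": lost,
            "availability_pct": round((period_hours - lost) / period_hours * 100, 2),
        }
    return report


def maintenance_in_peak(pm_schedule, weekdays=WEEKDAYS, peak=PEAK_HOURS):
    """Devices whose preventive maintenance falls inside the peak window."""
    start, end = peak
    return [dev for dev, day, hour in pm_schedule
            if day in weekdays and start <= hour < end]


def utilization_summary(samples, threshold=80.0):
    """Average utilization per device, plus the devices above the capacity threshold."""
    averages = {dev: round(sum(vals) / len(vals), 2) for dev, vals in samples.items()}
    saturated = [dev for dev, avg in averages.items() if avg > threshold]
    return averages, saturated


if __name__ == "__main__":
    for dev, row in availability_report(DOWNTIME_LOG, DEVICES).items():
        print(f"{dev}: {row['incidents']} incidents, {row['downtime_h']} h down, "
              f"{row['availability_pct']}% available")
    print("maintenance scheduled in peak window:", maintenance_in_peak(PM_SCHEDULE))
    print("utilization:", utilization_summary(UTILIZATION_SAMPLES))
```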


SCHEDULING REVIEWS:
The approach for personnel and job scheduling is as under:
- Obtaining a list of regularly scheduled applications.
- Reviewing the log to determine whether activities are done as per schedule.
- Ensuring that priorities have been developed.
- Ensuring that runs/reruns are as per assigned priority.
- Determining whether critical applications have been identified and assigned the highest priority.
- Determining whether scheduling procedures ensure optimal use of computer facilities.
- Determining whether staff is adequate.
- Ensuring that proper daily work schedules are determined – used as an audit trail.
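The core of this review, and of the "reviewing the operator log to identify variances between planned and actual activities" control function earlier in the chapter, is a reconciliation of the planned schedule against the operator log. The following is an added example, not code from the original notes, that performs that reconciliation: scheduled jobs that never ran, jobs run that were not scheduled and carried no exception approval, reruns without approval, lower-priority jobs started ahead of higher-priority ones, and critical applications not given the top priority. The job list, the priorities, the operator log lines and their format are constructed for the illustration.

```python
"""Scheduling review: reconcile the planned schedule with the operator log.

Added example (not code from the original notes). The job list,
priorities, operator log lines and the log line format are constructed
for this example; a real review would read the scheduler's definitions
and the console/operator log exports.
"""
import re

# Constructed schedule: job -> priority (1 = highest) and critical flag.
PLANNED_SCHEDULE = {
    "PAYROLL_POST":  {"priority": 1, "critical": True},
    "GL_CLOSE":      {"priority": 1, "critical": True},
    "INVENTORY_UPD": {"priority": 2, "critical": False},
    "REPORT_PRINT":  {"priority": 3, "critical": False},
}

# Constructed operator log: "<hh:mm> <EVENT> <job> [by <operator>] [approved_by=<who>]"
OPERATOR_LOG = """\
22:05 START INVENTORY_UPD by opr1
22:30 ABEND INVENTORY_UPD
22:32 RERUN INVENTORY_UPD by opr1
22:40 END INVENTORY_UPD
23:00 START PAYROLL_POST by opr1
23:10 ABEND PAYROLL_POST
23:15 RERUN PAYROLL_POST by opr2 approved_by=shiftlead
23:50 END PAYROLL_POST
00:10 START ADHOC_EXTRACT by opr2
00:12 END ADHOC_EXTRACT
"""

EVENT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2})\s+(?P<event>START|END|ABEND|RERUN)\s+(?P<job>\S+)(?P<rest>.*)$")


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        operator = re.search(r"\bby (\S+)", rest)
        attrs = dict(re.findall(r"(\w+)=(\S+)", rest))
        events.append({
            "time": m.group("time"),
            "event": m.group("event"),
            "job": m.group("job"),
            "operator": operator.group(1) if operator else None,
            "approved_by": attrs.get("approved_by"),
        })
    return events


def review_schedule(schedule, log_text):
    """Reconcile the planned schedule with the log and return the variances."""
    events = parse_log(log_text)
    findings = {
        "critical_not_top_priority": [j for j, s in schedule.items()
                                      if s["critical"] and s["priority"] != 1],
        "unscheduled_runs": [],     # not on the schedule and no exception approval
        "not_run": [],              # scheduled jobs with no START in the log
        "unapproved_reruns": [],    # RERUN without an approval attribute
        "priority_inversions": [],  # lower-priority job started before a higher one
    }
    started = []
    for ev in events:
        if ev["event"] == "START":
            if ev["job"] in schedule:
                started.append(ev["job"])
            elif not ev["approved_by"]:
                findings["unscheduled_runs"].append(ev["job"])
        elif ev["event"] == "RERUN" and not ev["approved_by"]:
            findings["unapproved_reruns"].append(ev["job"])
    findings["not_run"] = [j for j in schedule if j not in started]
    # Start order is the order of START events; a job that started while a
    # higher-priority scheduled job had not yet started is an inversion.
    for i, job in enumerate(started):
        for later in started[i + 1:]:
            if schedule[later]["priority"] < schedule[job]["priority"]:
                findings["priority_inversions"].append((job, later))
    return findings


def review_sample():
    return review_schedule(PLANNED_SCHEDULE, OPERATOR_LOG)


if __name__ == "__main__":
    for check, items in review_sample().items():
        print(f"{check}: {items or 'none'}")
```

Each finding maps to one step of the review: "not_run" and "unscheduled_runs" come from comparing the log with the list of regularly scheduled applications, "unapproved_reruns" from the rerun-handling control, "priority_inversions" from checking that runs follow the assigned priority, and "critical_not_top_priority" from checking that critical applications carry the highest priority.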
