are directly managed by the IT function. In such a case, the IS auditor should recommend
that the enterprise consider appointing system owners.
d) Are system owners aware of their responsibilities?
System owners are given a description of their responsibilities when they are appointed to
the role. The IS auditor should assess whether they know and understand these responsibilities.
If the response to the above question is yes, then the IS auditor should be able to collect the
description of their responsibilities from the IT or human resources department. In some
enterprises, the role of a system owner is included in the main job description of the appointed
members of staff.
If the answer is no, then the IS auditor should recommend to management that the job
descriptions be officially written and distributed to system owners so that they understand
their responsibilities; the descriptions may also be linked to annual employee performance assessments.
e) How do system owners ensure that data and information are secure?
System owners have the responsibility of ensuring that data and information are secure and
protected. They normally work with the information technology security function to ensure
that security procedures are followed and adhered to.
The IS auditor would be looking for responsibilities which show that the system owners
also have security roles, such as access control administration in the application systems.
The reports which are produced by the system owners should also show that they have this
role. System owners are required to report on the security of data and information in their
regular reports to management. For example, the system owner would be interested in
knowing that the IT function does make backups of their data and that the data can be recovered
in the event of a disaster. Where security incidents occur, the system owners should include
such incidents in their reports.
The IS auditor can also find more evidence by interviewing the system owners and reviewing
security procedures related to the specific application systems used by each system owner.
f) Who authorises user access to application systems?
The practice may vary from one enterprise to another, but generally the line manager or
the system owner would authorise users to be granted access to an application system.
Authorisation can be through any accepted method within the enterprise, such as
signing a form in hard copy or electronic form.
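One way an IS auditor can test this control over electronic authorisation records is to reconcile the application's account list against the signed authorisations. The following is an added example, not taken from the text; the account and authorisation records, the field names and the approver lists are constructed assumptions about how such evidence might be exported.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Account:
    user: str
    system: str
    created: date   # date the account was provisioned in the application

@dataclass(frozen=True)
class Authorisation:
    user: str
    system: str
    approver: str   # person who signed the (electronic) authorisation form
    signed: date

def review_access(accounts, authorisations, approvers):
    """Return {user: [findings]} for accounts whose authorisation is missing,
    signed by someone other than the system owner or line manager, or signed
    only after the account had already been created."""
    by_key = {}
    for a in authorisations:
        by_key.setdefault((a.user, a.system), []).append(a)
    findings = {}
    for acct in accounts:
        auths = by_key.get((acct.user, acct.system), [])
        valid = [a for a in auths if a.approver in approvers.get(acct.system, set())]
        issues = []
        if not auths:
            issues.append("no authorisation record")
        elif not valid:
            issues.append("approver is not the system owner or line manager")
        elif min(a.signed for a in valid) > acct.created:
            issues.append("access granted before authorisation was signed")
        if issues:
            findings[acct.user] = issues
    return findings

# Constructed sample evidence: one payroll system, owner j.doe, line manager a.smith.
APPROVERS = {"payroll": {"j.doe", "a.smith"}}
ACCOUNTS = [Account("b.jones", "payroll", date(2023, 3, 1)),
            Account("c.lee", "payroll", date(2023, 3, 5)),
            Account("d.ng", "payroll", date(2023, 4, 1)),
            Account("e.ray", "payroll", date(2023, 2, 1))]
AUTHORISATIONS = [Authorisation("b.jones", "payroll", "j.doe", date(2023, 2, 20)),
                  Authorisation("c.lee", "payroll", "x.temp", date(2023, 3, 1)),
                  Authorisation("e.ray", "payroll", "a.smith", date(2023, 2, 10))]

def sample_findings():
    return review_access(ACCOUNTS, AUTHORISATIONS, APPROVERS)
```

Each finding maps to an audit exception the auditor would raise with the system owner; accounts with a valid, timely authorisation (b.jones above) produce no entry.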
Evidence can be obtained from previous authorisations made by the system owner or the
line manager to confirm that procedures are being followed. IT department or system own-