ers would normally keep copies of signed forms which can be made available to the IS
auditor for review.
If the enterprise does not have such an access authorisation system or similar, the IS auditor
should recommend that a suitable system is established and implemented.
g) How is segregation of duties applied in the application systems?
Segregation of duties could be based on job description. In the application system, this can be implemented by creating groups to which users are added, with each group holding specific functions and rights.
The IS auditor can obtain evidence of segregation of duties by reviewing group functions on the system against individual user job roles. Where rights are not group based, individual user rights can be reviewed directly. The IS auditor should always be on the lookout for user movements: users who have left the enterprise, who have recently joined, and who have moved from one department to another. It is common to find that such users are still active on the system when they are no longer with the enterprise, or still hold old access rights after their job roles have changed. A good example would be an accountant who has been transferred to the internal audit department. The accountant's user rights should have been changed immediately after the transfer took effect.
User rights can be complex in some cases and change frequently. The IS auditor might be required to spend a bit of time auditing user rights, especially historical records relating to past activities performed by particular users. This is common in high-volume transaction environments such as retail banks. Where the application systems are highly automated, the IS auditor can obtain most of this information online.
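The three checks described above (leavers still active, transferred users holding old rights, and users whose group memberships conflict) are mechanical once the auditor has an export of application groups and an HR roster. The following script is an added example, not code from the original text; the user names, groups, department-to-group mapping and conflict pairs are all constructed and assumed for illustration.

```python
"""Cross-check an application's user/group export against the HR roster.

Added audit-analytics example; all data below is constructed sample data.
"""

# Application export: username -> set of group memberships (constructed).
APP_GROUPS = {
    "jsmith": {"AP_CLERK"},
    "mkhan": {"AP_CLERK", "AP_APPROVER"},        # holds both halves of a SoD pair
    "pnkosi": {"ACCOUNTANT", "INTERNAL_AUDIT"},  # transferred, old rights never removed
    "rlee": {"TELLER"},                          # has left the enterprise
    "aokoro": {"INTERNAL_AUDIT"},
}

# HR roster: username -> (status, current department) (constructed).
HR_ROSTER = {
    "jsmith": ("active", "Accounts Payable"),
    "mkhan": ("active", "Accounts Payable"),
    "pnkosi": ("active", "Internal Audit"),
    "rlee": ("terminated", "Branch Operations"),
    "aokoro": ("active", "Internal Audit"),
}

# Groups each department is expected to hold (assumed mapping).
DEPT_GROUPS = {
    "Accounts Payable": {"AP_CLERK", "AP_APPROVER"},
    "Finance": {"ACCOUNTANT"},
    "Internal Audit": {"INTERNAL_AUDIT"},
    "Branch Operations": {"TELLER"},
}

# Pairs of groups one person must never hold at the same time (assumed).
SOD_CONFLICTS = [
    ("AP_CLERK", "AP_APPROVER"),
    ("ACCOUNTANT", "INTERNAL_AUDIT"),
]


def find_leavers(app_groups, roster):
    """Accounts still present in the application whose HR status is not
    'active', or which HR does not know about at all."""
    return sorted(
        user for user in app_groups
        if roster.get(user, ("unknown", None))[0] != "active"
    )


def find_stale_rights(app_groups, roster, dept_groups):
    """Active users holding groups outside their current department's set
    (the transferred-accountant case)."""
    findings = {}
    for user, groups in app_groups.items():
        status, dept = roster.get(user, ("unknown", None))
        if status != "active":
            continue  # leavers are reported separately
        extra = groups - dept_groups.get(dept, set())
        if extra:
            findings[user] = sorted(extra)
    return findings


def find_sod_conflicts(app_groups, conflicts):
    """Users who hold both groups of at least one conflicting pair."""
    findings = {}
    for user, groups in app_groups.items():
        hits = [pair for pair in conflicts if set(pair) <= groups]
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    print("Leavers still active:", find_leavers(APP_GROUPS, HR_ROSTER))
    print("Stale rights:", find_stale_rights(APP_GROUPS, HR_ROSTER, DEPT_GROUPS))
    print("SoD conflicts:", find_sod_conflicts(APP_GROUPS, SOD_CONFLICTS))
```

In practice the two inputs would come from the application's user export and the HR system, and the department-to-group mapping is the control the auditor should ask the enterprise to document; if no such mapping exists, that absence is itself a finding.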
h) Are system patches and upgrades applied in a timely fashion?
System patches are technical or security fixes applied to operating systems or application
systems. These are regularly made available by software developers such as Microsoft and
Cisco. Some system patches are published more frequently than others.
It is recommended that system patches are deployed only after they have been tested by the
IT department. Tests should first be performed on a testing computer such as a test server.
If the tests are successful, the patches can then be deployed on the computers requiring the
updates.
The IS auditor is required to review how quickly system patches are applied by determining the dates when the patches were made available and the dates they were actually deployed. The IS auditor will also need to check which updates have not been deployed. This information can be obtained from the patch management servers such as windows
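The two audit questions above (were patches tested before production deployment, and how long did deployment take, including which patches are still missing) can be answered from a release catalogue and a deployment log. The script below is an added example, not code from the original text; the patch identifiers, host names, dates and the 30-day service-level target are all constructed and assumed.

```python
"""Measure patch deployment timeliness from release and deployment records.

Added audit-analytics example; all identifiers, hosts and dates are constructed.
"""
from datetime import date

SLA_DAYS = 30  # assumed internal target for deploying a released patch

# Patch catalogue: patch id -> date the vendor released it (constructed).
RELEASED = {
    "KB-0001": date(2024, 1, 9),
    "KB-0002": date(2024, 2, 13),
    "KB-0003": date(2024, 3, 12),
}

# Deployment log: (patch id, host, environment, date installed) (constructed).
DEPLOYMENTS = [
    ("KB-0001", "test-srv01", "test", date(2024, 1, 12)),
    ("KB-0001", "prod-srv01", "prod", date(2024, 1, 20)),
    ("KB-0002", "prod-srv01", "prod", date(2024, 2, 15)),  # went to prod with no test install
    ("KB-0003", "test-srv01", "test", date(2024, 3, 15)),
    ("KB-0003", "prod-srv01", "prod", date(2024, 4, 30)),  # installed well past the SLA
]

# Production hosts that should receive every released patch (constructed).
PROD_HOSTS = {"prod-srv01", "prod-srv02"}


def deployment_lag(released, deployments, env="prod"):
    """Days between vendor release and installation, per (patch, host)."""
    return {
        (patch, host): (installed - released[patch]).days
        for patch, host, environment, installed in deployments
        if environment == env
    }


def sla_breaches(lags, sla_days):
    """Deployments that took longer than the agreed number of days."""
    return {key: days for key, days in lags.items() if days > sla_days}


def missing_patches(released, deployments, prod_hosts):
    """(patch, host) pairs with no production deployment recorded at all."""
    deployed = {(p, h) for p, h, env, _ in deployments if env == "prod"}
    return sorted(
        (patch, host)
        for patch in released
        for host in prod_hosts
        if (patch, host) not in deployed
    )


def untested_deployments(deployments):
    """Production installs not preceded by an install in the test environment."""
    first_test = {}
    for patch, _, env, installed in deployments:
        if env == "test":
            first_test[patch] = min(installed, first_test.get(patch, installed))
    return sorted(
        (patch, host)
        for patch, host, env, installed in deployments
        if env == "prod" and (patch not in first_test or first_test[patch] > installed)
    )


if __name__ == "__main__":
    lags = deployment_lag(RELEASED, DEPLOYMENTS)
    print("Days from release to production install:", lags)
    print("SLA breaches:", sla_breaches(lags, SLA_DAYS))
    print("Not yet deployed:", missing_patches(RELEASED, DEPLOYMENTS, PROD_HOSTS))
    print("Deployed to production without a test install:", untested_deployments(DEPLOYMENTS))
```

The release dates would normally be taken from the vendor's advisories and the deployment log from the patch management server; the auditor should reconcile the list of production hosts against the asset inventory, since a host missing from the patch server's view will not appear as "not yet deployed" at all.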