The IS auditors can review access rights to determine who has what rights to reports. Access can be granted based on job roles or at senior management discretion.
Everyone can have access to management reports if the enterprise does not have restrictions. The IS auditor would recommend that restrictions be applied depending on the policy of the enterprise.
d) What control procedures does the enterprise have in place for output distribution?
Output can be available for distribution by email, printing, viewing online, or download. Distribution of output should be controlled in order to ensure that unauthorised people do not have access to it.
The IS auditor can obtain information on output distribution lists from senior management. It is recommended that the IS auditor interview users and managers in order to find out if the controls are working or are too restrictive, thereby stifling business activities.
e) What controls does the enterprise have for printing sensitive documents?
Depending on organisational policies on access to information, sensitive data can only be accessed by managers and others who have been given specific rights due to their job roles or additional responsibilities. A typical example would be payroll data. Only the payroll manager and his staff may be given rights to print the payroll and payslips. Because this is sensitive information, only specific members of staff will be given rights to print payroll information.
The sources of information on such controls include access rights on the payroll application system and specific printing rights on the print server. This information can be found by checking the access rights configuration on the payroll application or the documentation prepared by the IT department or system owners.
f) How does the enterprise ensure that output is kept confidential?
One way in which users can be made to keep output information confidential is by getting them to sign a confidentiality agreement. The users should clearly understand the requirements of the agreement and the consequences of not observing it. In some enterprises, users are required to renew the agreement every year.
The other way is by using access rights which restrict access to output to authorised persons only. Access controls, which we have referred to in most of the questions above, are an effective way of ensuring that access is restricted.
The IS auditor should review confidentiality agreements to determine if all employees have signed the agreements. The IS auditor can also review various management and privacy incident reports to check if users are observing confidentiality. It is often not enough to just