Example of Systems Audit

The document outlines a systems audit process for personal computers within a company's internal network, focusing on hardware and software security, usage policies, and data transfer. It details the stages of the audit, including gathering information, identifying risks, establishing control objectives, and conducting tests to ensure compliance with security protocols. The final steps involve drafting a report with findings and recommendations, which is then presented to company managers for further action.

Systems audit example

http://yeberthmartinez.bligoo.com/ejemplo-de-auditoria-de-sistemas

Posted by Yeberth on 02/18/2013 at 16:21

Tags: University Work. Categories: Systems Audit

Hardware and software audit on workstations.

Scope

The audit covers the computer systems on personal computers that are connected to the
company's internal network.

Aim

To obtain an up-to-date overview of the information systems in terms of physical security, usage
policies, data transfer and asset security.

Resources

The audit team will consist of three people, with a maximum execution time of 3 to 4 weeks.
Stages of work

1. Gathering basic information

One week before the start of the audit, a questionnaire is sent to the managers or those
responsible for the different areas of the company. The objective of this questionnaire is to know
the equipment they use and the processes they perform on them.

Managers will be responsible for distributing this questionnaire to the various employees with
access to computers, so that they can also complete it. In this way, a more global view of the
system will be obtained.

It is also important to identify and meet with those responsible for the company's systems
department to gain a deeper understanding of the hardware and software used.

Interviews will include:

IT Director / Manager

IT Assistant Managers

IT Assistants

External support technicians

2. Identification of potential risks

The method of acquiring new equipment or software applications will be evaluated. The
procedures for acquiring them must be regulated and approved according to the company's
standards and the minimum requirements for running the base programs.

Potential risks also include security gaps in the software itself and whether critical equipment
such as the firewall is correctly configured and kept up to date.

Potential risks can present themselves in a wide variety of ways.

3. Control objectives

The existence and correct application of the company's security, emergency and disaster recovery
policies will be evaluated.

A review of the company's policy manuals will be carried out to ensure that their procedures are
up to date, clear and understood by staff.

The company must have a security program to assess the risks that may affect the security and
maintenance of equipment, programs and data.

4. Determination of control procedures

The appropriate procedures will be determined to apply to each of the objectives defined in the
previous step.

Objective No. 1: Existence of hardware regulations.

- The hardware must be correctly identified and documented.

- All purchase orders and invoices must be available in order to support the warranties offered by
the manufacturers.

- Access to hardware components is restricted to the persons who directly use them.

- A maintenance plan and a record of dates, problems, solutions and the proposed next maintenance
must be available.

Objective No. 2: Equipment access policy.

- Each user must have a username and password to access the equipment.

- Passwords must be secure (minimum 8 characters, alphanumeric and alternating upper and
lower case).

- Users will be logged out after 5 minutes of inactivity.

- New users must be authorized through confidentiality agreements, which must remain in force
after the employment relationship has ended.

- Use of removable media (USB, CD-ROM, external disks, etc.) is restricted.

5. Tests to be performed.

These are the procedures that will be carried out in order to verify compliance with the
established objectives. Among them we can mention the following techniques:

- Take 10 machines at random and evaluate how difficult it is to gain access to them.

- Attempt to extract data with an external device.

- Assess how easily a PC can be disassembled.

- Assess how easily confidential information (usernames and passwords) can be accessed.

- Verify the contracts.

- Check that users are logged out after 5 minutes of inactivity.

6. Obtaining the results.

At this stage, the results arising from the application of the control procedures and the tests
carried out will be obtained in order to determine whether or not the previously defined control
objectives are met. The data obtained will be recorded in tailor-made forms for each procedure in
order to have the results perfectly catalogued with the aim of facilitating their interpretation and
avoiding erroneous interpretations.

7. Conclusions and Comments:

In this step, a summary of all the information obtained will be detailed, together with what is
derived from that information, whether it concerns security flaws, organization or business
structure. The failures found in physical security will be set out, whether in information
protection (cases of fire, theft), in the management and obtaining of backup copies, or in security
regulations such as password usage rules, equipment acquisition forms, and the studies carried
out before acquisitions to verify the benefit they would provide. Finally, business organization
issues will be discussed, such as who is responsible for security, maintenance and supervision of
other areas.

8. Drafting the report

A report of all the problems found is detailed in a concise and clear manner, noting the technical
data of each of the audited machines:

- Brand

- Model

- Serial Number

- Problem found

- Recommended solution
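As an added example (not part of the original post), the following Python script evaluates a constructed workstation inventory against the Objective No. 2 controls and the corresponding step-5 checks, and emits one row per failed control in the step-8 report format; the Machine fields, the sample data and the wording of the recommended solutions are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Thresholds taken from Objective No. 2 of the audit plan (constant names are ours).
MIN_PASSWORD_LENGTH = 8
MAX_IDLE_MINUTES = 5


@dataclass
class Machine:
    """One audited workstation; the field names are an assumption, not the plan's."""
    brand: str
    model: str
    serial: str
    per_user_accounts: bool           # every user has an individual username/password
    idle_logout_minutes: Optional[int]  # None: no automatic logout configured
    pw_min_length: int
    pw_requires_alphanumeric: bool
    pw_requires_mixed_case: bool
    removable_media_restricted: bool


def audit_machine(m: Machine) -> list[dict]:
    """Return one step-8 report row (brand, model, serial, problem, solution) per failed control."""
    rows: list[dict] = []

    def fail(problem: str, solution: str) -> None:
        rows.append({"brand": m.brand, "model": m.model, "serial": m.serial,
                     "problem": problem, "recommended_solution": solution})

    if not m.per_user_accounts:
        fail("Shared or passwordless login", "Assign each user an individual username and password")
    if m.idle_logout_minutes is None or m.idle_logout_minutes > MAX_IDLE_MINUTES:
        fail("No logout after 5 minutes of inactivity", "Configure automatic logout at 5 minutes of inactivity")
    if not (m.pw_min_length >= MIN_PASSWORD_LENGTH and m.pw_requires_alphanumeric and m.pw_requires_mixed_case):
        fail("Password policy weaker than required", "Enforce minimum 8 characters, alphanumeric, mixed case")
    if not m.removable_media_restricted:
        fail("Removable media not restricted", "Restrict USB, CD-ROM and external disks to authorized users")
    return rows


def audit_fleet(machines: list[Machine]) -> list[dict]:
    """Concatenate the findings for every audited machine."""
    return [row for m in machines for row in audit_machine(m)]


# Constructed sample inventory (not real data): one compliant, one with a long idle timeout, one with many gaps.
SAMPLE = [
    Machine("AcmePC", "W100", "SN-0001", True, 5, 8, True, True, True),
    Machine("AcmePC", "W100", "SN-0002", True, 15, 8, True, True, True),
    Machine("BetaBox", "D7", "SN-0003", False, None, 6, False, False, False),
]

if __name__ == "__main__":
    for row in audit_fleet(SAMPLE):
        print(f"{row['brand']} {row['model']} {row['serial']}: {row['problem']} -> {row['recommended_solution']}")
```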

9. Presentation of the draft report to the person in charge of microcomputing

The draft report will be presented to the person in charge of the IT area, as stated in the previous
point, with as much detail as possible on all the problems found and the recommended solutions.
The report will be submitted in writing, in original and copy, and the recipient will sign a
document of acceptance so as to obtain a firm commitment to resolve the problems; in this way
possible future confusion is avoided.

10. Writing the Summary Report and Conclusions.

It is in this step that the real results are shown to those responsible for the company. The report
presented will set out all the points evaluated during the audit, the results, conclusions, scores
and possible solutions.

The conclusions will cover the auditors' results, errors, critical points and observations, while the
summary will present possible solutions to these critical points and failures, together with
recommendations for proper use and also observations on the incorrect way in which some
procedures are performed.

11. Delivery of the report to the company's managers.

This is the last part of the audit: the delivery of the final report with the results obtained in the
audit is formalized in a meeting.

Parameters are also set if required to monitor points where the result has not been satisfactory or
simply to verify that the control objectives continue to be met over time.

Here is an example of another model of an audit applied to a company.

And here is a brief description of the controls to take into account when performing an audit.
