Part 7: System Audit Report format as per best practices
7.1 Reporting Standards
7.1.1 Case to prepare report in specified format
Objective: To help document a system audit report for a company's password management policy.
Facts: The "Password Management Policy" has been framed as a part of the company's main security policy.
Policy details:
1. Policy Name: "Password Management Policy". The objective is to ensure that the company suffers no loss due to password mismanagement.
2. Policy Guidelines:
• Password length to be a minimum of 8 characters.
• Password to be alpha-numeric.
• Password to be changed every 30 days.
• Password not to be shared.
3. Policy design and implementation: Management instructed its system developers to implement the above policy as part of the system design.
4. Policy monitoring: A Manager (PW), appointed by the company in the HR department and having access to the system's password log, reports to the System Administrator. At the end of the year, management appointed an IS Auditor with the following scope:
1. To review policy compliance.
2. To suggest:
i. Modification in policy
IS Audit steps: In addition to the basic audit steps, including those mentioned in Chapter 1, the IS Auditor used audit procedures comprising compliance and substantive procedures. The IS Auditor used the following audit techniques to collect audit evidence:
i. Inquiry: Interacting with the stakeholders to confirm understanding of the policy and level of compliance by the users.
ii. Documentation: Reviewing the audit logs in the system. These logs show which employee logged in on a specific date. Reviewing the attendance records of staff.
iii. Observation: Validating the process by which staff enter their passwords in the system.
iv. Re-performance: With the permission of management, the IS Auditor tries to create passwords that are not in line with the policy.
B. IS Auditor's Findings: Based on the audit performed, the auditor came across the following.
1. There were 200 employee records available. Of these, 175 are working and 5 have left.
2. The passwords of employees who had left had not been disabled.
3. 20 employees did not change their password every 30 days, as defined in the policy. 5 were repeat offenders.
4. 50 instances of employee passwords being used while the employees were absent were observed.
Please refer to Appendix 6: System Audit Report.
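As an added illustration that is not part of the original page, the checks below reproduce the evidence-gathering behind the findings: the re-performance test of the password guidelines, and the documentation review that correlates the employee master, the system login log and HR attendance records. All employee ids, dates and records are constructed sample data.

```python
from datetime import date

# Constructed sample records (not from the original page): employee master with
# account status, last password change, the system's login log and attendance.
EMPLOYEES = {
    "E001": {"status": "working", "enabled": True,  "last_pw_change": date(2023, 12, 1)},
    "E002": {"status": "left",    "enabled": True,  "last_pw_change": date(2023, 9, 1)},
    "E003": {"status": "working", "enabled": True,  "last_pw_change": date(2023, 10, 15)},
    "E004": {"status": "left",    "enabled": False, "last_pw_change": date(2023, 8, 1)},
}
# System audit log: (employee id, login date) as extracted from the system
LOGINS = [("E001", date(2023, 12, 5)), ("E003", date(2023, 12, 5)),
          ("E003", date(2023, 12, 6))]
# HR attendance register: (employee id, date) pairs on which staff were present
ATTENDANCE = {("E001", date(2023, 12, 5)), ("E003", date(2023, 12, 5)),
              ("E001", date(2023, 12, 6))}


def password_meets_policy(pw: str, min_len: int = 8) -> bool:
    """Guideline check for the re-performance step: minimum length and
    alpha-numeric, read here as at least one letter and at least one digit."""
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    return len(pw) >= min_len and has_alpha and has_digit


def leavers_still_enabled(employees):
    """Finding 2: accounts of employees who have left but were not disabled."""
    return sorted(e for e, r in employees.items()
                  if r["status"] == "left" and r["enabled"])


def passwords_not_rotated(employees, as_of, max_age_days=30):
    """Finding 3: working employees whose password is older than the
    30-day rotation period on the audit date."""
    return sorted(e for e, r in employees.items()
                  if r["status"] == "working"
                  and (as_of - r["last_pw_change"]).days > max_age_days)


def logins_while_absent(logins, attendance):
    """Finding 4: logins on days the attendance register shows no presence
    for that employee, an indicator of a shared password."""
    return sorted(entry for entry in logins if entry not in attendance)
```

Each function returns the list of exceptions that would be reported in the findings section, so the same code can be re-run against the next audit period's extracts.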
7.2 Questions
1. The best way to define the purpose of an IS Audit in one word:
A. Assurance
B. Activity
C. Review
D. Performance
2. What is the primary basis of audit strategy? It should be based on:
A. knowledge
B. life-cycle
C. user-request
D. risk assessment
3. Which of the following audit tools is MOST useful to an IS auditor when an audit trail is required?
A. Integrated test facility (ITF)
C. Audit hooks
D. Snapshots
4. Which of the following is the first step in compliance testing? To review:
A. access security controls
B. input controls
C. processing controls
D. output controls
5. The cashier of a company has rights to create bank masters in TALLY. This error reflects poor definition of which type of control?
A. User Controls
B. Application Control
C. Input Control
D. Output Control
6. An employee has left the company. The first thing to do is to:
A. Hire a replacement employee.
B. Disable his/her access rights.
C. Ask the employee to clear all dues/advances.
D. Escort the employee out of the company premises.
8. The common feature of ISACA ITAF 401, SA 700 and NFRA (National Financial Reporting Authority) is:
A. Reporting
B. Auditing
C. Accounting
D. Standard
7.3 Answers and Explanations
1. A. The IS audit focuses on determining the risks that are relevant to information assets, and in assessing controls in order to reduce or mitigate these risks. Management gets an assurance about the functioning of controls.
2. D. Audit strategy is based on the risk assessment done by the auditor. The other answers do not represent a basis for deciding audit strategy.
3. D. Snapshots is the right answer, as with this technique the IS auditor can create evidence through image capturing. A snapshot tool is most useful when an audit trail is required. ITF can be used to incorporate test transactions into a normal production run of a system. CIS is useful when transactions meeting certain criteria need to be examined. Audit hooks are useful when only select transactions or processes need to be examined.
4. A. Reviewing access security controls is the first step in a compliance test. The other steps are more a part of an application system transaction audit.
5. A. User controls are not properly defined. User controls need to be defined on a need-to-know and need-to-do basis. The above is a reflection of a greater problem: improper assessment of the user profiles created in the system.
6. B. The first thing to do as soon as an employee leaves the company is to disable his/her access rights in the system. This needs to be done to prevent frauds from being committed. The other answers may be valid but are not the first thing to do.
C is the correct answer; the other options are components of SQL.
7. D. ISACA ITAF is a reporting standard issued by ISACA. SA 700 is a reporting standard issued by ICAI. NFRA is an authority created under the new Companies Act to prescribe standards for accounting and auditing.