IBM AS400 Security Procedures

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

C.

General Information (continued)

12.

Review minutes of steering committee and management policy meetings to identify EDP activities and progress on these projects.

13. Review management reports for evidence of management review and coordination of EDP activities.

14.

Review EDP budget versus actual cost reports to ascertain whether data center resources are properly monitored.

15.

Review procedures that are in place for the evaluation and approval of computer equipment and software packages prior to acquisition and implementation.

GENERAL

C/PROG

4

Page 2 of 2

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

D.

Standards

1.

Document who is responsible for creating and updating policies and procedures for the EDP Standards Manual.

2.

Verify that the EDP Standards Manual contains an adequate explanation of the policies for EDP procedures.

3.

Verify that the EDP Standards Manual contains: a.

Detailed procedures regarding the preparation of documentation for application systems.

b.

Conventions to be used in the development of programs.

c.

Standard forms, illustrations and their use.

d.

Security requirements for both the applications and the computer itself.

e.

Operational standards for the EDP department and surrounding areas.

STANDARDS

D/PROG

5

Page 1 of 1

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

E.

Documentation

1.

Document who is responsible for creating, maintaining and distributing application documentation.

2.

Verify that there is a formal, signed approval of each element of documentation at an appropriate management level.

3.

Verify that the documentation is maintained in secure on-site and off-site storage facilities.

4.

Verify that all major applications processed on the computer system have appropriate levels of corresponding documentation.

5.

Review selected application documentation against corresponding software programs to ensure that documentation is accurate, complete and current.

6.

For each application, verify that corresponding System Documentation contains an overview that includes: a.

The general nature and purpose of the system.

b.

The functional requirements of the system.

c.

The logical flow of the system or flow charts.

7.

For each application, verify that corresponding Program Documentation contains:

a.

Descriptions of each program and system interfaces.

b.

Input and output description.

c. Description of program logic and flow. d.

Record layouts and file descriptions.

DOCUMENTATION

E/PROG

6

Page 1of 2

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

E.

Documentation (continued)

8.

For each application, verify that corresponding User Manuals are developed, which describe the operations performed and contain: a.

Application description.

b.

Procedural requirements.

c.

Sample reports and input screens.

d.

Source documents required.

e.

Description of screens, edits, etc.

9.

Verify that current computer Operating Instructions contain:

a.

Set-up instructions.

b.

Operating system requirements.

c.

Restart and recovery procedures.

d.

Emergency procedures.

e.

Listing of program messages, responses, etc.

DOCUMENTATION

E/PROG

7

Page 2 of 2