
IBM AS400 Security Procedures

  • 2025/5/25 21:26:33

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

J. Operations/Processing

1. Obtain a copy of the EDP department work schedules for computer processing to ensure:

a. There is adequate staffing for each area of work.
b. All tasks are accomplished in a timely manner to meet user requirements.

2. Ensure schedules are periodically reviewed to determine if they are current.

3. Review the computer activity log, which is maintained for all work performed and any errors that occur, and compare it to the workload schedules to determine if schedules are satisfactorily met.

4. Describe how frequently the computer activity utilization reports are reviewed.

5. Review the operator’s manual, which should include job control procedures, operating instructions and computer facility maintenance requirements.

6. Document the procedures in place for the periodic review and update of the operator’s manual.

7. Describe the times the computer is operational and the various shifts that are maintained.

8. Ensure adequate cross training of EDP personnel has occurred for continued functioning of the computer if the operator is absent.

9. Determine if a concentration of duties exists and if compensating controls are in place.

OPERATIONS/PROCESSING

J/PROG


J. Operations/Processing (continued)

10. Review procedures in place which would allow management to detect if operators process unauthorized jobs.

11. Review procedures to control access to and usage of production files stored on diskette or tape.

12. Review procedures for the proper handling of diskettes or tapes, which include:

a. External labeling requirements.
b. Internal labeling requirements.
c. Provisions to ensure only the correct diskettes or tapes are used.

13. Describe the transmittal form used to control the movement of each batch of source documents or input forms between the users and data entry.

14. Ensure that batches are identified by a serial number or sequence number to provide subsequent accountability and for reference purposes.

15. Review completed batches for specially marked indicators to prevent duplication or omissions.

16. Obtain a copy of the log maintained in the data entry area to record the flow of batches. Is a similar log maintained in user departments?

17. Review procedures for requirement of data entry personnel to contact users if there are any errors in batches prior to input.

18. Describe the method of storing the source documents while they are in the custody of the EDP department.


J. Operations/Processing (continued)

19. Obtain a copy of the current output distribution list. What about output queues? Are they separated for confidential reports (payroll, accounts payable, etc.)?

20. Review output distribution list for accuracy, completeness, etc.

21. Document flow of output, to ensure proper safeguards are placed on the output, until it arrives in the user departments.

22. Review procedures for output, which should include:

a. Review of all output for completeness.
b. All errors are recognized and reported.
c. Batch totals match output totals.
d. Confidential outputs handled properly.

23. Review the tape inventory list.

a. Are scratch tapes all accounted for (in scratch bin and missing from tape rack)?
b. Are other empty slots accounted for?

24. If the tape inventory is separated by machine:

a. Are the tapes physically segregated?
b. Are the tapes identified in some way so as to distinguish one set of tapes from the other (color coordinated - as an example)?
c. Is the serial number sequence unique?


K. SYSTEM ACCESS CONTROLS

Objective: To ensure that system security options are appropriately set to provide an adequate level of logical security.

Procedures:

K.1 System Access Security - General

K.1.1 Ensure that all security files are backed-up to diskette/tape every time they are changed.

K.1.2 Document who has access to the system console.

K.1.3 Document applications that cannot be secured using built-in system security and ensure that the following controls are programmed into the application:

1. edits on data fields.
2. secondary passwords.
3. exception reports.
4. audit trails.

K.1.4 Ensure that EDP duties are separated from user department duties.

K.1.5 Ensure that the responsibility of controlling diskettes/tapes is separated from that of programming or processing transactions.

K.1.6 Ensure that the responsibility of monitoring computer activity is separate from that of programming and operating.

K.1.7 Review cross training procedures to ensure there is no segregation of duties problem.

K.1.8 Determine if procedures have been developed for reporting and following-up on security violations.

K.1.9 Determine the required length of passwords. [Recommend 6 to 8]

K.1.11 Review the procedure in establishing the initial user-id. [How is the user-id established, how is the user informed, is the password set at expired, etc.]

SYSTEM SECURITY K/PROG
