Audit Objectives Associated with PC Security
Audit objectives for assessing controls in the PC environment include the following:
• Verify that controls are in place to protect data, programs, and computers from unauthorized access, manipulation, destruction, and theft.
• Verify that adequate supervision and operating procedures exist to compensate for lack of segregation between the duties of users, programmers, and operators.
• Verify that backup procedures are in place to prevent data and program loss due to system failures, errors, and so on.
• Verify that systems selection and acquisition procedures produce applications that are of high quality and protected from unauthorized changes.
• Verify that the system is free from viruses and adequately protected to minimize the risk of becoming infected with a virus or similar malicious code.
Audit Procedures Associated with PC Security
• The auditor should observe that PCs are physically anchored to reduce the opportunity for theft.
• The auditor should verify from organizational charts, job descriptions, and observation that programmers of accounting systems do not also operate those systems. In smaller organizational units where functional segregation is impractical, the auditor should verify that there is adequate supervision over these tasks.
• The auditor should confirm that reports of processed transactions, listings of updated accounts, and control totals are prepared, distributed, and reconciled by appropriate management at regular and timely intervals.
• Where appropriate, the auditor should determine that multilevel password control is used to limit access to data and applications and that the access authority granted is consistent with the employees’ job descriptions.
• If removable or external hard drives are used, the auditor should verify that the drives are removed and stored in a secure location when not in use.
• By selecting a sample of backup files, the auditor can verify that backup procedures are being followed. By comparing data values and dates on the backup media to the production files, the auditor can assess the frequency and adequacy of backup procedures. If an online backup service is used, the auditor should verify that the contract is current and adequate to meet the organization's needs.
• By selecting a sample of PCs, the auditor should verify that their commercial software packages were purchased from reputable vendors and are legal copies. The auditor should review the selection and acquisition procedures to ensure that end-user needs were fully considered and that the purchased software satisfies those needs.
• The auditor should review the organization’s policy for using antiviral software. This policy may include the following points:
1. Antiviral software should be installed on all microcomputers and invoked as part of the startup procedure when the computers are turned on. This ensures that all key sectors of the hard disk are examined before any data are transferred through the network.
2. All upgrades to vendor software should be checked for viruses before they are implemented.
3. All public-domain software should be examined for virus infection before it is used.
4. Current versions of antiviral software should be available to all users. Verify that the most current virus data files are being downloaded regularly and that the antivirus program is running continuously in the PC's background, and is thus able to scan all incoming documents. Corporate versions generally include a "push" update in which the software automatically checks the antivirus vendor's home Web site for new updates each time the PC is booted and connected to the Internet.
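Two of the procedures above lend themselves to automated audit tests: the multilevel-password bullet (is the access authority granted consistent with each employee's job description?) and the backup bullet (do the data values and dates on the backup copies agree with production, and how old are the copies?). The script below is an added example and is not part of the textbook. The role entitlement matrix, user names, access-list entries, file names and the 24-hour backup policy are all assumptions constructed for illustration; the backup test builds its sample files in a temporary directory so it runs offline.

```python
"""Two automated audit tests for the PC environment (added example, not from
the textbook): (1) reconcile granted access levels against the role matrix
implied by job descriptions; (2) compare a sample of backup files with the
production copies by content hash and timestamp. All role names, users,
files and access-list entries below are constructed for illustration."""
import hashlib
import os
import tempfile
from pathlib import Path

# Privilege ladder of the assumed multilevel password scheme
LEVELS = {"none": 0, "read": 1, "update": 2, "admin": 3}

# Assumed entitlement matrix derived from the job descriptions
ROLE_ENTITLEMENTS = {
    "AP clerk": {"AP_LEDGER": "update", "GL": "read"},
    "GL accountant": {"GL": "update", "AP_LEDGER": "read", "PAYROLL": "read"},
    "IT support": {"OS_ADMIN": "admin"},
}

POLICY_MAX_BACKUP_AGE_H = 24  # assumed policy: daily backups


def excess_privileges(granted, matrix=ROLE_ENTITLEMENTS):
    """granted: iterable of (user, role, resource, level) taken from the
    PC/application access control lists. Returns every right that exceeds
    the level the user's job description authorises, with that level."""
    findings = []
    for user, role, resource, level in granted:
        allowed = matrix.get(role, {}).get(resource, "none")
        if LEVELS[level] > LEVELS[allowed]:
            findings.append((user, resource, level, allowed))
    return findings


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_backups(prod_dir, backup_dir, now, max_age_h=POLICY_MAX_BACKUP_AGE_H):
    """Compare each sampled production file with its backup copy.
    MISSING: no backup exists.  STALE: backup older than policy allows.
    CONTENT_MISMATCH: backup is at least as new as production yet differs,
    so the difference cannot be explained by later production activity."""
    findings = []
    for prod in sorted(Path(prod_dir).iterdir()):
        bak = Path(backup_dir, prod.name)
        if not bak.exists():
            findings.append((prod.name, "MISSING"))
            continue
        bak_mtime = bak.stat().st_mtime
        if (now - bak_mtime) / 3600 > max_age_h:
            findings.append((prod.name, "STALE"))
        elif bak_mtime >= prod.stat().st_mtime and sha256(bak) != sha256(prod):
            findings.append((prod.name, "CONTENT_MISMATCH"))
    return findings


def run_sample():
    """Constructed sample data; returns (access findings, backup findings)."""
    granted = [
        ("jdoe", "AP clerk", "AP_LEDGER", "update"),
        ("jdoe", "AP clerk", "GL", "update"),              # job description allows read only
        ("asmith", "GL accountant", "PAYROLL", "read"),
        ("asmith", "GL accountant", "OS_ADMIN", "admin"),  # not authorised at all
        ("rlee", "IT support", "OS_ADMIN", "admin"),
        ("rlee", "IT support", "AP_LEDGER", "update"),     # operator able to alter accounting data
    ]
    access = excess_privileges(granted)

    now = 1_700_000_000.0  # fixed "audit date" so the sample is reproducible
    with tempfile.TemporaryDirectory() as tmp:
        prod, bak = Path(tmp, "production"), Path(tmp, "backup")
        prod.mkdir()
        bak.mkdir()

        def put(path, data, age_h):  # write a file and back-date its mtime
            path.write_bytes(data)
            os.utime(path, (now - age_h * 3600,) * 2)

        put(prod / "ledger.dat", b"GL 2024-05", 10); put(bak / "ledger.dat", b"GL 2024-05", 6)    # current
        put(prod / "payroll.dat", b"PAYROLL v2", 2); put(bak / "payroll.dat", b"PAYROLL v1", 72)  # stale
        put(prod / "vendors.dat", b"VENDORS", 1)                                                   # no backup
        put(prod / "cash.dat", b"CASH", 30);     put(bak / "cash.dat", b"CASH-CORRUPT", 5)         # suspect
        backups = audit_backups(prod, bak, now)
    return access, backups


if __name__ == "__main__":
    access, backups = run_sample()
    print("Excess access rights:", *access, sep="\n  ")
    print("Backup exceptions:", *backups, sep="\n  ")
```

In practice the `granted` list would be exported from the application's user administration screens or the operating system's group memberships, and the production and backup directories would be the sampled folders on the PC and on the backup media. A content mismatch is only treated as an exception when the backup is at least as new as the production file; a backup that is older than a recently changed production file is expected, and whether that gap is acceptable is decided by the age test against the backup policy.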