CASE STUDY

GALAXY BANK AND TRUST CORPORATION (GBTC), a banking institution, has used the same credit card service organization for over a decade now. The financial institution utilized the credit card application supplied by the Assurance Credit Card, Inc.(ACCI) , a credit card service organization as well as the data processing resources at its organization's data center.You were engaged by GBTC to conduct an Information Systems Audit of the ACCI. which will help GBTC decide whether it will still engage the credit card services of ACCI for the next three (3) years.

Based on your audit, a majority of the control objectives (as listed below)were achieved by ACCI. You have also identified weaknesses in its system which were correctedby ACCI over time. Also, the weaknesses were not considered to be an indication that the overall control environment at the service organization was suspect.Many of the control weaknessesdiscovered are fairly generic and could exist in almost any organization.

List of Deficiencies Noted in Your Audit

1. The quality assurance department does not review output from each plastic card production run for either embossing or encoding accuracy. Without quality assurance or other review, incorrectly embossed or encoded credit cards could be distributed to user institution customers. A possible ramification of an encoding error is that the daily withdrawal limit located on track 3 of the card's magnetic strip could be greater than the amount intended.

2. Programmer manuals describing file layouts, record layouts, subroutine calls, and other pertinent information are not consistently prepared. After initial development, program modifications or enhancements are more difficult and prone to error without detailed program documentation.

3. Although the service organization has a policy that authorizes only appropriate individuals to make program or other modifications, only rudimentary password protection exists to ensure that the policy is followed. System security application software, such as RACF or ACF2, is not installed to help prevent unauthorized modifications to application software, data files, or system software.

4. The internal audit schedule is not adhered to and the areas actually audited are subjectively determined. Audit reports are not always issued on a timely basis, management responses are not documented, and followup audits to determine the implementation status of recommendations are not performed. The internal audit department does not consistently review system design, development, and maintenance controls for program changes. Information systems audit personnel do not routinely attend meetings in which system enhancements and major rewrites of the systems affecting all user institutions are determined.

5. The service organization does not have a consistently applied systems development methodology in place. Client organization sign-off on systems prior to implementation is not solicited by the service organization. Program documentation is not consistently prepared. Program modifications are often placed into production without supervisory review or user approval.

6. Programmer manuals describing file layouts, record layouts, subroutine calls, and other pertinent information are not consistently prepared. After initial development, program modifications or enhancements are more difficult and prone to error without detailed program documentation.

7. Programmers are able to write and authorize their own program changes to be placed into production without consistent review or approval. Once a program is assigned to a programmer for modification, the completion of testing is generally at the programmer's discretion. System validation tests are not routinely performed to ensure that no source code was accidentally deleted or otherwise improperly modified.

8. The service organization does not have a designated person who has responsibility for administering security. No formalized, documented security procedures exist for the assignment of key cards allowing access to critical operational areas, access to application systems by service organization employees through the in-house security system, or control of programmer access through the ACF2 access control software. Security violation reports are not routinely reviewed, passwords are not routinely changed, terminated and transferred employee passwords and key cards are not always removed or modified on the appropriate systems on a timely basis, and an excessive number of individuals are capable of performing password maintenance. Groups of programmers share the same user IDs and passwords for time-sharing functions, thus decreasing the personal accountability for the use of the system. The service organization has recently implemented an access control facility program to control access to programs and data in the batch and time-sharing environments. However, the access control facility was not installed on the test computer, which was connected to the production computer and all disk files.

9. System and production tapes, which would be required in the event of a recovery of data processing service, are not always maintained in the offsite storage facilities. The service organization disaster recovery plan is incomplete and lacking in detail in a number of areas.

10. Systems programmers are given unrestricted access to the System Management Facility (SMF), which is the primary audit trail in the MVS operating system used at the service organization. This facility is used to journal a wide variety of system events, including ACF2 access control software information.

11. No method exists to authorize or document changes made by systems programmers to sensitive areas such as the System Parameter Library (SPL), which contains key information for the audit, control, and security of the

MVS operating system.

12. The Authorized Program Facility (APF) is provided by IBM to control access to libraries of programs that can circumvent all security mechanisms of the operating system, including the access control software. Most APFauthorized libraries can be accessed only by systems programmers whose job it is to maintain the programs in those libraries. However, one test library was APF authorized and also allowed application programmers unrestricted access to it. As a result, the possibility existed that an application programmer could run an unauthorized program.

13. The production library for application programs is APF authorized and contained 25 APF authorized programs, some of which were old and un- documented. During our review, all 25 of these programs were either deleted or moved to a more appropriate library.

14. For performance or other reasons, the mainframe was designed to allow certain programs to bypass standard MVS security and control mechanisms. The base Program Properties Table contains the names of several programs that are not used at the service organization. These program names are authorized to bypass certain functions, such as dataset integrity or MVS passwords, and to access main storage owned by other programs. Since these programs do not exist at the service organization, it would be possible for someone to create an unauthorized program, assign it the name of one of the programs not being used in the Program Properties Table, and then run it without being subject to standard security controls.

15. No policy existed to require users to periodically change their passwords.

16. ACF2 has the capability to protect tape files from unauthorized access. However, this feature was not being utilized by the service organization. Thus, it is possible for a programmer to read a production tape, create a copy of it with certain records changed, and substitute it for the production tape.

17. The service organization does not have a consistently applied formal systems development methodology in place. Furthermore, written user approval of systems prior to implementation is not always obtained by the service organization, program documentation is not routinely prepared, and program modifications are sometimes placed into production without supervisory review or user approval. As a result, there is an increased risk that areas of user concern could be bypassed, important control features could be overlooked, and programs may not be properly tested or designed to meet user specifications.

18. Programmer documentation describing file layouts, record layouts, subroutine

calls, and other data are not routinely prepared. As a result, after a system is developed, program modifications or enhancements are more difficult to perform, and such changes are more likely to contain errors.

19. Programmers are able to write and authorize their own program changes to be placed into production without consistent review or approval. Once a program is assigned to a programmer for modification, the completion of testing is generally at the programmer's discretion. Test plans are not consistently prepared, and test results are not always reviewed by supervisory personnel. These weaknesses increase the risk that source code could be accidentally deleted or otherwise improperly modified.

20. Application programmers have write access to a variety of production source, parameter, cataloged procedure, and macro libraries. This access is not logged by ACF2. Thus, programmers could make unauthorized changes to the source code, which might be placed into production at a later time.

21. The service organization's disaster recovery plan has been developed to address only the destruction of the main data center and the IBM mainframe computers. Network recovery procedures are not addressed, nor are procedures defined in the Card Production Department and Statement Production Department. Also, the existing plan was not tested for a 20- month period. When a service auditor's report does not express an opinion as to the operating effectiveness of the policies and procedures in place at a service organization, an internal auditor should recommend to the process owner at the client organization that they ask the service organization why the service auditor did not perform tests of operating effectiveness. The most common reason is that the service organization was avoiding the additional fee that would be charged by the service auditor to perform additional testing. If this is the case, the internal auditor should assess the level of risk associated with the process being audited. If the risk is considered high, the auditor should recommend that the process owner submit a request to the service organization that the service auditor perform tests of the operating effectiveness of the policies and procedures in place at the service organization. If the service organization refuses, the internal auditor should work with the process owner at the client organization to determine whether the risk is significant enough to consider utilizing the service of an alternative service organization. Another option is for the client organization to send its own auditors to the service organization's processing facilities to perform an audit of applicable general controls. While this type of audit will not be as detailed and will not be able to test for a six-month period, it will provide a limited amount of assurance that at least basic controls are being exercised by the service organization.

CONTROL OBJECTIVES AS SPECIFIED BY ACCI MANAGEMENT

Control objectives are specified by ACCI's management. However, service auditors play a significant role in consulting with management to ensure that the control objectives specified address the primary risks associated with the service organization's operations. Following each control objective is a detailed description of the policies and procedures purported to be in place to ensure that the control objective is attained. ACCI Management also provides this information. For service auditor reports that include the auditor's opinion on the operating effectiveness of the policies and procedures placed in operation, the service auditor specifies the tests performed to gain reasonable, but not absolute, assurance as to their effectiveness. These tests typically include inquiries with management and staff of the service organization, sample tests of individual transactions, examinations of system access controls, assessment of segregation of duties, observation of service organization operations, and so on.

Below is an INTERNAL CONTROL CHECKLIST that your accounting firm uses for IT Audit engagements:

CONTROL OBJECTIVES FOR A CREDIT CARD PROCESSING SERVICE ORGANIZATION

1. The data center and client functions should be structured to maintain adequate segregation of duties.

2. The data center should be organized to provide adequate segregation of duties and functions.

3. Internal audit should provide a review and verification of electronic data processing operations.

4. Appropriate administrative policies and procedures should be documented.

5. A quality assurance function should exist to ensure the quality of service provided to clients.

6. New programs being developed and changes to existing programs should be authorized, tested, approved, properly implemented, and documented.

7. Changes to existing software should be authorized, tested, approved, and implemented properly.

8. Physical access to computer equipment and storage media should be limited to properly authorized individuals.

9. Logical access to production programs and data in the mainframe environment should be granted only to appropriately authorized individuals.

10. Processing should be scheduled appropriately, and deviations should be identified and resolved.

11. Data transmissions between the service organization and clients should be complete, accurate, and secure.

12. Data transmissions between the service organization's data centers should be complete, accurate, and secure.

13. Credit card application information should be accepted from authorized sources.

14. Credit card application information should be recorded completely, accurately, and in compliance with client specifications.

15. Output information should be complete, accurate, and distributed in accordance with client specifications.

16. Online input should be received from authorized sources.

17. Appropriate client specifications should be used for programmed calculations.

18. Card-holder activity should be completely and accurately posted to the appropriate accounts.

19. Card-holder statement information should be complete, accurate, and distributed in accordance with client specifications.

20. Personal identification numbers and post mailer notification information should be complete, accurate, and distributed in accordance with client specifications.

21. Management reports and data files should be complete, accurate, and distributed in accordance with client specifications.

22. Output information to other application systems should be complete and accurate.

23. Card production requests should be accepted from authorized sources.

24. Cards should be produced completely and accurately.

25. Access to blank cards should be limited to authorized personnel, and inventory should be accounted for properly.

26. Card production output should be distributed in accordance with client specifications.

27. Input should be completely and accurately received from authorized sources.

28. Interchange transactions should be completely and accurately processed in accordance with client and association specifications.

29. Net settlement amounts should be accurate.

30. Merchant transaction reports should be complete and accurate.

31. Output to other application systems at the service organization should be complete and accurate.

32. Merchant transactions should be received completely and accurately from the merchant system.

33. Merchant information should be processed completely, accurately, and in accordance with client specifications.

34. Output information should be complete, accurate, and distributed in accordance with client specifications.

35. Administrative and operational procedures should be established within the service organization data center to reasonably assure protection of physical assets and continuity of operations.

CONTROL OBJECTIVES FOR A SERVICE ORGANIZATION THAT PROVIDES MULTIPURPOSE APPLICATIONS FOR FINANCIAL INSTITUTIONS

Control policies and procedures provide reasonable assurance as to the operating effectiveness of the following:

1. Changes to the application system are authorized, tested, approved, properly implemented, and documented.

2. Changes to existing system software and implementation of new system software are authorized, tested, approved, properly implemented, and documented.

3. Physical access to computer equipment, storage media, and program documentation is limited to properly authorized individuals.

4. Logical access to programs and data is limited to properly authorized individuals.

5. Deposit account transactions are properly authorized.

6. Deposit account transactions are processed completely and accurately.

7. Deposit account balances are calculated correctly.

8. Loan transactions are properly authorized.

9. Loan transactions are processed completely and accurately.

10. Loan balances are calculated correctly.

INSTRUCTION:

1.Design a letterhead of your accounting firm (showing its full name, business address, contact numbers, and e-mail address, preferably with a company logo. )

2.Using your accounting firm's letterhead, Draft an Information Systems Audit Report following the format presented below:

(Your Auditing Firm's Letterhead)

Addressee: (Audit Committee of the Board of Directors of GALAXY BANK AND TRUST CORPORATION)

We have conducted an audit of the Assurance Credit Card, Incorporated's (ACCI) credit card application system, your company's credit card service-provider. Our audit also included tests of controls ofACCI's data processing resources at its organization's data center.In view thereof, we are pleased to report our audit findings and opinion which will help the GBTC decide whether it will still engage the credit card services of ACCI for the next three (3) years. Presented below is the Executive Summary of our audit findings,recommendations, and our audit opinion.

AUDIT REPORT

EXECUTIVE SUMMARY

BACKGROUND:________________________________________________________

______________________________________________________________________

______________________________________________________________________

SCOPE OF AUDIT:_____________________________________________________

______________________________________________________________________

______________________________________________________________________

AUDIT OBJECTIVES AND RESULTS:

_____________________________________________________________________

_____________________________________________________________________

_____________________________________________________________________

SUMMARY OF AUDIT FINDINGS

CONTROL

CATEGORIES

CONTROL POLICIES & TECHNIQUES

AUDIT FINDINGS, RESULTS AND ISSUES

RECOMMENDATIONS

GOOD CONTROL

WEAK CONTROLS/

DEFICIENCIES

1.Access

Controls

Restricting Access to Production Programs

Systems programmers are given unrestricted access to the System Management Facility (SMF), which is the primary audit trail in the MVS operating system used at the service organization. This facility is used to journal a wide variety of system events, including ACF2 access control software information.

Logical access to production programs and data in the mainframe environment should begranted only to appropriately authorized individuals.

AUDIT OPINION:

In our opinion, _______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________.

__________________

Name of auditing firm

_______________________________________________

Signature over Printed Name of Audit Engagement Partner

________________

Date of audit report