Question
Mega Corp of Los Angeles, California, installed a backup data center at its Dallas, Texas, office 16 months ago. The center is used for testing and development work with full capabilities to handle complete backup processing in the case of a failure of the company's primary computer center. The new data center is located on the fifth floor of the Dallas office complex and consists of a large IBM mainframe, 15 tape drives, 20 disk drives, and network-communications equipment to link the center to the company's worldwide teleprocessing network. The network had 100 terminals connected, but ten were returned to the supplier last month.
One thousand employees occupy the top 36 floors of the complex with the remaining space leased out to other businesses. Approximately 25 of the 1,000 employees work to cover the center's three shifts (the center operates 24 hours per day 365 days per year) that provide functions of scheduling, security, software support, operations support, and library facilities.
The Computer Operation
Information regarding the computer operation is as follows:
An automatic fire-extinguishing (Halon 1301) system was installed six months ago. At that time, management provided a meeting for all computer personnel to verbally instruct them as to their responsibilities in the event of a fire emergency.
A security officer was hired prior to the startup of the computer center to administer security procedures for the protection of the facility. The officer reports directly to the computer center manager.
A separate forms area is maintained at the center to store related computer forms (stock paper, preprinted check forms, blank invoices, etc.). A one-week inventory of forms is kept in the printer area to enable the printer operator to load them timely when requested.
Forethought was given to locating production-status and backup tapes adjacent to the tape drives to facilitate their mounting in a timely manner.
Procedure manuals specify a yearly inventory of hardware at the Dallas computer center, whose manager instructed that an inventory should not be taken because new equipment has not been received and that the inventory list should be accurate.
Devices were installed at entrance and exit points of the computer facility to detect magnetic items (tapes and/or disk packs) passing through. This was done to prevent the unauthorized removal of tapes or disks.
To provide adequate backup for the computer center personnel, the librarian, computer operator, and programmer functions are performed by all personnel so that the center would remain operational if it lost an employee who was the only one able to perform one of these jobs.
Messages of special instructions or problems encountered are verbally passed from shift to shift. The computer-center manager feels this is adequate considering the small size of the staff.
Thirty incoming dial-up communication lines exist at the center to provide a link between the company's 50 remote sites and the mainframe computer. These lines are patched directly to the mainframe to avoid any human intervention that might result in loss of data due to a disconnection of cables.
A maintenance contract exists with a local computer representative to provide repair service anytime it is contacted. The head computer operator contacts the service company for repairs. The serviceman maintains a notebook of any repairs made, even though this is not required by his company.
The remote tape library is located on the sixth floor above the computer center directly over the existing production tape library. Personnel stated that the distance between the tape drives and the remote library is too far to make practical use of the library. Moreover, the room is being used for temporary forms storage.
No written procedures exist to explain whom users should contact at the computer facility, or how, to obtain help with their computer problems or inquiries. Consequently, user personnel usually enter the computer center and flag down the first person they see to obtain any needed assistance. Computer personnel feel it is a bother to have to deal with the users in addition to their scheduled job duties.
The auditing division's schedule indicates that an audit of the computer center will be started next month. A lead auditor was assigned to the computer review, and the audit methodology described below was followed.
Developing Scope
The audit of the Dallas computer center is intended to be a complete operational review identifying and documenting all procedures necessary for its continued operation. A review of the physical facilities will be conducted to determine that all personnel, equipment, and data are adequately protected.
Obtaining Background Information
Background information was obtained from computer correspondence, related audit working papers, audit publications, and discussions with other auditors.
Developing Audit Objectives
Audit objectives were developed to provide the staff auditors guidance in reviewing controls. These objectives developed for the computer center review include:
1. Ensure that adequate segregation of duties exists.
2. Ensure that communications in or out of the center are logged and adequately controlled to prevent fraud or misuse.
3. Determine that quality control is practiced through constant monitoring of activities and equipment with revisions made as necessary.
4. Ensure that adequate security exists in and around the center and the related facilities to protect personnel, equipment, and data from destruction, hazard, and misuse.
5. Ensure that regularly performed functions and procedures are scheduled in an orderly fashion, facilitating maintenance and processing.
6. Ensure that an accurate inventory of all equipment and supplies is maintained.
7. Determine that all data are necessarily backed up to afford a smooth and timely recovery.
8. Ensure that all sensitive and controlled/negotiable documents are adequately protected from theft and misuse and are periodically accounted for as appropriate.
9. Ensure that security-review functions are performed by an independent security officer.
10. Determine that departmental and system documentation is adequate and current.
Submitting the Planning Memorandum
The auditee was notified of the scheduled audit by sending a planning memo containing the time frame of the audit, its scope, the auditors assigned, and the audit objectives.
Performing the Preliminary Survey
The audit team performed a preliminary review survey by reviewing the auditee's objectives, organizational structure, physical facilities, personnel, administrative controls, and operations. At that time, the audit objectives were reviewed and expanded or altered as necessary along with the scope. The modifications were made with the audit supervisor's approval. The audit team evaluated the results of the survey identifying controls and areas of audit emphasis.
Developing the Audit Program
The audit team developed an audit program detailing the procedures to test the controls identified in the preliminary survey.
Performing the Audit Fieldwork
The audit team performed the tests defined in the audit program and documented evidence for support of audit findings.
Required:
From the background information provided and objectives listed, identify six control weaknesses. For each, state the weakness and its impact, and make a recommendation.