Mega Corp of Los Angeles, California, installed a backup data center at its Dallas, Texas, office 16 months ago. The center is used for testing and development work with full capabilities to handle complete backup processing in the case of a failure of the company's primary computer center. The new data center is located on the fifth floor of the Dallas office complex and consists of a large IBM mainframe, 15 tape drives, 20 disk drives, and network-communications equipment to link the center to the company's worldwide teleprocessing network. The network had 100 terminals connected, but ten were returned to the supplier last month.

One thousand employees occupy the top 36 floors of the complex with the remaining space

leased out to other businesses. Approximately 25 of the 1,000 employees work to cover the center's three shifts (the center operates 24 hours per day 365 days per year) that provide functions of scheduling, security, software support, operations support, and library facilities.

The Computer Operation

Information regarding the computer operation is as follows:

An automatic fire-extinguishing (Halon 1301) system was installed six months ago. At that

time, management provided a meeting for all computer personnel to verbally instruct them as to

their responsibilities in the event of a fire emergency.

A security officer was hired prior to the startup of the computer center to administer security

procedures for the protection of the facility. The officer reports directly to the computer center

manager.

A separate forms areas is maintained at the center to store related computer forms (stock paper,

preprinted check forms, blank invoices, etc.). A one-week inventory of forms is kept in the

printer area to enable the printer operator to load them timely when requested.

Forethought was given to locating production-status and backup tapes adjacent to the tape

drives to facilitate their mounting in a timely manner.

Procedure manuals specify a yearly inventory of hardware at the Dallas computer center whose

manager instructed that an inventory should not be taken because new equipment has not been

received and that the inventory list should be accurate.

Devices were installed at entrance and exit points of the computer facility to detect magnetic

items (tapes and/or disk packs) passing through. This was done to prevent the unauthorized

removal of tapes or disks.

To provide adequate backup for the computer center personnel, the librarian, computer

operator, and the programmer functions are performed by all personnel so the center will be

operational if it lost an employee who was the only one that could perform one of these jobs.

Messages of special instructions or problems encountered are verbally passed from shift to shift. The computer-center manager feels this is adequate considering the small size of the staff.

Thirty incoming dial-up communication lines exist at the center to provide a link between the

company's 50 remote sites and the mainframe computer. These lines are patched directly to the

mainframe to avoid any human intervention that might result in loss of data due to a

disconnection of cables.

A maintenance contract exists with a local computer representative to provide repair service

anytime it is contacted. The head computer operator contacts the service company for repairs.

The serviceman maintains a notebook of any repairs made, even though this is not required by

his company.

The remote tape library is located on the sixth floor above the computer center directly over the

existing production tape library. Personnel stated that the distance between the tape drives and

the remote library is too far to make practical use of the library. Moreover, the room is being

used for temporary forms storage.

No written procedures exist to explain who or how users should contact the computer facility to

obtain help with their computer problems or inquiries. Consequently, user personnel usually

enter the computer center and flag down the first person they see to obtain any needed

assistance. Computer personnel feel this is a bother to them to have to deal with the users in

addition to their scheduled job duties.

The auditing division's schedule indicates that an audit of the computer center will be started

next month. A lead auditor was assigned to the computer review, and the audit methodology

described below was followed.

Developing Scope

The audit of the Dallas computer center is intended to be a complete operational review

identifying and documenting all procedures necessary for its continued operation. A review of the physical facilities will be conducted to determine that all personnel, equipment, and data are

adequately protected.

Obtaining Background Information

Background information was obtained from computer correspondence, related audit

working papers, audit publications, and discussions with other auditors.

Developing Audit Objectives

Audit objectives were developed to provide the staff auditors guidance in reviewing

controls. These objectives developed for the computer center review include:

1. Ensure that adequate segregation of duties exists.

2. Ensure that communications in or out of the center are logged and adequately controlled to

prevent fraud or misuse.

3. Determine that quality control is practiced through constant monitoring of activities and

equipment with revisions made as necessary.

4. Ensure that adequate security exists in and around the center and the related facilities to

protect personnel, equipment, and data from destruction, hazard, and misuse.

5. Ensure that regularly performed functions and procedures are scheduled in an orderly

fashion, facilitating maintenance and processing.

6. Ensure that an accurate inventory of all equipment and supplies is maintained.

7. Determine that all data are necessarily backed up to afford a smooth and timely recovery.

8. Ensure that all sensitive and controlled/ negotiable documents are adequately protected from

theft and misuse and are periodically accounted for as appropriate.

9. Ensure that security-review functions are performed by an independent security officer.

10. Determine that departmental and system documentation is adequate and current.

Submitting the Planning Memorandum

The auditee was notified of the scheduled audit by sending a planning memo containing the

time frame of the audit, its scope, the auditors assigned, and the audit objectives.

Performing the Preliminary Survey

The audit team performed a preliminary review survey by reviewing the auditee's

objectives, organizational structure, physical facilities, personnel, administrative controls, and

operations. At that time, the audit objectives were reviewed and expanded or altered as necessary

along with the scope. The modifications were made with the audit supervisor's approval. The audit team evaluated the results of the survey identifying controls and areas of audit emphasis.

Developing the Audit Program

The audit team developed an audit program detailing the procedures to test the controls

identified in the preliminary survey.

Performing the Audit Fieldwork

The audit team performed the tests defined in the audit program and documented evidence

for support of audit findings.

Required:

From the background information provided and objectives listed, identify six control weaknesses. Identify the weakness, impact and make a recommendation for each weakness.