One of the audit engagements listed in the annual risk-based internal audit plan of the Department of Labour was an information technology (IT) General Control Review. As the CAE, you assigned the internal audit manager to conduct the audit and the scope of the audit limited to IT general controls. Since there is no IT Steering Committee, the internal audit manager has been directed to Stephen Phiri, the Financial Accountant and Palesa Ndlovu, the IT Manager. The following information came to light: 1. Data is processed on the departments small mainframe, which is located in the IT division. The IT division is linked to the user divisions by on-line terminals. In addition to the mainframe there are various other pieces of hardware e.g. print servers linked to the mainframe;

2. To assist you in your review, Stephen Phiri, arranged for you to obtain his secretary, Annette Samuel's password, should you want to gain access to the system and its various applications. She gave you her user ID and informed you that her password was AS123 and that, as she would be away the next day, you could work at her terminal;

3. In response to your enquiry relating to the use of computer-generated logs, Palesa Ndlovu, was fairly vague and indicated that she thought the only logs which may be used were related to specific applications such as Masterfile amendments;

4. Although access to the IT division was controlled by a security key pad, it was not necessary for you to obtain the entry code as, on the day of your visit, the door was held open by the fire extinguisher to enable a stationery company to make a delivery of printer paper. You also noticed that the extinguishers nozzle had been removed from the extinguisher and was being used as a flower vase. It had been attractively placed on top of a server;

5. Palesa Ndlovu, indicated that a disaster recovery plan was not regarded as necessary as: the size and complexity of the IT facility did not warrant it; no disaster had occurred in the last few years; the IT personnel were honest; and he felt that modern day hardware was very reliable and no need for backup.

6. IT staff are encouraged to experiment and explore potential improvements to application software, but in their own time. Where program enhancement changes are needed to affect the improvements, the staff member may implement the improvement but must inform Palesa Ndlovu. (Graded Questions on Auditing 2019, adapted and modified)

REQUIRED MARKS 2.1 Based on the information given above, discuss the weaknesses in general controls at the Department of Labour: IT Division in respect of access controls; and continuity of operations. For each weakness, discuss the associated risk. (20 marks)

2.2 Discuss the conditions that you as the IT auditor will take into account when deciding whether or not to use CAATTS in the audit engagement.(5) 2.3 Briefly discuss the three performance implementation standards that specifically address the internal auditors assurance engagement responsibilities regarding information systems and technology.(3)