Case Study 1


Scenarios

Study each of the following scenarios and in each case consider as appropriate:

What are the risks from the identified issue? What is the impact of the given scenario on our desired audit approach? What would you do next?

1. During your testing of program changes, you find that there is no documentation retained for user acceptance testing (UAT) and there is no other documented approval for changes to go live. You also discover that programmers have the ability to place their own code into the production environment.

2. The client you are working on completed its implementation of a major new ERP system during the year. The Engagement team, with your assistance, has identified a number of application controls that they wish to place reliance on and which will improve the effectiveness and efficiency of the audit. These have all been tested successfully. Your review of application access finds that several of the staff in the finance department who worked on the implementation have retained extensive access rights, including access to functions beyond their normal role in the business. Furthermore, the directories containing the key executable and database files are globally readable and writeable within the operating system.

3. During a tour of your client's new data center, you are impressed by the level of physical security. Previous weaknesses in remote access controls have also been resolved. Unfortunately, the focus on moving to the new facility has meant that some administrative procedures have lapsed, including the prompt removal of former employees. You find ten employees who have left during the year and have retained their access to the key system. You also note that the administrators have ceased logging on using their own IDs and now log on directly under the administrator ID.

4. Your review of logical access at this client has found that the forms used to request and grant new access to users (either new or existing employees) are not retained or filed. This finding and the lack of password expiry on the key application are the only significant weaknesses you have found.

5. Following the implementation of a patch supplied by the vendor of their off-the-shelf package system, your client has been suffering some data problems in its inventory module. Their Database Administrator (DBA) has identified the problem as being caused by an incorrect data table reference, and has written a script that corrects the data problems. He mentions to you that one side effect might be that some of the inventory reports the audit team uses for obsolescence review and cut-off purposes will be affected by the running of the script.

6. The client's key system resides on a mainframe. The users connect to the mainframe using terminal emulation software after first logging on to the client's network, which is controlled by Windows NT. Your review of Windows NT security has found several significant weaknesses, including passwords that do not expire, accounts with no password and numerous users with administrator access. Mainframe operations have been outsourced to a third party. You have obtained a user listing for the mainframe operating system and have noted that there are a large number of third-party staff with administrator rights. No client staff have these rights. You have no other concerns with mainframe security.
