Microcomputer Audit Guide

Pages: 344-349
DOI: https://doi.org/10.1108/eb044723
Date: 01 June 1986
Published date: 01 June 1986
Author: Meredith C. Adkins, Kathleen C. Lucas
Subject Matter: Information & knowledge management, Library & information science
ARTICLES
MEREDITH C. ADKINS
Microcomputer Coordinator, Regional Computer Center, Data Processing Agency, City of Cincinnati and Hamilton County, USA
KATHLEEN C. LUCAS
Senior Internal Auditor, City of Cincinnati, USA
Editor's note: When I came across this article as part of my routine journal scanning, I thought what a useful checklist this could be for electronic library managers, who have installed or are considering installing micros in their libraries. I am delighted to report that the publisher of the journal in which the article appeared, A. James Andrews, concurs with my view and has graciously agreed that it may be reprinted in The Electronic Library.
This audit guide is written for all departments and divisions using microcomputers within the government of the City of Cincinnati. Its purpose is to provide guidance on how to measure the adequacy of control and security of their systems, identify areas of risk and raise management and user awareness of their stewardship responsibilities.
The City of Cincinnati has formal standards related to the acquisition of microcomputers. It also has hardware and software standards. Additionally, the Regional Computer Center has formal standards covering all aspects of mainframe computer software development. This guide was prepared from generally accepted microcomputer standards that have been adopted and published by various outside sources. We anticipate that over the next year the guide will be enhanced and eventually form the basis for microcomputer standards for the City of Cincinnati.
The following questions represent methods for achieving good control and security over microcomputer systems. A 'yes' answer indicates adherence to generally accepted standards. A 'no' answer indicates a potential problem area and should be given further attention.
I. Management control    YES  NO
Management should be provided with management reports through which progress toward goals may be reviewed.
1. Are microcomputer long-range and short-range plans provided to management?
2. Do management reports show evidence of goal achievement?
3. Are microcomputer usage risks periodically reviewed by management?
II. Control analysis
There should be an assessment of risks associated with microcomputer use, and an analysis of cost/benefit considerations in determining what control features to include.
1. Was an assessment of risks associated with microcomputer use performed as follows:
   a. Were types of applications (accounting, analytical, word-processing and office automation) in use identified?
   b. Were the sensitivity and vulnerability of data in each classification of applications evaluated?
   c. Was a cost/benefit analysis performed to identify what control features to include?
2. Are users in your department trained in accordance with the duties they perform?
3. For sensitive applications, have critical duties been separated?
4. Where separation of duties is inadequate, do compensating controls exist?
5. Is one person designated as the System Administrator?
6. Is the System Administrator responsible for the overall operation of the system including hard disk storage allocations and management, loading software programs, archiving, configuring the system, cleaning the system and maintaining the system?
7. Is the System Administrator trained to manage the system including the use of standard backup utilities?
344 The Electronic Library, December 1986. Vol. 4, No. 6.
