Information System Audit:

(ISSO) Operating System and Network

Engagement Name: Cut-Off Date: WP Reference:
Audit of Operating System and
Information System Services
Office of DWCC
Prepared by: Date: Received & Noted by / Date:
Ms. Mary Jane R. Bautista,
AudCIS Group 1 07/18/18
CPA, MBA

Audit Objectives
1. Provide ISSO with an independent assessment relating to the effectiveness of the operating system and network.
2. Provide ISSO with an evaluation of the IT function’s preparedness in the event of an intrusion
3. Identify issues which affect the security of the enterprise’s operating system and network

Done
Control With
Procedures Result by /
Description Finding?
Date

I. Control Environment

Source Standard: COSO - Control Environment

Existence of
programs and 1. Obtain copy of DWCC ISSO organization
efforts to set the structure and determine if it support
tone, cultures, delegation of authority and functions of
values and DWCC's organization chart.
behavior of the 2. Obtain copy of the Job Description (JD) of
DWCC ISSO personnel and determine if duties and
are completely responsibility are clearly identified and
and properly aligned with the unit’s objective.
documented.

1. Collect evidence to support that personnel

Ensures that have completed all the necessary training to
management has develop and retain competent individuals in
in place a alignment with the objectives.
process to set
2. Obtain the Key Results Areas (KRA’s) to
objectives and
know the DWCC’s ISSO target/objectives for
that the chosen
a defined period.
objectives
support the
4. Verify if DWCC’s ISSO objective are
measurable and attainable in relation to the
DWCC’s
present manpower complement and resources
mission and are
to attain its objective.
consistent with
its risk appetite. 5. Interview DWCC’s ISSO management or
authorized person and review the operations
information to identify:

Auditing in CIS Environment Page 1 of 6

 Information System Audit:
(ISSO) Operating System and Network
a. Any significant changes in strategy or
activities that could affect the
operations environment
b. Key management changes
c. Changes to internal operations
infrastructure, architecture,
information technology environment,
and configurations or components
d. Changes in key service providers (e.g.
Core banking, transaction processing,
website/Internet banking, voice and
data communication, back-
up/recovery, etc.) and software
vendor listings
e. Any other internal or external factors
that could affect the operations
environment
6. Review the current process/practice of the
DWCC’s ISSO and note the following items
including, but not limited to:
a. Value adding and non-value adding
steps considering the:
 Risks involved
 Regulatory requirement/
Legal implications
 Automation opportunity
 Impact on service
 Efficient process/ minimize
overtime
 Compensating control
b. Any deviations from the manual/
documented flow.
c. Number of pages/ copies, printing,
photocopying and filing of reports
and forms (Evaluate the usefulness/
relevance of the pages/ contents of the
form; determine the redundant
provisions/ requirements; determine
the use/purpose of the reports
generated by IT for each
recipient/user or generated within the
DWCC’s ISSO)
d. Repetition in work steps, documents
and data recorded and use of
logbooks/ registers (Evaluate if there
are duplicate/redundant functions
based on updated Job Descriptions)
e. Bottlenecks/delays in the process
f. Multiple or unnecessary reviews and
approvals

Auditing in CIS Environment Page 2 of 6

 Information System Audit:
(ISSO) Operating System and Network
g. Excess people and other resources
(Evaluate volume of transactions /
head count requirement based on
Outstanding Portfolio and Updated
Table of Organization, respectively)
h. Several hand-offs
i. Poor quality or reworks
7. Based on the reviewed process, determine
possible business process
improvements/value-adding procedures for
the DWCC’s ISSO.

1. Verify whether the memory of the data in the

operating system and network is backed up.
Existence of 2. Verify if the codes are encrypted.
programs and
3. Obtain a flow chart or diagram of the data
efforts that
flow.
contribute to
sound general
4. Inquire if the process is updated and corrected
control when there is a creation or deletion of data.
environment of 5. Verify whether the second storage has enough
DWCC ISSO. storage.
6. Inquire about the presence of computer anti-
virus software in the system.

1. Verify that all users are required to have

passwords.
2. Verify that all new users are instructed in the
use of passwords and the importance of
Adequate and password control.
effective
3. Review password control procedures to
password policy
ensure that passwords are changed regularly.
is in place for
controlling
4. Review the password file to determine that
access to weak passwords are identified and disallowed.
operating system 5. Verify that password file is encrypted and that
and network the encryption key is properly secured.
6. Assess the adequacy of password standards
such as length and expiration interval
7. Review account lockout policy and
procedures.

Adequate
1. Verify that current version of antivirus
management
software is installed on the server and that
policies and
upgrades are regularly downloaded to
procedures are
workstations
in place to
2. Determine if the operations personnel have
prevent the
educated about computer virus and aware of
introduction and

Auditing in CIS Environment Page 3 of 6

 Information System Audit:
(ISSO) Operating System and Network
spread of the risky practice that introduce and spread
destructive viruses
programs,
including
viruses.

II. Information and Communication

Source Standard: COSO – Information and Communication

1. Check validation of the conduct of regular

Obtain, generate meetings, email blast, and other
and use relevant communication media to communicate
quality information, business objectives, etc.
information to 2. Check information obtained from external
support the parties and evaluate importance to DWCC
functioning of ISSO and reliability.
internal control. 3. Check escalation and reporting process to
Management and Board. Check if directives
are provided by the oversight committee to
ensure attainment of institution’s objectives.

III. Monitoring Activities

Source Standard: COSO – Monitoring

1. Obtain understanding of the previous audit if

there is any and gather the working papers and
a copy of the audit report. If this is the first
time, make inquiry to the management
regarding the network including errors and
Outstanding flaws.
issues and
2. Check the findings and issues reported in the
previous audit
previous audit and identify the issues still not
findings were
resolved.
timely and
3. Review the actions performed by the
immediately
management in resolving the issues. The
resolved.
length of time must also be considered.
4. Monitor the access of every employees in the
network including the transaction logs.
5. Review management actions on setting
passwords and security controls.

IV. Control Activities

IV.A. Configuration Management of Routers

Auditing in CIS Environment Page 4 of 6

 Information System Audit:
(ISSO) Operating System and Network

Test of Operating Effectiveness

Review Physical Review router security policies to determine if
Security of there is segregation of duties on installation,
Routers performing hardware maintenance and making
physical connections to the router.

Test of Operating Effectiveness

Determine
1. Review segregation of duties on logging in
existence of
and assuming administrative privileges on the
Static
router and review password policy for log ins.
Configuration
2. Review the dynamic configuration services
Security of
permitted on the router and networks
Routers
permitted

Test of Operating Effectiveness

Review Network Determine protocols, ports and services to be
Service Security permitted or filtered by router and describe
of Routers procedures and roles for interactions with external
service providers

IV.B. Configuration Management of Firewall

Ensure that the Test of Operating Effectiveness

required Review the firewall rule base to determine if it
grants minimal access for each device and only
firewall rulings
the authorized traffic between the organization
are being and the outside is allowed to pass through the
followed. firewall.

Ensure that the Test of Operating Effectiveness

firewall is Review the adequacy of firewall in achieving the
adequate proper balance between control and convenience.

Verify if changes
Test of Operating Effectiveness
in the firewall
Check if the requested changes were properly
settings are
approved, implemented and documented.
implemented.

IV.C. Configuration Management of Intrusion Detection and Prevention Software

Auditing in CIS Environment Page 5 of 6

 Information System Audit:
(ISSO) Operating System and Network

Ensure if Test of Operating Effectiveness

software is Verify existence of a software for detecting
installed intrusion and prevention.

Verify if the
Test of Operating Effectiveness
software
Determine if the software is efficient and effective
installed is fit for
in performing its function.
its functions

Ensure that there Test of Operating Effectiveness

is follow-up Review actions implemented after detection of
actions intruders

Prepared by:

Shrerlyn Bautista Daryll Ingrid I.Malapitan Jon Christian M. Miranda

LovelynCarvajal Shaina Manalo Christine Nagtalon

Romar Glenn Diego Angel Mae M. Mendoza Christia LynnPortes

Iesa Angela P. Garcia Joelyn M. Miranda Krisshia Lynn R. Sanchez

Jiv Libera Christia MaeVilladiego

Approved by:

Ms. Mary Jane R. Bautista, CPA, MBA

Auditing Advisor

Auditing in CIS Environment Page 6 of 6