
Macabontoc, Lovelaine Joy N.


Madriaga, Joarmy

MWF 3-4PM
Prof. Gonzaga

SUMMARY OF AUDIT FINDINGS


Columns: Control Categories; Control Policies & Techniques; Finding Results and Issues (Good Control, Weak Controls/Deficiencies); Recommendations

Control category: Access Controls
Control policies & techniques: Restricting Access to Production Programs
Weak controls/deficiencies: Systems programmers are given unrestricted access to the System Management Facility (SMF), which is the primary audit trail in the MVS operating system used at the service organization. This facility is used to journal a wide variety of system events, including ACF2 access control software information.
Recommendations: Logical access to production programs and data in the mainframe environment should be granted only to appropriately authorized individuals.

Control category: Backup controls
Control policies & techniques: Safeguard against unexpected data loss and application
Finding results and issues: Natural Disasters. Human fraud.
Recommendations: Tailor your backup strategy to the needs of your business. For example, if you can afford to lose data in the event of a disk failure, you may not need to perform backups very often. The advantage of taking infrequent backups is that you free Oracle's resources for other operations.

Control category: Internal control procedures
Control policies & techniques: Assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.
Weak controls/deficiencies: Inadequate control within the applicant over the business processes. No/weak internal control procedures offer possibilities for fraud, unauthorised or illegal activities.
Recommendations:
- appointment of a responsible person for quality in charge of procedures and internal controls of the company;
- make each head of department fully aware of internal controls of their own department;
- record the dates of internal controls or audits and correct identified weaknesses through corrective actions;
- notify the customs authorities if fraud, unauthorised or illegal activities are discovered;
- make the relevant internal control procedures available to the personnel concerned

Control category: Approvals, Authorizations, and Verifications controls
Control policies & techniques: Any changes should be authorized, tested, approved, and implemented properly.

Control category: Review of performance
Control policies & techniques: Document information about current performance to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions that require follow-up.

Finding results and issues: Management authorizes employees to perform certain activities or changes and to execute certain transactions within limited parameters.

Weak controls/deficiencies:
- System security application software, such as RACF or ACF2, is not installed to help prevent unauthorized modifications to application software, data files, or system software.
Recommendations: A system update must be done in order to lessen the risk of some unauthorized changes.

Weak controls/deficiencies:
- Programmers are able to write and authorize their own program changes to be placed into production without consistent review or approval. Once a program is assigned to a programmer for modification, the completion of testing is generally at the programmer's discretion. System validation tests are not routinely performed to ensure that no source code was accidentally deleted or otherwise improperly modified. Programmer documentation describing file layouts, record layouts, subroutine calls, and other data are not routinely prepared. As a result, after a system is developed, program modifications or enhancements are more difficult to perform, and such changes are more likely to contain errors.
Recommendations: File documentation policy must be implemented so that activity performance can be measured to determine whether it has achieved the objective.

AUDIT OPINION:
In our opinion, the information systems controls of the database environment of the company should improve in some respects, as follows:

1. Better written policies and procedures for management of data assets and database technical environments.
2. Stronger separation of duties among the data architecture, data administration, database administration and the applications development functions.
3. Clearer organizational ownership and responsibility for the database environment.
4. Sufficient cross training between database administrators.
5. Improved procedures for the management of data in the database environments.
6. Better policies and procedures to control the database change authorization process.
7. Improved control over access to the data contained within the database environments.
8. Updated written procedures to ensure both physical and logical recovery of the database environments.
9. Better written procedures to ensure data integrity in the database environments.
10. Establish policies and procedures to increase the effective and efficient operation of the database environments.
11. Improve the plan to solve the issues related to database environments by including more specific tasks and milestones for completion.
