IT Essentials — Physical and Environmental Controls

            When stock is ordered, card numbers are entered into the system so that we have an accurate count.
            I perform a monthly control self-assessment, comparing HR employment records and vendor card
            assignments against active cards.

            Very nice. Thank you. Can I get a copy of the standard operating procedure (SOP) that describes the
            process and the results from last month’s self-assessment? I would greatly appreciate it.

            Certainly. I will email those over as well.

            The last two topics I would like to discuss are transfers and terminations. Let’s start with an
            explanation of how transfers work, if you don’t mind.

            Transfers are really easy. I log into the console, and bring up the record for the card and add or
            remove readers based on what is stated on the ticket. When I complete the request, I resolve the
            ticket, which automatically sends a notification to the user. The ticket is closed when the user
            accepts the change as resolved. This process is completed through a workflow script in the ticketing
            system.

            Okay. What about “terminations”?

            Terminations all start with a ticket being automatically generated that includes an assignment for
            me to delete the card from the system. If the employee does not turn in their card as required, they
            are charged $25 (USD), which is deducted from their final paycheck. If they do turn the card in, then
            once I receive the card, I use the shredder on my desk to shred the physical card, and then adjust the
            inventory accordingly.

            Thanks. I have just one more question. You mentioned earlier that you perform a control
            self-assessment to determine adds and deletions against tickets. How do you validate that granted
            access remains appropriate?

            Ah yes; I should have mentioned that earlier. Every card reader and biometric reader has an assigned
            owner. Monthly, I send a report to the reader owners electronically, which they review and
            electronically sign, validating that they have reviewed the list and concur that access is appropriate.
            They then create a ticket if any access requires updating.

            Thank you. If it’s not too much trouble, could you please forward me an example of a sent report, an
            approved report, and a ticket created by a reader owner? Those items will round out the evidence I
            need for this audit. This was very helpful.
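The two detective controls the administrator describes, the monthly self-assessment that reconciles HR employment records and vendor card assignments against active cards, and the monthly access report sent to each reader owner for review, can be reproduced as a small reconciliation script. The following is an added example, not part of the course material or of any real access-control product; the HR roster, vendor list, active-card export and reader-owner mapping are constructed sample data, and the record layouts (`employee_id`, `holder_type`, `readers`, and so on) are assumptions about what such exports would contain.

```python
"""
Monthly control self-assessment for physical access cards (added example).

Reconciles an access-control system's active-card export against HR
employment records and vendor assignments, then builds the per-reader
access list that each reader owner reviews and signs off on.
"""
from datetime import date

# Constructed sample data. In practice these would be exports from the HRIS,
# the vendor-management system and the access-control console.
HR_RECORDS = [
    {"employee_id": "E100", "status": "active"},
    {"employee_id": "E101", "status": "terminated", "term_date": "2021-03-15"},
    {"employee_id": "E102", "status": "active"},
    {"employee_id": "E103", "status": "active"},   # active employee who holds no card
]

VENDOR_ASSIGNMENTS = [
    {"vendor_id": "V200", "contract_end": "2021-12-31"},
    {"vendor_id": "V201", "contract_end": "2021-02-28"},  # contract already ended
]

ACTIVE_CARDS = [
    {"card_id": "C1", "holder_id": "E100", "holder_type": "employee", "readers": ["R-LOBBY", "R-DC"]},
    {"card_id": "C2", "holder_id": "E101", "holder_type": "employee", "readers": ["R-LOBBY"]},
    {"card_id": "C3", "holder_id": "E102", "holder_type": "employee", "readers": ["R-LOBBY"]},
    {"card_id": "C4", "holder_id": "V200", "holder_type": "vendor", "readers": ["R-MECH"]},
    {"card_id": "C5", "holder_id": "V201", "holder_type": "vendor", "readers": ["R-MECH"]},
    {"card_id": "C6", "holder_id": "E999", "holder_type": "employee", "readers": ["R-DC"]},
]

# Every reader has an assigned owner, as the conversation describes.
READER_OWNERS = {"R-LOBBY": "facilities", "R-DC": "it-ops", "R-MECH": "facilities"}


def reconcile_cards(hr_records, vendor_assignments, active_cards, as_of_iso):
    """Return the self-assessment exceptions: active cards that no longer map to an
    authorised holder, plus active employees with no card (an inventory-count check).
    as_of_iso is the assessment date as an ISO string, e.g. "2021-04-01"."""
    as_of = date.fromisoformat(as_of_iso)
    employees = {r["employee_id"]: r for r in hr_records}
    vendors = {v["vendor_id"]: v for v in vendor_assignments}
    findings = {
        "terminated_employee": [],        # card still active after termination
        "expired_vendor": [],             # vendor card outliving its contract
        "unknown_holder": [],             # card holder not found in HR or vendor records
        "active_employee_without_card": [],
    }
    for card in active_cards:
        holder = card["holder_id"]
        if card["holder_type"] == "employee":
            rec = employees.get(holder)
            if rec is None:
                findings["unknown_holder"].append(card["card_id"])
            elif rec["status"] != "active":
                findings["terminated_employee"].append(card["card_id"])
        elif card["holder_type"] == "vendor":
            rec = vendors.get(holder)
            if rec is None:
                findings["unknown_holder"].append(card["card_id"])
            elif date.fromisoformat(rec["contract_end"]) < as_of:
                findings["expired_vendor"].append(card["card_id"])
        else:
            findings["unknown_holder"].append(card["card_id"])

    carded = {c["holder_id"] for c in active_cards}
    findings["active_employee_without_card"] = sorted(
        eid for eid, r in employees.items() if r["status"] == "active" and eid not in carded
    )
    return findings


def reader_owner_report(active_cards, reader_owners):
    """Build the monthly report each reader owner reviews: owner -> reader -> holders.
    Readers with no assigned owner are grouped under "UNASSIGNED" so the gap is visible."""
    report = {}
    for card in active_cards:
        for reader in card["readers"]:
            owner = reader_owners.get(reader, "UNASSIGNED")
            report.setdefault(owner, {}).setdefault(reader, []).append(card["holder_id"])
    for readers in report.values():
        for holders in readers.values():
            holders.sort()
    return report


if __name__ == "__main__":
    for kind, cards in reconcile_cards(HR_RECORDS, VENDOR_ASSIGNMENTS, ACTIVE_CARDS, "2021-04-01").items():
        print(f"{kind}: {cards}")
    for owner, readers in reader_owner_report(ACTIVE_CARDS, READER_OWNERS).items():
        print(f"{owner}: {readers}")
```

Each exception category corresponds to a ticket the administrator would raise: a terminated employee or expired vendor still holding an active card points to a termination ticket that was never worked, while an unknown holder is a card the HR and vendor records cannot explain and is exactly the kind of discrepancy the auditor's evidence request is meant to surface. The reader-owner report is the artifact the owners sign electronically; keeping an "UNASSIGNED" bucket ensures a reader with no owner cannot silently drop out of the review.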

            Fieldwork Recap

            The conversation you just reviewed is just one example of the type of fieldwork an internal auditor
            would conduct during a physical and environmental security audit. By the conclusion of the audit
            engagement, the internal auditor should have a good understanding of how external physical


            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.