Effective Date:  12/03/2004

Internal Audit Policies and Procedures


Chapter 5 - Computer Policies

General:

Internal Audit uses computers as tools for improving productivity and making work easier.  On a daily basis, we prepare working papers, create other documents, and check e-mail.  Because of their speed and reliability, computers sometimes provide the only feasible way to perform tasks, such as obtaining information from financial systems or analyzing data for unusual patterns or variances.  Computers also help prevent destruction of data since files can be backed up and stored away from the computer.

Because our computers are a valuable resource, we must take steps to prevent the loss or destruction of our machines, software programs, and data files.

Desktop Machines, Laptops, and Printers:

Each staff member is responsible for safeguarding the desktop PC and printer in his or her office.  Offices should be locked after normal business hours, when a staff member is working at another location, or when the area will be unattended.  Physical security is the best line of defense against loss or damage of the machines or data they contain.

The office has purchased laptop computers and two portable printers for the staff to use when working in offices of auditees.  Printers and laptops should be signed out through the department secretary when needed and returned when not in use.  Returning the machines reduces the risk of loss and frees up the machines for other staff members to use.

Laptops and portable printers are highly susceptible to theft so extra caution should be taken to protect them.  At an audit site, an auditor is responsible for securing the machines when they are left unattended.  Alternatives for securing laptops and printers include

If laptops or printers can be properly secured, they may be left at an audit site overnight.  Otherwise, they should be returned to the office or taken home.

Since computer equipment is sensitive to moisture and extremes of temperature, laptops and printers should not be left in an automobile for extended periods of time, particularly in warm weather.  Transit time when moving computer hardware in an automobile should be kept to a minimum; the machines should not be left in the automobile overnight.  Hardware should be placed out of sight, preferably in the trunk, if it will be left in an unattended automobile.

Software and Data Files:

There should be no unlicensed software installed on Internal Audit's computers.  Only software approved by the Director of Internal Audit can be installed on our computers.

Each computer should have a corresponding software license for all of its installed software.  Software licensed to the University or Internal Audit Department should only be copied for backup purposes.

Electronic files for on-going projects and audits should be stored centrally on a computer’s hard drive or a diskette.  In cases of highly sensitive projects, additional steps should be taken to protect data files, such as “password protecting” files or saving the files only on a diskette that is physically controlled.  Passwords can be assigned from the Tools menu under Options and Save.  If you choose to assign a password, write it down and put it in a secure place.  Without the password, the document can’t be opened.

Data Backup:

Because items stored electronically can be lost or destroyed far more easily than they were created, it is important to back-up these items.  Each staff member is responsible for performing periodic back-up of their computer files; back-ups should be done at least once a week.  Data can be backed-up to an auditor’s private folder on Internal Audit’s Novell server or to a portable storage device such as a CD.

Also, each auditor should activate the “Automatic Save” feature of Word and Excel (found on the Tools menu, under Options) on his or her machine.  This feature automatically backs-up a file being created or modified to the PC’s hard drive at specified intervals.  Automatic back-ups prevent large amounts of work from being lost if the power supply to the machine is interrupted.

Safeguarding Portable Storage Devices:

The staff should take special care to safeguard portable storage devices such as DVDs, CDs, flash drives, and diskettes.  The following are some suggestions to help safeguard them: 

· Do not leave storage devices unattended when working out of the Audit Office.  These items are highly portable and their loss could cause unintentional release of sensitive data.

·  Use felt tip markers to label DVDs, CDs, and diskettes.

· Do not place the storage devices near a magnetic field, as a magnetic field can erase data on storage devices.  Items that produce magnetic fields include:  telephones, speakers, appliances, microwaves, copiers and televisions.

Electric Power Quality:

A surge protector and a battery back-up power supply should be used with desktop computers and peripheral equipment such as printers.  The power supplies provided with laptops should be used unless the laptop is running off its internal battery.

E-mail and On-Line Resources:

Each staff member will receive a free e-mail account through Information Technology Services.  Due to the ease with which e-mail can be read or forwarded, extra care should go into its creation.  Most e-mail systems retain copies without the knowledge of the creator, and messages sent to public newsgroups or bulletin boards can be accessed with search engines such as Alta Vista or Yahoo.  Always consider the ramifications of the e-mail being read by someone other than the intended recipient.

Each staff member will also receive a log on ID for the University’s administrative information systems.  Access to individual systems, such as FRS, will be allowed on an as needed basis.  Since our information needs as auditors give us access to a wider range of computer records, we must take special precautions to safeguard sensitive or confidential items.  Information obtained during the course of a project should only be disclosed as part of the normal audit communication process or with the permission of the Director of Internal Audit.  Under no circumstances should on-line information be obtained or used except in connection with an audit project.
