412197746.xls

Company (Name):
Fiscal Year End (Date):
Tested on (Date) / tested by (Name):
Tested in (System):

A total of 56 controls have been designed to evaluate ALL KEY risks based on best practices and the latest auditing standards.

Interview topic recommendations & control documentation to request from management are listed to further assist audit, risk & security professionals in performing tests of control for each control activity.

Audit Program for AS/400 (iSeries, System i) and OS/400 (i5/OS, IBM i) - SAMPLE
Columns of the control matrix:
- Control Activity Code
- Control Activity Description
- Control Activity Background
- Control Type (Preventive/Detective)
- Control Nature (Manual/Automated)
- IT Nature (IT Dependent/Non IT-Dependent)
- Control Rating (High/Medium/Low)
- Control Interview Topic Recommendations: the following interview topics should assist auditors in getting a better understanding of the steps involved in performing the control activity by the process owner(s), which will assist in effectively performing tests of control for each control activity.
- Control Documentation Recommendations: the following documentation may assist auditors in enhancing understanding of the control activity and performing tests of control for each control activity.

Data Center and Network Operations


Control Objective IT2: Organization’s financial data is appropriately managed during the update and storage process to ensure it remains complete, accurate, & valid.
(CO Assertion: Pervasive to All Accounts - Completeness, Cut-off, Presentation, Recording, Validity, Valuation)
Control Objective Background: If data is not retained, in the event of a systems incident there is a risk that the entity's financial statements may be materially misstated, because it may not be possible to reconstruct the data from source documentation.

Control Activity Code: IT2.04
Control Activity Description: Only authorized employees have access to modify backup schedules.
Control Activity Background: User profiles with the special authority *SAVSYS are able to back up all data and modify the backup schedule.
Control Type: Preventive
Control Nature: Manual
IT Nature: Non-IT Dependent
Control Rating: Low
Control Interview Topic Recommendations: Manager over backup and retention of electronic data:
- Individual responsible for the backups
Control Documentation Recommendations:
- Backup policy
- Backup operations procedures, including:
(1) Backup job monitoring
(2) Error resolution procedures
- Listing of profiles with the special authority *SAVSYS

Information Security

Control Objective IT4: Systems configuration and security settings are appropriately implemented, administered, and safeguarded to protect against unauthorized modifications that can result in incomplete, inaccurate, or invalid processing or recording of organization’s financial data. (CO Assertion: Pervasive to All Accounts - Completeness, Cut-off, Presentation, Recording, Validity, Valuation)

Control Objective Background: If systems configuration and security settings are inadequate or not administered appropriately, security breaches may go undetected, information resources may be compromised, and significant flows of transactions may be ineffective.

Control Activity Code: IT4.13
Control Activity Description: The i5/OS (OS/400) environment is configured and activated to record audit events (such as unauthorized or inappropriate system activity, including use of special authorities) as defined in information security policies; audit reports are regularly reviewed by management and necessary action taken.
Control Activity Background: The i5/OS can be configured to enable the audit log facility. The QAUDCTL system value defines whether audit logging is turned on. The QAUDLVL system value defines which security-related actions are recorded system-wide (for all users). The use, the level of audit logging, and the action the system should take during specific events (QAUDENDACN system value) should be determined by management. The audit journal should be reviewed on a periodic basis by an individual independent of the security administrator in order to detect and react to any unauthorized system activity.
Control Type: Detective
Control Nature: Manual
IT Nature: IT Dependent
Control Rating: Medium
Control Interview Topic Recommendations: Security administrator:
- Strategy and level for audit logging
- Security packages used for analyzing audit journals
- Frequency of review process
- Assignment of the monitoring responsibility
- Procedures for reacting to unauthorized system activity
Control Documentation Recommendations:
- Approved information security policy
- Procedures for audit logging and reviewing
- OS/400 Security report with ‘Display Security Auditing’ details
- Procedures for detecting and resolving unauthorized activity
- Samples of approved and signed audit journals


Change Control

Control Objective IT6: Programs and systems are appropriately acquired or developed in a manner that supports the accurate, complete, and valid processing and recording of organization’s financial information. (CO Assertion: Pervasive to All Accounts - Completeness, Cut-off, Presentation, Recording, Validity, Valuation)

Control Objective Background: Inappropriate decisions to acquire or develop programs and systems can result in implementation of software that is unable to meet the entity's information processing needs; there is also an increased risk that financial reporting applications will not be able to pass data between underlying network and infrastructure components.

Control Activity Code: IT6.03
Control Activity Description: Any acquisition or development of AS400 application systems and i5/OS (OS/400) operating system software is approved by management prior to implementation.
Control Activity Background: If invalid (i.e., unnecessary or inappropriate) modifications are made, systems may not function in a manner that is consistent with management's intentions. Where upgrades or changes are either not performed or are performed without management's approval, the consequences include (1) the entity's information systems no longer adequately support the entity in achieving its objectives and (2) the control environment may be degraded. Therefore, it is important to ensure that any modifications are approved by management. Using a process that requires authorization of system changes provides management with control over those changes. This process verifies that only changes that are relevant and beneficial to the enterprise are performed.
Control Type: Preventive
Control Nature: Manual
IT Nature: IT Dependent
Control Rating: Medium
Control Interview Topic Recommendations: Manager responsible for systems development and approval of change requests:
- Systems development or implementation & approval process
- Steps involved to ensure business requirements are met
- Assessing impact on other systems & business processes
- User involvement in the request process
- Monitoring outstanding, rejected, or approved changes
- Evaluation and prioritization of modifications
- Determination of the time frame of implementation
- Authorization of modifications for implementation
- Monitoring of project timetables, status and milestones
Control Documentation Recommendations:
- Policies around application development and approval process
- Job descriptions and responsibilities relating to authorization of implementations
- Listing of implementations performed over the period of intended reliance
- Program change status reports and prioritization
- Inventory listing of purchased software
- Approved project plans
- Minutes of change control meetings

*** THIS IS A SAMPLE, NOT A COMPLETE AUDIT PROGRAM ***

The complete audit program is available at http://soxmadeeasy.com/AS400.html and contains 56 Controls covering ALL principal process areas in IT, including:

• Batch and online processing control framework - This control framework is developed to ensure that organization’s operations around scheduling, performance, and monitoring of IT programs and processes are adequately supervised by management in order to assure complete, accurate, and valid processing and recording of financial information. Items covered:
- Batch and online processing
- Automated scheduling tools on the i5/OS (OS/400) and more.

• Backup and recovery control framework - Controls to ensure organization’s financial data is appropriately managed during the update and storage process to ensure it remains complete, accurate, and valid:
- Data retention tools (management, security, access to such tools, etc.),
- Backups and retention of critical i5/OS (OS/400) files (planning, scheduling, and supervision),
- Backup tapes (management, storage, archival, readability assessments, etc.) and more.

• Physical Security control framework - This control framework is developed to ensure that adequate physical security mechanisms are in place and operate effectively. Items covered:
- Assessment of physical access control mechanisms,
- Authority to change physical access control mechanisms,
- Monitoring of physical access control mechanisms, etc.

• Logical Security control framework - Controls to ensure that system security settings are adequately configured and are protected against unauthorized modifications. Items covered:
- Password authentication mechanisms in the AS/400 (iSeries, System i) and OS/400 (i5/OS, IBM i) environment,
- User access privileges (new access, removal of users, security of profiles assigned special authorities, segregation of duties, etc.),
- Access to the command line, access to critical commands/utilities on the i5/OS (OS/400), use of adopted authority,
- Access to the resources in the i5/OS (OS/400) Integrated File System,
- Assessment of the overall security mode on the i5/OS (OS/400); object level security on the i5/OS (OS/400),
- Configuration of trust relationships between i5/OS (OS/400) systems,
- Graphical User Interface software (the Operations (iSeries) Navigator),
- Logging and monitoring audit events,
- Security of default profiles (IBM supplied profiles, etc.),
- Communication services on the i5/OS (OS/400), and much more.

• Change Management & Control - Controls designed to ensure that programs and systems are appropriately acquired or developed, implemented, and managed in a manner that supports accurate, complete, and valid processing and recording of organization’s financial information. Items covered:
- Acquisition, development, modification, and maintenance of AS400 application systems and i5/OS (OS/400) operating system software,
- Controls around approval, testing prior to implementation, quality assurance reviews, business risk and impact assessments, adequacy of post implementation reviews, and more.

The audit program covers all critical configuration settings and access controls to ascertain the reliability of the AS/400 (iSeries, System i) & OS/400 (i5/OS, IBM i) control environment.

This audit program contains detailed testing instructions, rather than generic descriptions of the tests to be performed.

Links to the pre-populated test sheets are included, where everything has been conveniently pre-documented with fill-in fields for company-specific information.

Testing Procedures: For each control activity selected for testing, the auditor needs to perform adequate testing procedures to gain reasonable assurance that controls operate effectively in accordance with established policies, procedures, and guidelines. The following testing procedures will assist auditors in performing tests of control for each control activity.

Columns of the testing matrix:
- Testing Reference: reference to supporting evidence considered pertinent
- Conclusion: Effective/Ineffective
- Exception Details: for ineffective controls
- Mitigating Controls: for ineffective controls
- Planned Remediation Procedures: for ineffective controls
- Planned Remediation Date: for ineffective controls
- Remediation Status: Completed/In Progress
- Ref. to Post-Remediation Testing Details: if applicable

IT2.04 (Testing Reference: Tab 4)
Perform the following procedures to verify only appropriate users have the authority to modify backup schedules:
• Obtain a listing of users with *SAVSYS special authority. This can be done by reviewing the user profile information; to obtain user profile information, request the security administrator to run the following:
- DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE)
• Review users with the *SAVSYS authority
• Determine if access to modify backup schedules is appropriate
• Confirm that access to modify backup schedules is reviewed by management periodically
• Document your conclusions.

IT4.13 (Testing Reference: Tab 15)
Obtain output from issuance of the WRKSYSVAL SYSVAL(*ALL) OUTPUT(*OUTFILE) command and examine the following System Values configured in the system for appropriateness:
• QAUDCTL (defines whether audit logging is turned on) should be set to ‘*AUDLVL’
• QAUDLVL (defines which security-related actions are recorded system-wide for all users) should be set to at least ‘*AUTFAIL’, ‘*SAVRST’, ‘*SECURITY’, and ‘*SERVICE’
• QAUDENDACN (determines the action that the system takes if auditing is active and the system is unable to write entries to the audit journal) should be set to ‘*NOTIFY’

Further, obtain documentary evidence to confirm that audit journals are reviewed periodically by the
appropriate personnel.


IT6.03 (Testing Reference: Tab 21)
Examine documentary evidence such as policies and procedures, requirement lists, and the results of the approval processes conducted, indicating that the development and implementation projects are approved in accordance with established policies and procedures:
• Obtain a listing of AS400 application systems and i5/OS (OS/400) operating system software acquired or developed over the period of intended reliance (the audited timeframe)
• Use your attribute sampling guidelines to select an adequate sample of such acquisitions or development projects completed over the period under review for further testing
• For selected acquisitions or development projects, examine documentary evidence to confirm that projects were approved by authorized individuals prior to implementation
• Document your conclusions.

Tab 4

Control Activity #: IT2.04
Control Activity: Only authorized employees have access to modify backup schedules.
Test Steps:
1) On [date], obtained from [Name, Title] a system generated listing of users with *SAVSYS special authority;
2) Reviewed the listing with [Name, Title] on [date] for appropriateness to ensure only authorized users have such access;
3) Please refer to testing table below for details.

Test Results: [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Users with *SAVSYS special authority:

Columns:
- Count
- System ID
- Report Date
- Profile Name
- Profile Owner
- Profile Status (*Exclude profiles with ‘*DISABLED’ status)
- Password *NONE (*Exclude profiles with Password *NONE = ‘*YES’ (no access))
- Initial Program
- Initial Menu (*Exclude profiles with ‘Initial Program’ = *NONE AND ‘Initial Menu’ = *SIGNOFF (end-user access shouldn't be possible))
- Special Authorities (*Only list profiles with ‘*SAVSYS’ special authority; exclude other profiles)
- Access Appropriate Per Job Responsibilities? (Yes/No)
- Issues Noted? (Yes/No)
- Comments/Issue Description

Rows:
1
2
Total 0 0 0
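The population filter that the IT2.04 testing procedure and the column notes above describe, written out as an added example (not part of the audit program): it applies the four exclusion rules (no *SAVSYS, *DISABLED status, password *NONE, initial program *NONE together with initial menu *SIGNOFF) to a user-profile export and returns the profiles the auditor must list and assess. It assumes the DSPUSRPRF TYPE(*BASIC) OUTPUT(*OUTFILE) result was exported to CSV keeping the outfile's field names (UPUPRF, UPSTAT, UPPWON, UPINPG, UPINMN, UPSPAU); those column names and the six sample profiles are constructed for the example.

```python
"""Tab 4 population filter for a DSPUSRPRF TYPE(*BASIC) OUTPUT(*OUTFILE) export.

Assumption (not from the audit program): the outfile was exported to CSV with
the field names UPUPRF (profile), UPSTAT (status), UPPWON (password is *NONE,
Y/N), UPINPG (initial program), UPINMN (initial menu) and UPSPAU (special
authorities as blank-separated tokens).
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export: one profile per exclusion rule plus two that stay in scope.
SAMPLE_EXPORT = """UPUPRF,UPSTAT,UPPWON,UPINPG,UPINMN,UPSPAU
QSECOFR,*ENABLED,N,*NONE,MAIN,*ALLOBJ *SECADM *SAVSYS *JOBCTL *SERVICE *AUDIT *IOSYSCFG
BKPOPR1,*ENABLED,N,*NONE,MAIN,*SAVSYS *JOBCTL
OLDOPR,*DISABLED,N,*NONE,MAIN,*SAVSYS
SVCACCT,*ENABLED,Y,*NONE,MAIN,*SAVSYS
BATCHUSR,*ENABLED,N,*NONE,*SIGNOFF,*SAVSYS *JOBCTL
CLERK1,*ENABLED,N,*NONE,MAIN,*NONE
"""


@dataclass(frozen=True)
class Profile:
    name: str
    status: str
    password_none: bool
    initial_program: str
    initial_menu: str
    special_authorities: frozenset


def parse_export(text):
    """Read the CSV export into Profile records."""
    profiles = []
    for row in csv.DictReader(io.StringIO(text)):
        profiles.append(Profile(
            name=row["UPUPRF"].strip(),
            status=row["UPSTAT"].strip(),
            password_none=row["UPPWON"].strip().upper() == "Y",
            initial_program=row["UPINPG"].strip(),
            initial_menu=row["UPINMN"].strip(),
            special_authorities=frozenset(row["UPSPAU"].split()),
        ))
    return profiles


def exclusion_reason(profile):
    """Why a profile falls outside the Tab 4 population, or None if it belongs in it."""
    if "*SAVSYS" not in profile.special_authorities:
        return "no *SAVSYS"
    if profile.status == "*DISABLED":
        return "disabled"
    if profile.password_none:
        return "password *NONE"
    if profile.initial_program == "*NONE" and profile.initial_menu == "*SIGNOFF":
        return "initial program *NONE and initial menu *SIGNOFF"
    return None


def savsys_population(profiles):
    """Profile names the auditor must list and assess for appropriateness."""
    return [p.name for p in profiles if exclusion_reason(p) is None]


def excluded(profiles):
    """Profiles left out of the listing, keyed by name, with the rule that excluded them."""
    reasons = {}
    for p in profiles:
        why = exclusion_reason(p)
        if why is not None:
            reasons[p.name] = why
    return reasons


if __name__ == "__main__":
    found = parse_export(SAMPLE_EXPORT)
    print("Users with *SAVSYS special authority to review:", savsys_population(found))
    for name, why in excluded(found).items():
        print(f"  excluded {name}: {why}")
```

Keeping the excluded profiles (with the rule that removed them) alongside the listing lets the work paper show that the population was reduced by the tab's stated rules and not by hand.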

Tab 15

Control Activity #: IT4.13
Control Activity: The i5/OS (OS/400) environment is configured and activated to record audit events (such as unauthorized or inappropriate system activity, including use of special authorities) as defined in information security policies; audit reports are regularly reviewed by management and necessary action taken.
Test Steps:
1) Obtained output from issuance of WRKSYSVAL SYSVAL(*ALL) OUTPUT(*OUTFILE) command from [Name, Title] on [Date];
2) Reviewed audit log facility configuration for appropriateness;
3) Please refer to testing table below for details.
Test Results: [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Auditing system value parameters configured in the system:


Columns:
- Count
- Audit Log Facility
- Audit Log Facility Description
- Possible Values
- Recommended Minimum
- Auditing Appropriately Performed? (Yes/No)
- Issues Noted? (Yes/No)
- Comments/Issue Description

1) QAUDCTL
Description: Defines whether audit logging is turned on and the type of auditing allowed.
Possible Values:
- *NONE - No auditing performed (Note: AUDLVL might be used for individual users). If set to *NONE, it will not be possible to monitor security violations and detect unauthorized or undesirable activity on the system.
- *OBJAUD - Objects selected using CHGOBJAUD (change object), CHGDLOAUD (change document library object), or CHGAUD (change audit) commands are audited
- *AUDLVL - Auditing is performed for functions selected on the QAUDLVL system value and on the AUDLVL parameter on specific user profiles
- *NOQTEMP - Auditing is not performed for most actions if the object is in the QTEMP library; this value must be specified with either *OBJAUD or *AUDLVL
Recommended Minimum: *AUDLVL

2) QAUDLVL (operates in conjunction with the QAUDCTL system value)
Description: Defines which security-related actions are recorded system-wide for all users.
Possible Values:
- *NONE - No audit logging; if events are not logged, it is not possible to monitor security violations and undesirable activity on the system
- *AUTFAIL - Authority failure events are logged
- *AUDLVL2 - Allows more auditing actions (if specified)
- *CREATE - Object create operations are logged
- *DELETE - Object delete operations are logged
- *JOBDTA - Actions that affect a job are logged
- *NETCMN - Violation detected by APPN Filter support is logged
- *OBJMGT - Object move and rename operations are logged
- *OFCSRV - Changes to the system distribution directory and office mail actions are logged
- *OPTICAL - Use of Optical Volumes is logged
- *PGMADP - Obtaining authority from a program that adopts authority is logged
- *PGMFAIL - System integrity violations are logged
- *PRTDTA - Printing a spooled file and sending output to printers are logged
- *SAVRST - Restore operations are logged
- *SECURITY - Security-related functions are logged
- *SERVICE - Using service tools is logged
- *SPLFDTA - Actions performed on spooled files are logged
- *SYSMGT - Use of system management functions is logged
Recommended Minimum: *AUTFAIL, *SAVRST, *SECURITY, *SERVICE

3) QAUDENDACN
Description: Specifies the action the system should take if journal entries cannot be recorded.
Possible Values:
- *NOTIFY - Messages are sent to the QSYSOPR and QSYSMSG (if it exists) message queues every hour until auditing is restarted
- *PWRDWNSYS - If unable to write an audit journal entry, the system powers down
Recommended Minimum: *NOTIFY
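An added check, not part of the audit program, that compares the three system values against the recommended minimums in this tab (and in the IT4.13 testing procedure): for each value it reports the recommended tokens that are missing, treats *NONE as "nothing audited", and folds QAUDLVL2 into QAUDLVL when QAUDLVL names *AUDLVL2, which is how i5/OS applies that value. The 'name,value' export format and the two sample configurations (one weak, one remediated) are constructed assumptions, not the WRKSYSVAL outfile layout.

```python
"""Evaluate QAUDCTL, QAUDLVL and QAUDENDACN against the Tab 15 recommended minimums.

Assumption (not from the audit program): the WRKSYSVAL SYSVAL(*ALL) OUTPUT(*OUTFILE)
result was exported as 'name,value' lines, with multi-valued system values written
as blank-separated tokens.
"""
import io

# Recommended minimums as listed in Tab 15 / the IT4.13 testing procedure.
RECOMMENDED_MINIMUM = {
    "QAUDCTL": {"*AUDLVL"},
    "QAUDLVL": {"*AUTFAIL", "*SAVRST", "*SECURITY", "*SERVICE"},
    "QAUDENDACN": {"*NOTIFY"},
}

# Constructed weak configuration: *SERVICE is not audited and the system powers
# down instead of notifying the operator when the audit journal cannot be written.
WEAK_EXPORT = """QAUDCTL,*AUDLVL *OBJAUD
QAUDLVL,*AUTFAIL *SAVRST *SECURITY
QAUDLVL2,*NONE
QAUDENDACN,*PWRDWNSYS
QSECURITY,40
"""

# Constructed remediated configuration: *SERVICE is supplied through QAUDLVL2,
# which QAUDLVL activates with *AUDLVL2.
REMEDIATED_EXPORT = """QAUDCTL,*AUDLVL *OBJAUD
QAUDLVL,*AUTFAIL *SAVRST *SECURITY *AUDLVL2
QAUDLVL2,*SERVICE *PGMFAIL
QAUDENDACN,*NOTIFY
QSECURITY,40
"""


def parse_sysvals(text):
    """Map each system value name to the set of tokens it holds."""
    values = {}
    for line in io.StringIO(text):
        line = line.strip()
        if not line:
            continue
        name, _, raw = line.partition(",")
        values[name.strip().upper()] = set(raw.split())
    return values


def effective_audlvl(values):
    """QAUDLVL, extended by QAUDLVL2 when QAUDLVL contains *AUDLVL2."""
    level = set(values.get("QAUDLVL", set()))
    if "*AUDLVL2" in level:
        level |= values.get("QAUDLVL2", set())
    return level - {"*AUDLVL2"}


def evaluate(values):
    """Return {sysval: sorted missing recommended tokens}; an empty list means appropriate."""
    findings = {}
    for sysval, minimum in RECOMMENDED_MINIMUM.items():
        if sysval == "QAUDLVL":
            actual = effective_audlvl(values)
        else:
            actual = values.get(sysval, set())
        if "*NONE" in actual:
            # *NONE switches the facility off regardless of anything else listed.
            actual = set()
        findings[sysval] = sorted(minimum - actual)
    return findings


def appropriately_configured(values):
    """True when every system value meets its recommended minimum."""
    return all(not missing for missing in evaluate(values).values())


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("remediated", REMEDIATED_EXPORT)):
        parsed = parse_sysvals(export)
        print(label, "->", "appropriate" if appropriately_configured(parsed) else evaluate(parsed))
```

The missing-token list maps directly onto the "Auditing Appropriately Performed?" and "Comments/Issue Description" columns: an empty list is a Yes, anything else is the exception text.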


Additional auditing features to consider for V5R3 or later:


Columns: Count | Audit Log Facility | Possible Values

1) *NETCMN - Network and communication functions are audited
- *NETBAS - Network base functions are audited
- *NETCLU - Cluster and cluster resource group operations are audited
- *NETFAIL - Network failures are audited
- *NETSCK - Socket tasks are audited

2) *SECURITY - Security-related functions are logged
- *SECCFG - Security configuration is audited
- *SECDIRSRV - Changes or updates when doing directory service functions are audited
- *SECIPC - Changes to inter-process communications are audited
- *SECNAS - Network authentication service actions are audited
- *SECRUN - Security run time functions are audited
- *SECSCKD - Socket descriptors are audited
- *SECVFY - Use of verification functions is audited
- *SECVLDL - Changes to validation list objects are audited

Tab 21

Control Activity #: IT6.03
Control Activity: Any acquisition or development of AS400 application systems and i5/OS (OS/400) operating system software is approved by management prior to implementation.
Test Steps:
1) On [date], obtained from [name, title] a listing of AS400 application systems and i5/OS (OS/400) operating system software acquired or developed between [date] and [date], noting [count] projects took place during that time;
2) Per [entity]'s sampling guidance, haphazardly selected [count] of such acquisitions or development projects to confirm that projects were approved by authorized individuals prior to implementation;
3) Please refer to testing table below for details.

Test Results: [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Listing of AS400 application systems and i5/OS (OS/400) operating system software acquired or developed during the period of intended reliance:

Columns:
- Count
- Project ID
- Project Description
- Project Completed/Implemented On (Date)
- Project Selected for Detailed Testing? (Yes/No)
- Project Approved by Management? (Yes/No)
- Approved On (Date)
- Approved By (Name, Title)
- Approved by Authorized Approver? (Yes/No)
- Approved Prior to Implementation? (Yes/No)
- Issues Noted? (Yes/No)
- Comments/Issue Description
Complete for projects selected for detailed testing in Column "F". N/A for remaining projects.

Rows:
1
2
Total 0 0 0 0 0
