Contributed 8/29/00 by Carolann Lazurus (Clazarus@business.buffalo.edu)

SAR/SYSOUT Archive and Retrieval Audit Program

I. Initialization

Objective: To ensure that the parameters defining the SAR system are appropriate and create a stable, secure application.

A. Review the initialization parameters that establish SAR controls and the change control procedures over them.
   1. Obtain the initialization parameters for SAR and EXP and evaluate them for reasonableness.
   2. Confirm that changes to the parameters are tested and authorized prior to implementation.
B. Obtain or develop a list of automated interfaces to SAR and evaluate the controls over those interfaces.
C. Evaluate the SAR initialization process to ensure that the correct parameters are used and that any overrides of the normal parameters are reviewed.
D. Review the job setup schedule for critical jobs.
E. Locate the source code for all SAR and EXP exits. During discussions with the technical services analyst responsible for SAR, document the purpose of each exit and:
   1. Determine which exits are critical to the control process. Review the source code and consider testing the exit.
   2. For less-critical exits, review the code.

II. Database Modifications

Objective: To ensure that changes to the SAR database are authorized, tested and moved into the production environment in accordance with documented procedures.

A. Review the procedures for the preparation and authorization of input to SAR.
   1. Select a sample of completed change forms and verify that all required fields are completed:
      a. SAR ADD/CHANGE TURNOVER FORM
         1) SAR ADD/CHANGE TURNOVER SIGNATURE FORM
      b. SAR CHANGE TO SEGMENTED REPORTS T/O FORM
      c. SAR DELETE/RENAME REPORTS TURNOVER FORM
      d. SAR ACCESS FORM
   2. Select a sample of changes to the SAR database and locate the corresponding change form. Ensure that all required fields are completed.
B. Determine if batch processing is used to update the SAR database or files. If so:
   1. Are edits in place?
   2. Are logs or edit reports created?
   3. Review the documented procedures for authorizing the batch jobs and reviewing the input.

III. Documentation

Objective: To ensure that the SAR staff has adequate documentation to perform their daily responsibilities.

A. Review the S & P procedures manuals and evaluate the SAR-related topics.
B. Review and evaluate the Production Control/SAR Team procedures.

IV. Security

Objective: To ensure that access to SAR software and databases is appropriate, that SAR internal security definitions are appropriate, and that changes to SAR user definitions are properly authorized.

A. Obtain the ACF2 rules for access to the SAR software, parameter files and databases and evaluate the restrictions in force.
B. Obtain the ACF2 rules used to control access to the EXP software, parameter files and databases and evaluate the restrictions in force.
C. Obtain the Express input parameters which identify groups of users and grant the groups different EXP privileges. Confirm that the individuals in the tables have job responsibilities consistent with their current authority.
D. Review the SAR user definitions and the SAR access authority granted, and confirm that the access is appropriate.
E. Determine that a record of changes to the security files is maintained and monitored by management.
F. Determine that unauthorized access attempts against SAR data are recorded. Confirm that management is following up on the information.
G. Document the controls over execution of batch programs against the SAR/EXP databases. Determine if a password is used, and document the controls over access to the passwords.

V. Backup

Objective: To ensure that the audit is planned, coordinated with FSC and audit personnel, and includes complete documentation of the evaluation and reporting of all audit issues.

A. Determine if contingency plans have been prepared to deal with a loss of the SAR or Express systems.
B. Determine if SAR or Express have been restored during any recovery tests.
C. Confirm that critical SAR and Express datasets are being sent off-site.
D. Confirm that user and vendor documentation has been sent off-site.

VI. Output

Objective: To ensure that sufficient output from the SAR system is available for the SAR team and FSC management to monitor SAR.

A. Confirm that the SAR database is balanced each day (i.e., the prior number of entries, plus additions, minus deletions, equals the current number of entries).
B. Through discussions with the SAR team and through a review of their documented procedures, identify problem or exception logs.
   1. Determine if Systems Support maintains a log of SAR problems. Discuss the log and any problem trends with Systems Support staff.
C. Through discussions with the SAR team and through a review of their documented procedures, identify the SAR management reports and who receives them.
   1. Confirm that SAR is tracking and reporting the volume of reports it manages and the amount of paper it uses.
D. Review the PIX problem records for SAR (by running XSAR.LIB(PXSUMRY2) and selecting those PIX records initiated, approved, closed or commented by someone on the SAR team, SP5). Identify problems, develop statistical summaries, and discuss them with the SAR team.
E. Through discussions with Systems and Programming staff and some Bank users, determine if the SAR reports are being packaged properly and are easy for users to interpret.
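As an added illustration of the daily balancing check in step VI.A (example code, not part of the original audit program or of SAR itself), the following Python reconciles a constructed series of daily SAR database counts and flags any day that fails the identity, or whose opening count does not carry forward from the prior day's closing count. The DailyCount record layout is an assumption, not SAR's own report format.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DailyCount:
    """One day's SAR database statistics (constructed layout, not SAR's own output)."""
    date: str
    opening: int     # entries in the database at start of day
    additions: int   # reports archived during the day
    deletions: int   # reports expired or deleted during the day
    closing: int     # entries reported at end of day


def balance_day(day: DailyCount) -> bool:
    """The VI.A control: opening + additions - deletions must equal closing."""
    return day.opening + day.additions - day.deletions == day.closing


def reconcile(days: list[DailyCount]) -> list[str]:
    """Return one exception message per control failure, in date order.

    Two checks are applied: the daily identity, and continuity between days
    (today's opening must equal yesterday's closing). A continuity break means
    entries changed outside the logged add/delete activity, which is what the
    balancing control exists to surface.
    """
    exceptions = []
    previous = None
    for day in days:
        if previous is not None and day.opening != previous.closing:
            exceptions.append(
                f"{day.date}: opening {day.opening} != prior closing {previous.closing}")
        if not balance_day(day):
            expected = day.opening + day.additions - day.deletions
            exceptions.append(
                f"{day.date}: closing {day.closing} != expected {expected}")
        previous = day
    return exceptions


# Constructed sample: three clean days, then a day that does not balance,
# then a day whose opening count does not match the prior day's closing count.
SAMPLE_DAYS = [
    DailyCount("2000-08-21", 10000, 350, 120, 10230),
    DailyCount("2000-08-22", 10230, 410, 95, 10545),
    DailyCount("2000-08-23", 10545, 300, 300, 10545),
    DailyCount("2000-08-24", 10545, 275, 40, 10770),   # 10 entries unaccounted for
    DailyCount("2000-08-25", 10750, 200, 50, 10900),   # opening != prior closing
]

if __name__ == "__main__":
    for line in reconcile(SAMPLE_DAYS):
        print(line)
```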