
UC Core Audit Program

Data Center Operations & OS Software


I. Audit Approach

As an element of the University’s core business functions, Data Center Operations will
be audited every three years using a risk-based approach. IT Data Center Operations is
usually responsible for the management, physical controls, and processing of production
IT systems. The Data Center is also normally responsible for the installation and
maintenance of the operating systems on the computers used to process production IT
systems.

The minimum requirements set forth in the “general overview and risk assessment”
section below must be completed for the audit to qualify for core audit coverage.
Following completion of the general overview and risk assessment, the auditor should
use their professional judgment to select areas for additional focus and audit testing.

II. General Overview and Risk Assessment (70 hrs – 23%)

The general overview will include interviews of department management and key
personnel; evaluation of policies and procedures associated with business processes and
mission; inventory of compliance requirements; consideration of key operational aspects;
and an assessment of the information systems environment. Prior audits should be
reviewed to determine impact, if any. During the overview, a general understanding of
the management structure, compliance requirements, financial issues, daily and routine
operations, and efficiency and effectiveness of the operation will be obtained (or
updated).

As needed, the general overview will incorporate the use of internal control
questionnaires, process flowcharts, and the examination of how documents are handled
for key processes.

A. The following table summarizes audit objectives and corresponding high-level risks
to be considered during the general overview.

Audit Objective

Obtain an understanding of the significant processes and practices employed in
implementing and supporting the Data Center operations, specifically addressing the
following components:
• Management philosophy, operating style, and risk assessment practices, including:
   o Awareness of and compliance with applicable laws, regulations and policies
   o Planning and management of Data Center Operations financial resources
   o Efficient and effective operations
• Organizational structure, governance and delegations of authority and responsibility
• Positions of accountability for financial and operational results
• Process strengths (best practices), weaknesses, and mitigating controls

Areas of Risk

• Data Center management systems may be ineffective and inefficient due to
misalignment with their mission and not capable of meeting the business objectives
• Organizational structure may be inappropriate for achieving business objectives
• Lack of accountability could also lead to improper segregation of duties
• Internal controls could be assessed as not reliable where process weaknesses are
substantial
• Information systems, applications, databases, and limited electronic interfaces may
be inappropriate for achieving the business objectives
• Operating systems may not be properly configured or maintained (patched), thus
resulting in insecure systems

39468459.doc, September 4, 2010, JDHJr Page 1 of 8

B. The following procedures should be considered as part of the General Overview
whenever the core audit is conducted.

General Control Environment

1. Interview the department director and key managers to identify and assess
their philosophy and operating style, regular channels of communication, and
risk assessment processes.
2. Obtain the department’s organization chart, delegations of authority, and
management reports.
3. Interview select staff members to obtain the staff perspective. During all
interviews, solicit input on concerns or areas of risk.
4. Evaluate the adequacy of the organizational structure and reporting processes
to assure the proper accountability of the data center’s operations.
5. If the organizational structure and various reporting processes do not appear
adequate, consider alternative structures or reporting. Comparison to
corresponding departments at other locations may provide value.

Business Processes

6. For the Data Center, identify the key department activities and controls. Gain
an understanding of the corresponding processes, and positions of
responsibilities. The data center’s responsibilities usually include:
a. Processing controls, including batch controls, the use of control totals, and
input/output controls
b. Security of the data center including physical security and controls,
and environmental controls
c. System software operations, including the controls to separate system
programming from application programming and database operations
d. Administrative planning and support including capacity planning,
preventative maintenance and insurance.
e. Backup and Recovery processes including routine backups and storage
and recovery planning and testing.
7. For financial systems, such as the recharge system, identify positions with
responsibility for initiating, reviewing, approving, and reconciling financial
transactions. Gain an understanding of processes by examining flowcharts or
narratives identifying process strengths, weaknesses, and mitigating controls.
8. Evaluate processes for adequate separation of responsibilities or proper
management review. Evaluate the adequacy of the processes to provide
reasonable assurance that University/Lab resources are properly safeguarded.
9. Evaluate the adequacy of the operations practices to provide for availability,
integrity, and confidentiality of the University/Lab information resources.
10. Develop detailed test objectives and procedures, and conduct detailed testing
with specific test criteria.
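One detailed test that follows from procedures 6c and 8 above is a segregation-of-duties (SoD) check over the data center's access listing: expand each account's roles into the duties they confer, flag any account holding a conflicting pair (system programming versus application programming versus database operations), and record whether a documented mitigating control covers the conflict. The script below is an added example written for this page and is not part of the UC audit program; the role catalog, the conflict matrix, the compensating-control list and the account listing are all constructed assumptions standing in for the data center's real group memberships and documented controls.

```python
"""Audit test: segregation of duties (SoD) among data center roles.

Added example for procedures 6c and 8 of the General Overview; it is not part
of the UC audit program. ROLE_DUTIES, CONFLICTS, COMPENSATED and ACCOUNTS are
constructed assumptions, not data from any real data center.
"""
from typing import Dict, List, Sequence, Set, Tuple

# Assumed role catalog: each role grants one or more duties.
ROLE_DUTIES: Dict[str, Set[str]] = {
    "os-admin":    {"sysprog"},    # root on production OS: configuration, patching
    "app-dev":     {"appprog"},    # write and build application code
    "dba":         {"dbops"},      # database administration
    "release-mgr": {"deploy"},     # move approved changes into production
    "operator":    {"run-batch"},  # run scheduled jobs, check control totals
}

# Assumed conflict matrix: duty pairs one person should not hold without a
# documented compensating control (procedure 6c names sysprog/appprog/dbops).
CONFLICTS: Set[frozenset] = {
    frozenset({"sysprog", "appprog"}),
    frozenset({"sysprog", "dbops"}),
    frozenset({"appprog", "dbops"}),
    frozenset({"appprog", "deploy"}),
}

# Constructed account listing, as an auditor would pull from group files or a
# directory export: (username, roles held).
ACCOUNTS: List[Tuple[str, List[str]]] = [
    ("asmith",    ["os-admin"]),
    ("bjones",    ["app-dev", "release-mgr"]),
    ("cwu",       ["dba"]),
    ("dlee",      ["os-admin", "app-dev"]),
    ("svc_batch", ["operator"]),
]

# Constructed list of accounts whose conflict has a documented mitigating
# control (e.g. every deployment by bjones is approved by a second person).
COMPENSATED: Set[str] = {"bjones"}


def duties_for(roles: Sequence[str]) -> Set[str]:
    """Expand roles into the duties they confer; an unknown role means the catalog is incomplete."""
    duties: Set[str] = set()
    for role in roles:
        if role not in ROLE_DUTIES:
            raise ValueError(f"unknown role {role!r}; the role catalog is incomplete")
        duties |= ROLE_DUTIES[role]
    return duties


def conflicts_for(roles: Sequence[str]) -> List[Tuple[str, str]]:
    """Return the conflicting duty pairs an account holds, sorted for stable reporting."""
    duties = duties_for(roles)
    return sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= duties)


def sod_exceptions(accounts, compensated) -> Dict[str, dict]:
    """Return {user: {"conflicts": [...], "mitigated": bool}} for every account holding a conflict."""
    report: Dict[str, dict] = {}
    for user, roles in accounts:
        found = conflicts_for(roles)
        if found:
            report[user] = {"conflicts": found, "mitigated": user in compensated}
    return report


def unmitigated_users(accounts, compensated) -> List[str]:
    """Accounts with a conflict and no documented compensating control: the finding list."""
    return sorted(u for u, r in sod_exceptions(accounts, compensated).items()
                  if not r["mitigated"])


if __name__ == "__main__":
    for user, r in sod_exceptions(ACCOUNTS, COMPENSATED).items():
        status = "mitigated" if r["mitigated"] else "FINDING"
        print(f"{user:10} {status:10} {r['conflicts']}")
```

The two-level result matters for the working paper: an account whose conflict is covered by a documented review is still listed, because the auditor should test that the compensating control actually operates, but only the unmitigated accounts become findings.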

Information Systems

11. Interview department personnel to identify department information systems,
including monitoring systems, escalation systems, command and control
systems, notification systems and any other systems used to process the data
center’s information.
12. Review systems documentation, logs and other documentation, as needed, to
gain an understanding of the data center’s information processes.
13. Review management’s monitoring and supervision of the data center
operations.
14. Develop detailed test objectives and procedures, and conduct detailed testing
with specific test criteria.

C. Following completion of the general overview steps outlined above, a high-level
risk assessment should be performed and documented in a standardized working
paper (e.g., a risk and controls matrix). To the extent necessary, as determined by
the auditor, this risk assessment may address aspects of the other areas outlined
below (financial reporting; compliance; operational efficiency and effectiveness; and
information systems). In addition to the evaluations conducted in the general
objectives section, the risk assessment should consider the following: annual
expenditures; time since last review; recent audit findings; organizational change;
regulatory requirements; etc.


III. Financial (20 hrs – 7%)

A. The following table summarizes audit objectives and corresponding high-level risks
regarding the Data Center’s financial management processes.

Audit Objective

Evaluate the adequacy of financial resources, and appropriate financial planning
consistent with the objectives of the Data Center. Include the following components:
• Compliance with the budgeting and approval process for funding major equipment
upgrades and replacement
• Recharges for Data Center services are consistent and appropriate
• Recharge rates are documented and approved
• IT governance is appropriate for adequate consideration of financial needs
• Evaluate the cost benefit of lease vs. buy of capital assets
• Evaluate the cost benefit of software purchases

Areas of Risk

• Servers and IT equipment may be acquired that are inadequate for the needs of the
Data Center’s customers
• Acquisitions of IT equipment may be made that have not been through the budget
and approval process
• Funding shortages may prevent the Data Center from achieving its business
objectives
• Funding may be used to purchase resources that are inappropriate for the intended
purposes
• Purchase versus lease decisions may be flawed due to incorrect financial
assumptions
• IT governance may not provide adequate consideration of financial needs

B. The following procedures should be considered as part of the financial review
whenever the core audit is conducted.
1. Identify all financial processes used by the department. Review recent
financial reports or other operational financial information.
2. Identify budgetary processes used by the department. Obtain and review
recent budgetary reports.
3. Document through spreadsheets, narratives, or flowcharts the budget and
recharge costing practices (i.e., actual vs. standard costs; capitalization).
4. Gain an understanding of the different methods used to monitor department
funds, and budget variances.
5. Identify the processes for classifying costs as either direct charges or overhead
charges. Gain an understanding of the overhead rate calculation and review
process.
6. Determine if the department is funded sufficiently to adequately provide the
services at an appropriate level.
7. Determine if the financial processes used are appropriate to provide
management both inside and outside the department with the proper
information.


IV. Compliance (60 hrs – 20%)

A. The following table summarizes audit objectives and corresponding high-level risks
regarding compliance with policies and procedures, and regulatory requirements.

Audit Objective

Evaluate compliance with the following requirements:
• UCOP policies:
   o IS-3
   o IS-10
   o Other Business and Financial Bulletins and other University policies
   o Electronic Communications Policy
• Applicable State and Federal laws and regulations, including:
   o FERPA
   o Gramm-Leach-Bliley (GLBA)
   o HIPAA
   o SB 1392
Evaluate the adequacy of, and compliance with, local policies, standards, and
guidelines.

Areas of Risk

• Non-compliance could result in fines, penalties, and sanctions
• Poor security or poor performance may result from a lack of adequate policy
guidance
• Delegations of authority may be inappropriate
• Non-compliance of local processes with University requirements may negatively
impact the reliability and security of the systems

B. The following procedures should be considered as part of the Compliance review
whenever the core audit is conducted.
1. Obtain an understanding of all applicable state or federal regulations.
2. Determine whether state or federal regulations apply to data center operations
and OS software, and review for compliance (e.g., HIPAA, FERPA, SB 1392,
GLBA).
3. Validate compliance with applicable state or federal regulations.
4. Obtain an understanding of all applicable University Office of the
President and Campus/Lab policies.
5. Determine whether any University Office of the President and
Campus/Lab policies apply to data center operations and OS software (e.g.,
IS-3, IS-10, etc.).
6. Validate compliance with applicable University Office of the President
and Campus/Lab policies.

V. Operational Effectiveness and Efficiency (50 hrs – 17%)

A. The following table summarizes audit objectives and corresponding high-level risks
regarding operational effectiveness and efficiency.

Audit Objective

Evaluate the adequacy of operational effectiveness and efficiency consistent with the
objectives of Data Center Management. Include the following components:
• Appropriate investment in human resources and equipment
• Adequacy of Data Center personnel in skills and training
• Self-evaluation and improvement process
• Personnel management
• Specialization of work: centralized vs. decentralized
• Appropriate management of contracts
• Software and equipment change review and approval processes
• Patch vs. permanent fix of problems
• Process for evaluating the need for new and/or upgraded hardware, software, and
facilities

Areas of Risk

• Operational effectiveness and efficiency could be compromised due to poor system
performance
• Lack of proper planning could allow a condition of inadequate capacity to develop
• Self-evaluation and improvement processes may not be aligned with the directives
of management
• Service levels may not satisfy the needs/requirements of the Data Center and its
customers
• Paying more for services when less expensive alternatives are available

B. The following procedures should be considered as part of the Operational Effectiveness
and Efficiency review whenever the core audit is conducted.
1. Evaluate the appropriateness of the mix of employees and contractors.
2. Where contractors are used, determine whether adequate knowledge transfer is
performed before their contracts end.
3. Evaluate use of specialists/ subject matter experts in areas where appropriate in-
house expertise does not exist.
4. Review relevant strategic plans to determine whether major system changes are
planned.
5. Evaluate the cost benefit of lease vs. buy of equipment.
6. Determine if root cause analyses are performed for system problems. Evaluate
whether symptoms of problems are addressed or if system fixes resolve the root
of the problem.
7. Review service level agreements for adequacy of coverage. Determine if
historical performance has been adequate and in accordance with service level
agreement.

8. Determine if timelines appear adequate to address new system objectives.
Review any project plans to ensure data center milestones are identified and
adequately budgeted for time and resources.

VI. Information and Communication (100 hrs – 33%)

A. The following table summarizes audit objectives and corresponding high-level risks
regarding daily and routine operations processes.

Audit Objective

Evaluate the following routine operational activities regarding processing,
application and system recovery, and system interface performance:
• Logging, maintenance, and monitoring review of operational (daily computer
processing) work
• Output controls and distribution
• Scheduling, preparing, and running assigned processes
• Incident handling, escalation and reporting as it pertains to recovery processes,
hardware, software, or any operational failure
• Work order process for assigning and monitoring non-operational work
• Process to communicate hardware and software system updates and changes to
management and users prior to implementation
• Process to communicate any emergency hardware or software changes to
management and users
• Process to communicate the status of all systems to management and users

Areas of Risk

• Development and implementation of daily processes for Data Center Operations
may be inappropriate for achieving the management objectives
• Recovery processes may be too complicated for operational purposes and,
therefore, not used
• Output may be inappropriately distributed, resulting in inefficiencies and possible
compromise of sensitive data
• Lack of proper traffic monitoring tools may mean monitoring does not achieve the
results originally intended
• Lack of standard procedures for logging, maintenance, and review of operational
reports may make the processes ineffective
• Improperly defined backup procedures and standards may result in unrecoverable
data
• Non-operational work may not be done properly or on a timely basis
• Management and users may be unprepared for system changes

B. The following procedures should be considered as part of the Information and
Communication review whenever the core audit is conducted:
1. Evaluate the logging, maintenance, and monitoring of daily computer
processing.
2. Determine the controls and communications used to assure proper delivery
of processed output. Give attention to any sensitive forms used, such as
checks.
3. Gain an understanding of the process to communicate system software and
hardware changes to users and management. Evaluate the adequacy of the
communication.
4. Determine the procedure for escalating problems to appropriate levels of
management. Review the documentation of recent problems that had been
escalated and evaluate the timeliness and adequacy of the process.
5. Determine if root cause analyses are performed for system problems.
Evaluate whether symptoms of problems are addressed or if system fixes
resolve the root of the problem.
6. Review service level agreements for adequacy of coverage. Determine the
process to communicate status of the systems (up time percent) to users.
Determine if the process to gather the status will likely provide accurate
information. Determine if historical performance has been adequate and in
accordance with service level agreement.
7. Identify the process to declare a disaster including who must make that
decision.
8. Gain an understanding of how all the data center staff receive information
regarding a disaster and how they receive their instructions for any alternate
processing locations to which they must report.
9. Evaluate the systems programmers’ sources of information on fixes, patches,
and other known causes of failure. Determine how they evaluate these repairs
and the process to apply the fixes.
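Procedure 9 above, together with the "operating systems may not be properly configured or maintained (patched)" risk in the General Overview, is most convincingly tested against evidence rather than interview answers: take the vendor advisory stream, take each host's reported installed-patch list with the date that list was last verified, and compute which advisories are past their installation window on each host. The script below is an added example written for this page, not part of the UC audit program; the advisory list, the host inventory, the scan dates, the fieldwork date and the 30/90-day windows are constructed assumptions standing in for the vendor feed, the data center's patch records and the campus patch standard.

```python
"""Audit test: installed OS patches versus the vendor advisory stream.

Added example for procedure 9 of the Information and Communication review;
it is not part of the UC audit program. WINDOWS, ADVISORIES, HOSTS and AS_OF
are constructed assumptions, not data from any real data center or vendor.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumed policy: days allowed between vendor release and installation.
WINDOWS: Dict[str, int] = {"critical": 30, "other": 90}


@dataclass(frozen=True)
class Advisory:
    patch_id: str
    released: date
    severity: str  # "critical" or "other"


@dataclass
class Host:
    name: str
    installed: Set[str] = field(default_factory=set)
    last_scan: Optional[date] = None  # when the installed list was last verified


# Constructed vendor advisories (IDs and dates are invented).
ADVISORIES: List[Advisory] = [
    Advisory("KB-2010-07A",  date(2010, 7, 1),  "critical"),
    Advisory("KB-2010-08B",  date(2010, 8, 20), "critical"),
    Advisory("PKG-2010-05C", date(2010, 5, 15), "other"),
    Advisory("PKG-2010-08D", date(2010, 8, 30), "other"),
]

# Constructed host inventory with the patch IDs each host reports installed.
HOSTS: List[Host] = [
    Host("recharge-db01", {"KB-2010-07A", "PKG-2010-05C"}, date(2010, 9, 3)),
    Host("batch-sched02", {"KB-2010-08B"}, date(2010, 9, 1)),
    Host("print-spool03", {"KB-2010-07A", "PKG-2010-05C", "KB-2010-08B"}, date(2010, 8, 1)),
    Host("legacy-app04", set(), None),
]

AS_OF = date(2010, 9, 4)  # assumed audit fieldwork date


def missing_patches(host: Host, advisories: List[Advisory],
                    as_of: date) -> List[Tuple[str, str, int]]:
    """Advisories past their installation window that the host has not applied.

    Returns (patch_id, severity, days_overdue). A patch still inside its
    window is not an exception and is not listed.
    """
    overdue: List[Tuple[str, str, int]] = []
    for adv in advisories:
        if adv.patch_id in host.installed:
            continue
        deadline = adv.released + timedelta(days=WINDOWS[adv.severity])
        if as_of > deadline:
            overdue.append((adv.patch_id, adv.severity, (as_of - deadline).days))
    return overdue


def audit_patch_status(hosts: List[Host], advisories: List[Advisory], as_of: date,
                       max_scan_age: int = 7) -> Dict[str, dict]:
    """Exceptions only: hosts with overdue patches or patch evidence older than max_scan_age days.

    A host whose installed list has not been verified recently is reported as
    an evidence gap even when that stale list shows nothing missing, because
    the auditor cannot rely on it.
    """
    report: Dict[str, dict] = {}
    for host in hosts:
        overdue = missing_patches(host, advisories, as_of)
        stale = host.last_scan is None or (as_of - host.last_scan).days > max_scan_age
        if overdue or stale:
            report[host.name] = {"overdue": overdue, "evidence_gap": stale}
    return report


def compliance_rate(hosts: List[Host], advisories: List[Advisory], as_of: date) -> float:
    """Fraction of hosts with no overdue patches, for the working paper summary."""
    ok = sum(1 for h in hosts if not missing_patches(h, advisories, as_of))
    return ok / len(hosts) if hosts else 1.0


if __name__ == "__main__":
    for name, r in audit_patch_status(HOSTS, ADVISORIES, AS_OF).items():
        gap = "evidence gap" if r["evidence_gap"] else ""
        print(f"{name:14} {gap:13} {r['overdue']}")
    print(f"compliant hosts: {compliance_rate(HOSTS, ADVISORIES, AS_OF):.0%}")
```

Two points carry over to the real test. First, a host with no recent verification of its installed list is an exception in its own right: the control being tested is the process to apply fixes, and a patch record nobody has confirmed is not evidence that the process works. Second, the windows are policy parameters; the auditor should take them from the campus patch standard rather than from the data center's own stated practice, since the test is whether practice meets the standard.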

