General
Internal Audit uses computers as tools for improving productivity and making
work easier. On a daily basis, we prepare working papers, create other documents,
and check e-mail. Because of their speed and reliability, computers sometimes
provide the only feasible way to perform tasks, such as obtaining information
from financial systems or analyzing data for unusual patterns or variances.
Computers also help prevent destruction of data since files can be backed up
and stored away from the computer.
Because our computers are a valuable resource, we must take steps to prevent
the loss or destruction of our machines, software programs, and data files.
Desktop Machines, Laptops, and Printers
Each staff member is responsible for safeguarding the desktop
and laptop computers in his or her office. Offices should be
locked after normal business hours, when a staff member is working
at other locations, or when the area will be unattended. Physical
security is the best line of defense against loss or damage of the
machines or data they contain.
The office has purchased several laptop computers for the
staff to use when working in offices of auditees. Laptop
computers are assigned to each staff member and should be accounted
for at all times. Peripheral devices such as a USB “flash drive”,
mouse, or keypad may also be issued to the auditor along with their
laptop. The department administrative assistant is responsible for
maintaining records of what desktop and laptop computers and
peripheral equipment are assigned to each member of the staff.
Laptop computers are highly susceptible to theft so extra
caution should be taken to protect them. At an audit site, an
auditor is responsible for securing the machines when they are left
unattended. Alternatives for securing laptops and printers include:
- locking them in an office, a desk, or a file cabinet;
- powering them down and leaving them with a trustworthy employee of the department being reviewed; or
- carrying the machines when the auditor leaves the work station.
If laptops can be properly secured, they may be left at an audit
site overnight. Otherwise, they should be returned to the office or
taken home.
Since computer equipment is sensitive to moisture and extremes of
temperature, laptops should not be left in an automobile for
extended periods of time, particularly in warm weather. Transit time
when moving computer hardware in an automobile should be kept to a
minimum; the machines should not be left in the automobile
overnight. Hardware should be placed out of sight, preferably in the
trunk, if it will be left in an unattended automobile.
Software and Data Files:
There should be no illegal software, “spyware”, or advertising
software installed on Internal Audit’s computers. Only software
approved by the Director of Internal Audit can be installed on our
computers. Each computer should have a corresponding software
license for all of its installed software. Software licensed to the
University or Internal Audit Department should only be copied for
back up purposes.
Electronic files for on-going projects and audits should be
stored centrally on a computer’s hard drive, a compact disk (CD),
a flash drive, or a diskette. In cases of highly sensitive
projects, additional steps should be taken to protect data files,
such as "password protecting" files or saving the files only on
diskette or CD and physically controlling the diskette or CD.
Passwords can be assigned from the Tools menu
under Options and saved. If you choose to assign a password, write it
down and put it in a secure place. Without the password, the document
can’t be opened.
Because items stored electronically can be lost or destroyed far
more easily than they were created, it is important to back up these
items. Each staff member is responsible for performing periodic
back-ups of their computer files and storing back-up CDs apart
from the computer or working copy of the data. Backup files of
on-going projects may also be saved on a laptop or flash drive.
Also, each auditor should activate the "Automatic Save" feature
of Word and Excel (found on the Tools menu, under Options) on his or
her machine. This feature automatically backs up a file being
created or modified to the PC’s hard drive at specified intervals.
Automatic back-ups prevent large amounts of work from being lost if the
power supply to the machine is interrupted.
Passwords
In addition to the physical security measures referenced above
in “Desktop Computers and Laptops”, every department employee is
responsible for securing their desktop and laptop computers with a
strong password. The following tips for creating a strong password
are provided by University Technology Services:
- Does not contain the user name
- Is at least eight characters long
- Include lowercase letters a, b, c,...
- Include uppercase letters A, B, C,...
- Numerals 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
- Symbols (all characters not defined as letters or numerals) ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /
- Use a significant date (numbers), followed with a symbol (* or #), followed by letters
- Use the first letter of special sayings followed by symbols and/or dates
- Replace letters with numbers and vice versa
Certain university computer resources require users to change
their passwords on a regular basis whereas other resources do not.
Internal Audit users should change their passwords on a regular
basis whether required to or not, if allowed by the computer system.
Users should log off or “lock” their workstation when leaving it
unattended for an extended period of time. Refer to E-mail and On-Line Resources below.
Safeguarding CDs and Diskettes:
The staff should take special care to safeguard CDs, flash
drives, and diskettes. The following are some suggestions to
help safeguard them:
- Use felt tip markers to label compact disks or diskettes.
- Store CDs in a manner that will prevent them from being scratched. Scratching a CD may prevent users from accessing the information stored on it.
- Do not place diskettes near magnetic fields. Items that produce magnetic fields include telephones, speakers, appliances, microwaves, copiers, and televisions.
- Do not touch the magnetic film inside the floppy disk or allow dust to get on it.
- Keep the diskettes in a cool, dry, and safe location.
E-mail and On-Line Resources:
Each staff member will receive a free e-mail account. Due to the
ease with which E-mail can be read or forwarded, extra care should
go into its creation. Most E-mail systems, including those E-mail
systems maintained by the university, retain copies without the
knowledge of the creator. Staff members should exercise care with
any information or pictures they may post to a website or blog as
that information can be accessed with search engines such as
Google or Yahoo. Always consider the ramifications of the E-mail
being read by someone other than the intended recipient. When
replying to a person who sent an email to a listserv, it is
essential that users ensure they are replying to only the sender of
the email and not all recipients of the email.
Each staff member will also receive a log on ID for the
University’s Information Systems. Access to individual systems will
be allowed on an as-needed basis. Since our information needs as
auditors give us access to a wider range of computer records, we
must take special precautions to safeguard sensitive or confidential
items. Information obtained during the course of a project should
only be disclosed as part of the normal audit communication process
or with the permission of the Director of Internal Audit. Under no
circumstances should on-line information be obtained or used except
in connection with an audit project.
This portion of the policies was revised 11/7/06. Changes
are in bold.