I. Audit Approach

As an element of the University's core business functions (payroll, financials, student, and medical), Disaster Recovery will be audited every three years using a risk-based approach. The minimum requirements set forth in the general overview and risk assessment section below must be completed for the audit to qualify for core audit coverage. Following completion of the general overview and risk assessment, the auditor will use professional judgment to select specific areas for additional focus and audit testing. Specifically, this audit will include consideration of:

- Backup Procedures
- Insurance Coverage
- Restart/Recovery
- Disaster Recovery Tests

Note: The hours and percentages are based on a 240-hour audit.

II. General Overview and Risk Assessment (55 Hrs - 23%)

For Campus, Medical Center, and Lab central network management, general overview procedures will include interviews of department management and key personnel; a review of available financial reports; evaluation of policies and procedures associated with business processes; inventory of compliance requirements; consideration of key operational aspects; and an assessment of the information systems environment. During the general overview, a detailed understanding of the management structure, significant financial and operational processes, compliance requirements, and information systems will be obtained (or updated).

As needed, the general overview will incorporate the use of internal control questionnaires, process flowcharts, and the examination of how documents are handled for key processes.

A. The following table summarizes audit objectives and corresponding high-level risks to be considered during the general overview.

Audit Objective

Obtain an understanding of significant processes and practices employed in developing, testing, and implementing business resumption plans, specifically addressing the following components:

- Management philosophy, operating style, and risk assessment practices, including:
  - Awareness of and compliance with applicable laws, regulations and policies
  - Planning and management of disaster recovery financial resources
  - Efficient and effective operations
- Determine if a business resumption plan exists and was developed using a sound methodology that includes the following elements:
  - Identification and prioritization of the activities that are essential to continue functioning.
  - The plan is based upon a business impact analysis that considers the impact of the loss of essential functions.
  - Operations managers and key employees participated in the development of the plan.
  - The plan identifies the resources that will likely be needed for recovery and the location of their availability.
  - The plan is simple and easily understood so that it will be effective when it is needed.
  - The plan is realistic in its assumptions.
- Determine if information backup procedures are sufficient to allow for recovery of critical data.
- Determine if a test plan exists and to what extent the business resumption plan has been tested.
- Determine if financial resources have been made available to maintain the business resumption plan and keep it current.
- Determine if the business resumption plan has the capacity to meet operating requirements.
- Determine if the IT business resumption plan is a part of the overall disaster recovery plan.

Areas of Risk

- Poor management communication regarding expectations (standards and policies) may result in inappropriate behavior.
- The Disaster Recovery risk assessment processes may not identify and address key areas of risk.
- Inadequate skill level or training to accomplish the necessary tasks.
- Inadequate separation of responsibilities for activities may create opportunities for fraud, misuse and errors or omissions.
- Processes and/or disaster recovery systems may not be well designed or implemented, and may not yield desired results, i.e., accuracy of information, operational efficiency and effectiveness, and compliance with relevant regulations, policies and procedures.
- The business resumption plan will not meet the capacity needed for business operations.

B. The following procedures will be completed as part of the general overview whenever the core audit is conducted.

General Control Environment

- For the department(s) responsible for the business recovery plan, disaster recovery plan, and emergency/crisis response plan, interview the department director and key managers to identify and assess their philosophy and operating style, regular channels of communication, and all internal risk assessment processes.
- Obtain the department's organization chart, delegations of authority, and management reports.
- Interview select staff members to obtain the staff perspective. During all interviews, solicit input on concerns or areas of risk.
- Evaluate the adequacy of the organizational structure and various reporting processes to provide reasonable assurance that accountability for programmatic and financial results is clearly demonstrated.
- If the organizational structure and various reporting processes do not appear adequate, consider alternative structures or reporting processes to provide additional assurance. Comparison to similar local departments, or corresponding departments on other locations, may provide value in this regard.

Business Processes

- Identify all key department activities. Gain an understanding of the corresponding business processes, and positions with process responsibilities.
- For financial processes, document positions with responsibility for initiating, reviewing, approving, and reconciling financial transaction types. Document processes via flowchart or narratives identifying process strengths, weaknesses, and mitigating controls.
- Evaluate processes for adequate separation of responsibilities. Evaluate the adequacy of the processes to provide reasonable assurance that University/Lab resources are properly safeguarded.
- If processes do not appear adequate, develop detailed test objectives and procedures, and conduct detailed transaction testing with specific test criteria. Consider whether statistical (versus judgmental) sampling would be appropriate for purposes of projecting on the population as a whole or for providing a confidence interval.

Information Systems

- Interview department information systems personnel to identify all department information systems, applications, databases, and interfaces (manual or electronic) with other systems, including escalation systems, command and control systems, notification systems and other systems used to process information during a disaster.
- Obtain and review systems documentation, if available.
- Document and review the information flow via flowcharts and narratives, including all interfaces with other systems.
- Consider two-way test of data through systems from source document to final reports, and from reports to original source documents.
- Evaluate the adequacy of the information systems to provide for availability, integrity, and confidentiality of the University/Lab information resources.
- If system controls do not appear adequate, develop detailed test objectives and procedures, and conduct detailed testing with specific test criteria.

C. Following completion of the general overview steps outlined above, a high-level risk assessment should be performed and documented in a standardized working paper (e.g., a risk and controls matrix).
To the extent necessary, as determined by the auditor, this risk assessment may address aspects of other areas outlined below (financial reporting, compliance, operational efficiency and effectiveness, and information systems). In addition to the evaluations conducted in the general objectives section, the risk assessment should consider the following: annual expenditures; time since last review; recent audit findings; organizational change; regulatory requirements, etc.

III. Financial (17 Hrs - 7%)

A. The following table summarizes audit objectives and corresponding high-level risks regarding financial network management processes.

Audit Objective

Evaluate the adequacy of financial resources, and appropriate financial planning consistent with the objectives of Network Disaster Recovery Management. Include the following components:

- Appropriate level of investment in recovery planning (hot site vs. cold site)
- Appropriate investment in capital equipment
- Appropriate investment in human resources
- Appropriate management of contracts
- Appropriate data backup facilities
- Appropriate insurance coverage
- Does IT governance provide adequate consideration of financial needs?
- A process to capture required financial information

Areas of Risk

- Processes may not adequately align resources with key business objectives.
- Poor systems performance
- Inadequate capacity
- Inefficient use of resources
- All other risks
- Inadequate funding of key positions
- Budgeting processes may not adequately align resources with key business objectives.
- Budget variances not adequately monitored and evaluated may result in department budget overdrafts, or project cost overruns.
- Improper classification of costs may cause regulatory compliance concerns (A21, cost accounting standards).
- Recharge methodologies and overhead rate calculations may not provide adequate funding for continued level of service.

B. The following procedures should be considered whenever the core audit is conducted.
- Identify all financial reporting methods in use by the department for both departmental activities and capital projects. Obtain and review copies of recent financial reports.
- Identify all budgetary reporting methods in use by the department for both department activities and capital projects. Obtain and review copies of recent budgetary reports.
- Document through spreadsheets, narratives, or flowcharts the capital project budget processes and capital project costing practices (i.e., actual vs. standard costs; capitalization).
- Gain an understanding of the different methods implemented to monitor department, fund, and project budget variances. Validate on a test basis.
- Interview department staff to document the process of classifying costs as either direct charges or overhead charges. Gain an understanding of the overhead rate calculation and review process. Validate on a test basis.
- On a test basis, evaluate the accuracy and reliability of financial reporting. If certain reporting does not appear accurate and reliable, develop detailed test objectives, procedures, and criteria. Conduct detailed testing as needed to determine the impact of financial reporting issues.

IV. Compliance (48 Hrs - 20%)

A. The following table summarizes audit objectives and corresponding high-level risks regarding compliance with policies and procedures, and regulatory requirements.

Audit Objective

Evaluate compliance with the following requirements:

- UCOP Policies:
  - IS3
  - IS10
  - Other Business and Finance Bulletins and other University policies
  - Electronic communications policy
- Applicable State and Federal laws and regulations, including:
  - HIPAA
  - FERPA
  - SB 1386
  - FEMA
  - GLBA
  - SEMS
- Evaluate adequacy and compliance with local policies, standards and guidelines

Areas of Risk

- Non-compliance with laws and regulations may put the University at risk with law enforcement or regulatory agencies.
- Poor security, poor performance, from lack of adequate guidance policy.
- Delegations of authority may be inappropriate.
- Non-compliance of local processes with University requirements may negatively impact reliability and security of the systems.

B. The following procedures should be considered whenever the review is conducted.

1. Determine if recovery plans and off-site data storage comply with laws, regulations and policies.
2. Determine whether state or federal regulations (SB1386, GLBA, etc.) apply to data that may be stored for disaster recovery and review for compliance.
3. Determine whether any Office of the President or University policies apply to the data that may be stored for disaster recovery and review for compliance.

V. Operational Effectiveness and Efficiency (36 Hrs - 15%)

A. The following table summarizes audit objectives and corresponding high-level risks regarding operational effectiveness and efficiency.

Audit Objective

Evaluate management processes, specifically addressing the following areas:

- Personnel management (the use of employees vs. contractors)
- Specialization of work - centralized vs. decentralized
- Granting physical access (keys or electronic access) and issuing security badges
- IT physical security and equipment changes affecting IT physical security. Consider planned vs. ad hoc changes.
- Hot site vs. cold site

Areas of Risk

- Paying more for services when less expensive alternatives are available
- Loss of control of IT security (if contractors are used)

Determine if:

1. An individual or team has responsibility to routinely ensure the alternate processing facility has the necessary hardware, supplies, and documentation to resume processing.
2. Management has reviewed the adequacy of recovery team coverage for the Disaster Recovery and Business Continuation plan and the frequency of such reviews.
3. Management has considered outside resources for their Disaster Recovery efforts. If outside resources are used, ascertain whether central assets were considered before obtaining the outside resources.
4. Management has plans for recovery from short-term computer interruptions.
5. Complete audit trails are maintained during the recovery period.
6. Any emergency restarts occurred recently that would test the reliability of the backup media.
7. The action taken in response to the restarts was appropriate and minimized down time.

VI. Information and Communication (84 Hrs - 35%)

A. The following table summarizes audit objectives and corresponding high-level risks regarding information systems.

Audit Objective

- Determine if the plan reflects the current IT environment.
- Determine if the plan includes prioritization of critical applications and systems.
- Determine if the plan includes time requirements for recovery/availability of each critical system, and that they are reasonable.
- Does the business resumption plan include arrangements for emergency telecommunications?
- Is there a plan for alternate means of data transmission if the computer network is interrupted?

Areas of Risk

- Plan is outdated or does not meet business requirements.
- Key critical applications and systems may not be identified and increase the risk of business resumption.
- The timing of bringing key systems on-line may increase the risk of business resumption.

B. Based on the information obtained during the information and communication overview, conduct observations and evaluate whether any operations should be evaluated further via detailed testing. For example, detailed testing could include observations:

At the Campus/Medical Center level to determine:

- What actions start the master Disaster Recovery Plan (DRP), Business Recovery Plan (BRP), and Emergency Recovery Plan (ERP)?
- What actions stop the ERP?
- How do Departmental (e.g., Payroll, Financials, Student and Medical) Disaster Recovery Plans (DRP) correlate with the overall ERP?
- How is data captured during the emergency?
- What is done with the data captured?

At the departmental level to determine:

- What actions start the DRP?
- What actions stop the DRP?
- How does the DRP tie into the ERP?
- How is data captured during the emergency?
- What is done with the data captured?

UC Core Audit Program
Audit Program and Internal Control Questionnaire
Disaster Recovery
As of July 2, 2003
Reviewed by Doug Huff/LLNL 10/15/03

IT Core Audit Program, Disaster Recovery, Dave Curry & Terry Allen, University of California