Understanding that electronic audit documents, reports, work papers, etc. can be the most sensitive documents in the Bank, how are most of you maintaining logical access controls over these documents in electronic format.

That is:
Where do you save the files (local drive / network drive / removable media)?

Who has system permissions to view, modify, and delete those files?

If saved on a network, how do you ensure that your data and files are backed up – should your data and files be co-mingled with the other Bank backup data?

Do you know if the IT admin folks (or anyone else with elevated authority) have access to surreptitiously view, alter or delete the data?

Do you digitally sign documents?

Any feedback would be appreciated.

Where do you save the files (local drive / network drive / removable media)? Files are saved on the server under an Audit section.

Who has system permissions to view, modify, and delete those files? Myself (I am the Audit Dept.), the CFO, and the IT guy.

If saved on a network, how do you ensure that your data and files are backed up – should your data and files be co-mingled with the other Bank backup data? During my IT audit, I verify that backups are being performed on the server. I personally don't have a problem with audit documents being stored on the bank's server. There are a lot of sensitive files there. HR files, Board Minutes, etc. Where else would you save them?

Do you know if the IT admin folks (or anyone else with elevated authority) have access to surreptitiously view, alter or delete the data? Yes, they do. However, you have to trust that they don't. I also have paper copies of most of the important things. It would be pretty obvious if something was changed. Also, I save some things in a pdf format, that can't be easily altered.

Do you digitally sign documents?
No.

Do you think that someone is messing with your files?

Thanks – very helpful.

No I don’t think anyone is messing with the files.

Do I know beyond a shadow of a doubt that, given the current access levels, someone could mess with them and me not know it? No.

In my position as Internal Auditor Director, I do not report to management – only the Board of Directors. I have to ensure that management (or anyone else) does not influence me, my people, my department, my processes, reports, etc. etc.

While I trust who I trust, I think restricting logical access to only the Audit organization is the only way I can ensure that management has not reviewed, copied, tampered, deleted or otherwise influenced pending or developing Audit data.

I'm in the same boat, but short of storing everyting on a USB drive, or something similar, I don't know how to fix that. If you come up with anything, let me know.

Also, I'm sure you are aware that the IT guys can read your email, see what sites you are surfing on the net, etc. Big Brother is everywhere.

All of our audit files are saved to the audit folder on the network. Only IT head, his back-up and Audit Dept have access to this folder. In our situation, they need access to the files in order to make a daily back-up tape of all files. I would push for limited access or no access other than the audit department. Our audit files often contain information that's highly sensitive only meant for management's and board's eyes.