IT General Controls by taoyni


Audit Program - Information Systems Controls – Full Scope



Index   Section Title
000     Pre-work
100     Information Systems Security Administration
200     Physical Security
250     Virus Controls
300     Logical Security
400     Contingency Planning
500     Ratings and Conclusion



Abbreviation   Definition
CL             Checklist
FS             Findings Summary
Q              Questionnaire
RN             Review Notes
WP             Work paper


000 – Pre-Work

                                       Audit Procedures

The following should be completed in advance of the scheduled audit.
    - Contact the International CIO to determine if he/she has any concerns about the market.
    - Contact the market’s contact to discuss the audit process, and answer any questions or
      concerns that are brought up.
    - Request the following documents:
          o The name(s) and phone number of the data security manager(s). Information will
            be used in section 100.
          o Facility security procedures, if available. Information will be used in section 100.
          o Copies of the education security program. Information will be used in section 100.
          o A copy of the Business Continuity Plan (BCP) should be available for review
            during the audit. Information will be used in section 400.
          o Results of the last BCP test. Information will be used in section 400.
          o Current contact list, hardware/software inventory, telecommunications
            configuration and insurance coverage information. Information will be used in
            section 400.

   Results:
   ___________________________________________________________________________
   ___________________________________________________________________________
   _________________________________________________

   Performed By: __________                                  Reviewed By: __________
           Date: __________                                         Date: __________


100 – Information System Security Administration

                                       Audit Procedures

   101.    Verify the name(s) of the data security manager(s).

   Results:
   ___________________________________________________________________________
   ___________________________________________________________________________
   _________________________________________________

   Performed By: __________                                  Reviewed By: __________
           Date: __________                                         Date: __________

   102.    Determine if an education program has been implemented to promote user awareness
           about security policies and procedures.




                                                                                   Page 2 of 13


   Results:
   ___________________________________________________________________________
   ___________________________________________________________________________
   _________________________________________________

   Performed By: __________                                    Reviewed By: __________
           Date: __________                                           Date: __________


200 – Physical Security

                                       Audit Procedures

       201.   Identify sensitive areas and assure that perimeter controls are in place. Examples
              of sensitive areas include computer rooms, communications areas and closets, and
              backup storage libraries.

   Results:
   ___________________________________________________________________________
   ___________________________________________________________________________
   __________________________________________________

   Performed By: __________                                    Reviewed By: __________
           Date: __________                                           Date: __________

       202.   Identify entry and exit points to all sensitive areas, including potential access
              points such as air conditioning vents or space above ceilings.
              a. Note any unnecessary doors or windows, as well as emergency opening
                  devices at fire exits.
              b. Review access point controls, such as entry and exit logs and electronic and
                  visual surveillance equipment.
              c. Include external access point controls, especially in cases of multiple-tenant
                  buildings where physical access cannot be restricted.

   Results:
   ___________________________________________________________________________
   ___________________________________________________________________________
   __________________________________________________

   Performed By: __________                                    Reviewed By: __________
           Date: __________                                           Date: __________

       203.   Assure that access authorization procedures are used for all persons (employees,
              contract workers, security staff, and visitors) requiring access to sensitive areas.
              Access to sensitive areas should be controlled and monitored through the use of






          physical devices, such as photo ID badges, optically coded badges and electronic
          keycards.

Results:
___________________________________________________________________________
___________________________________________________________________________
__________________________________________________

Performed By: __________                                   Reviewed By: __________
        Date: __________                                          Date: __________

   204.   Review specific access procedures, including the following:
          a. Granting and discontinuance of authorization.
          b. Control over passkeys.
          c. Reentry procedures after emergencies.
          d. Controls over entry by time of day.
          e. Reception area policies.
          f. Access during emergencies.

Results:
___________________________________________________________________________
___________________________________________________________________________
__________________________________________________

Performed By: __________                                   Reviewed By: __________
        Date: __________                                          Date: __________

   205.   Assure that alarms are installed at all potential entry and exit points of sensitive
          areas. All alarms and other electronically controlled security devices should be
          connected to a back-up power source that would allow them to function in the
          event of a power failure. Also, alarm events should be logged and routinely
          reconciled to actual events.

Results:
___________________________________________________________________________
___________________________________________________________________________
__________________________________________________

Performed By: __________                                   Reviewed By: __________
        Date: __________                                          Date: __________

   206.   Assess the location of the organization, as well as the specific location of the IS
          areas, to determine proximity to businesses posing potential hazards. Such
          businesses may include oil refineries or chemical manufacturers. Note potential
          internal hazards, such as gas boilers, oil tanks and paper stores.






Results:
___________________________________________________________________________
___________________________________________________________________________
__________________________________________________

Performed By: __________                                   Reviewed By: __________
        Date: __________                                          Date: __________

   207.   Review detailed procedures for areas prone to natural disasters, such as
          earthquakes, tornadoes or floods. Consider local building ordinances concerning
          disaster-resistant building standards.

Results:
___________________________________________________________________________
___________________________________________________________________________
__________________________________________________

Performed By: __________                                   Reviewed By: __________
        Date: __________                                          Date: __________

   208.   Assess provisions for steady, continuous electrical supply or alternate power
          sources, as well as the effects of a power failure or overload on equipment and
          other sensitive components. A reliable source of back-up power should be
          available. Review power regulation systems, including voltage regulators or
          uninterruptible power supplies (UPS). Consider back-up power for essential
          support systems, such as air conditioning, humidity control systems, alarm
          systems, access control mechanisms, and lighting.

Results:
___________________________________________________________________________
___________________________________________________________________________
___________________________________________

Performed By: __________                                   Reviewed By: __________
        Date: __________                                          Date: __________

   209.   Assess each IS area for potential threats from heat, direct sunlight, dust, static
          electricity and humidity. Review air conditioning and temperature regulation
          systems for adequacy and ongoing maintenance.

Results:
___________________________________________________________________________
___________________________________________________________________________
_________________________________________________

Performed By: __________                                   Reviewed By: __________





          Date: __________                                           Date: __________

   210.    Review placement of water and drainage pipes to ensure they are routed away
           from IS operations areas. Assess the potential for water storage tanks to flood
           electronic equipment areas, the location of shut-off valves and moisture-detection
           equipment and the susceptibility to extended flooding.

Results:
___________________________________________________________________________
___________________________________________________________________________
_________________________________________________

Performed By: __________                                    Reviewed By: __________
        Date: __________                                           Date: __________

   211.    Review smoke detection and automatic fire extinguishing equipment to assure
           that it is functional and that it provides adequate protection. Equipment and
           evacuation procedures should be tested on a regular basis and should be
           documented. Emergency exits should be easily locatable. Ensure that the
           appropriate hand-held and/or automatic fire-extinguishing system(s) is/are being
           used.

Results:
___________________________________________________________________________
___________________________________________________________________________
_________________________________________________

Performed By: __________                                    Reviewed By: __________
        Date: __________                                           Date: __________

   212.    Analyze the potential threat posed by fires in adjacent buildings (or businesses
           within a multiple-tenant building) and areas, particularly if the areas are outside
           direct organizational control. Review the fire rating on buildings and materials
           and the presence of firewalls to limit the spread of fires, as well as procedures for
           handling fires and their spread to adjacent areas.

Results:
___________________________________________________________________________
___________________________________________________________________________
_________________________________________________

Performed By: __________                                    Reviewed By: __________
        Date: __________                                           Date: __________






250 – Virus Controls

                                      Audit Procedures

      251.   Determine how often the antivirus software is updated.

   Results:
   ___________________________________________________________________________
   ___________________________________________________________________________
   _________________________________________________

   Performed By: __________                                  Reviewed By: __________
           Date: __________                                         Date: __________

      252.   Verify that antivirus software is pushed to the clients whenever there is a
             definition update.

   Results:
   ___________________________________________________________________________
   ___________________________________________________________________________
   _________________________________________________

   Performed By: __________                                  Reviewed By: __________
           Date: __________                                         Date: __________


300 – Logical Security

                                      Audit Procedures

      301.   Determine:
             a. How access levels are granted.
             b. Whether all access is restricted unless specifically authorized.
             c. If the password file is controlled (e.g., encryption).
             d. How security violations are detected and reported.

   Results:
   ___________________________________________________________________________
   ___________________________________________________________________________
   _________________________________________________

   Performed By: __________                                  Reviewed By: __________
           Date: __________                                         Date: __________

      302.   Determine that password security is in effect on all applications. (Users do not
             share IDs and passwords. IDs and passwords are not written down and available
             to others.)






Results:
___________________________________________________________________________
___________________________________________________________________________
_________________________________________________

Performed By: __________                                 Reviewed By: __________
        Date: __________                                        Date: __________

   303.   Determine that passwords are removed as soon as an individual's employment is
          terminated to ensure that a terminated employee cannot gain access to the
          computer files through an outside terminal.

Results:
___________________________________________________________________________
___________________________________________________________________________
_________________________________________________

Performed By: __________                                 Reviewed By: __________
        Date: __________                                        Date: __________

   304.   Have the administrators produce a list of authorized IT system users and the
          user’s level of access. Review the list to determine if permissions are appropriate
          for the individual’s duties and responsibilities and support segregation of duties.

Results:
___________________________________________________________________________
___________________________________________________________________________
_________________________________________________

Performed By: __________                                 Reviewed By: __________
        Date: __________                                        Date: __________

   305.   Determine that all remote access is gained through the servers in San Antonio.
          Remote access security controls should be documented and implemented for
          authorized users operating outside of the trusted network environment.

Results:
___________________________________________________________________________
___________________________________________________________________________
_________________________________________________

Performed By: __________                                 Reviewed By: __________
        Date: __________                                        Date: __________

   306.   Obtain and review a sample of Last Day Checklists to ensure that all appropriate
          actions have been completed.






   Results:
   ___________________________________________________________________________
   ___________________________________________________________________________
   _________________________________________________

   Performed By: __________                                Reviewed By: __________
           Date: __________                                       Date: __________
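Procedures 303, 304 and 306 above are most defensible when the auditor can show the reconciliation that produced each finding. The following is an added example, not part of this audit program, that performs that reconciliation over a constructed IT access export and a constructed HR roster: it flags accounts still enabled after the termination date (303), segregation-of-duties conflicts in the assigned roles (304) and terminations with no evidenced Last Day Checklist (306). The column names, role names and conflict pairs are assumptions chosen for the example.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample of an IT user-access export (assumed column names).
ACCESS_EXPORT = """user_id,name,status,roles,last_login
jdoe,Jane Doe,enabled,AP_INVOICE_ENTRY;AP_PAYMENT_APPROVE,2024-03-10
rroe,Rick Roe,enabled,GL_POST,2024-03-09
asmith,Al Smith,enabled,AP_INVOICE_ENTRY,2024-03-11
bjones,Bo Jones,disabled,GL_POST;SYSADMIN,2023-12-01
"""

# Constructed HR roster (assumed column names); empty termination_date = active.
HR_ROSTER = """user_id,department,termination_date,last_day_checklist_completed
jdoe,Finance,,
rroe,Finance,2024-02-15,yes
asmith,Finance,,
bjones,IT,2023-11-30,no
"""

# Role pairs one person should not hold at the same time (assumed SoD rules).
SOD_CONFLICTS = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"}),
    frozenset({"GL_POST", "SYSADMIN"}),
}

# Fieldwork date used for the "days after termination" calculation (constructed).
AS_OF = date(2024, 3, 12)


def parse_csv(text):
    """Parse an in-memory CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(access_csv, hr_csv, sod_conflicts, as_of, grace_days=0):
    """Reconcile the access export against HR; return findings keyed by procedure."""
    hr = {row["user_id"]: row for row in parse_csv(hr_csv)}
    findings = {"303": [], "304": [], "306": []}
    for acct in parse_csv(access_csv):
        uid = acct["user_id"]
        enabled = acct["status"].lower() == "enabled"
        roles = set(filter(None, acct["roles"].split(";")))
        hr_row = hr.get(uid)
        if hr_row is None:
            # 304: an account with no HR owner cannot be matched to duties.
            findings["304"].append(f"{uid}: no HR record; account owner unknown")
        elif hr_row["termination_date"]:
            term = date.fromisoformat(hr_row["termination_date"])
            if enabled and as_of > term + timedelta(days=grace_days):
                # 303: access must be removed when employment ends.
                note = f"{uid}: enabled {(as_of - term).days} days after termination {term}"
                if date.fromisoformat(acct["last_login"]) > term:
                    note += f"; last login {acct['last_login']} is after termination"
                findings["303"].append(note)
            if hr_row["last_day_checklist_completed"].lower() != "yes":
                # 306: every termination needs a completed Last Day Checklist.
                findings["306"].append(f"{uid}: Last Day Checklist not evidenced")
        if enabled:
            # 304: check the live role combination against the SoD rules.
            for pair in sod_conflicts:
                if pair <= roles:
                    findings["304"].append(f"{uid}: holds conflicting roles {sorted(pair)}")
    return findings


if __name__ == "__main__":
    for proc, items in review_access(ACCESS_EXPORT, HR_ROSTER, SOD_CONFLICTS, AS_OF).items():
        print(f"Procedure {proc}: {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

Each finding line is written so it can be pasted into the Results block of the matching procedure, with the reconciled rows kept as the supporting work paper.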


400 - Contingency Planning

                                     Audit Procedures

      401.   Review the contingency plan for completeness. It should include the following:
             a. Statement of the plan’s objectives and assumptions.
             b. Definitions of and provision for different levels of disruption, including
                complete disaster, operation interruption, and loss of individual system
                components (e.g. disk controllers, terminal controllers, printers, etc.).
             c. Documented scenarios for each level of disruption (e.g. interruption of
                communications, destruction of programs, destruction of database, excessive
                transaction volume, etc.).
             d. Instructions on when and how to activate and use the plan.
             e. Detailed procedures and guidelines for each area of recovery (e.g. application
                system recovery, equipment recovery, communications recovery, systems
                software recovery, etc.).
             f. Security requirements for alternate processing environments.
             g. Authorized contingency plan distribution list with distribution limited to
                authorized personnel.
             h. Review and approval of contingency plan provisions by senior management.
             i. Identification of key contingency plan personnel, including responsibility for
                plan maintenance.

   Results:
   ___________________________________________________________________________
   ___________________________________________________________________________
   _________________________________________________

   Performed By: __________                                Reviewed By: __________
           Date: __________                                       Date: __________

      402.   Review the plan for accuracy of:
             a. Assumptions.
             b. Hardware configurations.
             c. Software configurations.
             d. Staff.





          e. Risk assessment.
          f. Legislative and regulatory requirements; and
          g. Other technical and industry issues.

Results:
___________________________________________________________________________
___________________________________________________________________________
_________________________________________________

Performed By: __________                                 Reviewed By: __________
        Date: __________                                        Date: __________

   403.   Verify that all aspects of the contingency plan are current. Verify compliance
          with change control procedures regarding:
          a. Hardware configurations.
          b. Software configurations.
          c. Staff.
          d. Risk assessment.
          e. Legislative and regulatory requirements; and
          f. Other technical and industry issues.

Results:
___________________________________________________________________________
___________________________________________________________________________
_________________________________________________

Performed By: __________                                 Reviewed By: __________
        Date: __________                                        Date: __________

   404.   In reviewing the adequacy of the plan, “acceptable downtime” as established by the
          user should be the key criterion in determining whether the plan is adequate. If
          service can be restored within this time period to appropriate operational levels,
          then the plan should be considered adequate.

Results:
___________________________________________________________________________
___________________________________________________________________________
_________________________________________________

Performed By: __________                                 Reviewed By: __________
        Date: __________                                        Date: __________

   405.   Review the following to determine the adequacy and appropriateness of the
          contingency plan:
          a. Contingency planning team composition and functions.
          b. Application software and data priorities.





               c.   Equipment inventory and critical configuration.
               d.   Communications requirements.
               e.   Systems software inventory and critical configuration.
               f.   Critical forms and supplies.
               g.   Back-up provisions for software, data files, and supplies.
               h.   Alternate processing facilities.
               i.   Staffing and assignments.
               j.   Transportation inventory and logistics.
               k.   Security provisions.
               l.   Contingency plan testing.
               m.   Information systems and business interruption insurance.

   Results:
   ___________________________________________________________________________
   ___________________________________________________________________________
   _________________________________________________

   Performed By: __________                                     Reviewed By: __________
           Date: __________                                            Date: __________


500 – Ratings and Conclusion

                                           Background

Communicating audit conclusions and findings to management is essential to ensure a successful
audit. At the conclusion of every audit, an exit conference should be held with the General
Manager, Information Systems Manager and Information Systems Security Administrator.

This discussion should be both professional and informative, with the overall goal being to
provide information and support for any findings or areas that can be improved upon. Normally,
management will welcome any suggestions and recommendations that can be offered to remedy
the findings. The General Manager’s overall goal is to maintain an efficient and profitable
market while adhering to corporate policies and procedures.

Rating Methodology
A Rating assigned to a location’s performance must be fairly assigned and supportable. While
audit ratings will always be subjective, we must strive to introduce a certain level of objectivity
to make audit opinions supportable and achieve a high level of consistency between auditors.

Each audit consists of certain audit attributes. The Auditor-in-Charge will assign a Pass/Fail
rating to each attribute. The number of “Pass” ratings will determine the overall audit rating.
The number of “Pass” ratings required to achieve a “Satisfactory” rating will vary by area due to
the different number of attributes in each audit type.






A “Pass” rating is warranted when there are no reportable findings in that attribute. If there is a
reportable finding in an attribute, a “Fail” rating is given. The Audit Managers and Director
have the authority to deviate from this scale in limited circumstances but must document the
reasons for the deviation.

Rating Definitions
The Internal Audit department will use the following ratings, which are defined generically as
follows. All ratings should be contingent on the individual or cumulative amount of error or loss
in relation to market revenue. Specific definitions can be found in each section below.

Satisfactory. To obtain a satisfactory rating, a location must receive a “Pass” rating on the
majority of audit attributes. A satisfactory rating indicates adequate internal controls in place
and substantial compliance with Company policies and procedures. The location may require
improvement in some areas, but no material issues, errors, or exposure to loss.

Needs Improvement. To obtain a “Needs Improvement” rating, a location must receive a
“Pass” rating on approximately one half of the attributes. A “Needs Improvement” rating
indicates a lack of internal controls resulting in errors, which may not always be material
individually, but the combination of all findings indicates inadequate attention to the financial
details and administration of branch business. Findings usually demonstrate a greater degree of
non-compliance with Company policy.

Unsatisfactory. An “Unsatisfactory” rating will be given when a location receives a “Pass”
rating on approximately half or less of the attributes. The unsatisfactory rating overall indicates
material errors, differences, or losses. These create uncertainty about the reliability and
integrity of financial statements due to the lack of control. Usually findings indicate a
substantial disregard for compliance with Company policies, both financial and operational.

                                         Audit Objectives

The overall objective of this section is to communicate audit findings and conclusions to
management and determine a rating supported by the audit work papers and necessary
documentation obtained while performing fieldwork.

                                        Audit Procedures

       501     Audit Rating (WP501)
               a. Review all work papers, questionnaires, and checklists noting the reportable
                  findings in each area.
               b. Ensure all supporting documentation for each finding has been obtained and is
                  included with the fieldwork.
               c. Complete the matrix and determine an overall market rating according to the
                  stated criteria.






Results:
___________________________________________________________________________
___________________________________________________________________________
_________________________________________________

Performed By: __________                             Reviewed By: __________
        Date: __________                                    Date: __________

   502   Exit Conference Summary and Notes (FS502)
         a. Summarize all reportable audit findings to present to management during the
            exit conference. Include a general summary along with any important details
            for each finding (most details can be communicated verbally during the
            discussion).
         b. Discuss any findings, potential control weaknesses, or concerns with the
             General Manager, Business Manager, IT Manager and Security Administrator.
            Document results of the discussion (RN502).

Results:
___________________________________________________________________________
___________________________________________________________________________
_________________________________________________

Performed By: __________                             Reviewed By: __________
        Date: __________                                    Date: __________



