IT AUDIT GUIDE
General Controls Review
LOGICAL ACCESS:
AUDIT PROCEDURES
Scope:
The scope includes:
Review of documentation, policies and procedures regarding the user administration process(es).
Worksheet columns (the same columns apply to every procedure below):
Control Adequate? (Yes | No | w/ cc | w/o cc)
Exception Classification (HI | MO | LO)
WP Ref. / Auditor's Initial
AUDIT PROCEDURES
Has the Change management policy been:
Documented;
Communicated;
Signed off by management;
Does it describe the process for granting access to, and terminating access for, users; and
Does it describe the application for which access is being requested?
User Access Authorization and Approval
Objective:
To ensure that all system access requests are properly initiated and approved. To determine that employees are granted access only to data that is appropriate for their job function.
Risk/Exposure:
Access may be granted to users without proper approval from management.
Verify that a methodology is used for the initiation and approval of user requests.
Ensure the request form includes (at a minimum) the following information:
Name of requester;
Phone number and department;
Requester's signature;
Type of access;
List of modules that need to be accessed;
Supervisor's name; and
Supervisor's approval (changes must be approved by someone other than the requester).
Determine whether request numbers are assigned to the System Request Form.
Evaluate the process used to determine that appropriate access was granted and that no segregation-of-duties conflict exists.
Access Termination
Objective:
Determine that terminated employees have been removed from the systems in a timely manner to prevent unauthorized access to data.
Risk/Exposure:
Access may remain granted to users who have resigned, or access may not have been terminated, resulting in unauthorized access to the application.
Verify that a methodology is used for terminating user access in the application.
Determine whether the appropriate request and approval were obtained.
Validate that the access was either terminated or deleted.
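One way to perform the test above against exported data, as an added example that is not part of the guide: reconcile HR termination records against the application's user list and report every terminated user whose account is neither deleted nor disabled within the allowed number of days. The sample records and the 3-day threshold are constructed assumptions; use the period the policy under audit actually sets.

```python
from datetime import date

# Constructed sample data (not from the guide): HR termination records and the
# application's user list, as an auditor might receive them as exports.
HR_TERMINATIONS = [
    {"user_id": "jdoe",   "termination_date": date(2024, 3, 1)},
    {"user_id": "asmith", "termination_date": date(2024, 3, 5)},
    {"user_id": "bwong",  "termination_date": date(2024, 3, 10)},
    {"user_id": "clee",   "termination_date": date(2024, 3, 12)},
]
APP_USERS = [
    {"user_id": "jdoe",   "status": "disabled", "disabled_on": date(2024, 3, 2)},
    {"user_id": "asmith", "status": "active",   "disabled_on": None},
    {"user_id": "bwong",  "status": "disabled", "disabled_on": date(2024, 3, 25)},
    # clee is absent from the export: the account was deleted, which also
    # satisfies the control.
    {"user_id": "mkhan",  "status": "active",   "disabled_on": None},
]


def reconcile_terminations(hr_terminations, app_users, max_days=3):
    """Return one exception per terminated user whose access was neither
    deleted nor disabled within max_days of the HR termination date.

    max_days is an assumed threshold, not a value from the guide.
    """
    accounts = {u["user_id"]: u for u in app_users}
    exceptions = []
    for rec in hr_terminations:
        acct = accounts.get(rec["user_id"])
        if acct is None:
            continue  # account deleted: control satisfied
        if acct["status"] != "disabled" or acct["disabled_on"] is None:
            exceptions.append({"user_id": rec["user_id"], "finding": "still active"})
            continue
        lag = (acct["disabled_on"] - rec["termination_date"]).days
        if lag > max_days:
            exceptions.append({"user_id": rec["user_id"],
                               "finding": f"disabled {lag} days after termination"})
    return exceptions


if __name__ == "__main__":
    # Each line is a candidate exception for the worksheet above.
    for e in reconcile_terminations(HR_TERMINATIONS, APP_USERS):
        print(f"{e['user_id']}: {e['finding']}")
```

Accounts in the application that have no HR counterpart (mkhan above) are outside this termination test and belong to the authorization and approval procedure.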
Monitoring of User Access
Objective:
Determine that an adequate level of monitoring is being performed over logical access.
Risk/Exposure:
Access violations and attempted security breaches may not be detected and resolved in a timely manner.
Verify that procedures or guidelines are used for monitoring user access to the application.
Validate that the guidelines and procedures are being observed.