PHILIPPINE VETERANS BANK
Internal Audit Department
IT Audit Section

IT AUDIT GUIDE
General Controls Review
LOGICAL ACCESS

AUDIT PROCEDURES
Scope:
The scope includes:
- Review of documentation, policies and procedures regarding the user administration process(es);
- Evaluation of the user administration process, including access request and approval; and
- Information security access restrictions on IT Group personnel who perform the granting of access to users.

User Administration Systems and Responsibilities

Objective:
To understand whether the current user administration procedures are in place, and to understand who is responsible for the change management process.
Risk/Exposure:
Lack of a formal user administration process could result in unauthorized access being granted to users.
- Determine the systems (applications) on which to focus the user administration review.
- Determine the people responsible for user administration of each of the systems/applications identified.
- Determine if there is a common user administration process which is applied across the systems under review.
- Determine if a user administration process exists and is formally documented.
- Determine if a process exists to maintain the user administration procedures.
- Review the User Administration Policy and determine the following:

(Worksheet columns for each procedure: Control Adequate? Yes / No, w/ cc / w/o cc; Exception Classification HI / MO / LO; WP Ref. / Auditor's Initial)

  - Has the Change management policy been documented, communicated, and signed off by management?
  - Does it describe the process for granting access to, and terminating access for, users?
  - Does it describe the application for which access is being requested?
User Access Authorization and Approval
Objective:
To ensure that all system access requests are properly initiated and approved, and to determine that employees are granted access only to data that is appropriate to their job function.
Risk/Exposure:
Access may be granted to users without proper approval from management.
- Verify that a methodology is used for the initiation and approval of user requests.
- Ensure the request form includes (at a minimum) the following information:
  - Name of requester;
  - Phone number and department;
  - Requester's signature;
  - Type of access;
  - List of modules that need to be accessed;
  - Supervisor's name; and
  - Supervisor's approval (changes must be approved by someone other than the requester).
- Determine if request numbers are assigned to the System Request Form.
- Evaluate the process for determining that appropriate access was granted and that no segregation-of-duties conflict exists.
Access Termination
Objective:
Determine that terminated employees have been removed from the systems in a timely manner to prevent unauthorized access to data.

Risk/Exposure:
Access may be granted to resigned users, or access may not be terminated, resulting in unauthorized access to the application.
- Verify that a methodology is used for terminating user access in the application.
- Determine if the appropriate request and approval are obtained.
- Validate that the access was either terminated or deleted.
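As an added example (not part of this audit guide), a small reconciliation test an auditor could script for the Access Termination procedures above: it matches an HR list of separated employees against an application's user list and reports accounts still active, or disabled late, after the employee's last day. The HR and application extracts, field names and the one-day grace period are constructed assumptions.

```python
# Added example, not part of the audit guide: reconciliation of HR separations
# against application accounts for the Access Termination test. An account is
# reported if it is still active, has no disable date on record, or was disabled
# later than the agreed grace period. All records and field names are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Separation:
    employee_id: str
    last_day: date

@dataclass
class AppAccount:
    user_id: str
    employee_id: str
    status: str                      # "ACTIVE" or "DISABLED"
    disabled_on: Optional[date] = None

def find_termination_exceptions(separations, accounts, grace_days=1):
    """Return (user_id, finding) pairs for accounts that outlived the last day."""
    by_employee = {}
    for acct in accounts:
        by_employee.setdefault(acct.employee_id, []).append(acct)
    findings = []
    for sep in separations:
        deadline = sep.last_day + timedelta(days=grace_days)
        for acct in by_employee.get(sep.employee_id, []):
            if acct.status == "ACTIVE":
                findings.append((acct.user_id, "still active after separation"))
            elif acct.disabled_on is None:
                findings.append((acct.user_id, "disabled, no termination date on record"))
            elif acct.disabled_on > deadline:
                late = (acct.disabled_on - deadline).days
                findings.append((acct.user_id, f"disabled {late} day(s) late"))
    return findings

# Constructed sample population; a real test would load HR and system extracts.
SEPARATIONS = [Separation("E1001", date(2024, 3, 15)),
               Separation("E1002", date(2024, 3, 20)),
               Separation("E1003", date(2024, 4, 1))]
ACCOUNTS = [AppAccount("jdoe", "E1001", "DISABLED", date(2024, 3, 15)),   # timely
            AppAccount("jdoe_adm", "E1001", "ACTIVE"),                      # secondary ID missed
            AppAccount("msmith", "E1002", "DISABLED", date(2024, 3, 28)),  # 7 days late
            AppAccount("rlee", "E1003", "DISABLED")]                        # no date on record
if __name__ == "__main__":
    for user, finding in find_termination_exceptions(SEPARATIONS, ACCOUNTS):
        print(f"{user}: {finding}")
```

Secondary or administrative IDs linked to the same employee are a common source of findings, which is why the test keys on employee id rather than user id.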
Monitoring of User Access
Objective:
Determine that an adequate level of monitoring is being performed over logical access.
Risk/Exposure:
Access violations and attempted security breaches may not be detected and resolved in a timely manner.
- Verify that procedures or guidelines are used for monitoring user access to the application.
- Validate that the guidelines and procedures are being observed.
