
Management Controls: Risk Identifier

Columns: control objective; control; risk ICQ ref (shown in brackets after each control)

TRANSACTION RECORDING AND PROCESSING

1  Responsibilities for the management and provision of IT facilities are well defined.
   1.1  The policy for IT is well defined and kept up to date.  [ICQ ref 1.1]
   1.2  Staff are organised so as to implement and deliver that policy.  [ICQ ref 1.2]

2  Personnel procedures ensure that competent staff are employed.
   2.1  Comprehensive job descriptions are available for all staff that clearly define the
        scope of duties.  [ICQ ref 2.1]
   2.2  There are defined procedures for staff recruitment with references being taken up
        and aptitude tests given to potential recruits.  [ICQ ref 2.2]
   2.3  There are defined exit procedures for the termination of employment.  [ICQ ref 2.3]
   2.4  Staff are well managed, and trained to do their jobs effectively.  [ICQ ref 2.4]
   2.5  There are defined procedures for recruiting, controlling and assessing the work of
        contract staff.  [ICQ ref 2.5]

3  Standards and instructions exist for all aspects of IT and these are monitored and
   updated regularly.
   3.1  Standards, instructions and working methods are defined, communicated and adhered
        to.  [ICQ ref 3.1]
   3.2  Standards are reviewed on a regular basis, and there are procedures for the
        frequency of review and the amendment of prescribed standards.  [ICQ ref 3.2]

4  Separation of duties provides for secure use of IT facilities.
   4.1  There is separation of duties for the functions of:  [ICQ ref 4.1]
          initiating transactions
          processing transactions
          controlling processing
          manipulating stored data
          obtaining output
          control, checking and supervision.
   4.2  Management has installed controls to compensate for known weaknesses.  [ICQ ref 4.2]
Management Controls: Internal Control Questionnaire

Columns: risk ID; ICQ ctl; control; answer (Y/N); comments; CT ref. The answer and comments
columns are blank for completion during the audit; the CT refs point to the compliance tests
that follow.

1.1  Is the policy for IT well defined and kept up to date?  [risk ID 1.1; CT ref 1.1.1]
1.2  Are staff organised so as to implement and deliver that policy?
     [risk ID 1.2; CT refs 1.2.1, 1.2.2, 1.2.3, 1.2.4]
2.1  Are comprehensive job descriptions available for all staff that clearly define the scope
     of duties?  [risk ID 2.1; CT ref 2.1.1]
2.2  Are there defined procedures for staff recruitment with references being taken up and
     aptitude tests given to potential recruits?  [risk ID 2.2; CT refs 2.1.2, 2.2.3, 2.2.4]
2.3  Are there defined exit procedures for the termination of employment?
     [risk ID 2.3; CT refs 2.3.1, 2.3.2]
2.4  Are staff well managed, and trained to do their jobs effectively?
     [risk ID 2.4; CT refs 2.4.1, 2.4.2]
2.5  Are there defined procedures for recruiting, controlling and assessing the work of
     contract staff?  [risk ID 2.5; CT refs 2.5.1, 2.5.2]
3.1  Are standards, instructions and working methods defined, communicated and adhered to?
     [risk ID 3.1; CT refs 3.1.1, 3.1.2]
3.2  Are standards reviewed on a regular basis, and are there procedures for the frequency
     of review and the amendment of prescribed standards?  [risk ID 3.2; CT ref 3.2.1]
4.1  Is there separation of duties for the functions of:  [risk ID 4.1; CT ref 4.1.1]
       initiating transactions?
       processing transactions?
       controlling processing?
       manipulating stored data?
       obtaining output?
       control, checking and supervision?
4.2  Has management installed controls to compensate for known weaknesses?
     [risk ID 4.2; CT ref 4.2.1]
Management Controls: Compliance Tests

Columns: ICQ ref; CT ref; compliance test; working papers (blank, for the auditor's
cross-references)

1.1  1.1.1  Check that all IT policies are up to date.

1.2  1.2.1  Find out whether a formal reporting structure exists and whether it goes to a
            sufficiently senior level within the organisation. Review minutes, memoranda, etc
            to ensure that lines of communication are working.
     1.2.2  Ask the head of IT about the level of reporting, eg management team, IT steering
            group. Find out who ultimately makes decisions as to the IT and information
            processing policy, the procurement of new equipment, development of new systems
            and modifications to existing systems.
     1.2.3  Determine whether there are IT liaison officers/IT champions in departments and
            establish their lines of communication between the IT department and users.
     1.2.4  Where IT is provided externally, determine whether the responsibility for security
            and control is clearly identified and arrangements are in place to allow
            monitoring by the client.

2.1  2.1.1  Establish whether job descriptions have been developed for staff working in IT
            environments and that they are kept up to date.

2.2  2.2.1  Find out whether there is a personnel recruitment policy and whether it requires
            that applicants are interviewed by skilled, trained interviewers and that
            references are always taken up and followed up by a telephone call or a visit.
     2.2.2  Check that all the years and months of an applicant's career are identified and
            missing months accounted for, to identify enforced dismissal, imprisonment, etc.
     2.2.3  Ask if anyone is working out their notice and whether they are working in a
            sensitive area.
     2.2.4  Ask about the arrangements for reviewing staff progress and identifying staff
            training requirements.

2.3  2.3.1  Ask if there are procedures for escorting staff with critical access facilities
            from the premises when they resign.
     2.3.2  Check that there are procedures for deleting access facilities when staff leave.

2.4  2.4.1  Ask whether there are personal development processes in place and if they include
            line manager briefings and agreed target-setting processes.
     2.4.2  Check whether there is a defined training programme that seeks to match personal
            development needs.

2.5  2.5.1  Check whether anyone has overall responsibility for monitoring contract staff and
            whether they have details of work carried out and payments made in relation to
            the contract.
     2.5.2  Ask about the procedures for deleting access facilities when contract staff leave.

3.1  3.1.1  Obtain a copy of the standards for IT in the organisation and ensure that they
            cover the range of IT activities.
     3.1.2  Ensure that there are adequate procedures for verifying adherence to the standards.

3.2  3.2.1  Find out whether there are formal arrangements for reviewing and updating the
            standards.

4.1  4.1.1  Examine the staffing structure, job descriptions and procedures of the
            organisation to ascertain whether adequate separation of duties is achievable.

4.2  4.2.1  Where the organisation cannot support segregation of duties because of its size,
            consider what alternative control mechanisms are employed.
     4.2.2  Ask users about their responsibilities for maintaining the system/application to
            compensate for known weaknesses in IT processing.
File Controls: Risk Identifier

Columns: control objective; control; risk ICQ ref (shown in brackets after each control)

TRANSACTION RECORDING AND PROCESSING

1  Responsibilities for controlling access to and use of files are clearly defined.
   1.1  Responsibilities for controlling files are assigned and set down in a security policy
        and in written procedures that are kept up to date and communicated to all staff.
        [ICQ ref 1.1]
   1.2  Compliance with the policy is monitored by IT and user management.  [ICQ ref 1.2]

2  Access to files through physical means is well controlled.
   2.1  Physical access to electronic media is restricted to authorised personnel.
        [ICQ ref 2.1]
   2.2  Responsibility for control over electronic media is allocated to a specific
        individual(s).  [ICQ ref 2.2]
   2.3  Procedures exist to prevent unauthorised copying of computer programs and data files
        and all users are aware of their responsibilities.  [ICQ ref 2.3]

3  Access to files through software is well controlled.
   3.1  Access to electronic files is controlled by unique user identifier/password
        combinations and responsibility for controlling the issue and deletion of user
        identifiers and passwords is clearly defined.  [ICQ ref 3.1]
   3.2  All users are aware of their responsibilities in relation to password security.
        [ICQ ref 3.2]
   3.3  Passwords are changed frequently.  [ICQ ref 3.3]
   3.4  Access rights to files are strictly controlled to prevent unauthorised access or
        accidental or deliberate loss or damage.  [ICQ ref 3.4]
   3.5  Where identifiers are provided for temporary users, these only provide access to a
        limited set of facilities and their use is strictly monitored.  [ICQ ref 3.5]
   3.6  Access to supervisory and administrative users is strictly controlled and only
        available to authorised personnel such as systems programmers and network
        supervisors.  [ICQ ref 3.6]
   3.7  System software facilities such as TIMEOUT and LOGOUT are utilised to reduce the
        risk of unauthorised access to files and/or systems.  [ICQ ref 3.7]
   3.8  All file accesses are monitored by system software and attempted violations are
        reported to and actioned by management.  [ICQ ref 3.8]
   3.9  Access to general-purpose software and other software facilities, such as utilities
        that can edit files, is strictly controlled.  [ICQ ref 3.9]

4  All software and media are properly configured and documented.
   4.1  All IT systems are built and configured to a documented baseline standard that
        addresses known security weaknesses and vulnerabilities.  [ICQ ref 4.1]
   4.2  There is an inventory of all electronic media showing their location, movement, use,
        issue and receipt.  [ICQ ref 4.2]
   4.3  An up-to-date inventory is maintained of all application and system software.
        [ICQ ref 4.3]

5  Backing-up arrangements for files are well controlled.
   5.1  Arrangements for backing up files within each installation ensure a secure storage
        environment, completeness and accuracy, defined retention periods and provide for
        the recovery of files.  [ICQ ref 5.1]
File Controls: Internal Control Questionnaire

Columns: risk ID; ICQ ctl; control; answer (Y/N); comments; CT ref. The answer and comments
columns are blank for completion during the audit; the CT refs point to the compliance tests
that follow.

1.1  Are responsibilities for controlling files assigned and set down in a security policy and
     in written procedures that are kept up to date and communicated to all staff?
     [risk ID 1.1; CT refs 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5]
1.2  Is compliance with the policy monitored by IT and user management?
     [risk ID 1.2; CT refs 1.2.1, 1.2.2]
2.1  Is physical access to electronic media restricted to authorised personnel?
     [risk ID 2.1; CT refs 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5]
2.2  Is responsibility for control over electronic media allocated to a specific
     individual(s)?  [risk ID 2.2; CT refs 2.2.1, 2.2.2]
2.3  Do procedures exist to prevent unauthorised copying of computer programs and data files
     and are all users aware of their responsibilities?  [risk ID 2.3; CT ref 2.3.1]
3.1  Is access to electronic files controlled by unique user identifier/password combinations
     and is responsibility for controlling the issue and deletion of user identifiers and
     passwords clearly defined?  [risk ID 3.1; CT refs 3.1.1, 3.1.2, 3.1.3]
3.2  Are all users aware of their responsibilities in relation to password security?
     [risk ID 3.2; CT refs 3.2.1, 3.2.2]
3.3  Are passwords changed frequently?  [risk ID 3.3; CT refs 3.3.1, 3.3.2, 3.3.3, 3.3.4]
3.4  Are access rights to files strictly controlled to prevent unauthorised access or
     accidental or deliberate loss or damage?
     [risk ID 3.4; CT refs 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6]
3.5  Are identifiers provided for temporary users, and if so, do these provide access to a
     limited set of facilities and is their use strictly monitored?
     [risk ID 3.5; CT refs 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5]
3.6  Is access to supervisory and administrative users strictly controlled and only available
     to authorised personnel such as systems programmers and network supervisors?
     [risk ID 3.6; CT refs 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5]
3.7  Are system software facilities such as TIMEOUT and LOGOUT utilised to reduce the risk of
     unauthorised access to files and/or systems?
     [risk ID 3.7; CT refs 3.7.1, 3.7.2, 3.7.3, 3.7.4]
3.8  Are all file accesses monitored by system software and are attempted violations reported
     to and actioned by management?  [risk ID 3.8; CT ref 3.8.1]
3.9  Is access to general-purpose software and other software facilities, such as utilities
     that can edit files, strictly controlled?  [risk ID 3.9; CT refs 3.9.1, 3.9.2, 3.9.3]
4.1  Are all IT systems built and configured to a documented baseline standard that addresses
     known security weaknesses and vulnerabilities?
     [risk ID 4.1; CT refs 4.1.1, 4.1.2, 4.1.3]
4.2  Is there an inventory of all electronic media showing its location, movement, use, issue
     and receipt?  [risk ID 4.2; CT ref 4.2.1]
4.3  Is an up-to-date inventory maintained of all application and system software?
     [risk ID 4.3; CT ref 4.3.1]
5.1  Are there arrangements for backing up files within each installation to ensure a secure
     storage environment, completeness and accuracy, defined retention periods and to
     provide for the recovery of files?
     [risk ID 5.1; CT refs 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5]
File Controls: Compliance Tests

Columns: ICQ ref; CT ref; compliance test; working papers (blank, for the auditor's
cross-references)

1.1  1.1.1  Ask who is responsible for defining procedures for protecting electronic files
            within the IT and user departments and establish when such responsibilities were
            last defined to determine whether they appear to have been reviewed reasonably
            frequently.
     1.1.2  Ask to see the IT security policy and procedures and check when they were last
            updated.
     1.1.3  Check that the policy refers to the Data Protection Act and Computer Misuse Act
            and that it identifies users' responsibilities for protecting their own files.
     1.1.4  Discuss with staff whether file security is regarded as important and look for
            evidence of up-to-date notices and instructions available to staff.
     1.1.5  Find out what methods are used to inform staff of computer security issues and if
            they are reasonably up to date.

1.2  1.2.1  Review the organisation's staff handbook to see whether disciplinary procedures
            specify computer security breaches as a disciplinary matter.
     1.2.2  Determine how widely it has been distributed. Check with some users to see if they
            hold a copy or are aware of it.

2.1  2.1.1  Ask how physical access to files held by the IT department is controlled and
            whether this applies out of normal office hours.
     2.1.2  Observe the storage arrangements (preferably without any pre-announcement of the
            visit) and assess whether the general physical access appears to be well
            controlled.
     2.1.3  Establish how many locations within the organisation hold files locally.
            Depending on the number of locations and the available time, select some of the
            primary users and ask how physical access to files is restricted and whether this
            applies out of normal office hours.
     2.1.4  Review the procedures relating to the introduction of alien media to ensure that
            proper authorisation and identification of all files takes place.
     2.1.5  Determine how alien files are identified and what other physical files reside in
            the library and then question the person responsible for storage of physical
            media about their use.

2.2  2.2.1  Establish who has custody of electronic media for each area where fundamental
            systems and system software are held within the IT department and within key
            user departments with local installations. Check whether their duties are defined
            in writing and that these seem to be comprehensive and up to date.
     2.2.2  View the arrangements for accessing electronic media where fundamental systems
            are processed.

2.3  2.3.1  Review the procedures in place to discourage unauthorised copying of PC programs
            and data files and assess their adequacy.

3.1  3.1.1  Establish who is responsible for the password facility within each IT installation
            and how they allocate passwords. Check whether procedures are defined in the IT
            security policy.
     3.1.2  Check that both a personal identifier and a password are required to enter the
            system.
     3.1.3  Ask whether passwords for fundamental systems are made unique and cannot be
            shared.

3.2  3.2.1  Check whether there is evidence of passwords being displayed in offices or
            generally being made public. Find out if users appreciate the need to protect
            their passwords and that they have been given guidance on password construction.
     3.2.2  Find out if passwords are displayed on screens.

3.3  3.3.1  Check whether the system can force compliance with a password policy through:
              minimum length of password
              forced password changes
              preventing re-use of former passwords
              disallowing the use of common words.
     3.3.2  If the system cannot force compliance, test a sample of users' passwords to
            assess compliance.
     3.3.3  Check that default passwords have been changed.
     3.3.4  Find out if specialised software is used for interrogating system files to review
            password management.

3.4  3.4.1  Ask who determines within each installation how identifier facilities, access
            rights and types of access are assigned and check when these procedures were
            last updated.
     3.4.2  Find out what arrangements are in place to introduce new users, remove leavers
            and review user lists. Determine whether confidentiality is assured by the
            arrangements for issuing passwords to new users and users whose passwords have
            been changed for them.
     3.4.3  Obtain a selection of current users of the system. Find out at what level access
            is granted (eg to which applications, which data, which facilities, which
            workstations). Find out from personnel or pay records whether all users are
            current employees, and leavers have had their identifiers removed.
     3.4.4  If possible, examine the date that each user last logged on to the application or
            system and investigate those users who have not used the system for over three
            months.
     3.4.5  Find out if users' menus display only what users should have access to.
     3.4.6  Check file permissions for a sample of sensitive files to ensure that access is
            not granted to individuals who have no legitimate need to access such files.

3.5  3.5.1  Establish who is responsible for managing the temporary user facility and whether
            it is possible to log on as a guest and gain access to files.
     3.5.2  Review the procedures for allowing temporary access to the system.
     3.5.3  Check that after access has been granted, the password is changed.
     3.5.4  Establish who monitors the need for GUEST/ENGINEER defaults.
     3.5.5  Establish who is responsible for the SUPERVISOR facility within each IT
            installation, how they control the facility and whether there are arrangements
            for holidays, sickness and emergency access.

3.6  3.6.1  Find out from the system manager or system administrator what privileges are
            available to users, especially those specific to operators, security
            co-ordinators, technical support staff and field engineers. Review any list of
            user descriptions in which such privileges are reported, and find out who has
            access to privileged user IDs, to ensure that they cannot be used to circumvent
            the security of the system.
     3.6.2  Ask how many users have supervisory status and enquire how this is monitored.
     3.6.3  Seek advice from an IT auditor regarding the management of SUPERVISOR users.
     3.6.4  Check that staff with access to privileged facilities have adopted good password
            management practices.
     3.6.5  Consider seeking advice on whether the use of specialised software would be
            appropriate for interrogating system files to review access rights to
            fundamental systems.

3.7  3.7.1  Find out if users are locked out after, say, three wrong attempts at logon.
     3.7.2  Ask who determines, within each installation, how TIMEOUT and LOGOUT should be
            used (eg time lapse allowed when screen left unused) and establish when these
            procedures were last updated.
     3.7.3  Observe whether screens are left unattended.
     3.7.4  Ask whether screensavers are required to be used.

3.8  3.8.1  Establish who determines, within each installation, how attempted violations
            should be monitored and how often this is done. There should be evidence that
            logs are reviewed regularly and that all attempted violations are investigated.
     3.8.2  Consider seeking advice on whether the use of specialised software would be
            appropriate for interrogating system files to review attempted violations.

3.9  3.9.1  Ask who determines, within each installation, how access rights to powerful
            editing software are determined and when these procedures were last updated.
     3.9.2  Check what commands and utilities are available to allow users to amend data,
            delete files and bypass security, and ascertain how access to these facilities
            is controlled.
     3.9.3  Consider seeking advice on whether such specialised software is likely to be
            available within the installation.

4.1  4.1.1  Ensure that the organisation has formal procedures and mechanisms in place to
            help identify published security weaknesses and vulnerabilities that may affect
            installed systems.
     4.1.2  Ensure that the implementation of any change is adopted into the organisation's
            build instructions, ensuring that all future builds will be appropriately
            configured and implemented.
     4.1.3  Ensure documented default build/configuration instructions are in place for all of
            the organisation's major operating systems and applications.

4.2  4.2.1  Review any records that are maintained to control physical access to files and
            check that they seem comprehensive and are sufficient to identify the specific
            location of files and the electronic media on which they reside.

4.3  4.3.1  Check when the procedures governing the inventory of software were last updated
            and view the documentation to assess whether it seems up to date and
            comprehensive.

5.1  5.1.1  Ask who has defined the arrangements for file back-up and check when they were
            last reviewed.
     5.1.2  Review the error log to identify cases where recovery action was required.
            Identify what action was taken and assess whether any problems were the result
            of inappropriate recovery procedures.
     5.1.3  Ask whether any problems have occurred recently when files were backed up and
            recovered and find out what action was taken to prevent a recurrence of any such
            problems.
     5.1.4  Determine whether back-up files are periodically verified against the original to
            confirm that the back-up has worked correctly.
     5.1.5  Where back-up files are stored off-site, determine when the security of the site
            was last reviewed and what action was taken to correct any deficiencies.
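Compliance tests 3.3.1 to 3.3.3 above ask whether the system can enforce a password policy (minimum length, forced changes, no re-use of former passwords, no common words), and, where it cannot, tell the auditor to test a sample of users' passwords and to check that default passwords have been changed. The following is an added example of how such a sample test can be carried out in code; it is not part of the audit document. The policy thresholds, account names, passwords, salts and vendor-default list are all constructed for illustration, and former passwords are compared as salted hashes rather than kept in clear.

```python
"""Password-policy compliance check for tests 3.3.1 to 3.3.3.

Added example, not part of the audit document. The policy values, user names,
passwords, salts and vendor defaults below are all constructed for illustration.
Former passwords are held as salted SHA-256 hashes, never in clear, so the
re-use check compares hashes rather than passwords."""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8                    # 3.3.1: minimum length of password
    max_age_days: int = 90                 # 3.3.1: forced password changes
    history_size: int = 5                  # 3.3.1: former passwords that may not be re-used
    common_words: frozenset = frozenset()  # 3.3.1: disallowed common words


def hash_pw(salt: str, password: str) -> str:
    """Salted SHA-256, used here only to keep the history free of clear-text passwords."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def check_password(policy, password, salt, history, last_changed, today):
    """Return the policy rules a password breaks (empty list = compliant)."""
    failures = []
    if len(password) < policy.min_length:
        failures.append("too short")
    if today - last_changed > timedelta(days=policy.max_age_days):
        failures.append("change overdue")
    if hash_pw(salt, password) in history[-policy.history_size:]:
        failures.append("re-uses a former password")
    if password.lower() in policy.common_words:
        failures.append("common word")
    return failures


def audit_sample(policy, sample, today):
    """3.3.2: test a sample of users' passwords; returns user -> list of failures."""
    return {
        user: check_password(policy, rec["password"], rec["salt"],
                             rec["history"], rec["last_changed"], today)
        for user, rec in sample.items()
    }


def unchanged_defaults(stored_hashes, salts, vendor_defaults):
    """3.3.3: accounts whose stored hash still matches the vendor default password."""
    return sorted(acct for acct, default in vendor_defaults.items()
                  if acct in stored_hashes
                  and stored_hashes[acct] == hash_pw(salts[acct], default))


# Constructed sample data (not real accounts).
POLICY = PasswordPolicy(common_words=frozenset({"password", "welcome", "letmein"}))
TODAY = date(2024, 6, 3)
SAMPLE = {
    "alice": {"salt": "s-alice", "password": "Spring2020!", "last_changed": date(2024, 5, 1),
              "history": [hash_pw("s-alice", p) for p in ("Winter2019!", "Spring2020!")]},
    "bob":   {"salt": "s-bob", "password": "welcome", "last_changed": date(2024, 1, 10),
              "history": []},
    "carol": {"salt": "s-carol", "password": "Tr0ub4dor&3x", "last_changed": date(2024, 4, 20),
              "history": [hash_pw("s-carol", "OldPass#2023")]},
}
VENDOR_DEFAULTS = {"admin": "admin", "guest": "guest"}   # constructed default list
SALTS = {"admin": "s-admin", "guest": "s-guest"}
STORED = {"admin": hash_pw("s-admin", "admin"),         # still on the default
          "guest": hash_pw("s-guest", "Q7!vmp2Lz")}      # changed

if __name__ == "__main__":
    for user, failures in audit_sample(POLICY, SAMPLE, TODAY).items():
        print(f"{user}: {'compliant' if not failures else ', '.join(failures)}")
    print("accounts still on vendor defaults:",
          unchanged_defaults(STORED, SALTS, VENDOR_DEFAULTS))
```

With the constructed sample, alice fails only on re-use, bob fails on length, age and a common word, carol is compliant, and the admin account is reported as still carrying its vendor default. On a real review the same functions would be fed the installation's own password-history store and last-change dates.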
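Tests 3.4.3, 3.4.4 and 3.4.6 above describe a user-access review: reconcile the system's user list against personnel or pay records so that leavers and unknown identifiers are found, investigate accounts with no logon for over three months, and check the permissions on a sample of sensitive files. The following added example (not part of the audit document) shows that review as code. The user list, personnel record, dates and file modes are constructed for illustration; on a live system they would come from the account database, HR records and os.stat() respectively.

```python
"""User-access review for tests 3.4.3, 3.4.4 and 3.4.6.

Added example, not part of the audit document. The user list, personnel
record, dates and file modes are constructed for illustration; on a real
system they would come from the account database, HR/payroll records and
os.stat() respectively."""
import stat
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)   # 3.4.4: "over three months" without a logon


def review_accounts(users, personnel, service_accounts, today):
    """Reconcile system identifiers against personnel records.

    users:     id -> date of last logon (None if never logged on)
    personnel: id -> employment status from HR/pay records
    Returns a sorted list of (id, finding) pairs for the auditor to follow up."""
    findings = []
    for uid, last_logon in sorted(users.items()):
        if uid in service_accounts:
            continue                      # non-personal accounts reviewed separately
        status = personnel.get(uid)
        if status is None:
            findings.append((uid, "no matching personnel record"))
        elif status != "current":
            findings.append((uid, "leaver still holds an identifier"))
        if last_logon is None or today - last_logon > STALE_AFTER:
            findings.append((uid, "no logon for over three months"))
    return findings


def permission_findings(mode):
    """3.4.6: permission bits on a sensitive file that open it beyond its owner."""
    problems = []
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def review_sensitive_files(files):
    """files: path -> permission bits (as os.stat(path).st_mode & 0o777 would give)."""
    return {path: permission_findings(mode)
            for path, mode in files.items() if permission_findings(mode)}


# Constructed sample data (not a real installation).
TODAY = date(2024, 6, 3)
USERS = {"alice": date(2024, 5, 30), "bob": date(2024, 1, 15), "carol": None,
         "eve": date(2024, 6, 1), "svc_backup": date(2024, 6, 2)}
PERSONNEL = {"alice": "current", "bob": "left", "carol": "current", "dave": "current"}
SERVICE_ACCOUNTS = {"svc_backup"}
SENSITIVE_FILES = {"/srv/payroll/ledger.dat": 0o644,   # constructed paths and modes
                   "/srv/payroll/signing.key": 0o600,
                   "/srv/app/config.ini": 0o666}

if __name__ == "__main__":
    for uid, finding in review_accounts(USERS, PERSONNEL, SERVICE_ACCOUNTS, TODAY):
        print(f"{uid}: {finding}")
    for path, problems in review_sensitive_files(SENSITIVE_FILES).items():
        print(f"{path}: {', '.join(problems)}")
```

Service accounts are skipped rather than flagged so that the review of non-personal identifiers (test 3.6) is not mixed into the leaver check; a real review would supply that list from the installation's own records.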
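Tests 3.7.1 and 3.8.1 above ask whether users are locked out after a small number of wrong logon attempts and whether attempted violations are logged, reviewed and investigated. The following added example (not part of the audit document) shows one way to review such a log: it parses a constructed authentication log, counts failed logons per user within a short window, and reports whether a lockout actually followed when the threshold was reached. The log format and every line in it are constructed for illustration; a real system's authentication log will have its own format.

```python
"""Review of attempted-violation logs for tests 3.7.1 and 3.8.1.

Added example, not part of the audit document. The log format and the lines
below are constructed for illustration; a real review would read the
system's own authentication log, whose format will differ."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not from any real system).
SAMPLE_LOG = """\
2024-06-03T08:01:10 host1 auth: FAILED LOGON user=bob src=10.0.0.5
2024-06-03T08:01:25 host1 auth: FAILED LOGON user=bob src=10.0.0.5
2024-06-03T08:01:40 host1 auth: FAILED LOGON user=bob src=10.0.0.5
2024-06-03T08:01:41 host1 auth: ACCOUNT LOCKED user=bob
2024-06-03T09:12:00 host1 auth: FAILED LOGON user=alice src=10.0.0.7
2024-06-03T09:12:30 host1 auth: LOGON OK user=alice src=10.0.0.7
2024-06-03T10:00:00 host2 auth: FAILED LOGON user=carol src=10.0.0.9
2024-06-03T10:00:30 host2 auth: FAILED LOGON user=carol src=10.0.0.9
2024-06-03T10:01:00 host2 auth: FAILED LOGON user=carol src=10.0.0.9
2024-06-03T10:01:30 host2 auth: LOGON OK user=carol src=10.0.0.9
"""

LINE = re.compile(
    r"^(\S+) (\S+) auth: (FAILED LOGON|LOGON OK|ACCOUNT LOCKED) user=(\w+)(?: src=(\S+))?$")


def parse_log(text):
    """Yield (timestamp, host, event, user, source) for each well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:                               # malformed lines are skipped, not guessed at
            ts, host, event, user, src = m.groups()
            yield datetime.fromisoformat(ts), host, event, user, src


def review_failed_logons(text, threshold=3, window=timedelta(minutes=10)):
    """Return user -> verdict for users whose failures reached the lockout threshold.

    threshold: wrong attempts after which 3.7.1 expects a lockout.
    window:    how close together the failures must be to count as one burst."""
    recent = defaultdict(list)              # user -> timestamps of failures in the window
    verdicts = {}
    for ts, host, event, user, src in parse_log(text):
        if event == "FAILED LOGON":
            recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
            if len(recent[user]) >= threshold:
                verdicts.setdefault(user, "reached threshold, no lockout logged")
        elif event == "ACCOUNT LOCKED":
            verdicts[user] = f"locked out after {len(recent[user])} failures"
        elif event == "LOGON OK":
            if verdicts.get(user, "").startswith("reached threshold"):
                verdicts[user] = "logon succeeded after reaching threshold: lockout not enforced"
            recent[user].clear()
    return verdicts


if __name__ == "__main__":
    for user, verdict in review_failed_logons(SAMPLE_LOG).items():
        print(f"{user}: {verdict}")
```

In the constructed log, bob is locked out after the third failure as test 3.7.1 expects, alice's single failure is below the threshold and is not reported, and carol's three failures are followed by a successful logon with no lockout event, which is the finding the auditor would raise. The per-user list of verdicts is the evidence that "attempted violations are investigated" in the sense of test 3.8.1.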
PC Controls: Risk Identifier

Columns: control objective; control; risk ICQ ref (shown in brackets after each control)

TRANSACTION RECORDING AND PROCESSING

1  Responsibilities for managing and using personal computing facilities are clearly defined.
   1.1  Responsibilities for the acquisition, installation and maintenance of PCs are clearly
        defined.  [ICQ ref 1.1]
   1.2  Responsibilities for acquiring or developing PC business applications are clearly
        defined.  [ICQ ref 1.2]
   1.3  Responsibilities for the day-to-day operation of PC systems are clearly defined.
        [ICQ ref 1.3]
   1.4  An inventory of PC facilities is maintained.  [ICQ ref 1.4]

2  Access to PCs and to the data and software stored on them is confined to authorised
   personnel and is appropriate to operational needs.
   2.1  Physical access to PCs is restricted to authorised staff.  [ICQ ref 2.1]
   2.2  Software controls are employed to inhibit unauthorised access.  [ICQ ref 2.2]

3  PCs are used in a secure manner and the data and software are well protected.
   3.1  To minimise the risk of virus infection, staff are prevented from introducing
        unauthorised software into their PCs.  [ICQ ref 3.1]
   3.2  Environmental risks are minimised.  [ICQ ref 3.2]
   3.3  Data and programs held on PCs are backed up regularly.  [ICQ ref 3.3]
PC Controls: Internal Control Questionnaire

Columns: risk ID; ICQ ctl; control; answer (Y/N); comments; CT ref. The answer and comments
columns are blank for completion during the audit; the CT refs point to the compliance tests
that follow.

1.1  Are responsibilities for the acquisition, installation and maintenance of PCs clearly
     defined?  [risk ID 1.1; CT refs 1.1.1, 1.1.2]
1.2  Are responsibilities for acquiring or developing PC business applications clearly
     defined?  [risk ID 1.2; CT refs 1.2.1, 1.2.2]
1.3  Are responsibilities for the day-to-day operation of PC systems clearly defined?
     [risk ID 1.3; CT ref 1.3.1]
1.4  Is an inventory of PC facilities maintained?  [risk ID 1.4; CT refs 1.4.1, 1.4.2, 1.4.3]
2.1  Is physical access to PCs restricted to authorised staff?
     [risk ID 2.1; CT refs 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5]
2.2  Are software controls employed to inhibit unauthorised access?
     [risk ID 2.2; CT refs 2.2.1, 2.2.2, 2.2.3, 2.2.4]
3.1  To minimise the risk of virus infection, are staff prevented from introducing
     unauthorised software into their PCs?
     [risk ID 3.1; CT refs 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6]
3.2  Are environmental risks minimised?
     [risk ID 3.2; CT refs 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5]
3.3  Are data and programs held on PCs backed up regularly?
     [risk ID 3.3; CT refs 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5]
PC Controls: Compliance Tests

Columns: ICQ ref; CT ref; compliance test; working papers (blank, for the auditor's
cross-references)

1.1  1.1.1  Identify who has responsibility corporately and/or departmentally for the
            acquisition of PCs and determine whether the arrangements are adequate (eg
            optimal technical specifications, compatibility with other IT facilities).
     1.1.2  Assess the acquisition procedures to ensure that responsibilities are defined
            adequately and the procedures conform to good practice and the organisation's
            financial procedures.

1.2  1.2.1  Identify who has responsibility corporately and/or departmentally for the
            acquisition of PC-based applications and determine whether the arrangements are
            adequate.
     1.2.2  Ascertain whether standards exist for end user and/or PC applications development,
            that the standard is of adequate scope and that it is clear who is responsible
            for specifying, writing, testing, and implementing the system.

1.3  1.3.1  Identify who has responsibility corporately and/or departmentally for the
            day-to-day operation of PCs and determine whether the arrangements are adequate.

1.4  1.4.1  Identify the arrangements for maintaining an inventory of PCs and of the software
            installed on each PC.
     1.4.2  Test records for completeness, accuracy and timeliness.
     1.4.3  Examine records and evaluate the content and format and ascertain how records are
            kept up to date.

2.1  2.1.1  Examine whether the environment in which PCs are used is generally secure.
     2.1.2  Assess the content and relevance of guidance provided to staff on protecting PC
            facilities and equipment.
     2.1.3  Ascertain physical protection features on PCs and determine whether locking
            devices are used on freestanding PCs and assess their usefulness.
     2.1.4  Check to see that equipment is clearly marked to provide evidence of ownership.
     2.1.5  Visit selected work areas outside normal working hours to check that workstations
            are switched off, that machines are locked and that the keys are not left in the
            machines.

2.2  2.2.1  Identify the software controls used to inhibit unauthorised access (logon and
            passwords, restricted user facilities).
     2.2.2  Test check logon procedures.
     2.2.3  Ask how the safeguards are policed.
     2.2.4  Determine whether specialised software is employed to control logon procedures.

3.1  3.1.1  Ask whether guidance has been issued to staff on virus risks and test that users
            are aware of the procedures.
     3.1.2  Determine responsibilities for determining anti-virus tactics and choosing
            anti-virus software and managing its use.
     3.1.3  Check that regular updates of anti-virus software are implemented.
     3.1.4  Determine whether incoming and outgoing software is scanned for the presence of
            viruses. Ideally a 'quarantine' machine should be used which is not used for any
            other purpose.
     3.1.5  Ask whether all floppy disks containing COMMAND.COM or other system-related files
            are write-protected.
     3.1.6  Check that procedures for cleaning up a virus incident include notification,
            prescribed extent of checking, advice, allocation of responsibility, attempts to
            trace the source, checking and cleaning backed-up data.

3.2  3.2.1  Review the purposes for which PCs are used and the degree of vulnerability to the
            effects of interruptions to service.
     3.2.2  Review the appropriateness of locations of PCs and the general levels of threat
            and protection.
     3.2.3  Ascertain the safeguards employed to protect against power supply disturbances.
     3.2.4  Ascertain how security copies of data and programs are stored.
     3.2.5  Check that the network file server is not used as a workstation and is only used
            by the system administrator.

3.3  3.3.1  Ascertain and evaluate the back-up regime for the purposes of short-term data
            recovery, disaster recovery, and archiving for PCs.
     3.3.2  Ascertain and evaluate procedures for taking backups, evidence that they are
            carried out, testing of procedures, and regular checking that successful recovery
            is possible.
     3.3.3  Ascertain that the storage of back-up data is secure, accessible only to
            authorised personnel, in a suitable location, with physical protection such as
            fire safes.
     3.3.4  Evaluate guidance provided to users to ensure that they are aware of the need to
            back up and the risks associated with different types. Assess how well users act
            on this guidance.
     3.3.5  Check the procedures for the disposal of unwanted disks.
Network Controls: Risk Identifier

Columns: control objective; control; risk ICQ ref (shown in brackets after each control)

TRANSACTION RECORDING AND PROCESSING

1  A network strategy exists and standards and policies are in place to support its delivery.
   1.1  A strategy exists for the continued effective, efficient and secure use of networking
        facilities.  [ICQ ref 1.1]
   1.2  Responsibility for the management and operation of the network is clearly defined.
        [ICQ ref 1.2]
   1.3  Network users are adequately trained on network usage and security.  [ICQ ref 1.3]
   1.4  Network administrators receive adequate and appropriate training on network security
        and control.  [ICQ ref 1.4]
   1.5  Technical standards and configuration information for all network facilities are
        clearly documented.  [ICQ ref 1.5]
   1.6  Network activity is monitored to ensure that security has not been breached and
        performance is optimised.  [ICQ ref 1.6]
   1.7  The commercial and service arrangements for the network are fully documented,
        supported, monitored and agreed by all parties.  [ICQ ref 1.7]

2  Connections and access to the network are approved and secure.
   2.1  Procedures exist for the approval and installation of network connections.
        [ICQ ref 2.1]
   2.2  Only authorised users are able to make network connections and procedures are in
        place to check for unauthorised connections.  [ICQ ref 2.2]
   2.3  Use of the network is monitored to check for unauthorised network connections and
        for equipment that is functioning (or being used) incorrectly.  [ICQ ref 2.3]

3  Unauthorised access to data transmitted over the network is minimised.
   3.1  Encryption is used to prevent unauthorised access to data transmitted over the
        network.  [ICQ ref 3.1]
   3.2  Controls are designed to safeguard data and programs from loss, misuse, theft,
        damage and accidental or deliberate corruption and denial of service attacks.
        [ICQ ref 3.2]
   3.3  Networks are designed and built to maximise the effectiveness of data traffic.
        [ICQ ref 3.3]

4  The risk of network failure is minimised.
   4.1  Hardware and communication media are protected against damage, malfunction and
        misuse. Suitability of locations is given due consideration.  [ICQ ref 4.1]
   4.2  Arrangements exist for the maintenance and insurance of hardware, communications
        infrastructure, network management software and consequential loss.  [ICQ ref 4.2]
   4.3  Network management software and data files on each file server and network device
        are backed up regularly and the copies retained in a safe place.  [ICQ ref 4.3]
   4.4  Recovery and business continuity arrangements exist in the event of failure of lines
        or nodes on the network.  [ICQ ref 4.4]
Network Controls: Internal Control Questionnaire

Columns: risk ID; ICQ ctl; control; answer (Y/N); comments; CT ref. The answer and comments
columns are blank for completion during the audit; the CT refs point to the compliance tests
that follow.

1.1  Does a strategy exist for the continued effective, efficient and secure use of
     networking facilities?  [risk ID 1.1; CT refs 1.1.1, 1.1.2]
1.2  Is responsibility for the management and operation of the network clearly defined?
     [risk ID 1.2; CT ref 1.2.1]
1.3  Are network users adequately trained on network usage and security?
     [risk ID 1.3; CT refs 1.3.1, 1.3.2, 1.3.3]
1.4  Do network administrators receive adequate and appropriate training on network
     security and control?  [risk ID 1.4; CT refs 1.4.1, 1.4.2]
1.5  Are technical standards and configuration information for all network facilities
     clearly documented?  [risk ID 1.5; CT refs 1.5.1, 1.5.2, 1.5.3]
1.6  Is network activity monitored to ensure that security has not been breached and
     performance is optimised?
     [risk ID 1.6; CT refs 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6]
1.7  Are the commercial and service arrangements for the network fully documented,
     supported, monitored and agreed by all parties?  [risk ID 1.7; CT refs 1.7.1, 1.7.2, 1.7.3]
2.1  Do procedures exist for the approval and installation of network connections?
     [risk ID 2.1; CT refs 2.1.1, 2.1.2, 2.1.3]
2.2  Are only authorised users able to make network connections and are procedures in
     place to check for unauthorised connections?  [risk ID 2.2; CT refs 2.2.1, 2.2.2, 2.2.3]
2.3  Is use of the network monitored to check for unauthorised network connections and for
     equipment that is functioning (or being used) incorrectly?
     [risk ID 2.3; CT refs 2.3.1, 2.3.2]
3.1  Is encryption used to prevent unauthorised access to data transmitted over the
     network?  [risk ID 3.1; CT refs 3.1.1, 3.1.2, 3.1.3, 3.1.4]
3.2  Are controls designed to safeguard data and programs from loss, misuse, theft, damage
     and accidental or deliberate corruption and denial of service attacks?
     [risk ID 3.2; CT refs 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5]
3.3  Are networks designed and built to maximise the effectiveness of data traffic?
     [risk ID 3.3; CT refs 3.3.1, 3.3.2]
4.1  Are hardware and communication media protected against damage, malfunction and
     misuse? Is suitability of locations given due consideration?
     [risk ID 4.1; CT refs 4.1.1, 4.1.2]
4.2  Do arrangements exist for the maintenance and insurance of hardware, communications
     infrastructure, network management software and consequential loss?
     [risk ID 4.2; CT refs 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5]
4.3  Are network management software and data files on each file server and network device
     backed up regularly and the copies retained in a safe place?
     [risk ID 4.3; CT refs 4.3.1, 4.3.2, 4.3.3]
4.4  Do recovery and business continuity arrangements exist in the event of failure of
     lines or nodes on the network?  [risk ID 4.4; CT refs 4.4.1, 4.4.2]
Network Controls: Compliance Tests
ICQ REF CT REF COMPLIANCE TEST WORKING PAPERS
1.1 1.1.1
Obtain a copy of the organisation's IS/IT strategy and corporate business plans and assess
whether the IS/IT strategy will support them.
1.1.2
Determine whether the network strategy can meet the stated aims of the organisation,
whether it has the backing of senior management and whether its implementation is included
in an approved development programme.
1.2 1.2.1
Determine who has responsibilities for the network and whether they have received adequate
and appropriate training.
1.3 1.3.1
Determine what instruction users have received on general usage of the network and whether
those instructions are reflected in guidance on the use of specific applications.
1.3.2
Ask whether there is a defined training programme explaining users' responsibilities when
using the network.
1.3.3
Examine whether there are instructions documented in an up-to-date user guide and whether
such guidance includes security issues.
1.4 1.4.1
Find out if the network administration staff are experienced in the area of network
management and control.
1.4.2
Identify and assess the level of training provided and that planned.
1.5 1.5.1
Identify what network device configuration documentation is available and what procedures
are in place to ensure that the documentation is kept up to date and accurate.
1.5.2
Check a sample of the configuration information available against the running configuration
of the devices concerned to ensure that it is actually up to date.
1.5.3
Ensure that the internet connection is properly documented and that the document is up to
date and includes all of the internet services in use, as specified in the internet policy.
1.6 1.6.1
Ascertain what network usage information is available, the use to which it is put, what
reporting and forecasting takes place, and what remedial action is taken if performance of the
network or integrity of data is threatened.
1.6.2
Review network traffic reports to assess whether monitoring is adequate, eg do reports
include:
- snapshots of activity at regular intervals throughout the day
- average utilisation in the period
- peak utilisation in the period.
1.6.3
Obtain details of monitoring information and review error logs. Select a sample of problems
and identify the time taken for their resolution. Assess whether this is appropriate given the
nature of the problem and the services affected.
1.6.4
Find out how the network has changed since its installation and how the network is to be
developed to meet future needs. Ask whether a network action plan is in place to ensure that
future needs will be met.
1.6.5
Identify whether active intrusion detection is used and what policies have been implemented.
1.6.6
Identify and review whether there is a security breach action plan for the organisation, ie
action to be taken by the organisation should network attacks be identified.
1.7 1.7.1
Check that the appropriate contracts and service level agreements exist and have been
signed off by authorised representatives of all parties.
1.7.2
Ensure that the contracts and service level agreements cover all aspects of the network
service provision and that the interests of the organisation are adequately protected as the
customer of the service.
1.7.3
Check that there is a regular review process for the service between the parties and that the
agreements are updated according to changes in business needs.
2.1 2.1.1
Ask if there are explicit rules governing connection of equipment to the network. Check
whether these cover the types of equipment, associated software and staff carrying out the
work, and how details of the connection are recorded.
2.1.2
Identify controls in place to detect unauthorised network connections.
2.1.3
Identify whether there is a policy governing the use of the internet by employees, business
partners and clients. If there is a policy, identify how this is communicated, monitored and
enforced.
2.2 2.2.1
Identify all permanent and temporary network connections in place and how connections are
controlled.
2.2.2
Assess the arrangements for allocating and monitoring user access. A listing of all users and
their access restrictions should be requested and examined for reasonableness.
2.2.3
Check arrangements for allocating lines and validating remote users, particularly where
modems are left switched on at all times.
2.3 2.3.1
Ask what checks are made to detect unauthorised attachment to the network.
2.3.2
Ask whether any monitoring of the type and content of network traffic takes place.
3.1 3.1.1
Identify whether the organisation has a policy on the use of encryption for the transmission of
confidential data.
3.1.2
Ask whether encryption is used where sensitive or business-critical data is being transferred
across the network.
3.1.3
Identify whether encryption keys are adequately protected and, if they are not, whether the
protection that encryption is intended to provide is undermined as a result.
3.1.4
Identify whether controls are in place to ensure that passwords and data are only transmitted
across the network in an encrypted manner.
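Compliance test 3.1.4 asks whether such controls exist; the following added example (not part of the audit guide) shows how an auditor with access to a packet capture can turn the answer into evidence. It scans reassembled TCP payloads for credentials sent in the clear: HTTP Basic authentication, HTTP form logins, and the USER/PASS command pair shared by FTP and POP3. The five sample streams, their addresses and the credentials they carry are constructed for the example, and `audit_streams` and `find_cleartext_credentials` are names chosen here. Passwords are masked before they reach a finding, since the working papers should record that a credential was exposed, not the credential itself.

```python
"""Added example (not from the audit guide): scan reassembled TCP stream
payloads for credentials sent in the clear, so that compliance test 3.1.4
can be answered from captured evidence rather than from an interview.
Recognises HTTP Basic authentication, HTTP form logins and the USER/PASS
command pair shared by FTP and POP3.  All sample streams are constructed;
the addresses and credentials are invented."""
import base64
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample streams: (client, "server:port", reassembled payload).
SAMPLE_STREAMS = [
    ("10.1.2.30", "10.1.5.10:80",
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
     b"Authorization: Basic YWxpY2U6cGFzc3dvcmQxMjM=\r\n\r\n"),
    ("10.1.2.31", "10.1.5.20:21",
     b"220 ftp ready\r\nUSER backup\r\n331 Password required\r\n"
     b"PASS Wint3r2024!\r\n230 Login ok\r\n"),
    # Start of a TLS ClientHello: the scanner sees only opaque bytes here.
    ("10.1.2.32", "10.1.5.30:443",
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(32)),
    ("10.1.2.33", "10.1.5.40:110",
     b"+OK POP3 ready\r\nUSER bob\r\n+OK\r\nPASS hunter2\r\n+OK logged in\r\n"),
    ("10.1.2.34", "10.1.5.50:8080",
     b"POST /login HTTP/1.1\r\nHost: app\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"username=carol&password=S3cret%21\r\n"),
]

BASIC_AUTH = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
USER_CMD = re.compile(rb"^USER\s+(\S+)\s*$", re.M)
PASS_CMD = re.compile(rb"^PASS\s+(\S+)\s*$", re.M)
USER_FIELD = re.compile(r"^(user(name)?|login|email)$", re.I)
PASSWORD_FIELD = re.compile(r"^(pass(word|wd)?|pwd|secret)$", re.I)


@dataclass(frozen=True)
class Finding:
    client: str
    server: str
    mechanism: str
    username: str
    password_masked: str  # the working papers record exposure, never the secret


def _text(raw: bytes) -> str:
    return raw.decode("utf-8", errors="replace")


def _mask(secret: str) -> str:
    return secret[:1] + "*" * (len(secret) - 1)


def find_cleartext_credentials(client, server, payload):
    """Return every credential recoverable from one stream's payload."""
    findings = []
    m = BASIC_AUTH.search(payload)
    if m:
        try:
            decoded = _text(base64.b64decode(m.group(1), validate=True))
        except ValueError:  # binascii.Error is a ValueError: malformed base64
            decoded = ""
        if ":" in decoded:
            user, _, pw = decoded.partition(":")
            findings.append(Finding(client, server, "http-basic", user, _mask(pw)))
    # FTP and POP3 both log in with a USER line followed by a PASS line.
    u, p = USER_CMD.search(payload), PASS_CMD.search(payload)
    if u and p:
        findings.append(Finding(client, server, "user-pass-command",
                                _text(u.group(1)), _mask(_text(p.group(1)))))
    # HTTP form login: url-encoded body after the blank line ending the headers.
    head, sep, body = payload.partition(b"\r\n\r\n")
    if sep and b"application/x-www-form-urlencoded" in head.lower():
        fields = {k: v[0] for k, v in parse_qs(_text(body).strip()).items()}
        pw_keys = [k for k in fields if PASSWORD_FIELD.match(k)]
        if pw_keys:
            user = next((fields[k] for k in fields if USER_FIELD.match(k)), "?")
            findings.append(Finding(client, server, "http-form",
                                    user, _mask(fields[pw_keys[0]])))
    return findings


def audit_streams(streams=SAMPLE_STREAMS):
    """Scan every stream; an empty result means no cleartext credential was recognised."""
    return [f for client, server, payload in streams
            for f in find_cleartext_credentials(client, server, payload)]


if __name__ == "__main__":
    for f in audit_streams():
        print(f"{f.client} -> {f.server}: {f.mechanism} user={f.username} "
              f"password={f.password_masked}")
```

A stream that produces no finding is not proof that it was encrypted, only that nothing recognisable was seen; the TLS sample passes because its payload is opaque to the scanner, which is what 3.1.4 is after. Whether the keys behind that encryption are handled properly is the separate question in 3.1.3.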
3.2 3.2.1
Determine what the organisation has done to prevent denial of service attacks.
3.2.2
Check that modems, routers and bridges are configured to minimise the risk of unauthorised
access.
3.2.3
Review a sample of routers to ensure that access to router configuration menus is restricted.
3.2.4
Ask whether the firewall has been configured to detect excessive network traffic from any one
source.
3.2.5
Ask whether the internal network has been configured or partitioned to protect particularly
sensitive business systems.
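An added example, not from the audit guide, of the detection that compliance test 3.2.4 asks about: a sliding-window count of connections per source over a firewall log, reporting any source that exceeds a threshold inside the window. The log lines are constructed in a generic key=value format rather than any vendor's, and `find_flooding_sources`, `THRESHOLD` and `WINDOW` are names chosen for the example. Run against an export of the real firewall log, it lets the auditor confirm the answer to 3.2.4 rather than take it on trust.

```python
"""Added example (not from the audit guide): the detection behind compliance
test 3.2.4.  Counts connections per source inside a sliding time window and
reports any source that exceeds THRESHOLD within WINDOW seconds.  The log is
constructed in a generic key=value format, not a vendor's; adjust LINE to the
firewall's own export before running it against real logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
                  r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")
THRESHOLD = 50  # more than this many connections from one source ...
WINDOW = 10     # ... within this many seconds is reported


def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for a line that is not a record."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))  # tolerate a trailing Z
    return ts, m["src"], m["dst"], int(m["dport"])


def find_flooding_sources(lines, threshold=THRESHOLD, window_seconds=WINDOW):
    """Return {src: timestamp at which that source first exceeded the threshold}.

    Lines must be in time order, as a log file is.  One deque per source keeps
    only the timestamps still inside the window, so memory is bounded by the
    events in one window per source, not by the size of the log."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _dst, _dport = parsed
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # q holds ts itself, so this always terminates
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def constructed_log():
    """Synthetic log: one source floods, one is busy but slow, one is quiet.

    Constructed for this example; the addresses are documentation ranges."""
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    profile = (("203.0.113.7", 120, 0.1),   # 120 connections in 12 s: flagged
               ("203.0.113.9", 120, 5.0),   # 120 connections over 10 min: not flagged
               ("198.51.100.5", 5, 37.0))   # a handful of ordinary connections
    events = []
    for src, count, gap in profile:
        for i in range(count):
            ts = t0 + timedelta(seconds=i * gap)
            events.append((ts, f"{ts.isoformat()} action=accept src={src} "
                               f"dst=198.51.100.10 dport=443 proto=tcp"))
    events.sort()
    lines = [text for _, text in events]
    lines.insert(0, "firewall restarted: log format v2")  # a non-record line, skipped
    return lines


if __name__ == "__main__":
    for src, when in find_flooding_sources(constructed_log()).items():
        print(f"{src} exceeded {THRESHOLD} connections in {WINDOW}s at {when.isoformat()}")
```

A per-source threshold catches a single noisy host or a simple flood; traffic spread across many sources stays under it, which is why the partitioning asked about in 3.2.5 matters alongside this check rather than instead of it.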
3.3 3.3.1
Examine network diagrams (topologies) for evidence that shortest route methodologies have
been adopted.
3.3.2
Ensure all attempts have been made to direct data traffic along the most efficient route (if
possible use network traffic monitoring tools to help verify this control).
4.1 4.1.1
Consider the physical security afforded to file servers, workstations, terminals, lines and
other network equipment. Attempt to follow lines and note any vulnerable points.
4.1.2
Get details of individuals who have access to vulnerable areas and assess the
reasonableness of this access and any security weaknesses this raises.
4.2 4.2.1
Ask about arrangements for maintaining inventories of networked computer facilities and
keeping them up to date.
4.2.2
Obtain maintenance agreements and compare the equipment covered by them with the
inventories to ensure that an acceptable level of cover is available in the event of failure or
damage.
4.2.3
Ensure that all network devices are on the inventory.
4.2.4
Determine call-out arrangements for engineers, including agreed times for obtaining service.
4.2.5
Check insurance policies, the risks that they cover and whether networked and departmental
facilities outside the main computer centre are included. Also, compare insurance policies
with leasing agreements to check whether the latter include insurance cover.
4.3 4.3.1
Ascertain whether any guidance is provided by the IT department on the creation of back-up
copies and the extent to which this is mandatory and followed at remote sites.
4.3.2
Determine the location, date and identity of the latest full back-up copy of the network
management software.
4.3.3
Find out what controls are in place to stop unauthorised examination and amendment of
networking protocols and settings.
4.4 4.4.1
Look for evidence that management has considered risks and that back-up procedures and
up-to-date contingency plans exist. There should also be evidence that back-up procedures
are adhered to, that the contingency plans are tested and comprehensive, and that faults are
reported, recorded and investigated promptly.
4.4.2
Identify alternative routings available across the network and assess whether they are
adequate in the event of one or more lines or connection points failing. Ask whether automatic
re-routing in the event of failure is provided.
Internet Controls: Risk Identifier
CONTROL OBJECTIVE CONTROL RISK ICQ REF
TRANSACTION RECORDING AND PROCESSING
1 Use of the e-mail facility is well 1.1 An e-mail usage policy has been 1.1
defined and managed to minimise documented, setting out a practical
inappropriate, inefficient and framework for staff whilst ensuring
insecure activities. the confidentiality, availability and
integrity of the organisation's network
and computer systems.
1.2 Guidance is given on personal use of 1.2
the e-mail facility.
1.3 Managerial and electronic processes 1.3
are in place to monitor and detect
inappropriate use of the e-mail
facility.
1.4 Action is taken when breaches of the 1.4
e-mail policy are detected.
2 Access to and use of the internet for 2.1 An internet usage policy has been 2.1
information searching is well defined documented, setting out a practical
and managed to minimise framework for staff whilst ensuring
inappropriate, inefficient and the confidentiality, availability and
insecure activities. integrity of the organisations network
and computer systems.
2.2 Procedures are defined for accessing 2.2
the internet and for downloading files.
2.3 Guidance is given on personal use of 2.3
the internet.
2.4 Action is taken when breaches of the 2.4
internet policy are detected.
Internet Controls: Internal Control Questionnaire
RISK ICQ CONTROL ANSWER COMMENTS CT
ID CTL REF Y N
1.1 1.1 Has an e-mail usage policy been documented, setting out a practical 1.1.1
framework for staff whilst ensuring the confidentiality, availability and 1.1.2
integrity of the organisation's network and computer systems?
1.2 1.2 Is guidance given on personal use of the e-mail facility? 1.2.1
1.3 1.3 Are managerial and electronic processes in place to monitor and detect 1.3.1
inappropriate use of the e-mail facility?
1.4 1.4 Is action taken when breaches of the e-mail policy are detected? 1.4.1
1.4.2
2.1 2.1 Has an internet usage policy been documented, setting out a practical 2.1.1
framework for staff whilst ensuring the confidentiality, availability and 2.1.2
integrity of the organisation's network and computer systems? 2.1.3
2.1.4
2.2 2.2 Are procedures defined for accessing the internet and for downloading 2.2.1
files? 2.2.2
2.3 2.3 Is guidance given on personal use of the internet? 2.3.1
2.4 2.4 Is action taken when breaches of the internet policy are detected? 2.4.1
2.4.2
Internet Controls: Compliance Tests
ICQ REF CT REF COMPLIANCE TEST WORKING PAPERS
1.1 1.1.1
Check that the organisation has a policy governing usage of e-mail by its members/non-
executives and employees. Ensure that it has been signed off by senior management.
1.1.2
Check that all users are made aware of the policy and, if they are, determine how this is kept
up to date.
1.2 1.2.1
Ask about the organisation's approach to personal use of e-mail and check that that approach
has been communicated to all users.
1.3 1.3.1
Determine if monitoring software is used and if so, check that the arrangements are adequate
and communicated to all users.
1.4 1.4.1
Check that defined arrangements are in place to respond to breaches of the e-mail policy.
1.4.2
Check that users are aware of the policy for dealing with breaches of the e-mail policy.
2.1 2.1.1
Check that the organisation has a policy governing usage of the internet by its members/non-
executives and employees and that it has been signed off by senior management.
2.1.2
Ensure that it clearly documents what internet services can be used and what they can be used
for.
2.1.3
Determine that all internet users are made aware of the policy and if so, check how this is kept
up to date.
2.1.4
Determine what training is made available for staff using the internet and whether it
emphasises the efficiency considerations.
2.2 2.2.1
Check that users have been given clear and unambiguous guidance on accessing the internet
and downloading and distributing data.
2.2.2
Ascertain whether specialised monitoring software has been installed, how it is managed and
whether users have been made aware of its presence.
2.3 2.3.1
Ask about the organisation's approach to private use of the internet and check that it has been
communicated to all users.
2.4 2.4.1
Check that defined arrangements are in place to respond to breaches of the internet policy.
2.4.2
Check that users are aware of the arrangements for dealing with breaches of the internet
policy.
E-commerce Controls: Risk Identifier
CONTROL OBJECTIVE CONTROL RISK ICQ REF
TRANSACTION RECORDING AND PROCESSING
1 E-commerce is applied according to 1.1 There are clear business objectives 1.1
defined business decisions. for e-commerce.
1.2 There are defined contractual and 1.2
operational procedures for dealing
with external trading partners.
1.3 The legal conditions of e-commerce 1.3
transactions are clearly defined.
1.4 E-commerce facilities of trading 1.4
partners do not compromise the
organisation's own IT facilities.
1.5 Any data no longer required by third 1.5
parties is deleted in a timely and
secure manner.
2 All e-commerce processing is 2.1 The e-commerce applications are 2.1
secure. processed in a secure environment.
2.2 Users are identifiable. 2.2
2.3 Users and transactions can be 2.3
authenticated and authorised.
2.4 Transactions can be logged and are 2.4
traceable.
E-commerce Controls: Internal Control Questionnaire
RISK ICQ CONTROL ANSWER COMMENTS CT
ID CTL REF Y N
1.1 1.1 Are there clear business objectives for e-commerce? 1.1.1
1.1.2
1.2 1.2 Are there defined contractual and operational procedures for dealing 1.2.1
with external trading partners? 1.2.2
1.2.3
1.3 1.3 Are the legal conditions of e-commerce transactions clearly defined? 1.3.1
1.4 1.4 Are the e-commerce facilities of trading partners prevented from 1.4.1
compromising the organisation's own IT facilities?
1.5 1.5 Is any data no longer required by third parties deleted in a timely and 1.5.1
secure manner?
2.1 2.1 Are e-commerce applications processed in a secure environment? 2.1.1
2.1.2
2.1.3
2.2 2.2 Are users identifiable? 2.2.1
2.2.2
2.2.3
2.2.4
2.3 2.3 Can users and transactions be authenticated and authorised? 2.3.1
2.3.2
2.3.3
2.4 2.4 Can transactions be logged and are they traceable? 2.4.1
2.4.2
2.4.3
E-commerce Controls: Compliance Tests
ICQ REF CT REF COMPLIANCE TEST WORKING PAPERS
1.1 1.1.1
Ask to see the evaluation report and assess whether the objectives reflect a wider
consideration of the organisation's business and IT strategies and whether costs and benefits
have been identified.
1.1.2
Ask who was involved in the considerations of e-commerce and whether they reflected the
wider business interests of the organisation.
1.2 1.2.1
Enquire whether a contractual agreement has been drawn up with the third party and ask
whether the organisation's legal department was involved in its compilation and agreement.
1.2.2
If the agreement has been active for some time, ask whether problems have arisen and been
resolved in accordance with the contract.
1.2.3
Ensure that the organisation has developed and documented a standard mechanism to gather
data and perform risk assessments of a third party's security controls.
1.3 1.3.1
Assess whether the legal status of computer-generated data has been evaluated by the
organisation's legal department.
1.4 1.4.1
Check that consideration has been given to ensuring that the facilities used by trading partners
do not compromise the organisation's own procedures.
1.5 1.5.1
Check that agreements exist with all data receivers concerning the timely and secure deletion
(or return) of data no longer required for processing or storage by third parties.
2.1 2.1.1
Check that the organisation has conducted a risk assessment and implemented appropriate
security and management of its external data links.
2.1.2
Ask whether the organisation has adopted or is actively engaged in adopting ISO 17799 (since
renumbered as ISO/IEC 27002).
2.1.3
Check that the overall IT environment where e-commerce processing is being performed is
secure.
2.2 2.2.1
Check whether the organisation has defined user identification processes for e-commerce
applications.
2.2.2
Check that during sign-on, procedures including identification and password verification are
sufficient.
2.2.3
Ascertain whether the allocation of passwords and PINs is managed automatically and is
secure from human intervention.
2.2.4
Ask whether smart cards have been considered and, if so, how they are to be implemented.
2.3 2.3.1
Ask how the organisation has adopted authentication to protect its e-commerce activities.
2.3.2
Ask whether it has engaged with a certification authority and how it has satisfied itself that the
CA is accredited, complies with ISO 17799 (since renumbered as ISO/IEC 27002) and offers
adequate support.
2.3.3
Check that procedures are sufficient to ensure that only valid and properly authorised
transactions are authenticated and processed.
2.4 2.4.1
Examine the facilities for logging e-commerce transactions.
2.4.2
Ask what tests have been undertaken to trace transactions to their source and identify users.
2.4.3
Ask whether the journal facilities have been called upon as a consequence of system failures
and whether they were satisfactory.
Environmental Controls: Risk Identifier
CONTROL OBJECTIVE CONTROL RISK ICQ REF
TRANSACTION RECORDING AND PROCESSING
1 Responsibilities for controlling the 1.1 Responsibilities for controlling 1.1
physical security of computing physical security are assigned and
facilities are clearly defined. set down in a written IT security
policy which is kept up to date and
communicated to all staff.
1.2 Compliance with the policy is 1.2
monitored by IT and user
management.
1.3 An officer within the IT section has 1.3
been assigned responsibility for
security.
1.4 A business impact review has been 1.4
carried out to establish the criticality
of systems and the nature of risk to
which they are exposed.
2 IT equipment is securely located. 2.1 IT equipment is located in a 2.1
restricted access area.
2.2 Departmental machines are 2.2
securely located.
2.3 Network equipment such as servers 2.3
and routers is located in locked
areas.
2.4 A record of any security breaches is 2.4
maintained.
2.5 Staff have received instructions on 2.5
what to do in the event of a breach
of security.
3 Adequate precautions exist to protect 3.1 Fire, water and smoke detectors are 3.1
IT equipment. located near equipment.
3.2 Fire-fighting equipment is 3.2
maintained and tested periodically.
3.3 Staff receive training in using fire- 3.3
fighting equipment.
3.4 The IT environment is kept clean 3.4
and no hazardous material is stored
close to equipment.
3.5 The IT equipment is protected 3.5
against the risks of flooding or
severe weather conditions.
3.6 Alternative power supplies are 3.6
installed where business-critical
applications are processed.
3.7 Equipment failures are minimised by 3.7
good internal housekeeping and
regular maintenance.
3.8 Food, drink and smoking in the 3.8
computer area are prohibited.
4 Only authorised persons have 4.1 An access control mechanism is 4.1
access to IT equipment. fitted to all doors leading to IT
facilities.
4.2 No unauthorised person has access 4.2
to IT equipment.
4.3 All persons such as engineers and 4.3
cleaners are accompanied at all
times in the computer area.
4.4 Suitable logical security is in place 4.4
to prevent unauthorised use of IT
facilities.
5 Adequate insurance cover exists for 5.1 Insurance cover is in place for IT 5.1
IT equipment. equipment.
5.2 All items of IT equipment are 5.2
recorded in an inventory that
records make, model, serial number,
cost and date of purchase.
5.3 Arrangements are in place to advise 5.3
the insurance company of any
changes in equipment.
6 The transfer of data and IT facilities 6.1 Arrangements exist for all data sent 6.1
to and from the organisation is fully off-site to be fully protected from
secure. accidental or deliberate loss,
damage or disclosure.
6.2 Staff are instructed to secure fully all 6.2
IT facilities used off-site.
6.3 Any data and equipment for 6.3
disposal does not contain
information that should not be
disclosed.
6.4 The security provisions for data and 6.4
IT facilities which are exchanged
with other organisations are
reflected in a contractual agreement
between both parties.
7 IT processing undertaken at external 7.1 IT security standards are defined 7.1
centres is fully secure. within a written contract for all
processing at external centres.
8 Third-party access to IT facilities is 8.1 The risks of third-party connections 8.1
fully protected. have been fully evaluated and
security procedures are reflected in
a written contract.
Environmental Controls: Internal Control Questionnaire
RISK ICQ CONTROL ANSWER COMMENTS CT
ID CTL REF Y N
1.1 1.1 Are responsibilities for controlling physical security assigned and set 1.1.1
down in a written IT security policy which is kept up to date and 1.1.2
communicated to all staff? 1.1.3
1.1.4
1.2 1.2 Is compliance with the policy monitored by IT and user management? 1.2.1
1.2.2
1.3 1.3 Has an officer within the IT section been assigned responsibility for 1.3.1
security? 1.3.2
1.4 1.4 Has a business impact review been carried out to establish the 1.4.1
criticality of systems and the nature of risk to which they are exposed? 1.4.2
1.4.3
1.4.4
2.1 2.1 Is IT equipment located in a restricted access area? 2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2 2.2 Are departmental machines securely located? 2.2.1
2.2.2
2.3 2.3 Is network equipment such as servers and routers located in locked 2.3.1
areas? 2.3.2
2.4 2.4 Is a record of security breaches maintained? 2.4.1
2.4.2
2.5 2.5 Have staff received instructions on what to do in the event of a breach 2.5.1
of security?
3.1 3.1 Are fire, water and smoke detectors located near equipment? 3.1.1
3.1.2
3.1.3
3.1.4
3.2 3.2 Is fire-fighting equipment maintained and tested periodically? 3.2.1
3.3 3.3 Do staff receive training in using fire-fighting equipment? 3.3.1
3.4 3.4 Is the computer environment kept clean and is hazardous material 3.4.1
stored away from equipment?
3.5 3.5 Is the IT equipment protected against the risks of flooding or severe 3.5.1
weather conditions? 3.5.2
3.5.3
3.5.4
3.6 3.6 Are alternative power supplies installed where business-critical 3.6.1
applications are processed? 3.6.2
3.6.3
3.7 3.7 Are equipment failures minimised by good internal housekeeping and 3.7.1
regular maintenance? 3.7.2
3.7.3
3.8 3.8 Are food, drink and smoking in the computer area prohibited? 3.8.1
3.8.2
3.8.3
4.1 4.1 Is an access control mechanism fitted to all doors leading to IT 4.1.1
facilities? 4.1.2
4.1.3
4.1.4
4.2 4.2 Are unauthorised persons prevented from gaining access to IT equipment? 4.2.1
4.2.2
4.3 4.3 Are all persons such as engineers and cleaners accompanied at all 4.3.1
times in the computer area?
4.4 4.4 Is suitable logical security in place to prevent unauthorised use of IT 4.4.1
facilities? 4.4.2
5.1 5.1 Is insurance cover in place for IT equipment? 5.1.1
5.1.2
5.2 5.2 Are all items of IT equipment recorded in an inventory that records 5.2.1
make, model, serial number, cost and date of purchase?
5.3 5.3 Are arrangements in place to advise the insurance company of any 5.3.1
changes in equipment? 5.3.2
5.3.3
6.1 6.1 Do arrangements exist for all data sent off-site to be fully protected 6.1.1
from accidental or deliberate loss, damage or disclosure?
6.2 6.2 Are staff instructed to secure fully all IT facilities used off-site? 6.2.1
6.2.2
6.3 6.3 Is data and equipment for disposal checked to ensure that it contains no 6.3.1
information that should not be disclosed?
6.4 6.4 Are security provisions for data and IT facilities which are exchanged 6.4.1
with other organisations reflected in a contractual agreement between
both parties?
7.1 7.1 Are IT security standards defined within a written contract for all 7.1.1
processing at external centres? 7.1.2
7.1.3
8.1 8.1 Have the risks of third-party connections been fully evaluated and 8.1.1
security procedures reflected in a written contract? 8.1.2
Environmental Controls: Compliance Tests
ICQ REF CT REF COMPLIANCE TEST WORKING PAPERS
1.1 1.1.1
Ask to see the IT security policy and check when it was last updated.
1.1.2
Determine how widely it has been distributed. Check with some users to see if they hold a copy
or are aware of it.
1.1.3
Ask how IT security responsibilities are made known to staff and ask some users whether they
are aware of their responsibilities.
1.1.4
Check whether newly appointed staff are made aware of their responsibilities. This may be
done during any initial training sessions or in some form of starter pack.
1.2 1.2.1
Observation and conversations with staff should indicate whether physical security is regarded
as important and evidence should also be found in up-to-date notices and instructions available
to staff.
1.2.2
Identify where responsibility for physical security lies within the organisation and how the
different approaches to security are co-ordinated.
1.3 1.3.1
Ascertain who is responsible for IT security.
1.3.2
Obtain a copy of their job description and check that all aspects of security are included.
1.4 1.4.1
See Chapter 12, Business Continuity Planning.
1.4.2
Establish whether a business impact analysis or risk analysis exercise has been carried out
and ask to see the report.
1.4.3
If the risk assessment was recently undertaken, check to see if it has been updated in the
event of alterations to IT systems and hardware.
1.4.4
Ask to see the organisation's strategy for the prevention, detection and recovery from
environmental hazards and check that it reflects the outcome of the impact/risk analysis
exercise.
2.1 2.1.1
Visit the computer room and record details of all entry/exit points.
2.1.2
Ascertain details of what methods are in place to restrict access.
2.1.3
Obtain a list of persons who have access to the equipment.
2.1.4
Check that any unissued swipe cards are securely held.
2.1.5
Ensure that numeric key pad codes are periodically changed.
2.1.6
Check that a procedure is in place to remove the access rights of any member of staff who
resigns from or otherwise leaves the organisation.
2.2 2.2.1
Ascertain details of all equipment located within user departments.
2.2.2
Visit each department and establish that either the equipment is securely located or access to
the department is restricted.
2.3 2.3.1
Check that all communications equipment is located in secure areas or lockable cabinets or
cupboards.
2.3.2
Communications wiring should also be examined to ensure that it is secure.
2.4 2.4.1
Obtain the log of security breaches.
2.4.2
Examine each reported breach and ensure that management have investigated it and taken
action to prevent it from recurring.
2.5 2.5.1
Ask staff whether they have received instruction on what to do if they think that there has been
a breach of security that affects an IT system.
3.1 3.1.1
Observe whether written instructions regarding the procedures to be followed in the event of a
fire are clearly posted throughout the building.
3.1.2
Establish the existence of fire protection equipment wherever IT equipment is located (including
office environments).
3.1.3
Establish whether the fire precautions in and around the IT sites and office areas where IT
equipment is used comply with the requirements of the fire service or other specialist
organisation and seek evidence that the fire-fighting equipment is regularly maintained.
3.1.4
Check that clear access to fire-fighting equipment is available.
3.2 3.2.1
Examine a sample of fire extinguishers to ensure that they have been checked within the last
12 months.
3.3 3.3.1
Establish the frequency of fire drills and ask staff if they are aware of the procedures to follow in
the event of a fire.
3.4 3.4.1
Visit the IT areas to check they are clean and tidy.
3.4.2
Check whether any hazardous materials are stored close to IT equipment.
3.5 3.5.1
From a plan of the building, identify water pipes or storage tanks on all floors and establish if
they pose a risk to the IT equipment.
3.5.2
If the IT sites are located in a flood risk area, establish whether flood warning devices are
installed.
3.5.3
Where water-pumping equipment is installed, check that an alternative power supply is
available in the case of electrical failure.
3.5.4
Ask to see the written procedures that staff have to follow in the event of a flood or other water
damage.
3.6 3.6.1
Check whether critical equipment is protected from power fluctuations.
3.6.2
Ascertain whether the computer site has an uninterruptible power supply and determine
whether it is regularly tested.
3.6.3
Check that the equipment is regularly maintained and tested.
3.7 3.7.1
Establish the recommended schedule for equipment maintenance and ask to see evidence that
the maintenance is carried out as required.
3.7.2
Determine the procedures for logging equipment failures and calling out maintenance
personnel and establish that maintenance is available during all operating shifts.
3.7.3
Where on-line maintenance techniques are used by maintenance companies, review the
controls over the on-line access.
3.8 3.8.1
Determine whether there are restrictions against food, drink and smoking within IT areas.
3.8.2
Observe activity in the IT areas to establish whether these restrictions are adhered to.
3.8.3
Establish whether guidance is provided for staff on these issues and ask to see a copy.
4.1 4.1.1
Ask how physical access to the computer site is restricted and whether this also applies out of
normal office hours.
4.1.2
Observe the security arrangements (preferably without any pre-announcement of the visit) and
assess whether the general physical access appears to be well controlled.
4.1.3
Where keys, badges, entry codes, etc are in use, ensure that their use is monitored and
changes are made to reflect staff movements.
4.1.4
Ensure that security alarms are fitted and activated outside working hours.
4.2 4.2.1
Check that no unauthorised staff can gain access to IT equipment.
4.2.2
Check that procedures exist for protecting mobile PC equipment.
4.3 4.3.1
Ensure that procedures are in place for all visitors to be accompanied.
4.4 4.4.1
Ascertain whether use is made of any logical security system.
4.4.2
Obtain details of the facilities provided by the security system and who is responsible for
security.
5.1 5.1.1
Determine the method used by the organisation to assess the level of cover and assess
whether all the risks have been considered, especially consequential loss and the cost of
reconstituting data.
5.1.2
Establish if a procedure exists to notify the person responsible for insurance arrangements of
all new acquisitions so that insurance records can be kept up to date and test the procedure.
5.2 5.2.1
Establish who has responsibility for maintaining the inventory and reviewing the procedures for
keeping it up to date and accurate.
5.3 5.3.1
Obtain details of the insurance cover provided.
5.3.2
Check the details of equipment insured against the asset register.
5.3.3
Check that a procedure exists to advise the insurance company of all changes to IT equipment.
6.1 6.1.1
Check that the organisation has assessed the classification of all data sent off-site and
employed appropriate means such as encryption to minimise the risk of accidental or malicious
data disclosure.
6.2 6.2.1
Check that written instructions are given to all staff making them aware of the need to secure
all equipment used off premises.
6.2.2
Check that insurance cover is not invalidated if equipment is taken off premises.
6.3 6.3.1
Check that procedures are defined for the disposal of equipment and that particular mention is
made of erasing sensitive data.
6.4 6.4.1
Check that software exchange agreements are used and fully reflect security considerations.
7.1 7.1.1
Check that the outsourcing contract refers to IT security arrangements.
7.1.2
Consider software checks at the outsourced site to ensure that the security of the
organisation's files and data is not compromised.
7.1.3
Check if internal audit has visited the site and checked the security arrangements.
8.1 8.1.1
Establish whether third-party connections are permitted and, if so, whether a risk analysis has
been undertaken in respect of any connections.
8.1.2
Check that arrangements by maintenance organisations to utilise remote diagnostic facilities do
not compromise security.
Business Continuity Planning: Risk Identifier
CONTROL OBJECTIVE / CONTROL RISK / ICQ REF
TRANSACTION RECORDING AND PROCESSING
1  An effective risk assessment has been carried out to identify the business and IT systems critical to the organisation.
   1.1  A business impact review has been carried out and an assessment made of the risks.  ICQ ref 1.1
2  A continuity plan has been prepared that details the procedures to allow recovery from a partial or total loss of IT and business services in a controlled manner.
   2.1  A disaster recovery plan has been prepared and approved by management.  ICQ ref 2.1
   2.2  Contingency plans have been prepared for non-critical failures.  ICQ ref 2.2
   2.3  Plans have been documented and circulated to key staff.  ICQ ref 2.3
   2.4  Responsibility for dealing with a disaster has been assigned to a disaster recovery team and the respective roles and responsibilities of the team are documented and understood by all team members.  ICQ ref 2.4
   2.5  The disaster recovery plan is tested periodically, reappraised and kept up to date in the light of changes to the risk assessment.  ICQ ref 2.5
   2.6  Standby disaster recovery facilities have been arranged and are periodically tested to ensure that they are effective, workable and current.  ICQ ref 2.6
   2.7  Disaster recovery procedures are considered during the specification of any new computer applications and to safeguard systems under development.  ICQ ref 2.7
Business Continuity Planning: Internal Control Questionnaire
RISK ID / ICQ CTL REF / CONTROL / ANSWER (Y/N) / COMMENTS / CT
1.1  1.1  Has a business impact review been carried out and an assessment made of the risks?  CT 1.1.1, 1.1.2, 1.1.3
2.1  2.1  Has a disaster recovery plan been prepared and approved by management?  CT 2.1.1, 2.1.2, 2.1.3, 2.1.4
2.2  2.2  Have contingency plans been prepared for non-critical failures?  CT 2.2.1
2.3  2.3  Have plans been documented and circulated to key staff?  CT 2.3.1
2.4  2.4  Has responsibility for dealing with a disaster been assigned to a disaster recovery team and are the respective roles and responsibilities of the team recorded?  CT 2.4.1, 2.4.2, 2.4.3
2.5  2.5  Is the disaster recovery plan tested periodically, re-appraised and kept up to date in the light of changes to the risk assessment?  CT 2.5.1, 2.5.2, 2.5.3, 2.5.4
2.6  2.6  Have standby disaster recovery facilities been arranged and are they periodically tested to ensure that they are effective, workable and current?  CT 2.6.1, 2.6.2, 2.6.3, 2.6.4
2.7  2.7  Are disaster recovery procedures considered during the specification of any new computer applications and to safeguard systems under development?  CT 2.7.1, 2.7.2, 2.7.3
Business Continuity Planning: Compliance Tests
ICQ REF CT REF COMPLIANCE TEST WORKING PAPERS
1.1 1.1.1
Assess whether an effective business impact review has been carried out and documented.
1.1.2
Review the conclusions arising from the review and action taken.
1.1.3
Assess the adequacy of the arrangements.
2.1 2.1.1
Ask to see a copy of the disaster plan and evaluate its currency and completeness.
2.1.2
Check that the plan identifies the critical business and IT systems, resources, the interlinkages
of corporate and local processes and systems and logistical aspects fundamental to the
recovery and survival of the business.
2.1.3 Review the emergency arrangements for completeness and comprehensive coverage of
all the emergencies that might occur.
2.1.4
Verify that the plan is documented in sufficient depth to ensure recovery procedures will be
executed correctly and in the right sequence.
2.2 2.2.1
Confirm that contingency plans cater for all eventualities.
2.3 2.3.1
Check that appropriate staff have been issued with a copy of the plan. Confirm that copies of
the plan are held securely at relevant off-site locations.
2.4 2.4.1
Identify responsibilities for contingency planning and roles and responsibilities of all involved.
2.4.2
Interview selected staff to establish their knowledge and understanding of the plan.
2.4.3
Review the emergency procedures in the plan for completeness and comprehensive coverage
of all the emergencies that might occur at the site.
2.5 2.5.1
Obtain a copy of the computer disaster recovery plan.
2.5.2
Review the frequency of testing, the testing process and review the results.
2.5.3
Check that any failures of the plan are acted upon.
2.5.4
Ask staff who is responsible for maintaining the document.
2.6 2.6.1
Check that the installation standby and recovery plans are well documented.
2.6.2
Ask to see a copy of the standby agreement and check that it is reviewed periodically.
2.6.3
Establish the arrangements that exist to keep all parties to a standby agreement informed of
any hardware or software changes which would impact upon the agreement.
2.6.4
Check that standby arrangements are tested from time to time in circumstances as near as
possible to those that would prevail in a real emergency.
2.7 2.7.1
Obtain a copy of the organisation's system development methodology and check whether
disaster recovery should be considered as part of the system specification.
2.7.2
Request details for a recent system development and ask staff about any system recovery
procedures.
2.7.3
Obtain a copy of the disaster recovery plan and check that consideration has been given to test
and development libraries.
Data Protection: Risk Identifier
CONTROL OBJECTIVE / CONTROL RISK / ICQ REF
TRANSACTION RECORDING AND PROCESSING
1  All processing of personal data is notified under the Data Protection Act 1998.
   1.1  Responsibility has been assigned for ensuring that all processing of personal data is notified under the Data Protection Act. Procedures are in place for ensuring that the person responsible is advised of new processing or changes to existing processing and there are procedures in place to ensure the notification entry is kept up to date.  ICQ ref 1.1
   1.2  Where sensitive personal data is being processed, procedures are in place to ensure that the conditions for processing are complied with.  ICQ ref 1.2
2  All registered data controllers comply with the eight data protection principles in relation to the data they hold.
   2.1  All processing of personal data complies with best practice as defined in the eight principles of the Data Protection Act.  ICQ ref 2.1
Data Protection: Internal Control Questionnaire
RISK ID / ICQ CTL REF / CONTROL / ANSWER (Y/N) / COMMENTS / CT
1.1  1.1  Has responsibility been assigned for ensuring that all processing of personal data is notified under the Data Protection Act? Are procedures in place for ensuring that the person responsible is advised of new processing or changes to existing processing and are there procedures in place to ensure the notification entry is kept up to date?  CT 1.1.1
1.2  1.2  Where sensitive personal data is being processed, are procedures in place to ensure that the conditions for processing are complied with?  CT 1.2.1
2.1  2.1  Does all processing of personal data comply with best practice as defined in the eight principles of the Data Protection Act?  CT 2.1.1
Data Protection: Compliance Tests
ICQ REF CT REF COMPLIANCE TEST WORKING PAPERS
1.2 1.2.1
Establish who is responsible for data protection within the organisation and discuss the extent
of their role.
1.2.2
Obtain a copy of a register entry and review it.
1.2.3
Review the arrangements in place for notifying the person or persons responsible for data
protection of:
- processing of personal data which may need to be registered
- changes to existing processing which may require an amendment to the register entry
- sensitive personal data which is being processed.
2.1 2.1.1
Check that there are processes in place to:
- review procedures for collecting personal information to ensure that persons supplying information are clear as to who the information is for, why it is being held and to whom it will be disclosed
- identify personal data held in manual files which could be classified as relevant filing systems and which are subject to the provisions of the 1998 Act
- ensure that systems using personal data have registered all the intended purposes for that data
- ensure that personal data is not used or disclosed in a way that is incompatible with the registered purpose
- review the safeguards in place to ensure that only the minimum amount of personal data required to satisfy a specific purpose is collected
- monitor the forms used for collecting personal information to ensure that they collect only the right amount and type of information
- check that all reasonable steps are taken to ensure that personal data collected by the data controller is accurate
- check that systems reviews include checks to ensure that procedures for data entry do not introduce inaccuracies into personal data, and that the system itself does not introduce inaccuracies into personal data
- check that installed procedures ensure that personal data is kept up to date where not to do so might cause damage or distress to the individual
- check that guidance on the accepted 'life' of personal data is provided to all data controllers and is regularly reviewed and updated
- check that arrangements are in place, for all systems registered under the Data Protection Act, to produce all the information held about an individual in a format that can be easily read and understood
- review the process for assessing the risk of damage or distress to individuals from a breach of security to determine appropriate security measures
- check that all staff are aware of their responsibilities with regard to the security of personal data
- check that all security breaches are investigated and remedied
- check that disciplinary procedures take account of the requirements of the Data Protection Act and are enforced
- check that printed output containing personal data is stored and disposed of securely.
Project Management: Risk Identifier
CONTROL OBJECTIVE / CONTROL RISK / ICQ REF
TRANSACTION RECORDING AND PROCESSING
1  All proposed projects comply with the IS/IT and business strategies.
   1.1  Projects comply with the IS/IT strategy and respond to business needs.  ICQ ref 1.1
   1.2  Project development standards and policies have been defined and adopted.  ICQ ref 1.2
2  Ownership and management of the project are clearly defined.
   2.1  An IS/IT strategy team reviews and approves projects.  ICQ ref 2.1
   2.2  A project management team is appointed.  ICQ ref 2.2
   2.3  A project manager is appointed for each project.  ICQ ref 2.3
3  A business case and project plan are prepared.
   3.1  A business case is compiled by the budget holder/user and reflects all direct and indirect costs and benefits.  ICQ ref 3.1
   3.2  A comprehensive feasibility study is prepared for approval.  ICQ ref 3.2
   3.3  A project plan is agreed by the budget holder/user and developer/provider.  ICQ ref 3.3
   3.4  Structured procedures exist for small-scale projects.  ICQ ref 3.4
   3.5  Financial control is exercised throughout the project.  ICQ ref 3.5
   3.6  The project has appropriate approval to proceed.  ICQ ref 3.6
4  Design, development, testing and implementation phases are clearly defined.
   4.1  The selection of the developer/provider complies with sound tendering practice.  ICQ ref 4.1
   4.2  A contract/SLA is agreed between the budget holder and developer/provider.  ICQ ref 4.2
   4.3  All legal obligations are known to all parties and are complied with.  ICQ ref 4.3
   4.4  Project design reflects the optimum use of available technology and techniques and security and control considerations.  ICQ ref 4.4
   4.5  Installation, testing and acceptance are agreed by the user and provider.  ICQ ref 4.5
   4.6  Documentation is developed to the agreed standard and delivered within the agreed timescale.  ICQ ref 4.6
   4.7  Staff are properly trained in the system.  ICQ ref 4.7
5  A post-implementation review is planned and undertaken.
   5.1  A post-implementation review is undertaken within an agreed period.  ICQ ref 5.1
Project Management: Internal Control Questionnaire
RISK ID / ICQ CTL REF / CONTROL / ANSWER (Y/N) / COMMENTS / CT
1.1  1.1  Do projects comply with the IS/IT strategy and respond to business needs?  CT 1.1.1, 1.1.2
1.2  1.2  Have project development standards and policies been defined and adopted?  CT 1.2.1, 1.2.2
2.1  2.1  Does an IS/IT strategy team review and approve projects?  CT 2.1.1, 2.1.2
2.2  2.2  Is a project management team appointed?  CT 2.2.1, 2.2.2
2.3  2.3  Is a project manager appointed for each project?  CT 2.3.1, 2.3.2, 2.3.3
3.1  3.1  Is there a business case compiled by the budget holder/user and does it reflect all direct and indirect costs and benefits?  CT 3.1.1, 3.1.2, 3.1.3
3.2  3.2  Is a comprehensive feasibility study prepared for approval?  CT 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8
3.3  3.3  Is a project plan agreed by the budget holder/user and developer/provider?  CT 3.3.1, 3.3.2, 3.3.3
3.4  3.4  Do structured procedures exist for small-scale projects?  CT 3.4.1, 3.4.2, 3.4.3
3.5  3.5  Is financial control exercised throughout the project?  CT 3.5.1, 3.5.2
3.6  3.6  Has the project appropriate approval to proceed?  CT 3.6.1, 3.6.2, 3.6.3
4.1  4.1  Does the selection of the developer/provider comply with sound tendering practice?  CT 4.1.1
4.2  4.2  Is a contract/SLA agreed between the budget holder and developer/provider?  CT 4.2.1
4.3  4.3  Are all legal obligations known to and complied with by all parties?  CT 4.3.1
4.4  4.4  Does project design reflect the optimum use of available technology and techniques and security and control considerations?  CT 4.4.1, 4.4.2, 4.4.3, 4.4.4
4.5  4.5  Are installation, testing and acceptance agreed by the user and provider?  CT 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5
4.6  4.6  Is documentation developed to the agreed standard and delivered within the agreed timescale?  CT 4.6.1, 4.6.2, 4.6.3
4.7  4.7  Are staff properly trained in the system?  CT 4.7.1, 4.7.2, 4.7.3
5.1  5.1  Is a post-implementation review undertaken within an agreed period?  CT 5.1.1
Project Management: Compliance Tests
ICQ REF CT REF COMPLIANCE TEST WORKING PAPERS
1.1 1.1.1
Test a selection of recently developed systems against the IS/IT strategy; if any appear not to
comply, ask for an explanation.
1.1.2
Test a selection of projects under development against the IS/IT strategy; and if any appear not
to comply, ask for an explanation.
1.2 1.2.1
Establish whether PRINCE2 or a similar defined project management methodology has been
adopted by the organisation.
1.2.2
Where project development standards and procedures have not been defined, ask how project
management is controlled and reviewed.
2.1 2.1.1
Enquire whether a corporate IT strategy group reviews significant project proposals and, if so,
review the process for a recent bid.
2.1.2 Enquire whether departmental IT strategy groups review significant project proposals
within their own departments and, if so, review the process for a recent bid.
2.2 2.2.1
Ask whether project management teams are created and identify their responsibilities.
2.2.2
Select a particular project and identify the activities of the team and their management of the
project.
2.3 2.3.1
Check whether a project manager is appointed for significant projects.
2.3.2
Identify a current project and discuss the project manager's approach to the project.
2.3.3
Assess whether the project manager has the necessary skills.
3.1 3.1.1
Ask for a copy of a recently completed project's business case and assess whether it provided
sufficient information on which to base a decision to proceed or not.
3.1.2
Check whether the milestones appear viable.
3.1.3
Determine whether control and auditability issues have been considered.
3.2 3.2.1
Determine whether there are formal procedures for preparing a feasibility study.
3.2.2
Determine who has responsibility for the preparation of such studies.
3.2.3
Ask for a copy of a recently completed project's feasibility study and assess whether it provided
sufficient information on which to base a decision to proceed or not.
3.2.4
Ask for a copy of a current project's feasibility study and assess whether it provides sufficient
information on which to base a decision to proceed or not.
3.2.5
Determine whether the study includes all relevant subject areas.
3.2.6
Check whether the milestones appear viable.
3.2.7
Determine whether control and auditability issues have been considered.
3.2.8
Identify whether decisions are taken on the way forward as a consequence of the feasibility
study.
3.3 3.3.1
Check that the project plan includes clearly defined milestones and that the project manager
uses a sound process for tracing progress against these milestones.
3.3.2
Check that appropriate implementation plans have been drawn up.
3.3.3
Review the methods used to estimate the time and resources required to complete tasks.
3.4 3.4.1
Establish what procedures are followed by user departments for small-scale acquisitions.
3.4.2
Determine whether there are adequate procedures to ensure that all equipment is compatible
and conforms to the IT strategy.
3.4.3
Determine whether the user has provided a specification of requirements, that the tendering
and selection procedures are adequate, and that adequate maintenance and insurance cover
is arranged.
3.5 3.5.1
Check that the project plan includes budgetary milestones and that these are monitored by the
project manager.
3.5.2
Enquire what process is adopted if the costs exceed the budget.
3.6 3.6.1
Determine whether formal approval has been given to proceed with the acquisition.
3.6.2
Check that approvals are sought, where necessary, in accordance with the organisation's
policy.
3.6.3
Check that those giving approval have the required level of authority.
4.1 4.1.1
Refer to the guidance in Chapter 21, Procurement of IT Facilities, and check that the selection
and tendering procedures follow good practice.
4.2 4.2.1
Refer to Chapter 23, Outsourcing, and Chapter 21, Procurement of IT Facilities, for information
on SLAs and IT contracts and check that all business-critical projects have such arrangements
effectively in place.
4.3 4.3.1
Check that the project manager is aware of any legal obligations relating to the acquisition and
use of IT facilities.
4.4 4.4.1
Check that the functional specification:
- adequately reflects and defines user requirements
- includes requirements for security and controls
- has been agreed and accepted by all parties concerned.
4.4.2
Check the specification and other documentation to see that:
- all objectives have been stated and quantified
- the specification conforms to standards
- all agreements are evidenced in writing.
4.4.3
Examine the technical design documents and verify that:
- the design specification complies with IT standards
- the design specification reflects the user requirements and that all changes have been agreed and documented
- all technical controls governing file and data organisation have been defined
- all security controls over input, processing and output have been included.
4.4.4
Check that externally acquired software will meet the requirements of the user; also check the
operational requirements of the IT facilities and that the package provides satisfactory security
and control features.
4.5 4.5.1
Check the extent of the test plan including interfaces, restarts, re-runs, and back-ups.
4.5.2
See evidence that all the tests have been satisfactorily completed and conducted in
accordance with established standards.
4.5.3
Check that manual procedures are tested.
4.5.4
Establish that users are aware of the significance of controls, their control responsibilities and
the requisite error correction procedures.
4.5.5
Ensure that the recovery and back-up procedures have been adequately tested.
4.6 4.6.1
Check that documentation is identified within the project plan and that it is completed on time
and to the agreed standard.
4.6.2
Ensure that the user guides are clear, unambiguous and easy to understand.
4.6.3
Check that there are procedures for ensuring that the documentation is monitored and
improved.
4.7 4.7.1
Check that training requirements have been identified, and a training plan established.
4.7.2
Ask whether a system has been established to review the effectiveness of training.
4.7.3
Interview a sample of users and obtain their opinion on the effectiveness of the training
received.
5.1 5.1.1
Refer to Chapter 18, Post-Implementation Review, and Chapter 17, Change Control.
Application Controls: Risk Identifier
CONTROL OBJECTIVE / CONTROL RISK / ICQ REF
TRANSACTION RECORDING AND PROCESSING
1  Each transaction is authorised, complete, accurate, timely and once only.
   1.1  Transactions are from recognised input sources.  ICQ ref 1.1
   1.2  Control is established over transactions at the earliest opportunity.  ICQ ref 1.2
   1.3  Transactions are explicitly authorised by either manual or electronic means.  ICQ ref 1.3
   1.4  Proper control is exercised over access to application systems.  ICQ ref 1.4
   1.5  Input and authorisation functions are restricted and separated.  ICQ ref 1.5
   1.6  Input of parameters for processing and other standing data is strictly controlled.  ICQ ref 1.6
   1.7  Data is subject to validation for completeness and accuracy at input stage.  ICQ ref 1.7
   1.8  There are clear procedures for data items rejected on input.  ICQ ref 1.8
   1.9  Clear timetables for input exist and are adhered to.  ICQ ref 1.9
   1.10  Checks are made to detect possible duplicate input records.  ICQ ref 1.10
2  An appropriate level of control is maintained during processing to ensure completeness and accuracy of data.
   2.1  A clear processing schedule exists and is understood by users and operations staff.  ICQ ref 2.1
   2.2  All data, including that transferred from other systems, is subject to appropriate validation during processing.  ICQ ref 2.2
   2.3  Data is processed by the correct programs and written to the correct files.  ICQ ref 2.3
   2.4  Programs provide confirmation that processing has been completed successfully, or recovery and resubmission procedures exist to deal with abnormal terminations.  ICQ ref 2.4
   2.5  Assurance is provided that all records have been processed.  ICQ ref 2.5
   2.6  Procedures exist for handling records rejected by application programs.  ICQ ref 2.6
3  Controls ensure the accuracy, completeness, confidentiality and timeliness of output reports and interfaces.
   3.1  Staff responsible for handling output carry out checks to ensure its completeness and reasonableness.  ICQ ref 3.1
   3.2  Output is identified and includes information that demonstrates completeness.  ICQ ref 3.2
   3.3  Distribution of output procedures ensure that it goes to the correct location/users and that confidentiality is maintained.  ICQ ref 3.3
   3.4  The usefulness of output is kept under review.  ICQ ref 3.4
   3.5  Confidential output is disposed of securely.  ICQ ref 3.5
4  A complete audit trail is maintained which allows an item to be traced from input through to its final resting place, and a final result broken down into its constituent parts.
   4.1  Unique source information is retained for all transactions.  ICQ ref 4.1
   4.2  Input documents and output reports are filed in such a way as to facilitate tracing transactions through the system.  ICQ ref 4.2
   4.3  Totals on control reports can be broken down into the transactions that form the totals.  ICQ ref 4.3
   4.4  When records are posted from one financial system to another, those input to the second are agreed with those output by the first.  ICQ ref 4.4
   4.5  Records rejected when transferred between systems can be identified and investigated.  ICQ ref 4.5
   4.6  The users responsible for input, amendment or deletion of transactions are recorded within the system.  ICQ ref 4.6
   4.7  Where audit trail reports are provided, they are complete and journals indicate if and when trail mechanisms are switched off.  ICQ ref 4.7
5  Arrangements exist for creating back-up copies of data and programs, storing and retaining them securely, and recovering applications in the event of failure.
   5.1  Files are backed up at intervals during processing to allow recovery of jobs.  ICQ ref 5.1
   5.2  Database integrity checks are run periodically and back-up copies of the database are retained from one check to the next.  ICQ ref 5.2
   5.3  Operators' and users' instructions clearly state the procedures to follow in the event of an application failing during processing.  ICQ ref 5.3
Application Controls: Internal Control Questionnaire
RISK ID / ICQ CTL REF / CONTROL / ANSWER (Y/N) / COMMENTS / CT
1.1  1.1  Are transactions from recognised sources?  CT 1.1.1, 1.1.2, 1.1.3
1.2  1.2  Is control established over transactions at the earliest opportunity?  CT 1.2.1
1.3  1.3  Are transactions explicitly authorised by either manual or electronic means?  CT 1.3.1, 1.3.2
1.4  1.4  Are password controls effective in restricting access?  CT 1.4.1
1.5  1.5  Are input and authorisation functions restricted and separated?  CT 1.5.1
1.6  1.6  Is input of parameters for processing and other standing data strictly controlled?  CT 1.6.1, 1.6.2, 1.6.3, 1.6.4
1.7  1.7  Is data subject to validation for completeness and accuracy at input stage?  CT 1.7.1, 1.7.2, 1.7.3
1.8  1.8  Are there clear procedures for data items rejected on input?  CT 1.8.1, 1.8.2, 1.8.3
1.9  1.9  Do clear timetables exist for input and are they adhered to?  CT 1.9.1, 1.9.2
1.10  1.10  Are checks made to detect possible duplicate input records?  CT 1.10.1, 1.10.2
2.1  2.1  Does a clear processing schedule exist and is it understood by users and operations staff?  CT 2.1.1, 2.1.2
2.2  2.2  Is all data, including that transferred from other systems, subject to appropriate validation during processing?  CT 2.2.1
2.3  2.3  Is data processed by the correct programs and written to the correct files?  CT 2.3.1, 2.3.2, 2.3.3
2.4  2.4  Do programs provide confirmation that processing has been completed successfully, or do recovery and resubmission procedures exist to deal with abnormal terminations?  CT 2.4.1
2.5  2.5  Is assurance provided that all records have been processed?  CT 2.5.1, 2.5.2
2.6  2.6  Do procedures exist for handling records rejected by application programs?  CT 2.6.1
3.1  3.1  Are staff responsible for handling output carrying out checks to ensure its completeness and reasonableness?  CT 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5
3.2  3.2  Is output identified and does it include information that demonstrates completeness?  CT 3.2.1
3.3  3.3  Do distribution of output procedures ensure that it goes to the correct location/users and that confidentiality is maintained?  CT 3.3.1, 3.3.2, 3.3.3
3.4  3.4  Is the usefulness of output kept under review?  CT 3.4.1
3.5  3.5  Is confidential output disposed of securely?  CT 3.5.1, 3.5.2
4.1  4.1  Is unique source information retained for all transactions?  CT 4.1.1, 4.1.2
4.2  4.2  Are input documents and output reports filed in such a way as to facilitate tracing transactions through the system?  CT 4.2.1
4.3  4.3  Can totals on control reports be broken down into the transactions that form the totals?  CT 4.3.1
4.4  4.4  When records are posted from one financial system to another, are those input to the second agreed with those output by the first?  CT 4.4.1, 4.4.2
4.5  4.5  When records are rejected when transferred between systems, can they be identified and investigated?  CT 4.5.1
4.6  4.6  Are the users responsible for input, amendment or deletion of transactions recorded within the system?  CT 4.6.1
4.7  4.7  Where audit trail reports are provided, are they complete, and do journals indicate if and when trail mechanisms are switched off?  CT 4.7.1
5.1  5.1  Are files backed up at intervals during processing to allow recovery of jobs?  CT 5.1.1
5.2  5.2  Are database integrity checks run periodically and are back-up copies of the database retained from one check to the next?  CT 5.2.1, 5.2.2
5.3  5.3  Do operators' and users' instructions clearly state the procedures to follow in the event of an application failing during processing?  CT 5.3.1, 5.3.2
Application Controls: Compliance Tests
ICQ REF CT REF COMPLIANCE TEST WORKING PAPERS
1.1 1.1.1
Whatever the input medium, ascertain the audit trail for documents prior to input to an
application.
1.1.2
Seek information on and consider appropriateness of any scheme of unique source identifiers.
1.1.3
Follow through a sample of documents to check that controls ensure that input is only accepted
from recognised sources.
1.2 1.2.1
For each application, ascertain controls enforced over input and the extent to which they are
designed to prevent or detect unauthorised, inaccurate or duplicate input. Test check a sample
of input documents or batches to ensure that these controls are effective.
1.3 1.3.1
For each application, ascertain the means of authorising input bearing in mind the above points
and test to ensure that it is imposed on all documents. Where such authorisation is electronic,
observe it in practice and consider the access level framework.
1.3.2
Ask whether a record is maintained of authorised signatories for each system for authorisation
of processing.
1.5 1.5.1
Ascertain:
- how access controls are set up within the application, and whether the person responsible is able to obtain access to input and authorisation transactions
- whether the access hierarchy in existence reflects responsibilities and desired separation of duties
- whether high-level access automatically allows access to transactions at a lower level, and if so, whether this compromises separation of duties
- whether all controls over access to the application can be overridden by access to data and programs via the operating system
- where authorisation is a manual process, consider the appropriateness of segregation of duties and seek evidence that controls are adhered to.
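Test 1.5.1 asks in particular whether an access hierarchy lets a high-level user inherit lower-level transactions and so end up holding both the input and the authorisation of the same transaction type. The Python script below is an added example, not part of this manual or of any tool it refers to: it resolves role inheritance into each user's effective permissions and lists the transaction types on which one person holds a conflicting pair of actions. The roles, users and transaction codes are constructed for illustration.

```python
"""Separation-of-duties check over an application's access hierarchy.

Added example, not part of the audit manual. All roles, users and
transaction codes below are constructed for illustration.
"""
from collections import defaultdict

# Constructed role hierarchy: each role inherits every permission of the roles
# listed against it. This models an access level that "automatically allows
# access to transactions at a lower level".
ROLE_PARENTS = {
    "clerk": [],
    "supervisor": ["clerk"],
    "manager": ["supervisor"],
    "payments_approver": [],
}

# Constructed permissions granted directly to each role: (transaction, action).
ROLE_PERMS = {
    "clerk": {("invoice", "input"), ("payment", "input")},
    "supervisor": {("invoice", "authorise")},
    "manager": {("payment", "authorise"), ("standing_data", "amend")},
    "payments_approver": {("payment", "authorise")},
}

# Constructed user-to-role assignments, as extracted from the application.
USER_ROLES = {
    "alice": {"clerk"},
    "bob": {"supervisor"},                    # inherits clerk
    "carol": {"manager"},                     # inherits supervisor and clerk
    "dave": {"clerk", "payments_approver"},   # two directly assigned roles
}

# Action pairs that one person must not hold on the same transaction type.
CONFLICTING_ACTIONS = {("input", "authorise")}


def effective_permissions(role, role_parents, role_perms):
    """Return a role's full permission set, following the inheritance chain."""
    seen, stack, perms = set(), [role], set()
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        perms |= role_perms.get(current, set())
        stack.extend(role_parents.get(current, []))
    return perms


def sod_conflicts(user_roles=USER_ROLES, role_parents=ROLE_PARENTS,
                  role_perms=ROLE_PERMS, conflicts=CONFLICTING_ACTIONS):
    """Map each user to the transaction types on which they hold a conflicting
    pair of actions, with inherited permissions taken into account."""
    findings = {}
    for user, roles in user_roles.items():
        perms = set()
        for role in roles:
            perms |= effective_permissions(role, role_parents, role_perms)
        actions_by_txn = defaultdict(set)
        for txn, action in perms:
            actions_by_txn[txn].add(action)
        clashing = sorted(txn for txn, actions in actions_by_txn.items()
                          if any({a, b} <= actions for a, b in conflicts))
        if clashing:
            findings[user] = clashing
    return findings


def without_inheritance(role_parents):
    """The same roles with inheritance switched off, to isolate its effect."""
    return {role: [] for role in role_parents}


if __name__ == "__main__":
    print("with inheritance:   ", sod_conflicts())
    print("without inheritance:",
          sod_conflicts(role_parents=without_inheritance(ROLE_PARENTS)))
```

Run against the constructed data, bob and carol are flagged only because of inheritance, while dave's conflict comes from two directly assigned roles and survives when inheritance is switched off. That is the distinction the test draws between a weakness in the hierarchy itself and a weakness in individual assignments; the second comparison is what an auditor would use to decide which of the two to report.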
1.6 1.6.1
Check that the level of access control over system parameters and standing data is in line with
the critical nature of these records.
1.6.2
Examine the facility to report changes to standing data and confirm regular reviews of reports.
1.6.3
Check the correctness of values and, if possible, find out when these values were last changed
and whether a change might have been expected at that time.
1.6.4
Review the arrangements for monitoring changes to standing data, including production and
review of post-input reports.
1.7 1.7.1
Establish if key fields are verified, what the criteria are and who ensures that this is carried out. Find out if there are documented procedures.
1.7.2 Ascertain from user manuals and any other sources what validation checks are imposed on input and consider whether these are likely to ensure the completeness and accuracy of data. Ask staff whether this information is clear enough for them to know what data is required on online input screens, whether they have been trained in their job, and whether it is checked.
1.7.3 Examine input screens on a workstation and consider whether they are clear and easy to use, with help screens available if required.
ICQ 1.8
1.8.1 Ascertain how rejections are treated and reported. Follow through a sample of rejected records to ensure that they are amended and successfully re-input.
1.8.2 Where errors are placed in a suspense file, examine reports listing the records in the file and consider whether the time taken to clear them causes an undue delay to processing. (Retrieval software might be used to list records in suspense and sort them by age.)
1.8.3 Ensure that users authorising exceptions to be processed do not have input access.
ICQ 1.9
1.9.1 Ascertain who is responsible for authorising the processing of jobs and what procedures are in place. Are they reviewed on a regular basis?
1.9.2 Find out whether there are timetables for the input of data (where this is necessary) and whether users are aware of them and adhere to them.
ICQ 1.10
1.10.1 Ascertain what checks for duplicate input are carried out by the application itself, and the extent to which the results of these checks are reported and followed up. Follow through a sample of reported records to find out the action taken and the reason for the duplicates arising.
1.10.2 If necessary, use retrieval software to carry out independent checks for duplicate input and follow up the results.
ICQ 2.1
2.1.1 Ask who is responsible for job scheduling. Is it a manual process or has it been automated? What are the procedures for scheduling jobs? Are they up to date and reviewed on a regular basis?
2.1.2 From the application systems documentation (supplier's operations manual or similar), ascertain the recommended sequence for running processing jobs. Compare this with the operators' schedules, or jobs set up within scheduling software, to check whether processing is following the recommended sequence. Find out the reasons for any divergences. Compare, also, with job journals or system logs to ensure that scheduled jobs are being run and are being completed successfully.
ICQ 2.2
2.2.1 Ascertain the checks carried out on data during processing and the reports produced. Follow up a sample of reports and find out the reasons for any abnormal messages or failure to process all data. Ascertain how transfer/interface interruptions are managed; whether transfer starts again or starts where it left off.
ICQ 2.3
2.3.1 Compare job journals with system documentation and operations manuals to check that programs and files used are those stated in the latter.
2.3.2 Ensure that control reports are produced and checked for correctness of files used.
2.3.3 Consider the effect of user-determined parameters and support by external suppliers.
ICQ 2.4
2.4.1 Examine job journals and system logs for explicit evidence that programs have been completed successfully, or if they have failed, that a clear error message is provided. In the latter case, check for evidence that failed jobs are subsequently re-run and completed successfully and have not resulted in incomplete or duplicate processing.
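Tests 2.1.2 and 2.4.1 both come down to reading a job journal against the supplier's recommended run sequence: were all the scheduled jobs run, in the right order, did each one end successfully, and where a job failed, was it re-run once and only once? The following script is an added example written for this page, not part of the checklist; it stands in for the "retrieval software" the tests mention. The journal format, job names (PAY010 to PAY060) and messages are constructed for the example and are not taken from any real scheduler, and the recommended sequence is a hypothetical list of the kind an operations manual would give.

```python
import re
from collections import defaultdict

# Constructed sample job journal; format, job names and messages are invented
# for this example and do not come from any real scheduler.
JOURNAL = """\
2024-03-01 18:00:05 JOB=PAY010 STATUS=START
2024-03-01 18:04:40 JOB=PAY010 STATUS=END RC=0
2024-03-01 18:05:00 JOB=PAY020 STATUS=START
2024-03-01 18:09:12 JOB=PAY020 STATUS=ABEND RC=12 MSG="input file PAYTRAN not found"
2024-03-01 18:30:00 JOB=PAY020 STATUS=START
2024-03-01 18:34:55 JOB=PAY020 STATUS=END RC=0
2024-03-01 18:35:00 JOB=PAY040 STATUS=START
2024-03-01 18:40:00 JOB=PAY040 STATUS=END RC=0
2024-03-01 18:41:00 JOB=PAY030 STATUS=START
2024-03-01 18:45:00 JOB=PAY030 STATUS=END RC=0
2024-03-01 18:46:00 JOB=PAY040 STATUS=START
2024-03-01 18:50:00 JOB=PAY040 STATUS=END RC=0
2024-03-01 18:51:00 JOB=PAY060 STATUS=START
2024-03-01 18:52:00 JOB=PAY060 STATUS=ABEND RC=8 MSG="control total mismatch"
"""

# Recommended run sequence, as it would be taken from the supplier's operations
# manual (hypothetical job names).
RECOMMENDED = ["PAY010", "PAY020", "PAY030", "PAY040", "PAY050", "PAY060"]

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) JOB=(?P<job>\S+) STATUS=(?P<status>\S+)'
    r'(?: RC=(?P<rc>\d+))?(?: MSG="(?P<msg>[^"]*)")?$'
)


def parse_journal(text):
    """Turn journal lines into dicts; refuse to guess at lines that do not parse."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable journal line: {line!r}")
        ev = m.groupdict()
        ev["rc"] = int(ev["rc"]) if ev["rc"] is not None else None
        events.append(ev)
    return events


def review_job_journal(journal_text, recommended):
    """Compare what the journal says ran against the recommended sequence."""
    outcomes = defaultdict(list)   # job -> terminating events as (succeeded, message)
    completions = []               # jobs in the order they completed with RC=0
    for ev in parse_journal(journal_text):
        if ev["status"] == "START":
            continue
        ok = ev["status"] == "END" and ev["rc"] == 0
        outcomes[ev["job"]].append((ok, ev["msg"]))
        if ok:
            completions.append(ev["job"])

    findings = {"missing": [], "duplicate_completions": [], "failed_not_recovered": [],
                "failed_then_recovered": [], "out_of_sequence": [], "unexpected_jobs": []}
    for job in recommended:
        good = [o for o in outcomes.get(job, []) if o[0]]
        bad = [o for o in outcomes.get(job, []) if not o[0]]
        if not good and not bad:
            findings["missing"].append(job)                  # scheduled but never run
        elif not good:
            findings["failed_not_recovered"].append((job, bad[-1][1]))  # test 2.4.1
        else:
            if len(good) > 1:                                # possible duplicate processing
                findings["duplicate_completions"].append((job, len(good)))
            if bad:                                          # failed, then re-run successfully
                findings["failed_then_recovered"].append((job, bad[-1][1]))
    findings["unexpected_jobs"] = sorted(set(outcomes) - set(recommended))

    # Sequence check (test 2.1.2) on the first successful completion of each job:
    # report any job that completed before a job the manual says should precede it.
    first_done = []
    for job in completions:
        if job not in first_done:
            first_done.append(job)
    position = {job: i for i, job in enumerate(first_done)}
    for job in first_done:
        if job not in recommended:
            continue
        for pred in recommended[:recommended.index(job)]:
            if pred in position and position[pred] > position[job]:
                findings["out_of_sequence"].append((job, pred))
    return findings


if __name__ == "__main__":
    for kind, items in review_job_journal(JOURNAL, RECOMMENDED).items():
        print(f"{kind}: {items}")
```

On the constructed journal the script reports PAY050 as never run, PAY040 as completed twice (a candidate for duplicate processing), PAY060 as failed with no successful re-run, PAY020 as failed and then recovered, and PAY040 as completed ahead of PAY030. Each of those is a finding to take back to the operators with the journal extract as the working paper; the script does not decide whether a divergence was justified, it only makes the divergences visible.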
ICQ 2.5
2.5.1 Identify the control totals and other checks provided during processing to ensure completeness. Follow through a sample of control reports to ensure that totals carried forward at the end of one run equal those brought forward at the start of the next. Investigate any discrepancies or other errors or warnings on control reports.
2.5.2 Use retrieval software to verify control totals by producing independent totals of the relevant records.
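Tests 1.10.2 and 2.5.2 are the two places above where the auditor is told to use retrieval software rather than rely on the application's own reports. The script below is an added example for this page, not part of the checklist, showing both checks over one constructed data file: an independent duplicate search on the business key (supplier and invoice number, ignoring the record id the application assigned), and independent per-run record counts and amount totals compared with a constructed control report, including the run-to-run check that carried forward equals brought forward. The CSV layouts, column names and values are invented for the example.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample input file (not taken from any real system).
INPUT_FILE = """\
run,rec_id,supplier,invoice,amount
R1,1001,S100,INV-7781,250.00
R1,1002,S205,INV-0042,1200.00
R1,1003,S100,INV-7781,250.00
R2,1004,S311,INV-9910,75.50
R2,1005,S205,INV-0043,1200.00
R3,1006,S205,INV-0043,1200.00
R3,1007,S412,INV-0100,99.99
"""

# Constructed control report of the kind the application prints at the end of each run.
CONTROL_REPORT = """\
run,brought_forward,records,run_total,carried_forward
R1,0.00,3,1700.00,1700.00
R2,1700.00,2,1275.50,2975.50
R3,2900.00,1,99.99,2999.99
"""


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_duplicates(records, key_fields=("supplier", "invoice")):
    """Test 1.10.2: group on the business key; any key seen more than once is
    suspected duplicate input, whatever record id the application gave it."""
    seen = defaultdict(list)
    for r in records:
        seen[tuple(r[f] for f in key_fields)].append(r["rec_id"])
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


def independent_totals(records):
    """Test 2.5.2: recompute record count and amount total per run from the data itself."""
    totals = {}
    for r in records:
        count, amount = totals.get(r["run"], (0, Decimal("0")))
        totals[r["run"]] = (count + 1, amount + Decimal(r["amount"]))
    return totals


def verify_control_report(control_rows, records):
    """Test 2.5.1/2.5.2: check the report's own arithmetic, the carry-forward chain
    between runs, and the reported totals against the independent totals."""
    findings = []
    actual = independent_totals(records)
    prev_cf = None
    for row in control_rows:                       # rows are assumed to be in run order
        run = row["run"]
        bf = Decimal(row["brought_forward"])
        total = Decimal(row["run_total"])
        cf = Decimal(row["carried_forward"])
        reported_count = int(row["records"])
        if prev_cf is not None and bf != prev_cf:
            findings.append(("CARRY_FORWARD_BREAK", run, str(prev_cf), str(bf)))
        if bf + total != cf:
            findings.append(("REPORT_ARITHMETIC", run, str(bf + total), str(cf)))
        count, amount = actual.get(run, (0, Decimal("0")))
        if (count, amount) != (reported_count, total):
            findings.append(("TOTAL_MISMATCH", run,
                             (reported_count, str(total)), (count, str(amount))))
        prev_cf = cf
    for run in sorted(set(actual) - {row["run"] for row in control_rows}):
        findings.append(("RUN_NOT_REPORTED", run))
    return findings


if __name__ == "__main__":
    recs = load_csv(INPUT_FILE)
    print("suspected duplicates:", find_duplicates(recs))
    for finding in verify_control_report(load_csv(CONTROL_REPORT), recs):
        print("control report finding:", finding)
```

Amounts are handled as Decimal rather than float so that totals agree to the penny with the application's figures. On the constructed data the duplicate search flags INV-7781 (input twice in run R1) and INV-0043 (input in R2 and again in R3), and the control report check finds that run R3 brought forward 2900.00 where R2 carried forward 2975.50, and that R3 reports one record for 99.99 while the file holds two records totalling 1299.99. Each finding names the run and both figures so that it can go straight onto the working paper for follow-up.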
ICQ 3.1
3.1.1 Review any records that are maintained to control output distribution and check that they seem comprehensive and are sufficient to identify who has received authorised output.
3.1.2 Ask whether there are special procedures for controlled stationery, eg cheques.
3.1.3 Conversations with staff should indicate whether output controls are regarded as important, and evidence should also be found in up-to-date notices and instructions to staff.
3.1.4 Observe storage arrangements for output and check that physical access is controlled.
3.1.5 Find out what information is available that might indicate that output is complete and reasonable, including canvassing users of the information (where it is hard copy or stored) for their views on completeness, reasonableness and timeliness. See if it is actually used for this purpose and test check a sample of reports.
ICQ 3.2
3.2.1 Examine reports for the above information and consider whether it is sufficient to indicate completeness and uniquely identify the report.
ICQ 3.3
3.3.1 Ascertain and observe arrangements for distributing output and consider whether full precautions are taken when handling valuable or confidential output.
3.3.2 Check any viewing software to ensure appropriate viewing profiles are set up.
3.3.3 Ascertain whether guidance exists for users of smaller local systems on maintaining confidentiality of output.
ICQ 3.4
3.4.1 Review the output from an application and ask users what purpose each report serves. Assess the extent to which output is determined by users. Pay particular attention to:
- bulky printouts, and consider whether they are needed in full, eg whether summary information is all that is used, while details could be suppressed
- regular reports that could be produced only when required
- paper output that is keyed into a spreadsheet, and could be downloaded direct to the PC
- ensuring that all appropriate reports are enabled within packaged systems.
ICQ 3.5
3.5.1 Find out whether retention and disposal of confidential output is included in IT security guidelines and user instructions for specific applications. Assess the appropriateness of this guidance.
3.5.2 Review procedures for disposing of confidential output, whether it is held on paper or other media.
ICQ 4.1
4.1.1 Examine listings of input records to see what identifiers are used for the origin of each record and consider whether these provide unique and sufficient information for each. If the information does not appear to be adequate, examine the appropriate record definitions to see if further fields are held on the file but not printed. The audit trail might then be followed by use of retrieval software.
4.1.2 Establish how the listings/trails are used and consider whether they are reviewed sufficiently regularly.
ICQ 4.2
4.2.1 Attempt to trace input documents to data held on computer files, and records on output reports to original documents. Use retrieval software if necessary.
ICQ 4.3
4.3.1 Review the output from an application and find out whether listings are produced or can be generated which substantiate reported control totals. If there are none, consider the use of retrieval software to extract the necessary records, though if this is necessary, it is clear that the auditor must conclude that controls are not operating effectively.
ICQ 4.4
4.4.1 Follow up and agree reconciliations between financial systems. Where none has been carried out, attempt them using standard reports or retrieval software if necessary.
4.4.2 Examine the extent to which such reconciliations are or could be automated and whether error reports or rejections are generated as a result.
ICQ 4.5
4.5.1 Walk through the interfacing procedures between systems to establish the effect of rejections on both the sending and the receiving systems.
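Tests 4.4.1, 4.4.2 and 4.5.1 together describe a reconciliation across an interface: what the sending system put on the interface, less what the interface rejected, should equal what the receiving system posted, and the effect of each rejection must be visible on both sides. The script below is an added example for this page, not part of the checklist, of the reconciliation an auditor would attempt with retrieval software where none has been done. The three inputs (a sending-system extract, a receiving-system posting journal and a rejection report) and all references and amounts are constructed for the example; the point it adds to the text is the final check that the arithmetic difference between the systems is fully explained by named records, so that nothing is left as an unexplained balancing figure.

```python
from decimal import Decimal

# Constructed data for this example; references and amounts are invented.
# Interface extract from the sending system (reference, amount):
SENT = [("T001", "500.00"), ("T002", "120.25"), ("T003", "80.00"),
        ("T004", "999.99"), ("T005", "45.00")]
# Posting journal from the receiving system (reference, amount):
RECEIVED = [("T001", "500.00"), ("T002", "120.25"), ("T004", "999.90"), ("T006", "10.00")]
# Interface rejection report (reference, reason):
REJECTED = [("T003", "invalid cost centre")]


def reconcile(sent, received, rejected):
    """Reconcile two systems across an interface: sent less rejected should equal
    received, and every penny of any difference should trace to a named record."""
    sent_d = {ref: Decimal(amt) for ref, amt in sent}
    recv_d = {ref: Decimal(amt) for ref, amt in received}
    rej_d = dict(rejected)
    zero = Decimal("0")
    r = {
        "sent_total": sum(sent_d.values(), zero),
        "received_total": sum(recv_d.values(), zero),
        # rejections are valued at the amount the sender put on the interface
        "rejected_total": sum((sent_d[ref] for ref in rej_d if ref in sent_d), zero),
        "rejected": sorted(rej_d.items()),
        "amount_mismatch": [],      # posted, but not at the amount sent
        "unaccounted": [],          # sent, but neither posted nor rejected: lost in transit
        "rejected_and_posted": [],  # rejected by the interface yet still posted
        "unexpected": sorted(set(recv_d) - set(sent_d)),        # posted without being sent
        "rejected_not_sent": sorted(set(rej_d) - set(sent_d)),  # rejection with no source record
    }
    for ref, amt in sent_d.items():
        if ref in recv_d:
            if ref in rej_d:
                r["rejected_and_posted"].append(ref)
            if recv_d[ref] != amt:
                r["amount_mismatch"].append((ref, str(amt), str(recv_d[ref])))
        elif ref not in rej_d:
            r["unaccounted"].append(ref)

    # Difference between the systems net of rejections, and how much of it the
    # itemised findings account for. Anything left over is an unexplained balance.
    r["difference"] = r["sent_total"] - r["rejected_total"] - r["received_total"]
    explained = (sum((sent_d[ref] for ref in r["unaccounted"]), zero)
                 + sum((Decimal(s) - Decimal(p) for _, s, p in r["amount_mismatch"]), zero)
                 - sum((recv_d[ref] for ref in r["unexpected"]), zero)
                 - sum((recv_d[ref] for ref in r["rejected_and_posted"]), zero))
    r["explained"] = explained
    r["fully_explained"] = (explained == r["difference"])
    return r


if __name__ == "__main__":
    for key, value in reconcile(SENT, RECEIVED, REJECTED).items():
        print(f"{key}: {value}")
```

On the constructed data the sender put 1745.24 on the interface, 80.00 of it (T003) was rejected, and the receiver posted 1630.15, a net difference of 35.09. The script attributes all of it: T005 (45.00) was sent but neither posted nor rejected, T004 was posted at 999.90 against 999.99 sent, and T006 (10.00) was posted without ever being sent, so 45.00 + 0.09 - 10.00 = 35.09 and `fully_explained` is true. An unexplained remainder, or any entry under `rejected_and_posted`, is the kind of result test 4.5.1 is looking for when walking the rejection handling on both sides.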
ICQ 4.6
4.6.1 Ascertain how amendment and deletion facilities function within the system and the method by which the history of transactions is maintained.
ICQ 4.7
4.7.1 Ascertain from systems manuals the options for maintaining audit trail facilities, printing reports and retention of trail files.
ICQ 5.1
5.1.1 Examine operations manuals and other system documentation to ascertain whether files are backed up during processing and programs include restart points. Check that they are used in practice by examining job journals for a sample of procedures.
ICQ 5.2
5.2.1 Ascertain what database integrity checks are available from system documentation. Find out from operations staff how often they are run and whether a complete back-up of the database is retained from one check to the next.
5.2.2 Check from the appropriate job journal (if available) whether the integrity check was completed successfully and, if not, what rectification action was taken.
ICQ 5.3
5.3.1 Examine operators' instructions to see whether procedures are laid down for dealing with failed jobs. Also, check with users to ensure that they are aware of these procedures and know what their responsibilities are in such circumstances.
5.3.2 Seek evidence that procedures have been successfully tested, including the use of stored, back-up data and programs to restore systems.
Change Control: Risk Identifier
Columns: CONTROL OBJECTIVE | CONTROL | RISK ICQ REF
TRANSACTION RECORDING AND PROCESSING
1 Arrangements for amending production software conform to agreed standards.
  1.1 Change control standards exist and define how amendments should be carried out and documented. (ICQ ref 1.1)
  1.2 All IT support staff have a copy of standards detailing how program changes should be recorded. (ICQ ref 1.2)
  1.3 Documentation is updated. (ICQ ref 1.3)
  1.4 A quality assurance procedure is undertaken to ensure compliance with standards. (ICQ ref 1.4)
2 Program changes are authorised and actioned in a controlled environment.
  2.1 Owners of data are responsible for authorising changes, accepting amendments for testing, and authorising implementation. (ICQ ref 2.1)
  2.2 Development and maintenance work is performed in a separate environment from production work. The movement of files between these areas is strictly controlled. (ICQ ref 2.2)
  2.3 When program amendments are made outside normal working hours, a log of activities is maintained and checked by management. (ICQ ref 2.3)
Change Control: Internal Control Questionnaire
Columns: RISK ID | ICQ CTL REF | CONTROL | ANSWER (Y/N) | COMMENTS | CT REF (the risk ID and ICQ control ref carry the same number; the answer and comments columns are blank)
1.1 Do change control standards exist and define how amendments should be carried out and documented? (CT refs 1.1.1 to 1.1.9)
1.2 Do all IT support staff have a copy of standards detailing how program changes should be recorded? (CT ref 1.2.1)
1.3 Is documentation updated? (CT ref 1.3.1)
1.4 Is a quality assurance procedure undertaken to ensure compliance with standards? (CT ref 1.4.1)
2.1 Are owners of data responsible for authorising changes, accepting amendments for testing, and authorising implementation? (CT refs 2.1.1 to 2.1.8)
2.2 Is development and maintenance work performed in a separate environment from production work? Is the movement of files between these areas strictly controlled? (CT refs 2.2.1 to 2.2.7)
2.3 When program amendments are made outside normal working hours, is a log of activities maintained and checked by management? (CT refs 2.3.1 to 2.3.2)
Change Control: Compliance Tests
Columns: ICQ REF | CT REF | COMPLIANCE TEST | WORKING PAPERS
ICQ 1.1
1.1.1 Request a copy of the change control standard and check when it was last updated to see if it appears up to date.
1.1.2 Review standards to assess whether initiation, programming and updating processes are adequately separated and cannot be undertaken by a single user in smaller systems.
1.1.3 Establish who is responsible for defining change control standards and when the arrangements were last reviewed.
1.1.4 Check whether the standards have been made known to all development staff and to any staff in user departments who may undertake development work.
1.1.5 Verify that suitable arrangements exist for packaged software support to be provided securely over remote dial-in by vendors.
1.1.6 Ask some staff whether they are aware of their responsibilities.
1.1.7 Check whether newly appointed staff are made aware of their responsibilities. (This may be done during any initial training sessions.)
1.1.8 Observation and conversations with staff should indicate whether change control procedures are regarded as important, and evidence of compliance should be found in review of change control request forms and user sign-off of program changes.
1.1.9 Ensure that arrangements are in place for smaller-scale changes and that these are used appropriately.
ICQ 1.2
1.2.1 Ask to see the program standards and check when they were last updated to determine if they seem up to date.
ICQ 1.3
1.3.1 Examine a sample of system documentation for a number of recent program changes.
ICQ 1.4
1.4.1 Determine whether a quality assurance function is in place and, if so, consider its adequacy; review a sample of program changes to ensure that they have been subject to the formal quality assurance process.
ICQ 2.1
2.1.1 Check that the system permits amendments to the master file.
2.1.2 Check that the system provides different levels of password control to authorise master file amendments (eg superuser).
2.1.3 Ask if details of all master file amendments are automatically printed and whether these are shown to be a complete record of such changes.
2.1.4 Check who is responsible within each installation for testing amendments, who supervises such activities and when these arrangements were last reviewed.
2.1.5 Check who is responsible within each installation for signing off program amendments and when the arrangements were last reviewed.
2.1.6 Select a recent amendment and check that the correct processes were followed.
2.1.7 Ask if the audit trail is sufficiently protected so as to prevent it from being edited or deleted.
2.1.8 Examine a selection of change request forms to ensure that the proposals for change have been costed and timetabled. These details should be recorded on the change request form.
ICQ 2.2
2.2.1 Ask the development manager and system programmer how access to production programs and data is restricted.
2.2.2 Establish who is responsible within each installation for separating test and production libraries and when the arrangements were last reviewed.
2.2.3 Check whether a statement of responsibilities has been distributed and whether it is up to date.
2.2.4 Establish who is responsible within each installation for moving test files to production libraries and when the arrangements were last reviewed.
2.2.5 Establish who is responsible within each installation for copying production files to test libraries and when the arrangements were last reviewed.
2.2.6 Establish whether such procedures apply in user departments applying their own change control.
2.2.7 Obtain details of recent program changes and check to see that the previous copies of the programs are stored on the system and that other laid-down procedures have been followed.
ICQ 2.3
2.3.1 Establish who is responsible within each installation for emergency amendments and who subsequently verifies the amendments. Check when these arrangements were last reviewed.
2.3.2 Review a selection of out-of-hours activities to ensure that these relate to valid program changes.
Post-Implementation Review: Risk Identifier
Columns: CONTROL OBJECTIVE | CONTROL | RISK ICQ REF
TRANSACTION RECORDING AND PROCESSING
1 The project complied with the organisation's project management standards and processes.
  1.1 Procedures are in place and followed to ensure compliance with the IT strategy, procurement policy and project management procedures. (ICQ ref 1.1)
  1.2 The system was fully tested and documented. (ICQ ref 1.2)
  1.3 Agreed changes have been properly authorised and implemented. (ICQ ref 1.3)
  1.4 Processes are in place to ensure that all staff are adequately trained. (ICQ ref 1.4)
2 The project outcome met the requirements of users.
  2.1 Users are satisfied that the project outcome provides the level of functionality expected. (ICQ ref 2.1)
  2.2 The performance of the project outcome met expectations. (ICQ ref 2.2)
3 The project justified the cost in terms of actual benefits.
  3.1 Actual costs and benefits matched expectations. (ICQ ref 3.1)
Post-Implementation Review: Internal Control Questionnaire
Columns: RISK ID | ICQ CTL REF | CONTROL | ANSWER (Y/N) | COMMENTS | CT REF (the risk ID and ICQ control ref carry the same number; the answer and comments columns are blank)
1.1 Are procedures in place and followed to ensure compliance with the IT strategy, procurement policy and project management procedures? (CT refs 1.1.1 to 1.1.3)
1.2 Was the system fully tested and documented? (CT ref 1.2.1)
1.3 Have agreed changes been properly authorised and implemented? (CT refs 1.3.1 to 1.3.2)
1.4 Are processes in place to ensure that all staff are adequately trained? (CT ref 1.4.1)
2.1 Are users satisfied that the project outcome provided the level of functionality expected? (CT refs 2.1.1 to 2.1.5)
2.2 Has the performance of the project outcome met expectations? (CT refs 2.2.1 to 2.2.5)
3.1 Have actual costs and benefits matched expectations? (CT refs 3.1.1 to 3.1.3)
Post-Implementation Review: Compliance Tests
Columns: ICQ REF | CT REF | COMPLIANCE TEST | WORKING PAPERS
ICQ 1.1
1.1.1 Ask to see the IT strategy and procurement policy and confirm that the project complies with them. Any deviations from the strategy and policy should have been identified, documented and their implications understood.
1.1.2 Review the adequacy of the organisation's procurement policy/regulations.
1.1.3 Enquire whether the regulations have been followed and any deviations properly documented and authorised.
ICQ 1.2
1.2.1 Ensure that test plans have been compiled covering all functions. The plans should detail the test, the expected result and the actual result. By observation and conversation the auditor should ensure that staff responsible for testing have the appropriate skills and business knowledge.
ICQ 1.3
1.3.1 Examine any requested amendments to the system.
1.3.2 Enquire whether:
- a project change procedure has been established
- the cost and benefits of each project change request are reviewed
- changes are authorised by persons with the appropriate authority
- appropriate systems exist to track approved changes.
ICQ 1.4
1.4.1 Ascertain that:
- training requirements have been identified, and a training plan established
- training methodologies have been identified and evaluated, and the most appropriate selected
- a system has been established to review the effectiveness of training.
In addition, it may be beneficial for the auditor to interview a sample of users and obtain their opinion on the effectiveness of the training received.
ICQ 2.1
2.1.1 Ask to see a copy of the system specification and check with users that the project was well understood and the primary objectives and scope of the system had been identified; that a project appraisal and selection team was established; and that the members of the project appraisal and selection team had appropriate skills and abilities.
2.1.2 Check that the requirements were signed off as acceptable by the users of the system. Seek explanations of the reasons why individual requirements were excluded.
2.1.3 Consider whether the functionality delivered has been accompanied by adequate controls in such areas as application control and security.
2.1.4 Observation of and conversation with staff about day-to-day operations should identify, for example, whether the incidence of errors has diminished, whether working conditions have improved and whether the improvements promised in the specification stage have been realised.
2.1.5 Determine whether a systematic survey of users has been undertaken to establish user satisfaction.
ICQ 2.2
2.2.1 Critically examine the operational running costs of the system.
2.2.2 Assess the staff resources required to support the system. Compare with estimates made at the feasibility requirements stage.
2.2.3 Identify any system turnaround delays.
2.2.4 Review error rates for input data capture.
2.2.5 Review the number of reported programming errors.
ICQ 3.1
3.1.1 Check that a cost benefit analysis has been carried out and any assumptions documented. The cost benefit analysis should have ensured that:
- all costs have been identified (one-off and recurring)
- the costs are assessed over a period greater than one year
- all benefits have been identified (direct and social benefits).
3.1.2 Check that reporting systems were in place to monitor the progress of the project.
3.1.3 Ascertain how total costs have been captured, whether a comparison has been made against original costs, whether cost comparisons have been reported to management and what action was taken.
IS/IT Strategy: Risk Identifier
Columns: CONTROL OBJECTIVE | CONTROL | RISK ICQ REF
TRANSACTION RECORDING AND PROCESSING
1 An integrated strategy has been developed and formally approved.
  1.1 A strategy has been developed and approved by the management board. (ICQ ref 1.1)
  1.2 The strategy has been documented. (ICQ ref 1.2)
2 The integrated strategy is appropriate and up to date.
  2.1 The organisation has prepared a corporate business plan and the strategy fully supports it. (ICQ ref 2.1)
  2.2 Strategies are prepared by individual departments which support service plans and the corporate plan. (ICQ ref 2.2)
  2.3 The strategy is up to date. (ICQ ref 2.3)
  2.4 The strategy clearly defines where the organisation wants to be and the steps necessary to get there. (ICQ ref 2.4)
3 Arrangements exist to manage its implementation and maintain the strategy as required.
  3.1 The strategy has been communicated to key staff at all levels throughout the organisation. (ICQ ref 3.1)
  3.2 Departmental management is fully committed to implementation of the strategy. (ICQ ref 3.2)
  3.3 The appropriate management structures are in place to manage and monitor implementation. (ICQ ref 3.3)
  3.4 A strategy group is responsible for the maintenance of the strategy. (ICQ ref 3.4)
  3.5 Corporate standards have been defined and adherence is monitored. (ICQ ref 3.5)
IS/IT Strategy: Internal Control Questionnaire
Columns: RISK ID | ICQ CTL REF | CONTROL | ANSWER (Y/N) | COMMENTS | CT REF (the risk ID and ICQ control ref carry the same number; the answer and comments columns are blank)
1.1 Has a strategy been developed and approved by the management board? (CT refs 1.1.1 to 1.1.4)
1.2 Has the strategy been documented? (CT ref 1.2.1)
2.1 Has the organisation prepared a corporate business plan and does the strategy fully support it? (CT refs 2.1.1 to 2.1.2)
2.2 Are strategies prepared by individual departments and do these support service plans and the corporate plan? (CT ref 2.2.1)
2.3 Is the strategy up to date? (CT refs 2.3.1 to 2.3.2)
2.4 Does the strategy clearly define where the organisation wants to be and the steps necessary to get there? (CT ref 2.4.1)
3.1 Has the strategy been communicated to key staff at all levels throughout the organisation? (CT refs 3.1.1 to 3.1.2)
3.2 Is departmental management fully committed to implementation of the strategy? (CT ref 3.2.1)
3.3 Are the appropriate management structures in place to manage and monitor implementation? (CT ref 3.3.1)
3.4 Is a strategy group responsible for the maintenance of the strategy? (CT refs 3.4.1 to 3.4.2)
3.5 Have corporate standards been defined and is adherence monitored? (CT refs 3.5.1 to 3.5.2)
IS/IT Strategy: Compliance Tests
Columns: ICQ REF | CT REF | COMPLIANCE TEST | WORKING PAPERS
ICQ 1.1
1.1.1 Ask whether the management board has been briefed about the potential of IT.
1.1.2 Ascertain whether an IT strategy group (or equivalent) is responsible for the formulation of the strategy.
1.1.3 Discuss with the chair of the group and check the minutes to determine its constitution and reporting lines.
1.1.4 Check board minutes to determine whether the strategy has been formally considered and approved.
ICQ 1.2
1.2.1 Obtain a copy of the strategy and check that it reflects the organisation as a whole, including any departmental strategies.
ICQ 2.1
2.1.1 Obtain a copy of the corporate business plan or strategic policy documents and identify the main objectives.
2.1.2 Check whether the IT strategy fully considers the business objectives and supports their achievement.
ICQ 2.2
2.2.1 Obtain a sample of departmental IT strategies and ensure that they are consistent with their own plans and corporate objectives.
ICQ 2.3
2.3.1 Review progress in implementing the strategy.
2.3.2 Check whether the strategy reflects a current view of IT developments by discussing the strategy with IT professionals.
ICQ 2.4
2.4.1 Review the strategy and confirm that it defines the current state of IT, the proposed future state of IT and the means of moving from the current to the future state.
ICQ 3.1
3.1.1 Ask whether copies of the IT strategy have been distributed to all relevant parties.
3.1.2 Determine, through discussion, whether top management and staff are aware of the strategy content and its implications for IT development within their business area.
ICQ 3.2
3.2.1 Review current departmental plans and ensure they are consistent with corporate standards and strategy.
ICQ 3.3
3.3.1 Ensure that proper project management structures are in place to oversee strategy implementation and delivery.
ICQ 3.4
3.4.1 Check that a group is responsible for maintaining the strategy.
3.4.2 Review its terms of reference and minutes.
ICQ 3.5
3.5.1 Obtain a copy of standards and ensure through discussion that users are aware of them.
3.5.2 Ascertain through discussion with IT staff whether they are aware of any recent breaches of standards.
Procurement of IT Facilities: Risk Identifier
Columns: CONTROL OBJECTIVE | CONTROL | RISK ICQ REF
TRANSACTION RECORDING AND PROCESSING
1 IT procurements are consistent with the organisation's business and IT strategy.
  1.1 There is an overall group responsible for reviewing IT procurements for appropriateness to the organisation's IS/IT strategy. (ICQ ref 1.1)
  1.2 Guidelines exist to assist in the procurement process. (ICQ ref 1.2)
2 The procurement conforms to internal regulations and to EU regulations and directives.
  2.1 The organisation has appropriate knowledge of and expertise in EU regulations and directives. (ICQ ref 2.1)
  2.2 The procurement adheres to EU regulations and directives on threshold values, estimates and aggregation rules. (ICQ ref 2.2)
  2.3 The procurement complies with EU regulations and directives relating to procurement, publishing notices, selecting suppliers and awarding contracts. (ICQ ref 2.3)
  2.4 Technical specifications and references to standards in the requirements specification conform to EU regulations and directives. (ICQ ref 2.4)
3 The method of financing is appropriate for the facilities being acquired.
  3.1 Methods of financing have been investigated. (ICQ ref 3.1)
  3.2 The method chosen is sound and is in line with the organisation's overall financial strategy. (ICQ ref 3.2)
  3.3 Appropriate approval is given to the method chosen. (ICQ ref 3.3)
4 The method for selecting the successful tender is sound.
  4.1 The method of tender evaluation is approved and is consistent with the criteria for award of contract specified within the contents of any published notice. (ICQ ref 4.1)
  4.2 The proposal meets the technical requirements of the specification. (ICQ ref 4.2)
  4.3 A business appraisal is undertaken. (ICQ ref 4.3)
  4.4 The method of tender comparison is sound. (ICQ ref 4.4)
  4.5 A contract appraisal is undertaken. (ICQ ref 4.5)
  4.6 A recommendation and decision is made based on the evaluation of the tenders. (ICQ ref 4.6)
5 The installation and implementation of the procurement is effectively managed.
  5.1 The installation/implementation programme is planned. (ICQ ref 5.1)
  5.2 Facilities are tested prior to acceptance. (ICQ ref 5.2)
  5.3 Appropriate resources are available to achieve the implementation plan. (ICQ ref 5.3)
6 Procurements are reviewed, post-implementation, to ensure the objectives of the procurement are met.
  6.1 Post-implementation reviews are undertaken within agreed timescales. (ICQ ref 6.1)
Procurement of IT Facilities: Internal Control Questionnaire
Columns: RISK ID | ICQ CTL REF | CONTROL | ANSWER (Y/N) | COMMENTS | CT REF (the risk ID and ICQ control ref carry the same number; the answer and comments columns are blank)
1.1 Is there an overall group responsible for reviewing IT procurements for appropriateness to the organisation's IS/IT strategy? (CT refs 1.1.1 to 1.1.3)
1.2 Do guidelines exist to assist in the procurement process? (CT refs 1.2.1 to 1.2.3)
2.1 Has the organisation appropriate knowledge of and expertise in EU regulations and directives? (CT ref 2.1.1)
2.2 Does the procurement adhere to EU regulations and directives on threshold values, estimates and aggregation rules? (CT ref 2.2.1)
2.3 Does the procurement comply with EU regulations and directives relating to procurement, publishing notices, selecting suppliers and awarding contracts? (CT ref 2.3.1)
2.4 Do technical specifications and references to standards in the requirements specification conform to EU regulations and directives? (CT ref 2.4.1)
3.1 Have methods of financing been investigated? (CT ref 3.1.1)
3.2 Is the method chosen sound and in line with the organisation's overall financial strategy? (CT ref 3.2.1)
3.3 Is appropriate approval given to the method chosen? (CT refs 3.3.1 to 3.3.2)
4.1 Is the method of tender evaluation approved and consistent with the criteria for award of contract specified within the contents of any published notice? (CT refs 4.1.1 to 4.1.4)
4.2 Does the proposal meet the technical requirements of the specification? (CT ref 4.2.1)
4.3 Is a business appraisal undertaken? (CT ref 4.3.1)
4.4 Is the method of tender comparison sound? (CT ref 4.4.1)
4.5 Is a contract appraisal undertaken? (CT ref 4.5.1)
4.6 Is a recommendation and decision made based on the evaluation of the tenders? (CT refs 4.6.1 to 4.6.2)
5.1 Is an installation/implementation programme planned? (CT refs 5.1.1 to 5.1.2)
5.2 Are facilities tested prior to acceptance? (CT ref 5.2.1)
5.3 Are appropriate resources available to achieve the implementation plan? (CT ref 5.3.1)
6.1 Are post-implementation reviews undertaken within agreed timescales? (CT ref 6.1.1)
Procurement: Compliance Tests
Columns: ICQ REF | CT REF | COMPLIANCE TEST | WORKING PAPERS
ICQ 1.1
1.1.1 Obtain a copy of the IS/IT strategy and other related documents to determine whether the procurement process is consistent with that strategy.
1.1.2 Identify who has responsibility for defining and implementing the computer facilities procurement strategy.
1.1.3 Determine the terms of reference for those involved in the decision making and implementation process.
ICQ 1.2
1.2.1 Ensure that the organisation has documented and up-to-date guidelines to assist staff in the procurement process.
1.2.2 Check that the procurement complies with internal financial regulations and standing orders.
1.2.3 Check that the procurement complies with sectoral rules and procedures.
ICQ 2.1
2.1.1 Ask whether the organisation has made an officer responsible for assimilating and interpreting EU directives and regulations and offering guidance to appropriate heads of department. Ask how the officer responsible keeps up to date with changes in them.
ICQ 2.2
2.2.1 Ensure that all IT procurements are subject to review to ensure that they conform to the EU threshold regulations.
ICQ 2.3
2.3.1 Check that all IT procurements are subject to review to ensure that they conform to the EU advertising and tendering requirements.
ICQ 2.4
2.4.1 Check that requirement specifications adhere to directives and regulations in referring to standards.
ICQ 3.1
3.1.1 Determine whether different methods of financing the procurement have been investigated and assess whether the most financially advantageous deals have been made.
ICQ 3.2
3.2.1 For a procurement, determine the financing method chosen. Check to see that advice was sought from the finance department or an independent external specialist and that the method chosen was justified.
ICQ 3.3
3.3.1 Check whether all avenues for funding have been explored.
3.3.2 Ensure that approvals have the appropriate level of authorisation.
ICQ 4.1
4.1.1 Identify the tendering procedures and how responsibility for the selection and appraisal of tenders has been allocated.
4.1.2 Determine the arrangements for evaluating tenders.
4.1.3 Confirm whether the evaluation process includes a technical appraisal, a financial appraisal, a comparison of tenders submitted and a contract appraisal.
4.1.4 Assess compliance with EU directives, where appropriate.
ICQ 4.2
4.2.1 Obtain a copy of the technical evaluation. Review it to ensure completeness. Ensure the results are calculated correctly.
ICQ 4.3
4.3.1 Ensure that a business appraisal is undertaken and that its calculation is valid.
ICQ 4.4
4.4.1 Establish the method for comparison of tenders. Check the calculations to ensure that the results are sound.
ICQ 4.5
4.5.1 Determine the procedures for the preparation of IT contracts. Examine a sample of contracts to ensure that the organisation is properly protected and the contents are adequate.
ICQ 4.6
4.6.1 Determine who has responsibility for selecting the successful supplier.
4.6.2 Assess the justification for the selection of a particular tender over other bids.
ICQ 5.1
5.1.1 Establish whether an implementation plan is produced as part of the procurement process. Assess the reasonableness of the implementation plans.
5.1.2 Check whether insurance cover is affected.
ICQ 5.2
5.2.1 Ensure that facilities are adequately tested prior to acceptance of the procurement.
ICQ 5.3
5.3.1 Ensure that appropriate resources are available to achieve the implementation plan. Ensure that staff are adequately trained and skilled.
ICQ 6.1
6.1.1 Check that post-implementation reviews are undertaken within agreed timescales.
Financial Management of IT: Risk Identifier
Columns: CONTROL OBJECTIVE | CONTROL | RISK ICQ REF
TRANSACTION RECORDING AND PROCESSING
1 A costing policy has been defined.
  1.1 A defined costing policy exists. (ICQ ref 1.1)
  1.2 Cost centres are identified and operated. (ICQ ref 1.2)
  1.3 The basis of cost allocation to cost centres is sound. (ICQ ref 1.3)
  1.4 Unit costs and resource units for each cost centre are defined. (ICQ ref 1.4)
2 A charging policy has been defined.
  2.1 A defined charging policy exists. (ICQ ref 2.1)
  2.2 The method of charging is reasonable. (ICQ ref 2.2)
3 Users are accountable for their use of the IT resources.
  3.1 Users receive information on services provided. (ICQ ref 3.1)
  3.2 Information provided is sufficient and timely. (ICQ ref 3.2)
  3.3 Adequate performance monitoring is in place. (ICQ ref 3.3)
Financial Management of IT: Internal Control Questionnaire
Columns: RISK ID | ICQ CTL REF | CONTROL | ANSWER (Y/N) | COMMENTS | CT REF (the risk ID and ICQ control ref carry the same number; the answer and comments columns are blank)
1.1 Does a defined costing policy exist? (CT ref 1.1.1)
1.2 Are cost centres identified and operated? (CT refs 1.2.1 to 1.2.3)
1.3 Is the basis of cost allocation to cost centres sound? (CT ref 1.3.1)
1.4 Are unit costs and resource units for each cost centre defined? (CT refs 1.4.1 to 1.4.2)
2.1 Does a defined charging policy exist? (CT refs 2.1.1 to 2.1.3)
2.2 Is the method of charging reasonable? (CT ref 2.2.1)
3.1 Do users receive information on services provided? (CT ref 3.1.1)
3.2 Is this information sufficient and timely? (CT ref 3.2.1)
3.3 Is adequate performance monitoring in place? (CT refs 3.3.1 to 3.3.4)
Financial Management of IT: Compliance Tests
ICQ REF CT REF COMPLIANCE TEST WORKING PAPERS
1.1 1.1.1
Obtain a copy of the costing policy and ensure that it covers the objectives and the mechanics
of how the costing will operate, and the regularity of reviews.
1.2 1.2.1
Establish what cost centres have been identified and are operating.
1.2.2
Establish whether these meet the needs of the organisation and reflect the nature of the IT
facilities.
1.2.3
Verify that the relevant usage statistics are collected.
1.3 1.3.1
Establish how costs are allocated to the individual cost centres. Assess whether the basis of
allocation appears reasonable.
1.4 1.4.1
Establish how unit costs are calculated.
1.4.2
Establish what resource units are used for each cost centre and consider their appropriateness.
2.1 2.1.1
Obtain a copy of the charging policy/establish the charging policy, and ensure that it covers the
objectives clearly.
2.1.2
Assess the adequacy of the management arrangements.
2.1.3
Check that the relevant objectives of the charging policy are included within the IT strategy.
2.2 2.2.1
Establish total costs for an IT service and check to ensure the charges for that service meet the
objectives of the policy. Where total costs for a service are not fully recovered, examine
reasons for this to ensure their validity.
3.1 3.1.1
Determine how information is provided to users to enable them to control, monitor and
influence the levels of charges applicable to them.
3.2 3.2.1
Examine the various documents provided to users to ensure that they provide sufficient
information to users to control and influence usage.
3.3 3.3.1
Ensure that performance indicators are established and that performance against agreed
service levels is monitored.
3.3.2
Ensure that cost centre managers receive regular reports on performance.
3.3.3
Ensure that trading accounts are used to record costs and charges and that the accounts
include all relevant items.
3.3.4
Ensure that imbalances can be promptly identified and are investigated.
Outsourcing: Risk Identifier
CONTROL OBJECTIVE   CONTROL   RISK ICQ REF
TRANSACTION RECORDING AND PROCESSING
1 The organisation has fully considered the implications of outsourcing and is satisfied that this is the best option.
    1.1 An IS/IT strategy has been prepared so that the organisation has a clear vision of what it wants to achieve from IT services. (ICQ ref 1.1)
    1.2 The organisation has fully evaluated the different options for provision of the outsourcing service. (ICQ ref 1.2)
    1.3 Service levels and costs, both for current and likely future levels of need, are well defined. (ICQ ref 1.3)
2 The most appropriate supplier is selected on terms that meet the best interests of the organisation.
    2.1 A project team has been established and is responsible for evaluating the options and managing the transition. (ICQ ref 2.1)
    2.2 The tender process was handled in accordance with the organisation's own regulations and the appropriate EU Directives. (ICQ ref 2.2)
    2.3 Checks are made as to the financial and technical capability of the tenderer to complete the contract. (ICQ ref 2.3)
3 The service provider delivers services to the quality specified.
    3.1 Benchmarks are established and performance is monitored to ensure that the defined service levels are being achieved. These benchmarks are independently verifiable. (ICQ ref 3.1)
    3.2 All invoices received from the service provider are reviewed prior to payment. Any amounts due for additional services are properly authorised. (ICQ ref 3.2)
    3.3 Management is provided with regular feedback showing the level of service achieved. (ICQ ref 3.3)
    3.4 Any penalty or cessation clauses are clearly understood and the processes for instituting them are automatically triggered. (ICQ ref 3.4)
    3.5 The outsourcing provider has adequate controls to ensure the confidentiality, integrity and availability of systems and data. (ICQ ref 3.5)
    3.6 The access rights of management and audit are clearly defined and are regularly exercised. (ICQ ref 3.6)
Outsourcing: Internal Control Questionnaire
RISK ID   ICQ CTL   CONTROL   ANSWER (Y/N)   COMMENTS   CT REF
1.1   1.1   Has an IS/IT strategy been prepared so that the organisation has a clear vision of what it wants to achieve from IT services?   CT 1.1.1, 1.1.2
1.2   1.2   Has the organisation fully evaluated the different options for provision of the outsourcing service?   CT 1.2.1, 1.2.2
1.3   1.3   Are service levels and costs, both for current and likely future levels of need, well defined?   CT 1.3.1, 1.3.2
2.1   2.1   Has a project team been established and made responsible for evaluating the options and managing the transition?   CT 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5
2.2   2.2   Was the tender process handled in accordance with the organisation's own regulations and the appropriate EU Directives?   CT 2.2.1, 2.2.2, 2.2.3
2.3   2.3   Are checks made as to the financial and technical capability of the tenderer to complete the contract?   CT 2.3.1, 2.3.2, 2.3.3
3.1   3.1   Are benchmarks established and is performance monitored to ensure that the defined service levels are being achieved? Are these benchmarks independently verifiable?   CT 3.1.1, 3.1.2, 3.1.3
3.2   3.2   Are all invoices received from the service provider reviewed prior to payment? Are amounts due for additional services properly authorised?   CT 3.2.1
3.3   3.3   Is management provided with regular feedback showing the level of service achieved?   CT 3.3.1
3.4   3.4   Are penalty or cessation clauses clearly understood, and are the processes for instituting them automatically triggered?   CT 3.4.1, 3.4.2, 3.4.3
3.5   3.5   Does the outsourcing provider have adequate controls to ensure the confidentiality, integrity and availability of systems and data?   CT 3.5.1, 3.5.2, 3.5.3
3.6   3.6   Are the access rights of management and audit clearly defined and regularly exercised?   CT 3.6.1, 3.6.2
Outsourcing: Compliance Tests
ICQ REF CT REF COMPLIANCE TEST WORKING PAPERS
1.1 1.1.1
Review the strategy and ensure that it provides a clear vision for IT and the resources required
to fulfil the strategy whilst reflecting the external provision of services.
1.1.2
Review the arrangements for maintaining strategic direction for IS/IT within the organisation (eg
role of steering groups).
1.2 1.2.1
Review the business case for outsourcing.
1.2.2
Ensure that clear objectives have been set for the use of outsourcing managers.
1.3 1.3.1
Review any service level agreement (SLA).
1.3.2
Ensure that the SLA includes all audit requirements including access rights and ability to
download data from key systems.
2.1 2.1.1
Appraise the arrangements for establishment of a project team and involvement of users in the
process.
2.1.2
Review the terms of reference for the project team and ensure that they cover all of the areas
listed above.
2.1.3
Review the minutes for the project team to ensure that it meets regularly and considers the
above issues in practice.
2.1.4
Review the project and implementation plans prepared by the project team.
2.1.5
Review the contract.
2.2 2.2.1
Review compliance with the organisation's own contracting regulations.
2.2.2
Ensure that independent legal advice has been obtained and followed.
2.2.3
Review the advertisements placed and ensure that they are in accordance with the relevant
directives.
2.3 2.3.1
Review the arrangements for taking up financial and other references.
2.3.2
Review the arrangements for reviewing the financial position of the service provider. If
necessary, obtain independent verification of the company's current financial status, either from
a financial review agency or by obtaining a copy of the latest filed accounts from Companies
House.
2.3.3
If possible discuss the performance of the company with the auditors of other clients of the
service provider.
3.1 3.1.1
Review the benchmarks and ensure that they cover all areas defined within the SLA.
3.1.2
Review the contractor's arrangements for collecting and reporting benchmarks. Identify, assess
and test the controls to ensure the adequacy and completeness of benchmark data.
3.1.3
Assess the arrangements within the organisation for receiving, reviewing and identifying action
based upon the reported benchmark information.
3.2 3.2.1
Review the arrangements for clearance of invoices and agreeing any amendments to regular
sums due prior to payment of invoices.
3.3 3.3.1
Identify whether any independent reviews have been undertaken. If so, review the results and
ensure that any recommendations have been implemented.
3.4 3.4.1
Review the contract and identify the arrangements for triggering penalty payments and early
termination of the contract.
3.4.2
Ensure that the benchmarks to trigger this process are reviewed by the organisation and that
the correct processes are followed.
3.4.3
Recalculate any penalty payments and ensure that the correct amounts have been deducted.
3.5 3.5.1
Obtain and review the contractor's procedure manuals.
3.5.2
Undertake a site inspection and review controls (subject to access rights; see 3.6.2 below).
3.5.3
Ascertain whether independent quality audits have been undertaken.
3.6 3.6.1
Review the contract to ensure that it contains adequate access rights.
3.6.2
Undertake site visits in accordance with the contractual procedure.