Beruflich Dokumente
Kultur Dokumente
2.4.2
Check whether there is a defined training programme that seeks to match personal development
needs.
2.5 2.5.1
Check whether anyone has overall responsibility for monitoring contract staff and whether they
have details of work carried out and payments made in relation to the contract.
2.5.2
Ask about the procedures for deleting access facilities when contract staff leave.
3.1 3.1.1
Obtain a copy of the standards for IT in the organisation and ensure that they cover the range of
IT activities.
3.1.2
Ensure that there are adequate procedures for verifying adherence to the standards.
3.2 3.2.1
Find out whether there are formal arrangements for reviewing and updating the standards.
4.1 4.1.1
Examine the staffing structure, job descriptions and procedures of the organisation to ascertain
whether adequate separation of duties is achievable.
4.2 4.2.1
Where the organisation cannot support segregation of duties because of its size, consider what
alternative control mechanisms are employed.
4.2.2
Ask users about their responsibilities for maintaining the system/application to compensate for
known weaknesses in IT processing.
File Controls: Risk Identifier
CONTROL OBJECTIVE CONTROL RISK ICQ REF
TRANSACTION RECORDING AND PROCESSING
1 Responsibilities for controlling access 1.1 Responsibilities for controlling files are 1.1
to and use of files are clearly defined. assigned and set down in a security
policy and in written procedures that
are kept up to date and communicated
to all staff.
1.2 Compliance with the policy is 1.2
monitored by IT and user management
2 Access to files through physical 2.1 Physical access to electronic media is 2.1
means is well controlled. restricted to authorised personnel.
3.9 3.9 Is access to general-purpose software and other software facilities, 3.9.1
such as utilities that can edit files, strictly controlled? 3.9.2
3.9.3
4.1 4.1 Are all IT systems built and configured to a documented baseline 4.1.1
standard that addresses known security weaknesses and 4.1.2
vulnerabilities? 4.1.3
4.2 4.2 Is there is an inventory of all electronic media showing its location, 4.2.1
movement, use, issue and receipt?
4.3 4.3 Is an up-to-date inventory maintained of all application and system 4.3.1
software?
5.1 5.1 Are there arrangements for backing up files within each installation 5.1.1
to ensure a secure storage environment, completeness and 5.1.2
accuracy, defined retention periods and to provide for the recovery 5.1.3
of files? 5.1.4
5.1.5
File Controls: Compliance Tests
ICQ REF CT REF COMPLIANCE TEST WORKING PAPERS
1.1 1.1.1 Ask who is responsible for defining procedures for protecting electronic files within the IT and
user departments and establish when such responsibilities were last defined to determine
whether they appear to have been reviewed reasonably frequently.
1.1.2 Ask to see the IT security policy and procedures and check when it was last updated
1.1.3 Check that the policy refers to the Data Protection Act and Computer Misuse Act and that it
identifies the users responsibilities for protecting their own files.
1.1.4 Discuss with staff whether file security is regarded as important and look for evidence of up-
to-date notices and instructions available to staff.
1.1.5
Find out what methods are used to inform staff of computer security issues and if they are
reasonably up to date.
1.2 1.2.1
Review the organisations staff handbook to see whether disciplinary procedures specify
computer security breaches as a disciplinary matter.
1.2.2 Determine how widely it has been distributed. Check with some users to see if they hold a
copy or are aware of it.
2.1 2.1.1 Ask how physical access to files held by the IT department is controlled and whether this
applies out of normal office hours.
2.1.2 Observe the storage arrangements (preferably without any pre-announcement of the visit)
and assess whether the general physical access appears to be well controlled.
2.1.3 Establish how many locations within the organisation hold files locally. Depending on the
number of locations and the available time, select some of the primary users and ask how
physical access to files is restricted and whether this applies out of normal office hours.
2.1.4 Review the procedures relating to the introduction of alien media to ensure that proper
authorisation and identification of all files takes place.
2.1.5 Determine how alien files are identified and what other physical files reside in the library and
then question the person responsible for storage of physical media about their use.
2.2 2.2.1 Establish who has custody of electronic media for each area where fundamental systems and
system software are held within the IT department and within key user departments with local
installations. Check whether their duties are defined in writing and that these seem to be
comprehensive and up to date.
2.2.2 View the arrangements for accessing electronic media where fundamental systems are
processed.
2.3 2.3.1 Review the procedures in place to discourage unauthorised copying of PC programs and data
files and assess their adequacy.
3.1 3.1.1
Establish who is responsible for the password facility within each IT installation and how they
allocate passwords. Check whether procedures are defined in the IT security policy.
3.1.2
Check that both a personal identifier and a password are required to enter the system.
3.1.3
Ask whether passwords for fundamental systems are made unique and cannot be shared.
3.2 3.2.1
Check whether there is evidence of passwords being displayed in offices or generally being
made public. Find out if users appreciate the need to protect their passwords and that they
have been given guidance on password construction.
3.2.2
Find out if passwords are displayed on screens.
3.3 3.3.1
Check whether the system can force compliance with a password policy through:
1.1 1.1.1 Obtain a copy of the organisations IS/IT strategy and corporate business plans and assess
whether the IS/IT strategy will support them.
Determine whether the network strategy can meet the stated aims of the organisation,
1.1.2
whether it has the backing of senior management and whether its implementation is included
in an approved development programme.
1.2 1.2.1
Determine who has responsibilities for the network and whether they have received adequate
and appropriate training.
1. 1.3. Determine what instruction users have received on general usage of the network are
3 1
instructions reflected in guidance on the use of specific applications?
1.3. Ask whether there is a defined training programme explaining users responsibilities when
2
using the network.
1.3.3
Examine whether there are instructions documented in an up-to-date user guide and whether
such guidance includes security issues.
1. 1.4. Find out if the network administration staff are experienced in the area of network
4 1
management and control.
1.4. Identify and assess the level of training provided and that planned.
2
1. 1.5. Identify what network device configuration documentation is available and what procedures
5 1
are in place to ensure that the documentation is kept up to date and accurate.
1.5. Check a sample of the configuration information available to ensure that it is actually up to
2
date.
1.5.3
Ensure that the internet connection is properly documented and that the document is up to
date and includes all of the internet services in use, as specified in the internet policy.
1. 1.6. Ascertain what network usage information is available, the use to which it is put, what
6 1
reporting and forecasting takes place, and what remedial action is taken if performance of the
network and integrity of data is threatened.
1.6 1.6.2
Review network traffic reports to assess whether monitoring is adequate, eg do reports
include:
1.6. Find out how the network has changed since its installation and how the network is to be
4
developed to meet future needs. Ask whether a network action plan is in place to ensure that
future needs will be met.
1.6.5
Identify whether active intrusion detection is used and what policies have been implemented.
1.6.6
Identify and review whether there is a security breach action plan for the organisation, ie
action to be taken by the organisation should network attacks be identified.
1. 1.7. Check that the appropriate contracts and service level agreements exist and have been
7 1
signed off by authorised representatives of all parties.
1.7. Ensure that the contracts and service level agreements cover all aspects of the network
2
service provision and that the interests of the organisation are adequately protected as the
customer of the service.
1.7.3
Check that there is a regular review process for the service between the parties and that the
agreements are updated according to changes in business needs.
2. 2.1. Ask if there are explicit rules governing connection of equipment to the network. Check
1 1
whether this covers the types of equipment, associated software and staff carrying out the
work, and how details of the connection are recorded.
2.1.3
Identify whether there is a policy governing the use of the internet by employees, business
partners and clients. If there is a policy, identify how this is communicated, monitored and
enforced.
2. 2.2. Identify all permanent and temporary network connections in place and how connections are
2 1
controlled.
2.2. Assess the arrangements for allocating and monitoring user access. A listing of all users and
2
their access restrictions should be requested and examined for reasonableness.
2.2.3
Check arrangements for allocating lines and validating remote users, particularly where
modems are left switched on at all times.
2. 2.3. Ask what checks are made to detect unauthorised attachment to the network.
3 1
2.3.2
Ask whether any monitoring of the type and content of network traffic takes place.
3. 3.1. Identify whether the organisation has a policy on the use of encryption for the transmission of
1 1
confidential data.
3.1. Ask whether encryption is used where sensitive or business-critical data is being transferred
2
across the network.
3.1.3
Identify whether the encryption key is adequately protected, and if not, whether the
protection provided by encryption is affected.
3.1.4
Identify whether controls are in place to ensure that passwords and data are only transmitted
across the network in an encrypted manner.
3. 3.2. Determine what the organisation has done to prevent service denial attacks.
2 1
3.2. Check that modems, routers and bridges are configured to minimise the risk of unauthorised
2
access.
3.2.3
Review a sample of routers to ensure that access to router configuration menus is restricted.
3.2.4
Ask whether the firewall has been configured to detect excessive network traffic from any one
source.
3.2.5
Ask whether the internal network has been configured or partitioned to protect particularly
sensitive business systems.
3. 3.3. Examine network diagrams (topologies) for evidence that shortest route methodologies have
3 1
been adopted.
3.3. Ensure all attempts have been made to direct data traffic along the most efficient route (if
2
possible use network traffic monitoring tools to help ensure this control).
4. 4.1. Consider the physical security afforded to file servers, workstations, terminals and lines and
1 1
other network equipment. Attempt to follow lines and note any vulnerable points.
4.1. Get details of individuals who have access to vulnerable areas and assess the
2
reasonableness of this access and any security weaknesses this raises.
4. 4.2. Ask about arrangements for maintaining inventories of networked computer facilities and
2 1
keeping them up to date.
4.2. Obtain maintenance agreements and compare the equipment covered by them with the
2
inventories to ensure that an acceptable level of cover is available in the event of failure or
damage.
4.2. Ensure that all network devices are on the inventory.
3
4.2. Determine call-out arrangements for engineers, including agreed times for obtaining service.
4
4.2.5
Check insurance policies, the risks that they cover and whether networked and departmental
facilities outside the main computer centre are included. Also, compare insurance policies
with leasing agreements to check whether the latter include insurance cover.
4. 4.3. Ascertain whether any guidance is provided by the IT department on the creation of back-up
3 1
copies and the extent to which this is mandatory and followed at remote sites.
4.3. Determine the location, date and identity of the latest full back-up copy of the network
2
management software.
4.3.3
Find out what controls are in place to stop unauthorised examination and amendment of
networking protocols and settings.
4. 4.4. Look for evidence that management has considered risks and that back-up procedures and
4 1
up-to-date contingency plans exist. There should also be evidence that back-up procedures
are adhered to, that the contingency plans are tested and comprehensive, and that faults are
reported, recorded, and investigated promptly.
4.4. Identify alternative routings available across the network and assess whether they are
2
adequate in the event of one or more lines or connection points failing. Ask whether automatic
re-routing in the event of failure is provided.
Internet Controls: Risk Identifier
CONTROL OBJECTIVE CONTROL RISK ICQ REF
TRANSACTION RECORDING AND PROCESSING
1 Use of the e-mail facility is well 1.1 An e-mail usage policy has been 1.1
defined and managed to minimise documented, setting out a practical
inappropriate, inefficient and framework for staff whilst ensuring
insecure activities. the confidentiality, availability and
integrity of the organisations network
and computer systems.
1.2 Guidance is given on personal use of 1.2
the e-mail facility.
1.3 Managerial and electronic processes 1.3
are in place to monitor and detect
inappropriate use of the e-mail
facility.
1.4 Action is taken when breaches of the 1.4
e-mail policy are detected.
2 Access to and use of the internet for 2.1 An internet usage policy has been 2.1
information searching is well defined documented, setting out a practical
and managed to minimise framework for staff whilst ensuring
inappropriate, inefficient and the confidentiality, availability and
insecure activities. integrity of the organisations network
and computer systems.
changes to existing processing which may require an amendment to the register entry
check that disciplinary procedures take account of the requirements of the Data
Protection Act and are enforced
check that printed output containing personal data is stored and disposed of securely.
Project Management: Risk Identifier
CONTROL OBJECTIVE CONTROL RISK ICQ
REF
TRANSACTION RECORDING AND PROCESSING
1 All proposed projects comply with the 1.1 Projects comply with the IS/IT 1.1
IS/IT and business strategies. strategy and respond to business
needs.
1.2 Project development standards and 1.2
policies have been defined and
adopted.
2 Ownership and management of the 2.1 An IS/IT strategy team reviews and 2.1
project are clearly defined. approves projects.
2.2 A project management team is 2.2
appointed.
2.3 A project manager is appointed for 2.3
each project.
3 A business case and project plan are 3.1 A business case is compiled by the 3.1
prepared. budget holder/user and reflects all
direct and indirect costs and
benefits.
3.2 A comprehensive feasibility study is 3.2
prepared for approval.
3.3 A project plan is agreed by the 3.3
budget holder/user and
developer/provider.
3.4 Structured procedures exist for 3.4
small-scale projects.
3.5 Financial control is exercised 3.5
throughout the project.
3.6 The project has appropriate 3.6
approval to proceed.
4 Design, development, testing and 4.1 The selection of the 4.1
implementation phases are clearly developer/provider complies with
defined. sound tendering practice.
4.2 A contract/SLA is agreed between 4.2
the budget holder and
developer/provider.
4.3 All legal obligations are known to all 4.3
parties and are complied with.
4.4 Project design reflects the optimum 4.4
use of available technology and
techniques and security and control
considerations.
4.5 Installation, testing and acceptance 4.5
are agreed by the user and provider.
4.6 Documentation is developed to the 4.6
agreed standard and delivered
within the agreed timescale.
4.7 Staff are properly trained in the 4.7
system.
5 A post-implementation review is 5.1 A post-implementation review is 5.1
planned and undertaken. undertaken within an agreed period.
Project Management: Internal Control Questionnaire
RISK ICQ CONTROL ANSWER COMMENTS CT
ID CTL REF Y N
1.1 1.1 Do projects comply with the IS/IT strategy and respond to business 1.1.1
needs? 1.1.2
1.2 1.2 Have project development standards and policies been defined and 1.2.1
adopted? 1.2.2
2.1 2.1 Does an IS/IT strategy team review and approve projects? 2.1.1
2.1.2
2.2 2.2 Is a project management team appointed? 2.2.1
2.2.2
2.3 2.3 Is a project manager appointed for each project? 2.3.1
2.3.2
2.3.3
3.1 3.1 Is there a business case compiled by the budget holder/user and does 3.1.1
it reflect all direct and indirect costs and benefits? 3.1.2
3.1.3
3.2 3.2 Is a comprehensive feasibility study prepared for approval? 3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.3 3.3 Is a project plan agreed by the budget holder/user and 3.3.1
developer/provider? 3.3.2
3.3.3
3.4 3.4 Do structured procedures exist for small-scale projects? 3.4.1
3.4.2
3.4.3
3.5 3.5 Is financial control exercised throughout the project? 3.5.1
3.5.2
3.6 3.6 Has the project appropriate approval to proceed? 3.6.1
3.6.2
3.6.3
4.1 4.1 Does the selection of the developer/provider comply with sound 4.1.1
tendering practice?
4.2 4.2 Is a contract/SLA agreed between the budget holder and 4.2.1
developer/provider?
4.3 4.3 Are all legal obligations known to and complied with by all parties? 4.3.1
4.4 4.4 Does project design reflect the optimum use of available technology 4.4.1
and techniques and security and control considerations? 4.4.2
4.4.3
4.4.4
4.5 4.5 Are installation, testing and acceptance agreed by the user and 4.5.1
provider? 4.5.2
4.5.3
4.5.4
4.5.5
4.6 4.6 Is documentation developed to the agreed standard and delivered 4.6.1
within the agreed timescale? 4.6.2
4.6.3
4.7 4.7 Are staff properly trained in the system? 4.7.1
4.7.2
4.7.3
5.1 5.1 Is a post-implementation review undertaken within an agreed period? 5.1.1
Project Management: Compliance Tests
ICQ REF CT REF COMPLIANCE TEST WORKING PAPERS
1.1 1.1.1
Test a selection of recently developed systems against the IS/IT strategy; if any appear not to
comply, ask for an explanation.
1.1.2
Test a selection of projects under development against the IS/IT strategy; and if any appear not
to comply, ask for an explanation.
1.2 1.2.1
Establish whether PRINCE2 or a similar defined project management methodology has been
adopted by the organisation.
1.2.2
Where project development standards and procedures have not been defined, ask how project
management is controlled and reviewed.
2.1 2.1.1
Enquire whether a corporate IT strategy group reviews significant project proposals and, if so,
review the process for a recent bid.
2.1.2 Enquire whether departmental IT strategy groups review significant project proposals
within their own departments and, if so, review the process for a recent bid.
2.2 2.2.1
Ask whether project management teams are created and identify their responsibilities.
2.2.2
Select a particular project and identify the activities of the team and their management of the
project.
2.3 2.3.1
Check whether a project manager is appointed for significant projects.
2.3.2
Identify a current project and discuss the project managers approach to the project.
2.3.3
Assess whether the project manager has the necessary skills.
3.1 3.1.1
Ask for a copy of a recently completed projects business case and assess whether it provided
sufficient information on which to base a decision to proceed or not.
3.1.2
Check whether the milestones appear viable.
3.1.3
Determine whether control and auditability issues have been considered.
3.2 3.2.1
Determine whether there are formal procedures for preparing a feasibility study.
3.2.2
Determine who has responsibility for the preparation of such studies.
3.2.3
Ask for a copy of a recently completed project's feasibility study and assess whether it provided
sufficient information on which to base a decision to proceed or not.
3.2.4
Ask for a copy of a current projects feasibility study and assess whether it provides sufficient
information on which to base a decision to proceed or not.
3.2.5
Determine whether the study includes all relevant subject areas.
3.2.6
Check whether the milestones appear viable.
3.2.7
Determine whether control and auditability issues have been considered.
3.2.8
Identify whether decisions are taken on the way forward as a consequence of the feasibility
study.
3.3 3.3.1
Check that the project plan includes clearly defined milestones and that the project manager
uses a sound process for tracing progress against these milestones.
3.3.2
Check that appropriate implementation plans have been drawn up.
3.3.3
Review the methods used to estimate the time and resources required to complete tasks.
3.4 3.4.1
Establish what procedures are followed by user departments for small-scale acquisitions.
3.4.2
Determine whether there are adequate procedures to ensure that all equipment is compatible
and conforms to the IT strategy.
3.4.3
Determine whether the user has provided a specification of requirements, that the tendering
and selection procedures are adequate, and that adequate maintenance and insurance cover
is arranged.
3.5 3.5.1
Check that the project plan includes budgetary milestones and that these are monitored by the
project manager.
3.5.2
Enquire what process is adopted if the costs exceed the budget.
3.6 3.6.1
Determine whether formal approval has been given to proceed with the acquisition.
3.6.2
Check that approvals are sought, where necessary, in accordance with the organisations
policy.
3.6.3
Check that those giving approval have the required level of authority.
4.1 4.1.1
Refer to the guidance in Chapter 21, Procurement of IT Facilities, and check that the selection
and tendering procedures follow good practice.
4.2 4.2.1
Refer to Chapter 23, Outsourcing, and Chapter 21, Procurement of IT Facilities, for information
on SLAs and IT contracts and check that all business-critical projects have such arrangements
effectively in place.
4.3 4.3.1
Check that the project manager is aware of any legal obligations relating to the acquisition and
use of IT facilities.
4.4 4.4.1
Check that the functional specification:
adequately reflects and defines user requirements
includes requirements for security and controls
has been agreed and accepted by all parties concerned.
4.4.2
Check the specification and other documentation to see that:
all objectives have been stated and quantified
the specification conforms to standards
all agreements are evidenced in writing.
4.4.3
Examine the technical design documents and verify that:
the design specification complies with IT standards
the design specification reflects the user requirements and that all changes have
been agreed and documented
all technical controls governing file and data organisation have been defined
all security controls over input, processing and output have been included.
4.4.4
Check that externally acquired software will meet the requirements of the user; also check the
operational requirements of the IT facilities and that the package provides satisfactory security
and control features.
4.5 4.5.1
Check the extent of the test plan including interfaces, restarts, re-runs, and back-ups.
4.5.2
See evidence that all the tests have been satisfactorily completed and conducted in
accordance with established standards.
4.5.3
Check that manual procedures are tested.
4.5.4
Establish that users are aware of the significance of controls, their control responsibilities and
the requisite error correction procedures.
4.5.5
Ensure that the recovery and back-up procedures have been adequately tested.
4.6 4.6.1
Check that documentation is identified within the project plan and that it is completed on time
and to the agreed standard.
4.6.2
Ensure that the user guides are clear, unambiguous and easy to understand.
4.6.3
Check that there are procedures for ensuring that the documentation is monitored and
improved.
4.7 4.7.1
Check that training requirements have been identified, and a training plan established.
4.7.2
Ask whether a system has been established to review the effectiveness of training.
4.7.3
Interview a sample of users and obtain their opinion on the effectiveness of the training
received.
5.1 5.1.1
Refer to Chapter 18, Post-Implementation Review, and Chapter 17, Change Control.
Application Controls: Risk Identifier
CONTROL OBJECTIVE CONTROL RISK ICQ REF
TRANSACTION RECORDING AND PROCESSING
1 Each transaction is authorised, 1.1 Transactions are from recognised 1.1
complete, accurate, timely and input sources.
once only.
1.2 Control is established over 1.2
transactions at the earliest
opportunity.
1.3 Transactions are explicitly authorised 1.3
by either manual or electronic
means.
1.4 Proper control is exercised over 1.4
access to application systems.
1.5 Input and authorisation functions are 1.5
restricted and separated.
1.6 Input of parameters for processing 1.6
and other standing data is strictly
controlled.
1.7 Data is subject to validation for 1.7
completeness and accuracy at input
stage.
1.8 There are clear procedures for data 1.8
items rejected on input.
1.9 Clear timetables for input exist and 1.9
are adhered to.
1.10 Checks are made to detect possible 1.10
duplicate input records.
2 An appropriate level of control is 2.1 A clear processing schedule exists 2.1
maintained during processing to and is understood by users and
ensure completeness and accuracy operations staff.
of data.
2.2 All data, including that transferred 2.2
from other systems, is subject to
appropriate validation during
processing.
2.3 Data is processed by the correct 2.3
programs and written to the correct
files.
2.4 Programs provide confirmation that 2.4
processing has been completed
successfully, or recovery and
resubmission procedures exist to
deal with abnormal terminations.
2.5 Assurance is provided that all 2.5
records have been processed.
2.6 Procedures exist for handling 2.6
records rejected by application
programs.
3 Controls ensure the accuracy, 3.1 Staff responsible for handling output 3.1
completeness, confidentiality and carry out checks to ensure its
timeliness of output reports and completeness and reasonableness.
interfaces.
3.2 Output is identified and includes 3.2
information that demonstrates
completeness.
3.3 Distribution of output procedures 3.3
ensure that it goes to the correct
location/users and that confidentiality
is maintained.
3.4 The usefulness of output is kept 3.4
under review.
3.5 Confidential output is disposed of 3.5
securely.
how access controls are set up within the application, and whether the person responsible
is able to obtain access to input and authorisation transactions
whether the access hierarchy in existence reflects responsibilities and desired separation
of duties
bulky printouts, and consider whether they are needed in full, eg whether summary
information is all that is used, while details could be suppressed
paper output that is keyed into a spreadsheet, and could be downloaded direct to the
PC
ensuring that all appropriate reports are enabled within packaged systems.
3.5 3.5.1
Find out whether retention and disposal of confidential output is included in IT security
guidelines and user instructions for specific applications. Assess the appropriateness of this
guidance.
3.5.2
Review procedures for disposing of confidential output, whether it is held on paper or other
media.
4.1 4.1.1
Examine listings of input records to see what identifiers are used for the origin of each record
and consider whether these provide unique and sufficient information for each. If the
information does not appear to be adequate, examine the appropriate record definitions to see
if further fields are held on the file but not printed. The audit trail might then be followed by use
of retrieval software.
4.1.2
Establish how the listings/trails are used and consider where they are reviewed sufficiently
regularly.
4.2 4.2.1
Attempt to trace input documents to data held on computer files, and records on output reports
to original documents. Use retrieval software if necessary.
4.3 4.3.1
Review the output from an application and find out whether listings are produced or can be
generated which substantiate reported control totals. If there is none, consider the use of
retrieval software to extract the necessary records, though if this is necessary, it is clear that
the auditor must conclude that controls are not operating effectively.
4.4 4.4.1
Follow up and agree reconciliations between financial systems. Where none has been carried
out, attempt them using standard reports or retrieval software if necessary.
4.4.2
Examine the extent to which such reconciliations are or could be automated and whether error
reports or rejections are generated as a result.
4.5 4.5.1
Walk through the interfacing procedures between systems to establish the effect of rejections
on both the sending and the receiving systems.
4.6 4.6.1
Ascertain how amendment and deletion facilities function within the system and the method by
which the history of transactions is maintained.
4.7 4.7.1
Ascertain from systems manuals the options for maintaining audit trail facilities, printing reports
and retention of trail files.
5.1 5.1.1
Examine operations manuals and other system documentation to ascertain whether files are
backed up during processing and programs include restart points. Check that they are used in
practice by examining job journals for a sample of procedures.
5.2 5.2.1
Ascertain what database integrity checks are available from system documentation. Find out
from operations staff how often they are run and whether a complete back-up of the database
is retained from one check to the next.
5.2.2
Check from the appropriate job journal (if available) whether the integrity check was completed
successfully and, if not, what rectification action was taken.
5.3 5.3.1
Examine operators instructions to see whether procedures are laid down for dealing with failed
jobs. Also, check with users to ensure that they are aware of these procedures and know what
their responsibilities are in such circumstances.
5.3.2
Seek evidence that procedures have been successfully tested, including the use of stored,
back-up data and programs to restore systems.
Change Control: Risk Identifier
CONTROL OBJECTIVE CONTROL RISK ICQ
REF
TRANSACTION RECORDING AND PROCESSING
1 Arrangements for amending 1.1 Change control standards exist and 1.1
production software conform to define how amendments should be
agreed standards. carried out and documented.
1.2 All IT support staff have a copy of 1.2
standards detailing how program
changes should be recorded.
1.3 Documentation is updated. 1.3
1.4 A quality assurance procedure is 1.4
undertaken to ensure compliance
with standards.
2 Program changes are authorised and 2.1 Owners of data are responsible for 2.1
actioned in a controlled environment. authorising changes, accepting
amendments for testing, and
authorising implementation.
2.2 Development and maintenance 2.2
work is performed in a separate
environment from production work.
The movement of files between
these areas is strictly controlled.
2.3 When program amendments are 2.3
made outside normal working hours,
a log of activities is maintained and
checked by management.
Change Control: Internal Control Questionnaire
RISK ICQ CONTROL ANSWER COMMENTS CT
ID CTL REF Y N
1.1 1.1 Do change control standards exist and define how amendments should 1.1.1
be carried out and documented? 1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.2 1.2 Do all IT support staff have a copy of standards detailing how program 1.2.1
changes should be recorded?
1.3 1.3 Is documentation updated? 1.3.1
1.4 1.4 Is a quality assurance procedure undertaken to ensure compliance with 1.4.1
standards?
2.1 2.1 Are owners of data responsible for authorising changes, accepting 2.1.1
amendments for testing, and authorising implementation? 2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.2 2.2 Is development and maintenance work performed in a separate 2.2.1
environment from production work? Is the movement of files between 2.2.2
these areas strictly controlled? 2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.3 2.3 When program amendments are made outside normal working hours, 2.3.1
is a log of activities maintained and checked by management? 2.3.2
Change Control: Compliance Tests
ICQ REF CT REF COMPLIANCE TEST WORKING PAPERS
1.1 1.1.1
Request a copy of the change control standard and check when it was last updated to see if it
appears up to date.
1.1.2
Review standards to assess whether initiation, programming and updating processes are
adequately separated and cannot be undertaken by a single user in smaller systems.
1.1.3
Establish who is responsible for defining change control standards and when the arrangements
were last reviewed.
1.1.4
Check whether the standards have been made known to all development staff and to any staff
in user departments who may undertake development work.
1.1.5
Verify that suitable arrangements exist for packaged software support to be provided securely
over remote dial-in by vendors.
1.1.6
Ask some staff whether they are aware of their responsibilities.
1.1.7
Check whether newly appointed staff are made aware of their responsibilities. (This may be
done during any initial training sessions.)
1.1.8
Observation and conversations with staff should indicate whether change control procedures
are regarded as important and evidence of compliance should be found in review of change
control request forms and user sign-off of program changes.
1.1.9
Ensure that arrangements are in place for smaller-scale changes and that these are used
appropriately.
1.2 1.2.1
Ask to see the program standards and check when they were last updated to determine if they
seem up to date.
1.3 1.3.1
Examine a sample of system documentation for a number of recent program changes.
1.4 1.4.1
Determine whether a quality assurance function is in place and, if so, consider its adequacy;
review a sample of program changes to ensure that they have been subject to the formal
quality assurance process.
2.1 2.1.1
Check that the system permits amendments to the masterfile.
2.1.2
Check that the system provides different levels of password control to authorise master file
amendments (eg superuser).
2.1.3
Ask if details of all master file amendments are automatically printed and that these are shown
to be a complete record of such changes.
2.1.4
Check who is responsible within each installation for testing amendments, who supervises such
activities and when these arrangements were last reviewed.
2.1.5
Check who is responsible within each installation for signing off program amendments and
when the arrangements were last reviewed.
2.1.6
Select a recent amendment and check that the correct processes were followed.
2.1.7
Ask if the audit trail is sufficiently protected so as to prevent it from being edited or deleted.
2.1.8
Examine a selection of change request forms to ensure that the proposals for change have
been costed and timetabled. These details should be recorded on the change request form.
2.2 2.2.1
Ask the development manager and system programmer how access to production programs
and data is restricted.
2.2.2
Establish who is responsible within each installation for separating test and production libraries
and when the arrangements were last reviewed.
2.2.3
Check whether a statement of responsibilities has been distributed and whether it is up to date.
2.2.4
Establish who is responsible within each installation for moving test files to production libraries
and when the arrangements were last reviewed.
2.2.5
Establish who is responsible within each installation for copying production files to test libraries
and when the arrangements were last reviewed.
2.2.6
Establish whether such procedures apply in user departments applying their own change
control.
2.2.7
Obtain details of recent program changes and check to see that the previous copies of the
programs are stored on the system and that other laid-down procedures have been followed.
2.3 2.3.1
Establish who is responsible within each installation for emergency amendments and who
subsequently verifies the amendments. Check when these arrangements were last reviewed.
2.3.2
Review a selection of out-of-hours activities to ensure that these relate to valid program
changes.
Post-Implementation Review: Risk Identifier
CONTROL OBJECTIVE CONTROL RISK ICQ REF
TRANSACTION RECORDING AND PROCESSING
1 The project complied with the 1.1 Procedures are in place and 1.1
organisation's project management followed to ensure compliance with
standards and processes. the IT strategy, procurement policy
and project management
procedures.
1.2 The system was fully tested and 1.2
documented.
1.3 Agreed changes have been properly 1.3
authorised and implemented.
1.4 Processes are in place to ensure 1.4
that all staff are adequately trained.
2 The project outcome met the 2.1 Users are satisfied that the project 2.1
requirements of users. outcome provides the level of
functionality expected.
2.2 The performance of the project 2.2
outcome met expectations.
3 The project justified the cost in terms 3.1 Actual costs and benefits matched 3.1
of actual benefits. expectations.
Post-Implementation Review: Internal Control Questionnaire
RISK ICQ CONTROL ANSWER COMMENTS CT
ID CTL REF Y N
1.1 1.1 Are procedures in place and followed to ensure compliance with the IT 1.1.1
strategy, procurement policy and project management procedures? 1.1.2
1.1.3
1.2 1.2 Was the system fully tested and documented? 1.2.1
1.3 1.3 Have agreed changes been properly authorised and implemented? 1.3.1
1.3.2
1.4 1.4 Are processes in place to ensure that all staff are adequately trained? 1.4.1
2.1 2.1 Are users satisfied that the project outcome provided the level of 2.1.1
functionality expected? 2.1.2
2.1.3
2.1.4
2.1.5
2.2 2.2 Has the performance of the project outcome met expectations? 2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
3.1 3.1 Have actual costs and benefits matched expectations? 3.1.1
3.1.2
3.1.3
Post-Implementation Review: Compliance Tests
ICQ REF CT REF COMPLIANCE TEST WORKING PAPERS
1.1 1.1.1
Ask to see the IT strategy and procurement policy and confirm that the project complies with
them. Any deviations from the strategy and policy should have been identified, documented
and their implications understood.
1.1.2
Review the adequacy of the organisations procurement policy/regulations.
1.1.3
Enquire whether the regulations have been followed and any deviations properly documented
and authorised.
1.2 1.2.1
Ensure that test plans have been compiled covering all functions. The plans should detail the
test, the expected result and the actual result. By observation and conversation the auditor
should ensure that staff responsible for testing have the appropriate skills and business
knowledge.
1.3 1.3.1
Examine any requested amendments to the system.
1.3.2 Enquire whether:
the cost and benefits of each project change request are reviewed
training methodologies have been identified evaluated and the most appropriate
selected
a system has been established to review the effectiveness of training.
In addition, it may be beneficial for the auditor to interview a sample of users and obtain their
opinion on the effectiveness of the training received.
2.1 2.1.1
Ask to see a copy of the system specification and check with users that the project was well
understood and the primary objectives and scope of the system had been identified; that a
project appraisal and selection team was established; and that the members of the project
appraisal and selection team had appropriate skills and abilities.
2.1.2
Check that the requirements were signed off as acceptable by the users of the system. Seek
explanations of the reasons why individual requirements were excluded.
2.1.3
Consider whether the functionality delivered has been accompanied by adequate controls in
such areas as application control and security.
2.1.4
Observation of and conversation with staff about day-to-day operations should identify, for
example, whether the incidence of errors has diminished, whether working conditions have
improved and whether the improvements promised in the specification stage have been
realised.
2.1.5
Determine whether a systematic survey of users has been undertaken to establish user
satisfaction.
2.2 2.2.1
Critically examine the operational running costs of the system.
2.2.2
Assess the staff resources required to support the system. Compare with estimates made at
the feasibility requirements stage.
2.2.3
Identify any system turnaround delays.
2.2.4
Review error rates for input data capture.
2.2.5
Review the number of reported programming errors.
3.1 3.1.1
Check that a cost benefit analysis has been carried out and any assumption documented. The
cost benefit analysis should have ensure that:
the costs are assessed over a period greater than one year