
SECTION 3: APPENDIX

The IS auditor may use a checklist to ensure that the review is complete. To formalise the auditor's role and practices, a master checklist may be prepared. It is suggested that a master checklist be prepared for every audit, taking into account the nature of the engagement, the type and culture of the organisation, the objectives of the audit and the expectations from the auditor. Using one checklist for all audits carries the risk that the auditor ends up with inappropriate findings and that the auditor's report does not add value to the organisation.

This is a general checklist. For additional information, readers may visit the websites of the Institute of Internal Auditors (www.theiia.org), ISACA (www.isaca.org) and similar organisations, which have done exhaustive research in developing suitable audit programs for various technologies and SDLC projects. The IS auditor may add further columns (control description, documents inspected, evidence collected, tests performed, result of analysis, conclusion on design, conclusion on operating effectiveness of controls and overall finding) to this checklist to convert it into an audit work paper document.

Table 8.1 is a sample checklist. Its columns are Sl. No., Checkpoints, SDLC Phase and Remark; each row is shown below with the checkpoint first, followed by the SDLC phase and any remark.

1. Whether the information system acquisition and/or development policy and procedure are documented?
   Remark: General questions cover essential information about the control environment within the organisation.

2. Whether the system acquisition and/or development policy and procedure are approved by management?
   SDLC Phase: General (related to Phases 3B to 6B)

3. Whether the policy and procedure cover the following:
   - Problems faced in the existing system and the need for replacement
   - Functionality of the new IS
   - Security needs
   - Regulatory compliance
   - Acceptance criteria
   - Proposed roles and responsibilities
   - Transition/migration to the new IS
   - Interfaces with legacy systems
   - Post-implementation review
   - Maintenance arrangements
   SDLC Phase: General (related to all phases)

4. Whether the policy and procedure documents are communicated to, and available to, the respective users?
   SDLC Phase: General

5. Whether the policy and procedure documents are reviewed and updated at regular intervals?
   SDLC Phase: General

6. Whether the organisation has evaluated the requirements and functionalities of the proposed application?
   SDLC Phase: Phase 1 Feasibility Study; Phase 2 Requirement Definition

7. Whether the organisation carried out a feasibility study in respect of financial, operational and technical feasibility?
   SDLC Phase: Phase 1 Feasibility Study

8. Whether a business case has been prepared listing the benefits against the associated risks, and approved by management?
   SDLC Phase: Phases 1 and 2, Feasibility Study and Requirement Definition

9. Whether the selection of the vendor and the acquisition terms consider:
   - Evaluation of alternative vendors
   - Specification of service levels and deliverables
   - Penalty for delays
   - Escrow mechanism for source code
   - Customisation
   - Upgrades
   - Regulatory compliance
   - Support and maintenance
   SDLC Phase: Phases 3B and 3C

10. Whether the organisation has identified and assigned roles in development activities to appropriate stakeholders?
    SDLC Phase: General

11. Whether the organisation has separate development, test and production environments?
    SDLC Phase: General (mainly related to Phase 6 Testing, Phase 7 UAT and Phase 9 Support)

12. Whether the IS development plan is prepared and approved by management?
    SDLC Phase: Phase 1 Feasibility Study; Phase 3/4 Analysis and Design

13. Whether the testing of the IS:
    - Confirms compliance with the functional requirements
    - Confirms compatibility with the IS infrastructure
    - Identifies bugs and errors and addresses them by analysing root causes
    - Escalates functionality issues at the appropriate levels
    SDLC Phase: Phase 6 Testing

14. Whether adequate documentation exists for:
    - Preserving test results for future reference
    - Preparation of manuals such as the systems manual, installation manual and user manual
    - Obtaining user sign-off/acceptance
    SDLC Phase: Phase 6 Testing

15. Whether the implementation covers the following:
    - User departments' involvement and their role
    - User training
    - Acceptance testing
    - Role of the vendor and period of support
    - Required IS infrastructure plan
    - Risks involved and actions required to mitigate the risks
    - Migration plan
    SDLC Phase: Phase 8 Implementation

16. If the development activities are outsourced, whether the outsourcing activities are evaluated on the basis of the following practices:
    - What is the objective behind outsourcing?
    - What are the in-house capabilities for performing the job?
    - What is the economic viability?
    - What are the in-house infrastructure deficiencies and the time factor involved?
    - What are the risks and security concerns?
    - What are the outsourcing arrangement and the fall-back method?
    - What are the arrangements for obtaining the source code of the software?
    - Reviewing the capability and quality of the software development activities by visiting the vendor's premises
    - Review of the progress of IS development at periodic intervals
    SDLC Phase: Phase 1 Feasibility Study and Phases 3C to 6C; Phase 7 UAT

17. Whether the organisation carried out a post-implementation review of the new IS?
    SDLC Phase: General; Phase 8 Implementation

18. Whether a process exists for measuring the vendors' performance against the agreed service levels?
    SDLC Phase: Phase 6C and Phase 9 Support and Maintenance

19. Whether the post-implementation review results are documented?
    SDLC Phase: Phase 8 Implementation
