IT Audit Check List
No. Description Yes No N/A
Audit Objective
- Does the organization of data processing provide for adequate segregation of duties?
Audit Procedures
- Review the company organization chart, and the data processing department organization chart.
3 Has the company developed an IT strategy linked with the long and medium term plans?
4 Is the EDP Department independent of the user department and in particular the accounting department?
5 Are there written job descriptions for all jobs within the EDP department, and are these job descriptions communicated to designated employees?
6 Are EDP personnel prohibited from having incompatible responsibilities or duties in user departments and vice versa?
7 Are there written specifications for all jobs in the EDP Department?
8 Are the following functions within the EDP Department performed by separate sections:
- System design?
- Application programming?
- Computer operations?
- Database administration?
- Systems programming?
- Data entry and control?
9 Are the data processing personnel prohibited from duties relating to:
- Initiating transactions?
- Recording of transactions?
- Master file changes?
- Correction of errors?
10 Is all processing pre-scheduled and authorized by appropriate personnel?
11 Are there procedures to evaluate and establish who has access to the data in the database?
12 Are the EDP personnel adequately trained?
13 Are systems analysts and programmers denied access to the computer room and limited in their operation of the computer?
14 Are operators barred from making changes to programs and from creating or amending data before, during, or after processing?
15 Is the custody of assets restricted to personnel outside the EDP department?
16 Is a strategic data processing plan developed by the company for the achievement of the long-term business plan?
17 Are there any key personnel within the IT department whose absence can leave the company with limited expertise?
18 Are there any key personnel who are being over-relied upon?
19 Is an EDP audit carried out by internal audit or an external consultant to ensure compliance with the policies and controls established by management?
Audit Objective
- Development and changes to programs are authorized, tested, and approved, prior to being placed in production.
- Obtain an understanding of any program library management software used.
C SYSTEM DEVELOPMENT
D PURCHASED SOFTWARE
1 Are there procedures addressing controls over the selection, testing and acceptance of packaged software?
2 Is adequate documentation maintained for all software purchased?
3 Are vendor warranties (if any) still in force?
4 Is the software purchased held in escrow?
5 Are backup copies of user/operations manual kept off-site?
Audit Objective
- Is access to data files restricted to authorized users and programs?
- Access to Data
9 Are encryption techniques used to protect against unauthorized disclosure or undetected modification of sensitive data?
10 Are returns followed up and non-returns investigated and adequately documented?
F COMPUTER PROCESSING
G ACCESS CONTROLS
Audit Objective
- Do controls provide reasonable assurance that for each transaction type, input is authorized, complete and accurate, and that errors are promptly corrected?
2 Are all batches of transactions authorized?
Audit Objective
- The controls provide reasonable assurance that transactions are properly processed by the computer and output (hard copy or other) is complete and accurate, and that calculated items have been accurately computed:
1 Where output from one system is input to another, are run-to-run totals, or similar checks, used to ensure no data is lost or corrupted?
2 Are there adequate controls over forms that have monetary value?
3 Is maximum use made of programmed checks on limits, ranges, reasonableness, etc., and are items that are detected reported for investigation?
4 Where calculations can be 'forced', i.e. bypass a programmed check, are such items reported for investigation?
5 Where errors in processing are detected, is there a formal procedure for reporting and investigation?
6 Is reconciliation between input, output and brought-forward figures carried out and differences investigated?
7 Are suspense accounts checked and cleared on a timely basis?
8 Are key exception reports reviewed and acted upon on a timely basis?
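The run-to-run totals asked about in item 1 and the input/output/brought-forward reconciliation in item 6 are controls an auditor can test mechanically rather than by enquiry alone. The Python below is an added illustration, not part of the checklist, showing one way such a check is built: a batch carries a record count, an amount total and a hash total of account numbers from the sending system to the receiving one, any difference is reported, and the brought-forward balance plus the input total is compared with the closing figure the receiving system reports. The transaction records, account numbers and balances are constructed sample data, and a hash total on account numbers is one common choice among several.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample batch: output of system A, passed as input to system B.
SENT = [
    {"id": "T001", "account": 10234, "amount": Decimal("250.00")},
    {"id": "T002", "account": 20891, "amount": Decimal("-75.50")},
    {"id": "T003", "account": 30017, "amount": Decimal("1200.25")},
]
# Constructed failure cases: a record lost in transit, and a transposed account
# number (20891 -> 20981) that leaves record count and amount total unchanged.
DROPPED_IN_TRANSIT = SENT[:2]
ACCOUNT_SUBSTITUTED = [SENT[0], {**SENT[1], "account": 20981}, SENT[2]]
# Constructed brought-forward balance and two closing figures reported by system B.
BROUGHT_FORWARD = Decimal("1000.00")
REPORTED_CLOSING = Decimal("2374.75")   # agrees with brought forward + input
MISKEYED_CLOSING = Decimal("2374.57")   # transposed digits, should be flagged


@dataclass(frozen=True)
class ControlTotals:
    record_count: int      # completeness: were all records carried across?
    amount_total: Decimal  # accuracy: were monetary fields altered?
    hash_total: int        # sum of account numbers; meaningless as a figure, but it
                           # catches substitutions that leave count and amount intact


def control_totals(records):
    """Compute the batch control totals recorded at the end of a run."""
    return ControlTotals(
        record_count=len(records),
        amount_total=sum((r["amount"] for r in records), Decimal("0")),
        hash_total=sum(r["account"] for r in records),
    )


def run_to_run_check(sent, received):
    """Compare totals across a system boundary; return discrepancies (empty list if clean)."""
    a, b = control_totals(sent), control_totals(received)
    issues = []
    if a.record_count != b.record_count:
        issues.append(f"record count {a.record_count} sent vs {b.record_count} received")
    if a.amount_total != b.amount_total:
        issues.append(f"amount total {a.amount_total} sent vs {b.amount_total} received")
    if a.hash_total != b.hash_total:
        issues.append(f"hash total {a.hash_total} sent vs {b.hash_total} received")
    return issues


def reconcile(brought_forward, records, reported_closing):
    """Brought forward + input should equal output; return the difference (zero when reconciled)."""
    expected_closing = brought_forward + control_totals(records).amount_total
    return expected_closing - reported_closing


if __name__ == "__main__":
    cases = [("clean", SENT), ("dropped", DROPPED_IN_TRANSIT), ("substituted", ACCOUNT_SUBSTITUTED)]
    for label, received in cases:
        print(label, run_to_run_check(SENT, received) or "totals agree")
    print("difference (reported):", reconcile(BROUGHT_FORWARD, SENT, REPORTED_CLOSING))
    print("difference (mis-keyed):", reconcile(BROUGHT_FORWARD, SENT, MISKEYED_CLOSING))
```

The dropped record trips all three totals, while the transposed account number is caught only by the hash total, which is why a count and a monetary total alone are a weaker control than the checklist item implies. Decimal is used so that the reconciliation difference is exact rather than subject to floating-point rounding.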
J VIRUSES
15 Have all staff been advised of the virus prevention procedures?
K INTERNET
L CONTINUITY OF OPERATIONS
Physical Protection
L.I Fire Hazard
1 Check the safety against fire in the following ways:
- Heat, fire and access protection of sensitive air-conditioning parts (e.g. cooling tower)
- Air intakes located to avoid undesirable pollution
- Back-up air conditioning equipment
- Alarms
- Extinguishers
- Environment monitoring equipment
L.VI Access Control
M ACCESS CONTROL
5 Verification of all items taken into and out of the computer room
7 Critical jobs rotated periodically (e.g. operators, program maintenance).
O INSURANCE
P BACK-UP PROCEDURES
- (e.g. suppliers of equipment, computer time, software)
P.V Tape
P.VI Disc
4 Audit trail (log file) regularly dumped and stored off-site
P.VII Software
P.VIII Operations
6 Critical processing priorities identified (e.g. significant accounting applications)