
General department of internal audit

Audit checklist for IT general controls

Audit scope:
This audit reviews the general IT controls over [in-scope system] to ensure that the control design is in
place and operates effectively. The audit scope covers the following domains:
A. Logical/physical access management
B. Computer operation
C. Change management

Objectives:
To facilitate the assessment of whether IT general controls are likely to be effective, and to identify the
general controls that require testing. The IT auditor will identify these controls through meetings
with key IT personnel and review of the supporting policies and procedures.

Audit period: 01 January to December 2019

Audit checklist

No Audit Question Yes No N/A Audit comments


A. Logical/Physical Access Management
1. Is there an IT policy or procedure in place?
2. Is there an access control policy?
3. Do controls exist for the user creation, modification and termination processes?
4. Is a user naming convention for the system in place?
5. Are user creation/modification requests made through paper, the system or email?
6. Does the user creation/modification request form require approval from the user's manager/supervisor, the system owner or the IT manager?
7. Are user access rights in the system assigned based on the approved access rights or the role matrix?
8. Are user creation/modification actions in the system performed by IT personnel?
9. Are user IDs and passwords allowed to be shared between users?
10. Are user proxy requests used within the organization?
11. If applicable, is there a procedure for user proxy requests?
12. Does the system automatically revert the proxy permission afterwards?
13. Does user termination from the system require the requestor to fill in the user's details and send them to IT personnel through a paper form, the system or email?
14. Do IT personnel notify management or the requestor that access has been removed from the system as requested?
15. Does the system allow checking the time of a user's last login?
16. Is there an approved access right matrix document in place?
17. Does the access right matrix require approval by the system owner/IT management?
18. Is the access right matrix reviewed periodically (monthly/quarterly/annually)?
19. If the access right matrix is modified after review, is a request approval form required before the changes are made in the system?
20. Does the manager of each department that uses the system periodically review current user access rights (including super user, administrative access and/or generic IDs) to ensure that access remains commensurate with job responsibilities and that inappropriate access is removed in a timely manner?
21. If the user access right review is performed by IT personnel, how do they confirm the appropriateness of the current access rights or permissions? Is the review performed against the approved access right matrix?
22. Do IT personnel provide the relevant business users with an access right report generated from the system for review?
23. If a user's access permissions within the system are modified, is a request approval form required before the change is made in the system?
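The review behind questions 7 and 15-23 compares what the system actually grants with what the access right matrix approves. The following is an added example, not part of the checklist: a small reconciliation over a constructed role matrix and a constructed access right export (the user names, roles, permissions and the 90-day dormancy threshold are all assumptions).

```python
from datetime import date

# Approved access right matrix: role -> permissions signed off by the system owner.
# Constructed sample data.
ROLE_MATRIX = {
    "ap_clerk":   {"invoice.create", "invoice.view"},
    "ap_manager": {"invoice.create", "invoice.view", "invoice.approve"},
    "it_admin":   {"user.manage", "system.config"},
}

# Access right report as exported from the system (question 22):
# user -> (assigned role, permissions actually held, last login). Constructed sample.
SYSTEM_EXPORT = {
    "alice":     ("ap_clerk",   {"invoice.create", "invoice.view"}, date(2019, 12, 2)),
    "bob":       ("ap_clerk",   {"invoice.create", "invoice.view", "invoice.approve"}, date(2019, 11, 20)),
    "carol":     ("ap_manager", {"invoice.approve", "invoice.view"}, date(2019, 6, 1)),
    "dave":      ("contractor", {"user.manage"}, date(2019, 12, 1)),
    "svc_batch": ("it_admin",   {"user.manage", "system.config"}, None),
}

AS_OF = date(2019, 12, 31)  # end of the audit period

def review_access(matrix, export, as_of, dormant_days=90):
    """Return {user: [findings]} for users whose access deviates from the matrix
    or whose ID looks unused (dormant_days is an assumed review threshold)."""
    findings = {}
    for user, (role, perms, last_login) in export.items():
        issues = []
        approved = matrix.get(role)
        if approved is None:
            issues.append(f"role '{role}' not in approved matrix")
            approved = set()
        excess = sorted(perms - approved)          # rights beyond the approved role
        if excess:
            issues.append("permissions beyond matrix: " + ", ".join(excess))
        if last_login is None:
            issues.append("never logged in")
        elif (as_of - last_login).days > dormant_days:
            issues.append(f"dormant: last login {last_login.isoformat()}")
        if issues:
            findings[user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in review_access(ROLE_MATRIX, SYSTEM_EXPORT, AS_OF).items():
        print(f"{user}: " + "; ".join(issues))
```

Users holding fewer rights than their role (carol) are not flagged as excess; only rights beyond the approved role, unknown roles and unused IDs are reported.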
Super user/Administrator
24. What controls are in place over high privilege users (super-user/admin user)? Are the user ID and password kept in a sealed envelope, under dual password control, or held only by IT personnel?
25. If the user IDs and passwords of high privilege users are kept in a sealed envelope, is access to the sealed envelope allowed only to authorised personnel?
26. If high privilege user IDs and passwords are under dual password control, who handles those passwords? Are they authorized personnel?
27. Does the procedure for requesting high privilege user IDs and passwords ensure that only authorized officers are able to log in to the system?
28. Is the system able to record an audit trail or activity log of high privilege users?
29. Is the audit trail or high privilege user activity log enabled in the system?
30. Does an authorised independent person periodically review the high privilege user activity log?
31. Does the review cover all high privilege users (super-user/admin user)?
32. Have all significant activities, such as system security and financial related transactions, been defined to facilitate the review?
33. Is there a procedure for the identification, investigation and resolution of exceptions or variances from expectations in high privilege user activity?
Password security
34. Is there an approved policy for password configuration?
35. Is the password configuration set individually per system or centrally?
36. If the password setting is centralised, can an individual setting override the central configuration?
37. Have the following password settings been configured?
    - Enforce password history?
    - Maximum password age?
    - Minimum password length?
    - Password must meet complexity requirements?
    - Account lockout duration?
    - Failed login attempts (lockout threshold)?
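The six settings in question 37 are the account policy values a Windows local security policy export (`secedit /export /cfg <file>`) lists under `[System Access]`. The following is an added example, not part of the checklist: it parses a constructed export and records, per checklist item, the observed value and whether it is configured as intended. The thresholds are assumptions, since the checklist itself sets none.

```python
import re

# Constructed excerpt of a secedit export. A real export is UTF-16 text; read it
# with open(path, encoding="utf-16") before passing it to audit_password_policy().
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = -1
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
LockoutDuration = 30
ResetLockoutCount = 30
NewGuestName = "Guest"
"""

def parse_system_access(inf_text):
    """Return the [System Access] section as a dict; numeric values become ints."""
    values, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[System Access]"
        elif in_section and "=" in line:
            key, _, val = line.partition("=")
            val = val.strip()
            values[key.strip()] = int(val) if re.fullmatch(r"-?\d+", val) else val.strip('"')
    return values

# Checklist item -> (key to report as the observed value, predicate over the section).
# Assumed thresholds: -1 for MaximumPasswordAge means "never expires"; 0 for
# PasswordHistorySize or LockoutBadCount disables history or lockout entirely, and
# a lockout duration only means anything once a lockout threshold exists.
CHECKS = {
    "Enforce password history":      ("PasswordHistorySize",   lambda s: s.get("PasswordHistorySize", 0) >= 1),
    "Maximum password age":          ("MaximumPasswordAge",    lambda s: 1 <= s.get("MaximumPasswordAge", -1) <= 90),
    "Minimum password length":       ("MinimumPasswordLength", lambda s: s.get("MinimumPasswordLength", 0) >= 8),
    "Password must meet complexity": ("PasswordComplexity",    lambda s: s.get("PasswordComplexity", 0) == 1),
    "Account lockout duration":      ("LockoutDuration",       lambda s: s.get("LockoutBadCount", 0) >= 1 and "LockoutDuration" in s),
    "Failed login attempts":         ("LockoutBadCount",       lambda s: 1 <= s.get("LockoutBadCount", 0) <= 10),
}

def audit_password_policy(inf_text):
    """Return {checklist item: (observed value, configured as intended)}."""
    section = parse_system_access(inf_text)
    return {item: (section.get(key), bool(ok(section))) for item, (key, ok) in CHECKS.items()}

if __name__ == "__main__":
    for item, (value, passed) in audit_password_policy(SAMPLE_INF).items():
        print(f"{'PASS' if passed else 'FAIL'}  {item} = {value}")
```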

B. Computer Operation
Back up/Restoration
38. Is there an approved procedure for batch/backup monitoring and restoration testing in place?
39. Are all critical or important data required to support the business being backed up? If so, how often?
40. If backups of critical systems, applications and data are being performed, are they stored in a protected (offsite) location?
41. Are there fireproof cabinets to store the data backups (onsite and offsite)?
42. Is there a tape inventory? If so, are all tapes labelled as per the defined policy and procedures?
43. Is the data backup process configured as an automated schedule run by the system, or is the backup performed manually?
44. What backup software is used? Does the software support full, incremental and differential backups?
45. Is encryption used for the data backup?
46. How long is the backup retained before deletion? Is this period compliant with the approved policy?
47. Is a backup monitoring process in place to ensure that backups complete successfully?
48. Are backup status checklists or automated email notifications in place as backup monitoring evidence?
49. If an error occurs during data backup, is there a procedure in place to resolve the issue?
50. Is there a process in place to verify the success of data restoration and the usability of the restored data?
51. If so, what is the frequency of restoration testing? Is it compliant with the approved policy?
52. Who is responsible for verifying the restoration test data? Are they appropriately authorised persons who can ensure the availability of the data?
Batch processing monitoring
53. Is job scheduling software used?
54. If job scheduling software is used, are its files protected from unauthorised changes?
55. What is the batch job schedule frequency/time? Are those jobs properly monitored to ensure completeness/accuracy?
56. Is there a procedure for resolving the issue if a batch job fails, and for ensuring accuracy and completeness after the failure is resolved?
Real-time monitoring
57. Are real-time tasks or interfaces properly monitored to ensure the completeness and accuracy of data transfer?
58. If there are errors from real-time processing, is there a procedure in place to keep track of them? Who is responsible for resolving them? Is there a resolution procedure in place to ensure accuracy and completeness after resolution?
Data centre/server room environment
Server room access
59. Who is permitted access to the server room? Is access to the server room restricted to authorized personnel only?
60. Under what circumstances may others be permitted access?
    61. Is the access approved by authorized individual(s)?
    62. Is an audit trail of all access to the server room maintained?
63. Is a card-key system in place? If so, how is it maintained?
64. Are periodic reviews conducted to ensure that access to the data centre is restricted to authorized individuals only? If yes, what is the frequency of the review?
65. Is the access of terminated/transferred employees revoked?
66. Is it mandatory for employees, vendors, contractors, visitors and service providers to display their ID cards at all times?
67. Are there key locks on all server racks within the server room?
68. If so, who is responsible for holding the key? Are they authorised responsible staff?
Server room environment
69. Do all perimeter entry points (including emergency exits) have CCTV coverage? If yes, are the CCTV cameras equipped with a night vision feature?
70. Are administrative offices physically separated from other areas of the data centre?
71. Is a very early warning smoke detection system installed in all critical areas of the server room?
72. Are emergency numbers displayed on each floor and in all working areas?
73. Are usage instructions clearly marked on each fire extinguisher? (Check on a sample basis)
74. Are fire extinguishers hung on the wall with proper signage? Are fire extinguishers easily accessible?
75. Is the fire suppression system installed in automatic mode? If no, are all criteria mentioned in the control description available?
76. Are temperature measurements taken at several locations inside the server room? If yes, what is the frequency? (Review the temperature measurement records for a sample period)
77. Are a UPS and a cooling system installed in the server room?
Disaster recovery plan
78. Is a current Business Impact Analysis (BIA) in place? If yes, when was the last update?
79. Are critical processes documented and included in the Disaster Recovery Plan (DRP)?
80. Is a communication plan included?
81. Are call trees and lists, staff names and recovery procedures documented (automated and/or manual)?
82. Does the DRP require an alternate site for recovery?
83. Does the DRP specify the level of service (which the business owner has agreed is acceptable) to be provided while in recovery mode?
84. Does the DRP identify the hardware and software critical to recovering the mission critical business and/or functions?
85. Does the DRP identify the necessary support equipment (forms, spare parts, office equipment, etc.) to recover the mission critical business and/or functions?
86. Is there a UPS for critical systems and/or business area workstations?
87. Is there a backup generator? If so, how long can it run supporting critical systems, technical staff and business area workstations?
88. Is there a hot/cold/warm site vendor on contract? If so, does the vendor have UPS and generator backup?
89. Is a current copy of the DRP maintained offsite?
90. Is there an audit trail of the changes made to the DRP?
91. Do all users of the DRP have ready access to a current copy and/or copies at all times?
92. Do all employees responsible for the execution of the DRP receive training?
93. Are all critical or important data required to support the business being backed up? If so, how often? If not all, list the business areas/applications covered and not covered.
94. Is a training, testing and exercise (TT&E) plan included?
95. Does the TT&E plan list the exercise type, sequence and frequency of occurrence?
96. Are exercises of the DRP conducted at least annually?
97. Based on the joint assessment, has the team determined that the DRP and its exercises have met all requirements to provide reasonable assurance that the plan will work in the event of a disaster?
98. Has the corrective action plan been completed and closed?
99. Are there DRP maintenance procedures and schedules?
100. Has the summary of changes made to the plan since the last submission been documented?
C. Change Management
101. Are approved policies or procedures in place for all change management?
102. Is there a procedure to handle emergency change requests?
103. Are the policies or procedures properly communicated to relevant staff?
104. Is there a periodic review of the change management policy or procedure to ensure that it is aligned and up to date with current business needs?
105. Is the change request process appropriately in place?
    106. Paper based request form/system request?
    107. Are requests raised and approved by authorised persons?
108. Do controls exist over the testing performed (e.g., unit, integration, regression and user acceptance testing) based on the nature of the change?
    109. Does an appropriate person perform system testing and sign off the results?
    110. Does an appropriate person perform UAT and sign off the UAT results?
111. Do controls exist over the migration to production process?
    112. Is authorised person approval for migration to production in place?
    113. Are the testing and production environments segregated?
    114. Is there segregation of duties between developer and migrator (they should not be the same person)?
115. Is version management control in place? If yes, how are program versions managed?
116. Is the most recent version that has been tested and approved the one applied to production?
117. If there are exceptions during the testing process or during change promotion, how are these exceptions managed? What are the criteria for go-live approval? Is control over problem management in place to ensure that all exceptions or problems are properly resolved?
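Questions 109-116 can be tested over a change log by checking each record for approval, tester sign-off, developer/migrator segregation and that the deployed version is the tested one. The following is an added example, not part of the checklist: the change records and their field names are constructed, and an emergency change (question 102) without a test cycle is included to show how it surfaces.

```python
# Constructed change records; the field names are assumptions, not a format the
# checklist prescribes. CR-103 is an emergency change pushed without a test cycle.
CHANGES = [
    {"id": "CR-101", "developer": "dev_a", "tester": "qa_1", "approver": "mgr_x",
     "migrator": "ops_1", "tested_version": "2.3.1", "deployed_version": "2.3.1", "emergency": False},
    {"id": "CR-102", "developer": "dev_b", "tester": "qa_1", "approver": "mgr_x",
     "migrator": "dev_b", "tested_version": "1.0.4", "deployed_version": "1.0.4", "emergency": False},
    {"id": "CR-103", "developer": "dev_a", "tester": None, "approver": None,
     "migrator": "ops_1", "tested_version": None, "deployed_version": "2.4.0", "emergency": True},
    {"id": "CR-104", "developer": "dev_c", "tester": "dev_c", "approver": "mgr_y",
     "migrator": "ops_2", "tested_version": "3.1.0", "deployed_version": "3.1.1", "emergency": False},
]

def check_change(rec):
    """Return the control exceptions for one change record (empty list = clean)."""
    issues = []
    if not rec["approver"]:                          # question 112
        issues.append("no authorised approval for migration to production")
    if rec["migrator"] == rec["developer"]:          # question 114
        issues.append("developer and migrator are the same person")
    if rec["tester"] is None:                        # questions 109/110
        issues.append("no test sign-off")
    elif rec["tester"] == rec["developer"]:
        issues.append("developer signed off own testing")
    if rec["deployed_version"] != rec["tested_version"]:   # question 116
        issues.append(f"deployed {rec['deployed_version']} but tested {rec['tested_version']}")
    if rec["emergency"] and issues:                  # question 102: needs retrospective evidence
        issues.append("emergency change: check retrospective approval and testing")
    return issues

def audit_changes(records):
    """Map change id -> exceptions, keeping only records with at least one."""
    findings = {}
    for rec in records:
        issues = check_change(rec)
        if issues:
            findings[rec["id"]] = issues
    return findings

if __name__ == "__main__":
    for change_id, issues in audit_changes(CHANGES).items():
        print(f"{change_id}: " + "; ".join(issues))
```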
D. System Development (new implementation/enhancement)
118. Is an SDLC policies and procedures document in place to define the SDLC process?
119. Are the business requirements and system specification properly defined and documented?
120. Who has the authority to approve system specifications for proposed new applications in the following?
    121. Business/user department(s)?
    122. System development function?
    123. Quality assurance function?
124. Is the approval above properly documented?
125. Does the project team have the requisite business and technology skills, including knowledge of internal controls, to ensure that proper controls have been defined?
126. Is the business sponsor's approval obtained prior to moving to the construction phase of the project?
127. Is the system developed in-house or purchased from a vendor?

128. Are system diagrams or the system landscape and the interfaces/integrations properly designed and documented?
129. Is testing of the developed system properly performed and signed off by an authorised responsible person?

    130. Unit testing – the testing of an individual program or module?
    131. Interface or integration testing – testing the connection of two or more components that pass information from one area to another?

132. Has the system testing below been performed and documented?
    133. Recovery testing – checking the system's ability to recover after failure?
    134. Security testing – ensuring the modified/new system does not introduce any security holes that might compromise other systems?
    135. Load testing – testing with large quantities of data to evaluate performance during peak hours?
    136. Volume testing – testing with an incremental volume of records to determine the maximum volume of records (data) the application can process?
    137. Stress testing – testing with an incremental number of concurrent users/services on the application to determine the maximum number of concurrent users/services the application can process?

138. Has the final acceptance testing below been performed?
    139. Quality assurance testing (QAT) – focusing on technical testing?
    140. User acceptance testing (UAT) – to ensure the system is production-ready and satisfies all documented requirements?

141. Are the above testing results properly documented and signed off by authorised persons?
142. Are defects or issues encountered during development and testing properly logged and followed up for resolution?
143. Is there a sign-off document from authorised management for system go-live approval?
144. Is the data conversion/migration methodology plan properly documented and approved by authorised personnel?
145. Are there procedures to ensure the completeness and accuracy of data migrated from the legacy system to the new system?
146. Is there a data integrity check between the legacy and the new system?
147. Is there a final sign-off document confirming the final results of the data conversion/migration to the new system?
148. Is a fall-back (rollback) plan in place in the event that the conversion is not successful?
149. Is a post-implementation review in place to ensure that there are no issues after the system goes live?
150. Have the training programs for the various affected parties been delivered?
151. Are the training materials (e.g., training materials, user manuals, procedure manuals, online help, help desk written procedures, etc.) in place?
152. Have attendance records been signed and documented to confirm that all relevant users have been trained?

Prepared by: Reviewed by: Approved by:


Date: Date: Date:
