IT Workplan Templates Overview of workplans and how to leverage templates

Last updated: September 2013

Overview of IT Workplans
Technology Layer Technology Element Oracle eBusiness PeopleSoft Application Related Files Oracle eBusiness.zip PeopleSoft.zip

SAP
Generic Application DB2 Oracle database Database SQL database Generic Database AS400/OS400 UNIX/Linux (AIX, HP-UX, Solaris, Red Hat) Operating Systems Windows Domain Controller

SAP.zip
Generic Application.zip DB2.zip Oracle.zip SQL.zip Generic Database.zip AS400.zip UNIX/Linux.zip Windows DC.zip

Windows Non Domain Controller Windows NDC.zip

Generic Operating System Network
1

Generic OS.zip Generic Network.zip

Copyright 2013 Deloitte Development LLC. All rights reserved.

Generic Network

What is included in each Workplan Package

Resource IT Audit Workplan Template Purpose
Primary workplan to document testing procedures

How to Use
Leverage workplan to document control testing that address IT risks at the technology element layer. Leverage technology specific design assessment and Operating effectiveness testing considerations unique to each control Leverage guidance and background information for testing controls and to view common requests for each control/procedure If performing D&I only audit, use implementation procedures instead of operating effectiveness procedures (which are already included in the IT Audit Workplan Template.

IT Audit Workplan Appendix

Contains implementation procedures if performing a non-integrated audit where only Design and Implementation procedures are relevant. Also contains control/procedure testing guidance and background information.

IT Audit Workplan Template

Where procedures are documented
Design assessment considerations (starts in cell B11 for each control tab)

Design considerations are indicative of what may be tested for design, in addition to assessment of each of the 7 design factors in the workplan. These considerations can be replaced with entity specific information that address the considerations after they are considered and do not need to be maintained in the workplan after consideration.

Operating effectiveness test procedures (starts in cell B120 for each control tab)

IT Audit Workplan Appendix

How to leverage information

Implementation procedures are included in the Appendix to be leveraged if IT specialists are performing a non-integrated audit where only design and implementation procedures are being performed. These procedures can replace the operating effectiveness procedures that are included in the IT Workplan Template. Note that the procedures here are very similar to the OE procedures, but extent of testing is reduced and no procedures are included to focus on the assessment of completeness and accuracy of IPE.

General information related to the control have been included that may provide additional insights to the control and technology, which may be helpful when performing test procedures. Because this information is informational only, it has not been included in the IT Workplan Template.

Common information requests or technology commands have been included here (where available/relevant) to assist the IT Specialist with requesting information that may be relevant to obtain when testing the control activity.

Types of Controls in Workplan

IT element specific controls are included in the workplans
(e.g., Oracle Database administrator access is restricted to authorized individual(s) and all the activities of these accounts are monitored and reviewed by the management.)

Other controls are also included that may be common or relevant to multiple IT elements
(e.g., Physical access to data centers and computer rooms is appropriately restricted to personnel who require access to perform their assigned duties.

Form 1860S was used when developing the risks and related controls for each IT Audit Workplan Each risk in the 1860S document denotes the technology element which the risk and related controls is related to in association with our audits Certain risks/controls may be relevant to all IT elements, such as those related to Physical Security, and as such the IT Audit workplans include control procedures that may not be IT element specific. You may remove these risks/controls/procedures from the workplan if they are addressed in another manner on your audit engagement.

Questions or Feedback?
Please contact Kelly Rau and Tim Dixon if you: Have questions regarding the workplans Have suggestions for additional controls or procedure modifications

About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. Copyright 2013 Deloitte Development LLC. All rights reserved. 36 USC 220506 Member of Deloitte Touche Tohmatsu Limited