IT Audit Pilot
- To understand the IT systems
• Obtain the inventory of IT systems that support each business process
• Identify each IT system and evaluate the risks associated with it
• Document or draw the system flow or landscape

Example system inventory (placeholder values as in the original):
Business process | IT system          | Operating system    | Database   | Other
Procurement      | FMIS (Oracle xxx)  | Windows Server 2012 | Oracle 11g | xxx xxx
AR/AP            | PeopleSoft         | xxx                 | xxx        | xxx
GL               | xxx                | xxx                 | xxx        | xxx
XX               | XX                 | XX                  | XX         | XX
- IT Risk Assessment
To help IT auditors achieve quality and efficiency, a risk-based approach is usually adopted. The approach involves:
• Understanding the process environment
• Evaluation and risk assessment
• Planning the audit response: identifying the controls to be tested
• Gathering evidence and completion
It also helps IT auditors scope the issues that should generally be considered in any review of computer-related controls over the integrity, confidentiality and availability of electronic data.
IT general controls are concerned with the auditee's IT infrastructure and IT systems, together with the IT-related policies, procedures and working practices that help ensure the confidentiality, integrity and availability of its IT systems and data.
Objective: To ensure that only authorised access is granted to systems and data upon authentication of a user's identity, which means systems and data are protected from invalid changes and physical interruption.
Activities include:
1. User access management
2. Powerful user accounts / super users
3. Segregation of Duties (SoD)
4. Password configuration

4. Password management
A password is a component of the user identification and authentication process. The password configuration or settings normally consist of:
• Minimum length
• Complexity
• Password history
• Failed login attempts (lockout threshold)
• Password age or expiration date
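As an added example that is not part of the original slides, the five password settings listed above can be checked against an audit baseline mechanically rather than by reading screenshots. The Python below parses the [System Access] section of a Windows `secedit /export` style file and compares each setting with a threshold. The two sample exports are constructed text, and the baseline thresholds are assumed values a hypothetical audit team would agree on, not figures taken from the slide or from any standard:

```python
import configparser

# Constructed sample in the layout of a Windows "secedit /export" file
# ([System Access] section). The values are made up for this example.
WEAK_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 3
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Same layout, with constructed values that meet the assumed baseline below.
STRONG_EXPORT = """\
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
"""

# Assumed audit baseline: hypothetical thresholds for the five password
# settings on the slide. Rule kinds: "min" (at least), "eq" (exactly),
# "range" (inclusive low..high).
BASELINE = {
    "MinimumPasswordLength": ("min", 12),          # minimum length
    "PasswordComplexity":    ("eq", 1),            # complexity enforced
    "PasswordHistorySize":   ("min", 12),          # password history
    "LockoutBadCount":       ("range", (1, 10)),   # failed login attempts; 0 = no lockout
    "MaximumPasswordAge":    ("range", (1, 90)),   # password age; 0 or -1 = never expires
}


def parse_system_access(export_text):
    """Return the [System Access] settings as {name: int}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep key names in their original case
    cp.read_string(export_text)
    if "System Access" not in cp:
        raise ValueError("export has no [System Access] section")
    return {name: int(value) for name, value in cp["System Access"].items()}


def check_setting(value, rule):
    """Compare one integer setting against a (kind, expected) rule."""
    kind, expected = rule
    if kind == "min":
        return value >= expected, f">= {expected}"
    if kind == "eq":
        return value == expected, f"== {expected}"
    low, high = expected
    return low <= value <= high, f"between {low} and {high}"


def audit_password_policy(export_text, baseline=BASELINE):
    """Evaluate every baseline setting; a missing key is reported, not skipped."""
    settings = parse_system_access(export_text)
    findings = []
    for name, rule in baseline.items():
        if name not in settings:
            findings.append({"setting": name, "value": None,
                             "expected": rule, "status": "MISSING"})
            continue
        ok, expected = check_setting(settings[name], rule)
        findings.append({"setting": name, "value": settings[name],
                         "expected": expected, "status": "PASS" if ok else "FAIL"})
    return findings


def failed_settings(export_text, baseline=BASELINE):
    """Names of settings that are missing or do not meet the baseline, sorted."""
    return sorted(f["setting"] for f in audit_password_policy(export_text, baseline)
                  if f["status"] != "PASS")


if __name__ == "__main__":
    for f in audit_password_policy(WEAK_EXPORT):
        print(f"{f['status']:7} {f['setting']:22} value={f['value']} expected {f['expected']}")
```

On a real host the export is produced with `secedit /export /cfg <file>` and is normally UTF-16 encoded, so decode it with that encoding before passing the text in. The same structure works for a Linux host by swapping the parser for one that reads /etc/login.defs together with the pam_pwquality, pam_pwhistory and pam_faillock settings; the evaluation against the baseline is unchanged.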
Objective: To ensure that production system data is processed completely and accurately in accordance with management's control objectives, and that processing problems are identified and resolved completely and accurately to maintain the integrity of financial data. Systems process data as intended, and where they do not, this is identified and corrected.
Activities include:
1. Batch processing / job scheduling
2. Monitoring of computer processing
3. Backups and recovery
4. Computer centre operations
5. Incident management
[Figure: job scheduling illustration (Application, Job A)]
4. Problem management
Objective: To ensure that problems are identified and resolved and that system downtime is kept to a minimum.
Activities include:
• Helpdesk functions / problem identification:
  o Problems are identified and recorded in the helpdesk or problem management system
  o Problems are assigned to a responsible person and promptly resolved
  o Escalation procedure
Objective: To ensure that changes to systems and related infrastructure components are requested, authorised, performed, tested and implemented to achieve the objective. Changes to systems and data do not adversely affect their integrity, availability or confidentiality.

Change process stages, with segregation of duties between them:
1. Change requests
   • Formally documented
   • Consistent format
   • Detailed specification of what the change needs to be
   • Appropriate business sponsor and approval
2. Construction
   • The developer makes the change
3. Testing and QA
4. Implementation
Objectives: To ensure that systems are developed, configured and implemented to achieve management's objectives, which means systems that are developed actually work as required.
System development life cycle approach:
1. Feasibility Study
2. Requirements
3. Software Selection and Acquisition/Design
4. Configuration/Development
5. Final Testing and Implementation
6. Post-implementation Review
[Figure: "SDLC Phases" cycle diagram showing the six phases above; the same diagram is repeated on each phase slide that follows]
1. Feasibility Study
What happens at this stage?
• Define the business problem and the solution to implement
• Identify whether to use the current system with some updates, or to develop or acquire a system
• Define a time frame for implementation and the return on investment
• Determine whether a vendor product offers a solution to the problem
• Determine the approximate cost to develop the system
Example area to review:
• Ensure the results of the criteria analysed (e.g. costs, benefits, risk, resources required and organizational impact) are documented in reports
• Reasonableness of the selected solution based on its strengths and weaknesses
• Identification of all relevant stakeholders and their approval for initiation
2. Requirements
What happens at this stage?
• Identify and specify the business/user requirements or functional needs
• Technical specifications
• Business, contractual and regulatory processes
Example area to review:
• The business user requirements and system specifications are properly documented
• Review and approval of the design by key stakeholders (including business owners, IT, and the Risk Management / IA function)
3. Software Selection and Acquisition/Design
• Illustrating inputs and outputs
• Interfaces with other systems, security and segregation of duties
• Listing the processing steps and completion rules
• Determining the types of database system in use, if any
• Creating a plan for the various levels of testing
Example area to review:
• Proposal and bidding documentation
• System design documentation
• Testing design plan
4B. Development (in-house development)
• Coding and developing programs and system-level documents
• Debugging and testing the programs developed
• Developing programs for data conversion/migration
• Creating user procedures to handle the transition to the new system
• Training selected users on the new system
• Involvement in various types of testing:
  o Unit testing, which is the testing of individual program modules
  o Interface or integration testing, which is a hardware or software test that evaluates the connection of two or more components and how well they pass information
  o … other testing and before the general release of the solution
  o UAT: user acceptance testing, focusing on the functional aspects of the application
Example area to review:
• Formal mapping of old to new data that is automatically applied to all records
• Record counts, sample testing, exception reporting
• Test conversion prior to UAT
• Review of test script design
• Review of test results and approval to close test phases
• Monitoring, investigation and resolution of defects
5. Final Testing and Implementation
• The system is ready to migrate to the production environment
• All necessary data have been successfully converted and loaded into the new system
• Implementation by authorised personnel, not by developers:
  o "Go Live" decision
  o Back-out procedures
  o Scheduled implementation
Example area to review:
• Final acceptance testing plan and results sign-off
• Data migration method/procedure
• Data verification/reconciliation results
• Final approval of go-live by the steering committee / key stakeholders
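As an added example that is not part of the original slides, the authorisation and segregation-of-duties expectations from the change management stages (documented approval, a developer who builds but does not test or implement, implementation by authorised personnel rather than developers) can be tested mechanically over a change log instead of sampling tickets by hand. The Python below runs those tests over a constructed change log with hypothetical IDs, names and dates; the record fields and the exception wording are assumptions for this example, not a format produced by any particular tool:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class ChangeRecord:
    """One row of a change log: who did what, and when (None = no evidence)."""
    change_id: str
    requester: str
    developer: str
    approver: Optional[str]
    approved_on: Optional[date]
    tester: Optional[str]
    tested_on: Optional[date]
    implementer: Optional[str]
    implemented_on: Optional[date]


def check_change(rec):
    """Return the list of control exceptions for one change (empty = clean)."""
    issues = []
    # Change request: documented approval, by someone other than the developer
    if rec.approver is None or rec.approved_on is None:
        issues.append("no documented approval")
    elif rec.approver == rec.developer:
        issues.append("approved by the developer")
    # Testing and QA: evidence of testing, not by the person who built it
    if rec.tester is None or rec.tested_on is None:
        issues.append("no test evidence")
    elif rec.tester == rec.developer:
        issues.append("tested by the developer")
    # Implementation: not by the developer, and only after approval and
    # testing are both dated (a later date means retrospective sign-off)
    if rec.implementer is None or rec.implemented_on is None:
        issues.append("no implementation record")
    else:
        if rec.implementer == rec.developer:
            issues.append("implemented by the developer")
        if rec.approved_on is not None and rec.approved_on > rec.implemented_on:
            issues.append("approval dated after implementation")
        if rec.tested_on is not None and rec.tested_on > rec.implemented_on:
            issues.append("testing dated after implementation")
    return issues


def change_exceptions(changes):
    """Map change_id -> issues for every change that has at least one issue."""
    result = {}
    for rec in changes:
        issues = check_change(rec)
        if issues:
            result[rec.change_id] = issues
    return result


# Constructed sample change log (hypothetical IDs, names and dates).
SAMPLE_CHANGES = [
    # clean: separate requester, developer, approver, tester and implementer
    ChangeRecord("CHG-0001", "alice", "carol", "bob", date(2024, 3, 1),
                 "dave", date(2024, 3, 5), "erin", date(2024, 3, 8)),
    # no approval recorded
    ChangeRecord("CHG-0002", "alice", "carol", None, None,
                 "dave", date(2024, 3, 5), "erin", date(2024, 3, 8)),
    # developer promoted her own change to production
    ChangeRecord("CHG-0003", "alice", "carol", "bob", date(2024, 3, 1),
                 "dave", date(2024, 3, 5), "carol", date(2024, 3, 8)),
    # developer tested her own change
    ChangeRecord("CHG-0004", "alice", "carol", "bob", date(2024, 3, 1),
                 "carol", date(2024, 3, 5), "erin", date(2024, 3, 8)),
    # retrospective approval: approved the day after go-live
    ChangeRecord("CHG-0005", "alice", "carol", "bob", date(2024, 3, 9),
                 "dave", date(2024, 3, 5), "erin", date(2024, 3, 8)),
    # no test evidence at all
    ChangeRecord("CHG-0006", "alice", "carol", "bob", date(2024, 3, 1),
                 None, None, "erin", date(2024, 3, 8)),
]


if __name__ == "__main__":
    for change_id, issues in change_exceptions(SAMPLE_CHANGES).items():
        print(change_id, "->", "; ".join(issues))
```

In practice the records come from an export of the change management tool joined with deployment logs from the production environment; the date comparisons are what catch tickets that were raised or approved after the change was already live, which a review of the ticket alone would not show.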
6. Post-implementation Review
The review should meet the following objectives:
• Assessing the adequacy of the system
  o Does the system meet user requirements and business objectives?
  o Have access controls been adequately defined and implemented?
• Evaluating the projected cost benefits or ROI measurements
• Developing recommendations that address the system's inadequacies and deficiencies
• Developing a plan for implementing the recommendations
• Assessing the development project process
  o Were the chosen methodologies, standards and techniques followed?
  o Were appropriate project management techniques used?
Example area to review:
• Post-implementation documents