8/2/2019 17 System Audit Checklist
Information Systems Audit Checklist
** SYSTEM AUDIT CHECKLIST **
ORGANISATION AND ADMINISTRATION
Audit Objective
Does the organisation of data processing provide for adequate segregation of duties?
Audit Procedures
Review the company organisation chart, and the data processing department organisation chart.
Yes/No Comments
1 Is there a separate EDP department within the Company?
2 Is there a steering committee, and are its duties and responsibilities for managing MIS clearly defined?
3 Has the Company developed an IT strategy linked with its long and medium term plans?
4 Is the EDP Department independent of the user departments and, in particular, the accounting department?
5 Are there written job descriptions for all jobs within the EDP department, and are these job descriptions communicated to the designated employees?
6 Are EDP personnel prohibited from having incompatible responsibilities or duties in user departments, and vice versa?
7 Are there written specifications for all jobs in the EDP Department?
8 Are the following functions within the EDP Department performed by separate sections:
System design
Application programming
Computer operations
Database administration
Systems programming
Data entry and control?
9 Are the data processing personnel prohibited from duties relating to:
Initiating transactions?
Recording of transactions?
Master file changes?
Correction of errors?
10 Is all processing prescheduled and authorised by appropriate personnel?
11 Are there procedures to evaluate and establish who has access to the data in the database?
12 Are the EDP personnel adequately trained?
13 Are systems analysts and programmers denied access to the computer room and limited in their operation of the computer?
14 Do any of the computer operators have programming knowledge? (A "Yes" here is an adverse finding: it undermines the operator/programmer separation tested in item 8.)
15 Are operators barred from making changes to programs and from creating or amending data before, during, or after processing?
16 Is the custody of assets restricted to personnel outside the EDP department?
17 Is a strategic data processing plan developed by the company for the achievement of its long-term business plan?
18 Are there any key personnel within the IT department whose absence could leave the company with limited expertise?
19 Are there any key personnel who are being over-relied upon?
20 Is an EDP audit carried out by internal audit or an external consultant to ensure compliance with the policies and controls established by management?
PROGRAM MAINTENANCE AND SYSTEM DEVELOPMENT
Audit Objective
Development and changes to programs are authorised, tested, and approved prior to being placed in production.
Program Maintenance
Audit Procedures
(i) Review details of the program library structure, and note controls which allow only authorised individuals to access each library.
(ii) Note the procedures used to amend programs.
(iii) Obtain an understanding of any program library management software used.
Yes/No Comments
1 Are there written standards for program maintenance?
2 Are these standards adhered to and enforced?
3 Are these standards reviewed regularly and approved?
4 Are there procedures to ensure that all programs requiring maintenance are kept in a separate program test library?
5 Are programmers denied access to all libraries other than the test library?
6 Are changes to programs initiated by written request from the user department and approved?
7 Are changes initiated by the Data Processing Department communicated to users and approved by them?
8 Are there adequate controls over the transfer of programs from production into the programmer's test library?
9 Are all systems developed, or changes to existing systems, tested according to user-approved test plans and standards?
10 Are tests performed for system acceptance, and are the test data documented?
11 Are transfers from the development library to the production library carried out by persons independent of the programmers?
12 Do procedures ensure that no such transfer can take place without the change having been properly tested and approved?
13 Is a report of program transfers into production reviewed on a daily basis by a senior official to ensure only authorised transfers have been made?
14 Are all program changes properly documented?
15 Are all changed programs immediately backed up?
16 Is a copy of the previous version of the program retained (for use in the event of problems arising with the amended version)?
17 Are there standards for emergency changes to be made to application programs?
18 Are there adequate controls over program recompilation?
19 Are all major amendments notified to Internal Audit for comment?
20 Are there adequate controls over the authorisation, implementation, approval and documentation of changes to operating systems?
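The transfer controls in items 11 to 13 above amount to a gate that refuses a move into production unless the change record shows testing and approval, the person doing the transfer is not the programmer, and the artifact moved is byte-for-byte the copy that was tested, while every attempt is logged for the daily review. The following is an added, illustrative example written for this page, not code from the checklist's author or from any library management product; the change-record fields, the program and person names and the use of SHA-256 to tie the tested copy to the transferred copy are assumptions.

```python
"""Program transfer gate for the Program Maintenance items 11 to 13.
Illustrative code written for this page; field and names are assumptions."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime


def digest(data):
    """SHA-256 of a program artifact; ties the tested copy to the copy moved."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class ChangeRecord:
    """What the written change request (items 6, 7 and 14) must carry
    before a transfer is allowed. Field names are assumptions."""
    change_id: str
    program: str
    programmer: str
    tested_sha256: str = ""   # digest of the copy that passed testing
    approved_by: str = ""     # user department sign-off


@dataclass
class TransferLog:
    """Audit trail of every attempted transfer, for the daily review (item 13)."""
    entries: list = field(default_factory=list)

    def add(self, when, record, operator, outcome):
        self.entries.append({"when": when, "change_id": record.change_id,
                             "program": record.program, "by": operator,
                             "outcome": outcome})

    def daily_report(self, day):
        return [e for e in self.entries if e["when"].date() == day]


def transfer_to_production(record, test_lib, prod_lib, operator, log, when):
    """Move record.program from the test library into production.
    Returns (moved, reason); every attempt is logged whether or not it moves."""
    artifact = test_lib.get(record.program)
    if not record.tested_sha256 or not record.approved_by:
        reason = "change not tested and approved"                        # item 12
    elif operator == record.programmer:
        reason = "transfer must be done independently of the programmer"  # item 11
    elif artifact is None:
        reason = "program not present in test library"
    elif digest(artifact) != record.tested_sha256:
        reason = "artifact differs from the tested version"  # edited after testing
    else:
        prod_lib[record.program] = artifact
        reason = "transferred"
    log.add(when, record, operator, reason)
    return reason == "transferred", reason


def demo():
    """Constructed day: the programmer tries to move their own change, an
    operator moves a copy altered after testing, then the tested copy."""
    tested = b"PAYROLL v2.1 compiled 2019-08-01"
    test_lib = {"PAYROLL": tested}
    prod_lib = {"PAYROLL": b"PAYROLL v2.0"}
    log = TransferLog()
    rec = ChangeRecord("CR-0417", "PAYROLL", programmer="anil",
                       tested_sha256=digest(tested), approved_by="payroll-mgr")
    t = datetime(2019, 8, 2, 8, 0)
    results = [transfer_to_production(rec, test_lib, prod_lib, "anil", log, t)]
    test_lib["PAYROLL"] = tested + b" +untested patch"
    results.append(transfer_to_production(rec, test_lib, prod_lib, "ops-sunita", log, t))
    test_lib["PAYROLL"] = tested
    results.append(transfer_to_production(rec, test_lib, prod_lib, "ops-sunita", log, t))
    return results, prod_lib["PAYROLL"], log.daily_report(t.date())
```

The log keeps refused attempts as well as successful ones, so the daily report in item 13 shows who tried to bypass the gate, not only what reached production.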
System Development
1 Are there formalised standards for the system development life cycle procedure?
2 Do they require authorisation at the various stages of development: feasibility study, system specification, testing, parallel running, post-implementation review, etc.?
3 Do the standards provide a framework for the development of controlled applications?
4 Are standards regularly reviewed and updated?
5 Does adequate system documentation exist for:
Programmers to maintain and modify programs?
Users to satisfactorily operate the system?
Operators to run the system?
6 Has the internal audit department been involved in the design stage to ensure adequate controls exist?
7 Testing of programs - see Program Maintenance.
8 Procedures for authorising new applications into production - see Program Maintenance.
9 Are user and data processing personnel adequately trained to use the new applications?
10 Is system implementation properly planned and carried out by either a parallel run or a pilot run?
11 Are any differences and deficiencies found during the implementation phase noted and properly resolved?
12 Are there adequate controls over the setting up of the standing data and opening balances?
13 Is a post-implementation review carried out?
14 Are user manuals prepared for all new systems developed and revised for subsequent changes?
15 Is there a Quality Assurance function to verify the integrity and acceptance of applications developed?
Purchased Software
Yes/No Comments
1 Are there procedures addressing controls over the selection, testing and acceptance of packaged software?
2 Is adequate documentation maintained for all software purchased?
3 Are vendor warranties (if any) still in force?
4 Is the source code of the purchased software held in escrow?
5 Are backup copies of the user/operations manuals kept off-site?
ACCESS TO DATA FILES
Audit Objective
Is access to data files restricted to authorised users and programs?
Access to Data
1 Is there any formal written data security policy? Consider whether the policy addresses data ownership, confidentiality of information, and use of passwords.
2 Is the security policy communicated to individuals in the organisation?
3 Is physical access to off-line data files controlled in the:
Computer room?
On-site library?
Off-site library?
4 Does the company employ a full-time librarian who is independent of the operators and programmers?
5 Are libraries locked during the absence of the librarian?
6 Are requests for on-line access to off-line files approved?
7 Are requests checked against the actual files issued and initialled by the librarian?
8 Are sensitive applications, e.g. payroll, maintained on machines in physically restricted areas?
9 Are encryption techniques used to protect against unauthorised disclosure or undetected modification of sensitive data? (Encryption on its own gives confidentiality; detecting modification needs an integrity check such as a MAC or an authenticated encryption mode.)
10 Are returns followed up, and are non-returns investigated and adequately documented?
Computer Processing
11 Does a scheduling system exist for the execution of programs?
12 Is there a comparison between actual and scheduled processing?
13 Are non-scheduled jobs approved prior to being run?
14 Is the use of utility programs controlled (in particular those that can change executable code or data)?
15 Are program tests restricted to copies of live files?
16 Is access to the computer room restricted to authorised personnel only?
17 Are internal and external labels used on files?
18 Are overrides of system checks by operators controlled?
19 Are exception reports for such overrides printed and reviewed by appropriate personnel?
20 Do sufficient operating instructions exist covering the procedures to be followed during operation?
Database
21 Does the position of database administrator (DBA) exist? If not, note who is responsible for:
Defining user and program access
Mediating between users who share data
Maintaining the integrity of the database
Setting standards of backup and recovery
22 Is the DBA restricted from:
Having control over company assets
Initiating and recording transactions
23 Are logs maintained of the use of utilities, changes to access methods, etc.?
24 If so, are these independently reviewed?
25 Does the DBMS have the facility to abort jobs when two users, with the same priority, are locked out from the same chain of data (i.e. deadlock detection)?
26 Are integrity checking programs run periodically to check the accuracy and correctness of linkages between records?
Password and other online controls
Audit Procedure
(i) Note procedures for issuing, amending, and deleting passwords.
(ii) Obtain an understanding of any access control software used.
1 Do formal procedures exist for the issue and subsequent control of passwords?
2 Is there a proper password syntax in use: min. 5 and max. 8 characters, including alphanumeric characters? (The 8-character ceiling dates this checklist; current guidance such as NIST SP 800-63B calls for allowing much longer passwords and passphrases.)
3 Are there satisfactory procedures for reissuing passwords to users
4 Are procedures in place to ensure the removal of terminated employees
5 Are system access capabilities properly changed with regard to
6 Are individual job responsibilities considered when granting users
7 Is each user allocated a unique password and user account?
8 Are there procedures in place to ensure a change of password after every 30 days? (Forced periodic rotation is no longer recommended by NIST SP 800-63B unless there is evidence of compromise.)
9 Are application level security violations
10 Do standards and procedures exist for follow-up of security violations?
11 Do formal and documented procedures exist for the use and monitoring of dial-up
12 Is use made of passwords to restrict specific files?
13 Do terminals automatically log off after a set period of time?
14 Is there a limit on the number of invalid passwords before the terminal closes
15 Are there any administrative regulations limiting physical access
16 Are invalid password attempts reported to department managers?
17 Are restrictions placed on which applications terminals can access?
18 Are keys, locks, cards or other physical devices used to restrict access to authorised users only?
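Items 2, 7, 8, 13, 14 and 16 above describe preventive and detective controls on logons. The following added example, written for this page and not taken from any access control product or from the checklist's author, models them together: a password syntax rule, a salted password store with one account per user, lockout after repeated invalid attempts, password expiry, an idle log-off check and the exception report of invalid attempts for department managers. The class names, the 12-character minimum, the threshold of three failures and the 15-minute idle limit are assumptions; the minimum is deliberately above the checklist's 8-character ceiling, in line with NIST SP 800-63B.

```python
"""Password and online controls (items 2, 7, 8, 13, 14, 16), modelled as
illustrative code for this page; names and thresholds are assumptions."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta


class PasswordPolicy:
    """Syntax rule (item 2) and maximum age (item 8). The checklist's 5-8
    character range reflects fixed-width fields; letters and digits are
    still required here but long passphrases are allowed (NIST SP 800-63B)."""

    def __init__(self, min_len=12, max_len=64, max_age_days=None):
        self.min_len, self.max_len = min_len, max_len
        self.max_age_days = max_age_days  # None: no forced rotation

    def violations(self, password):
        """List of rules the password breaks; empty means acceptable."""
        found = []
        if len(password) < self.min_len:
            found.append("shorter than %d characters" % self.min_len)
        if len(password) > self.max_len:
            found.append("longer than %d characters" % self.max_len)
        if not any(c.isalpha() for c in password):
            found.append("no letters")
        if not any(c.isdigit() for c in password):
            found.append("no digits")
        return found


class LoginMonitor:
    """One account per user (item 7), lockout after repeated invalid attempts
    (item 14), expiry (item 8), idle log-off (item 13) and the exception
    report of invalid attempts (item 16)."""

    def __init__(self, policy, max_failures=3, idle_limit=timedelta(minutes=15)):
        self.policy = policy
        self.max_failures = max_failures
        self.idle_limit = idle_limit
        self.accounts = {}  # user -> salt, digest, set_at, failures, locked
        self.events = []    # (time, user, outcome): the audit trail

    @staticmethod
    def _digest(password, salt):
        # Salted, iterated hash: the password itself is never stored.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password, now):
        problems = self.policy.violations(password)
        if problems:
            raise ValueError("policy violation: " + ", ".join(problems))
        salt = os.urandom(16)
        self.accounts[user] = {"salt": salt, "digest": self._digest(password, salt),
                               "set_at": now, "failures": 0, "locked": False}

    def attempt(self, user, password, now):
        """Return ok, expired, bad-password, locked or unknown-user."""
        acct = self.accounts.get(user)
        if acct is None:
            outcome = "unknown-user"
        elif acct["locked"]:
            outcome = "locked"
        elif not hmac.compare_digest(acct["digest"],
                                     self._digest(password, acct["salt"])):
            acct["failures"] += 1
            if acct["failures"] >= self.max_failures:
                acct["locked"] = True  # item 14: later attempts are refused
            outcome = "locked" if acct["locked"] else "bad-password"
        else:
            acct["failures"] = 0
            age = self.policy.max_age_days
            if age is not None and now - acct["set_at"] > timedelta(days=age):
                outcome = "expired"  # right password, but it must be changed
            else:
                outcome = "ok"
        self.events.append((now, user, outcome))
        return outcome

    def idle_logoff_due(self, last_activity, now):
        """Item 13: log the terminal off once it has been idle too long."""
        return now - last_activity >= self.idle_limit

    def invalid_attempt_report(self):
        """Item 16: invalid attempts per user, for department managers."""
        report = {}
        for _, user, outcome in self.events:
            if outcome not in ("ok", "expired"):
                report[user] = report.get(user, 0) + 1
        return report


def demo():
    """Constructed timeline: three wrong guesses lock clerk1 so that even the
    right password is then refused; clerk2's 31-day-old password has expired."""
    t0 = datetime(2019, 8, 2, 9, 0)
    mon = LoginMonitor(PasswordPolicy(max_age_days=30))
    mon.set_password("clerk1", "Ledger-Entry-2019", t0)
    mon.set_password("clerk2", "Stock-Take-0815", t0)
    outcomes = [mon.attempt("clerk1", "guess%d" % i, t0 + timedelta(minutes=i))
                for i in range(3)]
    outcomes.append(mon.attempt("clerk1", "Ledger-Entry-2019", t0 + timedelta(minutes=3)))
    outcomes.append(mon.attempt("clerk2", "Stock-Take-0815", t0 + timedelta(days=31)))
    idle = (mon.idle_logoff_due(t0, t0 + timedelta(minutes=5)),
            mon.idle_logoff_due(t0, t0 + timedelta(minutes=20)))
    return outcomes, mon.invalid_attempt_report(), idle
```

Note that a locked account refuses even the correct password, and that "expired" is returned only after the password verifies, so an attacker cannot learn from the expiry message whether a guess was right.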
APPLICATION CONTROLS
Input
Audit Objective
Do controls provide reasonable assurance that, for each transaction type, input is authorised, complete and accurate, and that errors are promptly corrected?
1 Are all transactions properly authorised before being processed by computer?
2 Are all batches of transactions authorised?
3 Do controls ensure that unauthorised batches or transactions are prevented from being accepted, or at least detected?
4 Is significant standing data input verified against the master file?
5 Is maximum use made of edit checking, e.g. check digits, range and feasibility checks, limit tests, etc.?
6 Are there procedures to ensure all vouchers have been processed, e.g. batch totals, document counts, sequence reports, etc.?
7 Are there procedures established to ensure that transactions or batches are not lost, duplicated or improperly changed?
8 Are all errors reported for checking and correction?
9 Are errors returned to the user department for correction?
10 Do procedures ensure these are resubmitted for processing?
11 Is an error log maintained and reviewed to identify recurring errors?
12 Are persons responsible for data preparation and data entry independent of the output checking and balancing process?
13 Are persons responsible for data entry prevented from amending master file data?
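Items 5, 6, 7 and 11 above can be implemented as one batch validation routine. The following added example, written for this page rather than taken from any accounting system, applies a mod-10 (Luhn) check digit test to account numbers, a limit test on amounts, a document count and batch control total against the batch slip, a sequence check for missing or duplicated vouchers, and a review of the error log for recurring errors. The voucher layout, the 50,000 limit and the sample batch are constructed assumptions.

```python
"""Input edit checks (items 5, 6, 7 and 11). Illustrative code written for
this page; the voucher layout and the limit are assumptions."""

AMOUNT_LIMIT = (0.01, 50_000.00)   # assumed limit test for a single voucher


def luhn_ok(number):
    """Mod-10 (Luhn) check digit test: catches any single mistyped digit and
    most transpositions of adjacent digits in an account number."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_batch(header, vouchers):
    """Batch-level then voucher-level controls.

    header:   {"document_count", "batch_total", "first_seq"} from the batch slip
    vouchers: list of {"seq", "account", "amount"}
    Returns (accepted_vouchers, errors); errors is a list of (seq or "batch",
    message) that doubles as the error log of item 8."""
    errors = []
    # Item 6: document count and batch control total against the slip.
    if len(vouchers) != header["document_count"]:
        errors.append(("batch", "document count %d, slip says %d"
                       % (len(vouchers), header["document_count"])))
    total = round(sum(v["amount"] for v in vouchers), 2)
    if total != header["batch_total"]:
        errors.append(("batch", "batch total %.2f, slip says %.2f"
                       % (total, header["batch_total"])))
    if errors:
        return [], errors             # whole batch held until the slip reconciles
    # Item 7: sequence check for lost or duplicated vouchers.
    seqs = [v["seq"] for v in vouchers]
    duplicated = {s for s in seqs if seqs.count(s) > 1}
    expected = range(header["first_seq"], header["first_seq"] + header["document_count"])
    for s in expected:
        if s not in seqs:
            errors.append((s, "missing voucher"))
    # Item 5: edit checks on each voucher.
    accepted = []
    for v in vouchers:
        problems = []
        if not luhn_ok(v["account"]):
            problems.append("account check digit fails")
        if not AMOUNT_LIMIT[0] <= v["amount"] <= AMOUNT_LIMIT[1]:
            problems.append("amount outside limit")
        if v["seq"] in duplicated:
            problems.append("duplicate voucher number")
        errors.extend((v["seq"], p) for p in problems)
        if not problems:
            accepted.append(v)
    return accepted, errors


def recurring_errors(error_log):
    """Item 11: error types that occur more than once in the log."""
    counts = {}
    for _, message in error_log:
        counts[message] = counts.get(message, 0) + 1
    return {m: n for m, n in counts.items() if n > 1}


def demo():
    """Constructed batch: one good voucher, one bad check digit, a duplicated
    voucher number (so 103 is missing), and one amount over the limit."""
    header = {"document_count": 4, "batch_total": 76350.00, "first_seq": 101}
    vouchers = [
        {"seq": 101, "account": "79927398713", "amount": 500.00},
        {"seq": 102, "account": "79927398710", "amount": 250.00},
        {"seq": 102, "account": "4539578763621486", "amount": 600.00},
        {"seq": 104, "account": "79927398713", "amount": 75000.00},
    ]
    return validate_batch(header, vouchers)
```

Both copies of voucher 102 are rejected rather than one being kept, since the batch cannot tell which is genuine; that decision goes back to the user department under item 9.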
Output and Processing
Audit Objective
The controls provide reasonable assurance that transactions are properly processed by the computer, that output (hard copy or other) is complete and accurate, and that calculated items have been accurately computed:
1 Is there any formal written output distribution policy?
2 Are hard copy reports:
Headed
Pages numbered
Dated
Identified by report/program number
Adequately totalled/control totalled
Designed to give an End of Report message, if not obvious?
3 Are significant reports distributed only to authorised personnel, in line with an approved distribution list?
4 Are there formal procedures for checking, filing and retention of reports?
5 Where output from one system is input to another, are run-to-run totals, or similar checks, used to ensure no data is lost or corrupted?
6 Are there adequate controls over forms that have monetary value?
7 Is maximum use made of programmed checks on limits, ranges, reasonableness, etc., and are items that are detected reported for investigation?
8 Where calculations can be 'forced', i.e. a programmed check bypassed, are such items reported for investigation?
9 Where errors in processing are detected, is there a formal procedure for reporting and investigation?
10 Is reconciliation between input, output and brought forward figures carried out, and are differences investigated?
11 Are suspense accounts checked and cleared on a timely basis?
12 Are key exception reports reviewed and acted upon on a timely basis?
Viruses
1 Is there any formal written anti-virus
2 Is the policy effectively communicated to individuals in the organisation?
3 Is there a list of approved software and
4 Is only authorised software installed on microcomputers?
5 Is there a master library of such
6 Are directories periodically reviewed for suspicious files?
7 Are files on the system regularly checked for size changes? (Size alone misses a same-length modification; a cryptographic hash of each file is the reliable comparison.)
8 Is anti-virus software installed on all microcomputers?
9 Is anti-virus software regularly updated for new virus definitions?
10 Are suspicious files quarantined and deleted from the terminal's hard drive and the network drive?
11 Are diskettes formatted before re-use?
12 Have procedures been developed to restrict or oversee the transfer of data between machines?
13 Are staff prohibited from sharing machines?
14 Is software reloaded from the master diskettes after machine maintenance?
15 Have all staff been advised of the virus prevention procedures?
16 Are downloads from the internet controlled by locking the hard drive and routing them through a network drive, to prevent any virus from spreading?
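Items 6 and 7 above ask for directories to be reviewed for suspicious files and for files to be checked for size changes. The following added example, written for this page and not taken from any anti-virus product, records a baseline of size and SHA-256 for every file under a directory and then reports added, removed and changed files; it also singles out files whose contents changed without their size changing, which a size-only review would not notice. The directory contents are constructed inside demo(); the paths and function names are assumptions.

```python
"""File integrity baseline and comparison for Virus items 6 and 7.
Illustrative code written for this page; the sample tree is constructed."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file (path relative to root) to its size and SHA-256."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = {"size": os.path.getsize(path), "sha256": digest}
    return snap


def compare(baseline, current):
    """Differences between two snapshots. 'missed_by_size_check' lists files
    whose contents changed while their size did not: the case a size-only
    review (item 7 as written) cannot see."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed, same_size = [], []
    for rel in set(baseline) & set(current):
        if baseline[rel]["sha256"] != current[rel]["sha256"]:
            changed.append(rel)
            if baseline[rel]["size"] == current[rel]["size"]:
                same_size.append(rel)
    return {"added": added, "removed": removed,
            "changed": sorted(changed), "missed_by_size_check": sorted(same_size)}


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed directory: a same-length patch to ledger.exe, a new file
    dropped into bin/, and payroll.exe removed between two snapshots."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ledger.exe", b"MZ original program body")
        _write(root, "bin/payroll.exe", b"MZ payroll v1")
        _write(root, "docs/readme.txt", b"unchanged")
        baseline = snapshot(root)
        _write(root, "bin/ledger.exe", b"MZ modified program body")  # same size
        _write(root, "bin/dropper.exe", b"MZ new and unexpected")
        os.remove(os.path.join(root, "bin", "payroll.exe"))
        return compare(baseline, snapshot(root))
```

In practice the baseline must be stored where the machine under review cannot alter it (read-only media or a separate host), or a compromise can rewrite the baseline along with the files.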
INTERNET
1 Is there a proper policy regarding the use of the internet by employees?
2 Does the policy identify the specific assets that the firewall is intended to protect and the objectives of that protection?
3 Does the policy support the legitimate use and flow of data and information?
4 Is information passing through the firewall properly monitored?
5 Determine whether management approval of the policy has been sought and granted, and the date of the most recent review of the policy by management.
6 Is the policy properly communicated to the users, and is awareness maintained?
7 Has the company employed a Firewall Administrator?
8 Is the firewall configured as per the security policy?
9 Is URL screening being performed by the firewall?
10 Is anti-virus inspection enabled?
11 Are packets screened for the presence of prohibited words? If so, determine how the list of words is administered and maintained.
12 Are access logs regularly reviewed, and is action taken on questionable entries?
A CONTINUITY OF OPERATIONS AND PHYSICAL PROTECTION
1 Fire Hazard
Fire resistance:
Building materials fire resistant
Wall and floor coverings non-combustible
Separation from hazardous areas (e.g. fire doors)
Separation from combustible materials (e.g. paper, fuel)
Smoking restriction
Fire resistant safes (for tapes, disks and documentation)
Fire detection:
Smoke / heat-rise detectors
Detectors located on ceiling and under floor
Detectors located in all key EDP areas
Linked to fire alarm system
Fire extinction:
Halon gas system (for key EDP areas) (Halon is no longer manufactured under the Montreal Protocol; a clean-agent or inert-gas system is the current equivalent)
Automatic sprinkler system
Portable CO2 extinguishers (electrical fires)
Ease of access for fire services
Fire emergency:
Fire instructions clearly posted
Fire alarm buttons clearly visible
Emergency power-off procedures posted
Evacuation plan, with assignment of responsibilities
Fire practices:
Regular fire drill and training
Regular inspection/testing of all equipment
2 Water Damage
EDP area located above ground level
Building weather protected (e.g. storms, water leaks)
Computer room drainage facilities
3 Air Conditioning
Monitoring of temperature and humidity in EDP area
Heat, fire and access protection of sensitive air conditioning parts (e.g. cooling tower)
Air intakes located to avoid undesirable pollution
Back-up air conditioning equipment
4 Power Supply
Reliable local power supply
Separate computer power supply
Line voltage monitored
Power supply regulated (for voltage fluctuation)
Uninterruptible power supply (e.g. battery system) available
Alternative power supply (e.g. generator)
Emergency lighting system
5 Communications Network
Physical protection of communications lines, modems, multiplexors and processors
Location of communication equipment separate from main EDP equipment
Back-up and dial-up lines for direct lines
6 Machine Room Layout
Printers, plotters located in separate area
Printout preparation (e.g. bursting) located in separate area
Tape/disk library in separate area
Machine room kept tidy
Practical location of security devices
Emergency power off switches
Alarms
Extinguishers
Environment monitoring equipment
B ACCESS CONTROL
1 Entrance Routes (EDP areas):
No unnecessary entrances to the computer room
Non-essential doors always shut and locked to the outside (e.g. fire exits)
Air vent and daylight access location protected
Use of all open doors controlled
2 Access Control:
Access restricted to selected employees
Prior approval required for all other employees
Entrance door controlled by:
Screening by a guard
Locks/combinations
Electronic badge/key
Other (specify)
Positive identification of all employees (e.g. identification card)
All unknown personnel challenged
Verification of all items taken into and out of the computer room
Access controlled on a 24-hour basis including weekends (e.g. automatic control mechanism)
Locks, combinations, badge codes changed periodically
Copies of the documentation kept in a secure location
3 Visitor Control:
Positive identification always required
Temporary badges issued, controlled and returned on departure
All visits logged in and out
Visitors accompanied and observed at all times
4 Terminal Security:
All terminals located in secure areas
Alarm system used to prevent microcomputers from being disconnected or moved from their location
Sensitive applications, e.g. payroll, maintained on machines in a physically restricted area
Terminal keys/locks used
Passwords changed regularly
Identification labels placed on each terminal
5 General Security
Waste regularly removed from EDP area and sensitive data shredded
Window and door alarm system
Closed circuit television monitoring
C PERSONNEL POLICIES
1 New employees recruited according to job description and job specification
2 Employee identity cards issued
3 Performance evaluation and regular counselling
4 Continuing education program
5 Training in security, privacy and recovery procedures
6 All functions covered by cross training
7 Critical jobs rotated periodically (e.g. operators, program maintenance)
8 Clean desk policy enforced
9 Fidelity insurance for key personnel
10 Contract service personnel vetted (e.g.
D INSURANCE
1 Does adequate insurance exist to cover:
Equipment?
Software and documentation?
Storage media?
Replacement / re-creation cost?
Loss of data/assets (e.g. accounts
Business loss or interruption (business critical systems)?
2 Is adequate consideration given to cover additional cost of working and
E BACK-UP PROCEDURES
1 Equipment (computer and ancillary):
Regular preventive maintenance
Reliable manufacturer service
Arrangements for back-up installation
Formal written agreement
Compatibility regularly checked
Sufficient computer time available at
Testing at back-up regularly performed
2 Outside Suppliers (non-continuance / disaster):
(e.g. suppliers of equipment, computer time, software)
Alternative sources of supply / maintenance / service available
Adequate and secure documentation/back-up of data and programs
Are backup copies of system documentation kept in a secure location?
3 Off-site Storage:
Secure separate location
Adequate physical protection (see section A)
Log maintained of off-site materials
Off-site inventory regularly reviewed
File transportation under adequate physical protection
Back-up files periodically tested
4 Data Files:
File criticality and retention procedure regularly reviewed
Tape
At least three generations of important tape files retained
Copies of all updating transactions for the above retained
At least one generation and all necessary updating transactions in off-
Disc
Checkpoint/restart procedures provided
Audit trail (log file) of transactions updating on-line files (database)
Regular tape dumps of all disc files stored
Audit trail (log file) regularly dumped and stored off-site
5 Software:
Copies of the following maintained off-site:
Production application programs
Major programs under development
System and program documentation
Operating procedures
Operation and system software
All copies regularly updated
Back-up copies regularly tested
6 Operations
Back-up procedure manual
Priority assignments for all applications
Procedures for restoring data files and
Procedures for back-up installation
F DISASTER RECOVERY PLANS
1 Is a comprehensive contingency plan developed, documented and periodically tested to ensure continuity in data processing services?
2 Does the contingency plan provide for recovery and extended processing of critical applications in the event of a catastrophic disaster?
3 Has any Business Impact Analysis been carried out by the company?
4 Are all recovery plans approved and tested to ensure their adequacy in the event of disaster?
5 Communicated to all management and personnel concerned
6 Critical processing priorities identified (e.g. significant accounting applications)
7 Are disaster recovery teams established to support the disaster recovery plan?
8 Are the responsibilities of individuals within the disaster recovery team defined, and is time allocated for completion of their tasks?
9 Operations procedures for use of equipment and software back-up
10 Has the company developed and implemented adequate plan maintenance procedures?
11 Are priorities set for the development of critical systems?
12 Does a hardware maintenance contract exist with a reputable supplier?
13 Does the recovery plan ensure, in the event of failure:
No loss of data received but not processed
No reprocessing of data already processed
Files not corrupted by partially completed processing
14 Are recovery plans regularly tested?
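The last two items above require that a failure causes no loss of data received but not processed, no reprocessing of data already processed, and no file corrupted by partially completed processing. Together with the tape generations, retained updating transactions and checkpoint/restart procedures listed under section E, these are met by restoring the latest backup generation and replaying the transaction journal past the checkpoint. The following added example, written for this page and not taken from any DBMS or backup product, models that: a master file that records the last applied sequence number alongside the balances, a rotating set of three backup generations, a journal of transactions written before processing, and a recovery routine that skips journal entries at or below the checkpoint. The account layout and the sample journal are constructed assumptions.

```python
"""Backup generations, transaction journal and checkpoint/restart, showing
how the three recovery properties in the disaster recovery section hold.
Illustrative code written for this page; layout and names are assumptions."""
from collections import deque
import copy


class MasterFile:
    """Balances plus the sequence number of the last transaction applied.
    Both are saved together, so every backup is a consistent checkpoint."""

    def __init__(self):
        self.balances = {}
        self.last_applied_seq = 0


def apply_txn(master, txn):
    """Apply (seq, account, delta). Returns False when seq was already
    applied, which is what prevents reprocessing after a restart."""
    seq, account, delta = txn
    if seq <= master.last_applied_seq:
        return False
    master.balances[account] = master.balances.get(account, 0) + delta
    master.last_applied_seq = seq      # balance and checkpoint move together
    return True


class BackupSet:
    """Keeps only the newest N generations (section E asks for at least three)."""

    def __init__(self, generations=3):
        self.generations = deque(maxlen=generations)

    def take(self, master):
        self.generations.append(copy.deepcopy(master))

    def latest(self):
        return copy.deepcopy(self.generations[-1])


def recover(backups, journal):
    """Restart from the latest generation and replay the retained journal.
    Entries at or below the checkpoint are skipped; later ones are re-applied."""
    master = backups.latest()
    replayed = sum(1 for txn in journal if apply_txn(master, txn))
    return master, replayed


def demo():
    """Constructed run: back up after seq 3, apply 4 and 5, then lose the
    working copy; recovery must reach the same state as an unbroken run."""
    journal = [(1, "A", 100), (2, "B", 50), (3, "A", -30), (4, "C", 70),
               (5, "B", 20), (6, "A", 10), (7, "C", -5), (8, "B", 5)]
    master, backups = MasterFile(), BackupSet()
    for txn in journal[:3]:
        apply_txn(master, txn)
    backups.take(master)               # generation taken at checkpoint seq 3
    for txn in journal[3:5]:
        apply_txn(master, txn)         # seq 4 and 5 applied, then a crash
    del master                         # working copy lost or corrupted
    recovered, replayed = recover(backups, journal)
    reference = MasterFile()           # an unbroken run, for comparison
    for txn in journal:
        apply_txn(reference, txn)
    return {"balances": recovered.balances,
            "last_seq": recovered.last_applied_seq,
            "replayed": replayed,
            "matches_reference": recovered.balances == reference.balances,
            "second_apply_of_seq_1": apply_txn(recovered, journal[0])}
```

The same skip-by-sequence rule is what makes a restart safe after a crash in the middle of a batch: the checkpoint records exactly which transactions are in the file, so nothing before it is re-applied and nothing after it is dropped.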
P.VELU CA (FINAL)