17 System Audit Checklist

8/2/2019 17 System Audit Checklist

Information Systems Audit Checklist


** SYSTEM AUDIT CHECKLIST **

ORGANISATION AND ADMINISTRATION

Audit Objective

Does the organisation of data processing provide for adequate segregation of duties?

Audit Procedures

Review the company organisation chart, and the data processing department organisation chart.

Yes/No Comments

1 Is there a separate EDP department within the Company?

2 Is there a steering committee, and are its duties and responsibilities for managing MIS clearly defined?

3 Has the Company developed an IT strategy linked with the long and medium term plans?

4 Is the EDP Department independent of the user department and in particular the accounting department?

5 Are there written job descriptions for all jobs within the EDP department, and are these job descriptions communicated to designated employees?

6 Are EDP personnel prohibited from having incompatible responsibilities or duties in user departments and vice versa?

7 Are there written specifications for all jobs in the EDP Department?

8 Are the following functions within the EDP Department performed by separate sections:

System design

Application programming

Computer operations

Database administration

Systems programming

Data entry and control?

9 Are the data processing personnel prohibited from duties relating to:

Initiating transactions?

Recording of transactions?

Master file changes?

Correction of errors?

10 Is all processing prescheduled and authorised by appropriate personnel?

11 Are there procedures to evaluate and establish who has access to the data in the database?

12 Are the EDP personnel adequately trained?

13 Are systems analysts and programmers denied access to the computer room and limited in their operation of the computer?

14 Do any of the computer operators have programming knowledge?

15 Are operators barred from making changes to programs and from creating or amending data before, during, or after processing?

16 Is the custody of assets restricted to personnel outside the EDP department?

17 Is a strategic data processing plan developed by the company for the achievement of the long-term business plan?

18 Are there any key personnel within the IT department whose absence can leave the company with limited expertise?

19 Are there any key personnel who are being over-relied upon?

20 Is EDP audit being carried out by internal audit or an external consultant to ensure compliance with policies and controls established by management?

PROGRAM MAINTENANCE AND SYSTEM DEVELOPMENT

Audit Objective

Development and changes to programs are authorised, tested, and approved, prior to being placed in production.

Program Maintenance

Audit Procedures

(i) Review details of the program library structure, and note controls which allow only authorised individuals to access each library.

(ii) Note the procedures used to amend programs.

(iii) Obtain an understanding of any program library management software used.

Yes/No Comments

1 Are there written standards for program maintenance?

2 Are these standards adhered to and enforced?

3 Are these standards reviewed regularly and approved?

4 Are there procedures to ensure that all programs required for maintenance are kept in a separate program test library?

5 Are programmers denied access to all libraries other than the test library?

6 Are changes to programs initiated by written request from the user department and approved?

7 Are changes initiated by the Data Processing Department communicated to users and approved by them?

8 Are there adequate controls over the transfer of programs from production into the programmer's test library?

9 Are all systems developed, or changes to existing systems, tested according to user approved test plans and standards?

10 Are tests performed for system acceptance, and is the test data documented?

11 Are transfers from the development library to the production library carried out by persons independent of the programmers?

12 Do procedures ensure that no such transfer can take place without the change having been properly tested and approved?

13 Is a report of program transfers into production reviewed on a daily basis by a senior official to ensure only authorised transfers have been made?

14 Are all program changes properly documented?

15 Are all changed programs immediately backed up?

16 Is a copy of the previous version of the program retained (for use in the event of problems arising with the amended version)?

17 Are there standards for emergency changes to be made to application programs?

18 Are there adequate controls over program recompilation?

19 Are all major amendments notified to Internal Audit for comment?

20 Are there adequate controls over authorisation, implementation, approval and documentation of changes to operating systems?

System Development

1 Are there formalised standards for the system development life cycle procedure?

2 Do they require authorisation at the various stages of development: feasibility study, system specification, testing, parallel running, post implementation review, etc.?

3 Do the standards provide a framework for the development of controlled applications?

4 Are standards regularly reviewed and updated?

5 Does adequate system documentation exist for:

Programmers to maintain and modify programs?

Users to satisfactorily operate the system?

Operators to run the system?

6 Has the internal audit department been involved in the design stage to ensure adequate controls exist?

7 Testing of programs - see Program Maintenance.

8 Procedures for authorising new applications to production - see Program Maintenance.

9 Are user and data processing personnel adequately trained to use the new applications?

10 Is system implementation properly planned and implemented by either parallel run or pilot run?

11 Are any differences and deficiencies during the implementation phase noted and properly resolved?

12 Are there adequate controls over the setting up of the standing data and opening balances?

13 Is a post implementation review carried out?

14 Are user manuals prepared for all new systems developed and revised for subsequent changes?

15 Is there a Quality Assurance Function to verify the integrity and acceptance of applications developed?

Purchased Software

Yes/No Comments

1 Are there procedures addressing controls over selection, testing and acceptance of packaged software?

2 Is adequate documentation maintained for all software purchased?

3 Are vendor warranties (if any) still in force?

4 Is the software purchased held in escrow?

5 Are backup copies of user/operations manuals kept off-site?

ACCESS TO DATA FILES

Audit Objective

Is access to data files restricted to authorised users and programs?

Access to Data

1 Is there any formal written data security policy? Consider whether the policy addresses data ownership, confidentiality of information, and use of passwords.

2 Is the security policy communicated to individuals in the organisation?

3 Is physical access to off-line data files controlled in:

Computer room?

On-site library?

Off-site library?

4 Does the company employ a full-time librarian who is independent of the operators and programmers?

5 Are libraries locked during the absence of the librarian?

6 Are requests for on-line access to off-line files approved?

7 Are requests checked against the actual files issued and initialled by the librarian?

8 Are sensitive applications, e.g. payroll, maintained on machines in physically restricted areas?

9 Are encryption techniques used to protect against unauthorised disclosure or undetected modification of sensitive data?

10 Are returns followed up, and non-returns investigated and adequately documented?

Computer Processing

11 Does a scheduling system exist for execution of programs?

12 Is there a comparison between actual and scheduled processing?

13 Are non-scheduled jobs approved prior to being run?

14 Is the use of utility programs controlled (in particular those that can change executable code or data)?

15 Are program tests restricted to copies of live files?

16 Is access to the computer room restricted to only authorised personnel?

17 Are internal and external labels used on files?

18 Are overrides of system checks by operators controlled?

19 Are exception reports for such overrides printed and reviewed by appropriate personnel?

20 Do sufficient operating instructions exist covering procedures to be followed at operation?

Database

Yes/No Comments

21 Does the position of database administrator (DBA) exist? If not, note who is responsible for:

Defining user and program access

Mediating between users who share data

Maintaining the integrity of the database

Setting standards of backup and recovery

22 Is the DBA restricted from:

Having control over company assets

Initiating and recording transactions

23 Are logs maintained of the use of utilities, changes to access methods, etc.?

24 If so, are these independently reviewed?

25 Does the DBMS have the facility to abort jobs when two users, with the same priority, are locked out from the same chain of data?

26 Are integrity checking programs run periodically to check the accuracy and correctness of linkages between records?
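As an added example (not part of this checklist and not any vendor's code), the kind of periodic linkage check that item 26 asks about, written in Python against an in-memory SQLite database loaded with constructed ledger data; the table and column names are assumptions for the illustration. It finds a transaction whose account link has no matching account record, first with an explicit query and then with the DBMS's own foreign-key check, so the two counts can be reconciled in the working papers.

```python
"""Periodic record-linkage integrity check over a small ledger (added example, constructed data)."""
import sqlite3

# Assumed schema for the illustration: every transaction must link to an existing account.
SCHEMA = """
CREATE TABLE accounts (
    account_no TEXT PRIMARY KEY,
    name       TEXT NOT NULL
);
CREATE TABLE transactions (
    txn_id     INTEGER PRIMARY KEY,
    account_no TEXT NOT NULL REFERENCES accounts(account_no),
    amount     REAL NOT NULL
);
"""


def build_sample_db():
    """Constructed sample data. SQLite leaves foreign keys OFF by default, so a dangling
    link can be stored, as it could in a system whose DBMS does not enforce linkages."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("1001", "Cash"), ("2001", "Payables")])
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)",
                     [(1, "1001", 250.00),
                      (2, "2001", -75.00),
                      (3, "9999", 10.00)])   # account 9999 does not exist: an orphan
    return conn


def orphaned_transactions(conn):
    """Explicit linkage check: transactions whose account_no matches no account row."""
    return conn.execute("""
        SELECT t.txn_id, t.account_no
        FROM transactions AS t
        LEFT JOIN accounts AS a ON a.account_no = t.account_no
        WHERE a.account_no IS NULL
        ORDER BY t.txn_id
    """).fetchall()


def dbms_foreign_key_violations(conn):
    """The same check using the DBMS facility; each row is (table, rowid, parent, fk index)."""
    return conn.execute("PRAGMA foreign_key_check").fetchall()


def integrity_report(conn):
    """Summary a reviewer can file: both methods should agree on the number of broken links."""
    orphans = orphaned_transactions(conn)
    return {
        "orphan_count": len(orphans),
        "orphans": orphans,
        "dbms_reported": len(dbms_foreign_key_violations(conn)),
    }


if __name__ == "__main__":
    print(integrity_report(build_sample_db()))
```

The explicit query is the portable form of the check and works even where the schema declares no foreign keys; the PRAGMA is the SQLite-specific shortcut. When the two counts differ, the schema's declared linkages do not match the ones the business relies on, which is itself a finding.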

Password and other online controls

Audit Procedure

(i) Note procedures for issuing, amending, and deleting passwords.

(ii) Obtain an understanding of any access control software used.

1 Do formal procedures exist for the issue and subsequent control of passwords?

2 Is there any proper password syntax in place: min. 5 and max. 8 characters and including alphanumeric characters?

3 Are there satisfactory procedures for reissuing passwords to users

4 Are procedures in place to ensure the removal of terminated employee

5 Are system access compatibilities properly changed with regard to

6 Are individual job responsibilities considered when granting users

7 Is each user allocated a unique password and user account?

8 Are there procedures in place to ensure change of password after every 30 days?

9 Is application level security violations

10 Do standards and procedures exist for follow up of security violations?

11 Do formal and documented procedures exist for use and monitoring of dial up

12 Is use made of passwords to restrict specific files?

13 Do terminals automatically log off after a set period of time?

14 Is there a limit of the number of invalid passwords before the terminal closes

15 Are there any administrative regulations limiting physical access

16 Are invalid password attempts reported to department managers?

17 Are restrictions placed on which applications terminals can access?

18 Are keys, locks, cards or other physical devices used to restrict access to only authorised users?
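As an added example (not from the checklist's author), one way a reviewer can test items 8, 14 and 16 against actual evidence rather than a Yes/No answer: a Python script run over a few constructed login log lines that flags runs of invalid password attempts reaching a limit, groups them by department manager for reporting, and lists users whose password is older than 30 days. The log format, the limit of three attempts, the ten-minute window, the user-to-manager mapping and the password-change dates are all assumptions made for the illustration.

```python
"""Review of invalid password attempts and password age (added example, constructed data)."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample log lines (timestamp, event, user, terminal); not from any real system.
SAMPLE_LOG = """\
2019-08-02T08:01:10 LOGIN_FAIL alice TERM07
2019-08-02T08:01:25 LOGIN_FAIL alice TERM07
2019-08-02T08:01:40 LOGIN_FAIL alice TERM07
2019-08-02T08:02:03 LOGIN_FAIL alice TERM07
2019-08-02T08:05:00 LOGIN_OK bob TERM02
2019-08-02T09:10:12 LOGIN_FAIL carol TERM11
2019-08-02T09:12:45 LOGIN_OK carol TERM11
"""

MAX_INVALID = 3                  # assumed limit on invalid attempts (item 14)
WINDOW = timedelta(minutes=10)   # assumed period within which failures count together
MAX_PASSWORD_AGE_DAYS = 30       # item 8

# Constructed mapping from user to the department manager who receives the report (item 16)
MANAGERS = {"alice": "mgr.finance", "bob": "mgr.ops", "carol": "mgr.sales"}

# Constructed password-change dates and the date of the review
SAMPLE_LAST_CHANGED = {"alice": date(2019, 6, 20), "bob": date(2019, 7, 25), "carol": date(2019, 7, 1)}
REVIEW_DATE = date(2019, 8, 2)


def parse_log(text):
    """Turn the constructed log format into (timestamp, event, user, terminal) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, terminal = line.split()
        events.append((datetime.fromisoformat(ts), event, user, terminal))
    return events


def excessive_failures(events, limit=MAX_INVALID, window=WINDOW):
    """Map (user, terminal) -> number of failures in a run that reached the limit.
    A successful login ends the run; failures older than the window are dropped."""
    flagged = {}
    recent = defaultdict(list)
    for ts, event, user, terminal in sorted(events):
        key = (user, terminal)
        if event == "LOGIN_OK":
            recent[key].clear()
            continue
        if event != "LOGIN_FAIL":
            continue
        recent[key] = [t for t in recent[key] if ts - t <= window]
        recent[key].append(ts)
        if len(recent[key]) >= limit:
            flagged[key] = len(recent[key])
    return flagged


def manager_report(flagged, managers=MANAGERS):
    """Group flagged (user, terminal, count) entries by the responsible manager."""
    report = defaultdict(list)
    for (user, terminal), count in sorted(flagged.items()):
        report[managers.get(user, "UNASSIGNED")].append((user, terminal, count))
    return dict(report)


def stale_passwords(last_changed, as_of, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Users whose password is older than the permitted age on the review date."""
    return sorted(user for user, changed in last_changed.items()
                  if (as_of - changed).days > max_age_days)


if __name__ == "__main__":
    print(manager_report(excessive_failures(parse_log(SAMPLE_LOG))))
    print(stale_passwords(SAMPLE_LAST_CHANGED, REVIEW_DATE))
```

On the sample data the four failures for alice on TERM07 exceed the limit and are routed to mgr.finance, carol's single failure followed by a successful login is not reported, and alice and carol both appear on the stale-password list. Running the same script over the real access-control log and password-change records gives the reviewer evidence for the Comments column.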

APPLICATION CONTROLS

Input

Audit Objective

Do controls provide reasonable assurance that for each transaction type, input is authorised, complete and accurate, and that errors are promptly corrected?

1 Are all transactions properly authorised before being processed by computers?

2 Are all batches of transactions authorised?

3 Do controls ensure unauthorised batches or transactions are prevented from being accepted, i.e. they are detected?

4 Is significant standing data input verified against the master file?

5 Is maximum use made of edit checking, e.g. check digits, range and feasibility checks, limit tests, etc.?

6 Are there procedures to ensure all vouchers have been processed, e.g. batch totals, document counts, sequence reports, etc.?

7 Are there procedures established to ensure that transactions or batches are not lost, duplicated or improperly changed?

8 Are all errors reported for checking and correction?

9 Are errors returned to the user department for correction?

10 Do procedures ensure these are resubmitted for processing?

11 Is an error log maintained and reviewed to identify recurring errors?

12 Are persons responsible for data preparation and data entry independent of the output checking and balancing process?

13 Are persons responsible for data entry prevented from amending master file data?
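Items 5 to 7 name the edit checks and batch controls expected on input. As an added example (not part of the checklist), the following Python batch validator applies them to a constructed voucher batch: a modulus-11 check digit on account numbers (the weighting scheme is an assumption for the illustration), a range and limit test on amounts, a document count and control total against the batch header, and a sequence report for gaps and duplicates. Every exception becomes an error-log entry that can be returned to the user department and tracked for resubmission (items 8 to 11).

```python
"""Input edit checks and batch control totals for a voucher batch (added example, constructed data)."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Voucher:
    seq: int          # pre-numbered voucher sequence
    account: str      # account number whose last character is a check digit
    amount: Decimal


@dataclass(frozen=True)
class BatchHeader:
    first_seq: int
    document_count: int
    control_total: Decimal


AMOUNT_LIMIT = Decimal("10000.00")   # assumed limit test (item 5)


def mod11_check_digit(body: str) -> str:
    """Weighted modulus-11 check digit (scheme assumed for the illustration): weights
    2,3,4,... applied from the rightmost body digit; a remainder of 10 is written 'X'."""
    total = sum(int(d) * w for d, w in zip(reversed(body), range(2, 2 + len(body))))
    expected = (11 - total % 11) % 11
    return "X" if expected == 10 else str(expected)


def valid_account(account: str) -> bool:
    body, check = account[:-1], account[-1]
    return body.isdigit() and mod11_check_digit(body) == check


def validate_batch(header, vouchers, amount_limit=AMOUNT_LIMIT):
    """Return (seq, code, message) error-log entries; an empty list means the batch is clean."""
    errors = []
    # Completeness controls over the whole batch (item 6)
    if len(vouchers) != header.document_count:
        errors.append((None, "DOC_COUNT",
                       f"expected {header.document_count} documents, got {len(vouchers)}"))
    total = sum((v.amount for v in vouchers), Decimal("0"))
    if total != header.control_total:
        errors.append((None, "BATCH_TOTAL",
                       f"control total {header.control_total} != computed {total}"))
    # Sequence report: duplicated and missing voucher numbers (item 7)
    seen = set()
    for v in vouchers:
        if v.seq in seen:
            errors.append((v.seq, "SEQ_DUP", "duplicate voucher number"))
        seen.add(v.seq)
    expected = set(range(header.first_seq, header.first_seq + header.document_count))
    for missing in sorted(expected - seen):
        errors.append((missing, "SEQ_GAP", "voucher number missing from batch"))
    # Per-voucher edit checks (item 5)
    for v in vouchers:
        if not valid_account(v.account):
            errors.append((v.seq, "CHECK_DIGIT", f"account {v.account} fails check digit"))
        if not (Decimal("0") < v.amount <= amount_limit):
            errors.append((v.seq, "RANGE", f"amount {v.amount} outside 0 < amount <= {amount_limit}"))
    return errors


# Constructed sample batch: one mis-keyed account number, one out-of-range amount,
# voucher 103 missing and voucher 104 keyed twice. The control total still agrees.
SAMPLE_HEADER = BatchHeader(first_seq=101, document_count=4, control_total=Decimal("1515.50"))
SAMPLE_VOUCHERS = [
    Voucher(101, "123455", Decimal("250.00")),
    Voucher(102, "987654", Decimal("1200.50")),
    Voucher(104, "123456", Decimal("75.00")),
    Voucher(104, "55555X", Decimal("-10.00")),
]

if __name__ == "__main__":
    for entry in validate_batch(SAMPLE_HEADER, SAMPLE_VOUCHERS):
        print(entry)
```

The sample shows why a control total alone is not enough: the total agrees with the header, yet the batch still carries a bad check digit, a negative amount, a gap and a duplicate. Only the combination of batch-level and item-level checks catches all four.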

Output and Processing

Audit Objective

The controls provide reasonable assurance that transactions are properly processed by the computer and output (hard copy or other) is complete and accurate, and that calculated items have been accurately computed:

1 Is there any formal written output distribution policy?

2 Are hard copy reports:

Headed

Pages numbered

Dated

Identified by report/program number

Adequately totalled/control totalled

Designed to give an End of Report message, if not obvious?

3 Are significant reports distributed to only authorised personnel in line with an approved distribution list?

4 Are there formal procedures for checking, filing and retention of reports?

5 Where output from one system is input to another, are run-to-run totals, or similar checks, used to ensure no data is lost or corrupted?

6 Are there adequate controls over forms that have monetary value?

7 Is maximum use made of programmed checks on limits, ranges, reasonableness, etc., and are items that are detected reported for investigation?

8 Where calculations can be 'forced', i.e. bypass a programmed check, are such items reported for investigation?

9 Where errors in processing are detected, is there a formal procedure for reporting and investigation?

10 Is reconciliation between input, output and brought forward figures carried out and differences investigated?

11 Are suspense accounts checked and cleared on a timely basis?

12 Are key exception reports reviewed and acted upon on a timely basis?

Viruses

1 Is there any formal written anti-virus

2 Is the policy effectively communicated to individuals in the organisation?

3 Is there a list of approved software and

4 Is only authorised software installed on microcomputers?

5 Is there a master library of such

6 Are directories periodically reviewed for suspicious files?

7 Are files on the system regularly checked for size changes?

8 Is anti-virus software installed on all microcomputers?

9 Is anti-virus software regularly updated for new virus definitions?

10 Are suspicious files quarantined and deleted from the terminal's hard drive and network drive?

11 Are diskettes formatted before re-use?

12 Have procedures been developed to restrict or oversee the transfer of data between machines?

13 Are staff prohibited from sharing machines?

14 Is software reloaded from the master diskettes after machine maintenance?

15 Have all staff been advised of the virus prevention procedures?

16 Are downloads from the internet controlled by locking the hard drive and routing them through the network drive to prevent the virus (if any) from spreading?
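Items 6 and 7 ask whether directories are reviewed for suspicious files and whether file sizes are checked for change. As an added example (not from the checklist), this Python script performs that review by recording a baseline of size and SHA-256 per file, storing it as JSON, and reporting the files added, removed or changed since the baseline was taken. The directory contents in `demo()` are constructed in a temporary folder so the script runs offline; the file names are invented for the illustration.

```python
"""Directory baseline and change review (added example; files are constructed in a temp directory)."""
import hashlib
import json
import os
import tempfile


def _write(root, relpath, data):
    """Helper for the constructed sample: create a file under root, making parent folders."""
    path = os.path.join(root, *relpath.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def snapshot(root):
    """Map each file (path relative to root, '/'-separated) to its size and SHA-256 digest."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[rel] = {"size": os.path.getsize(path), "sha256": digest.hexdigest()}
    return result


def compare(baseline, current):
    """Files added, removed, or changed (size or content) since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Build a constructed directory, baseline it, alter it, and return the review result."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/ledger.exe", b"A" * 1024)
        _write(root, "docs/readme.txt", b"hello")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)          # taken on a known-good day
        _write(root, "bin/ledger.exe", b"A" * 1024 + b"B" * 64)  # executable grew by 64 bytes
        _write(root, "bin/unknown.exe", b"new")                  # unexpected new file
        os.remove(os.path.join(root, "docs", "readme.txt"))      # file gone
        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping the baseline file away from the reviewed directory (here, in a separate folder) matters: if it sat inside the tree it would appear in its own snapshot, and anything able to alter the files could alter the baseline as well. Size is recorded alongside the digest because item 7 asks specifically about size changes, but the digest is what detects a same-size modification.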

INTERNET

1 Is there any proper policy regarding the use of the internet by employees?

2 Does the policy identify the specific assets that the firewall is intended to protect and the objectives of that protection?

3 Does the policy support the legitimate use and flow of data and information?

4 Is information passing through the firewall properly monitored?

5 Determine whether management approval of the policy has been sought and granted, and the date of the most recent review of the policy by management.

6 Is the policy properly communicated to the users, and is awareness maintained?

7 Has the company employed a Firewall Administrator?

8 Is the firewall configured as per the security policy?

9 Is URL screening being performed by the firewall?

10 Is anti-virus inspection enabled?

11 Are packets screened for the presence of prohibited words? If so, determine how the list of words is administered and maintained.

12 Are access logs regularly reviewed, and is any action taken on questionable entries?

CONTINUITY OF OPERATIONS AND PHYSICAL PROTECTION

1 Fire Hazard

Fire resistance:

Building materials fire resistant

Wall and floor coverings non-combustible

Separation from hazardous areas (e.g. fire doors)

Separation from combustible materials (e.g. paper, fuel)

Smoking restriction

Fire resistant safes (for tapes, disks and documentation)

Fire detection:

Smoke / heat-rise detectors

Detectors located on ceiling and under floor

Detectors located in all key EDP areas

Linked to fire alarm system

Fire extinction:

Halon gas system (for key EDP areas)

Automatic sprinkler system

Portable CO2 extinguishers (electrical fires)

Ease of access for fire services

Fire emergency:

Fire instructions clearly posted

Fire alarm buttons clearly visible

Emergency power-off procedures posted

Evacuation plan, with assignment of responsibilities

Fire practices:

Regular fire drill and training

Regular inspection/testing of all equipment

2 Water Damage

EDP area located above ground level

Building weather protected (e.g. storms, water leaks)

Computer room drainage facilities

3 Air Conditioning

Monitoring of temperature and humidity in EDP area

Heat, fire and access protection of sensitive air conditioning parts (e.g. cooling tower)

Air intakes located to avoid undesirable pollution

Back-up air conditioning equipment

4 Power Supply

Reliable local power supply

Separate computer power supply

Line voltage monitored

Power supply regulated (for voltage fluctuation)

Uninterrupted power supply (e.g. battery system) available

Alternative power supply (e.g. generator)

Emergency lighting system

5 Communications Network

Physical protection of communications lines, modems, multiplexors and processors

Location of communication equipment separate from main EDP equipment

Back-up and dial-up lines for direct lines

6 Machine Room Layout

Printers, plotters located in separate area

Printout preparation (e.g. bursting) located in separate area

Tape/disk library in separate area

Machine room kept tidy

Practical location of security devices

Emergency power off switches

Alarms

Extinguishers

Environment monitoring equipment

B ACCESS CONTROL

1 Entrance Routes (EDP areas):

No unnecessary entrances to the computer room

Non-essential doors always shut and locked to the outside (e.g. fire exits)

Air vent and daylight access location protected

Use of all open doors controlled

2 Access Control:

Access restricted to selected employees

Prior approval required for all other employees

Entrance door controlled by:

Screening by a guard

Locks/combinations

Electronic badge/key

Other (specify)

Positive identification of all employees (e.g. identification card)

All unknown personnel challenged

Verification of all items taken into and out of the computer room

Access controlled on a 24 hour basis including weekends (e.g. automatic control mechanism)

Locks, combinations, badge codes changed periodically

Is access to copies of the documentation kept in a secure location?

3 Visitor Control:

Positive identification always required

Temporary badges issued, controlled and returned on departure

All visits logged in and out

Visitors accompanied and observed at all times

4 Terminal Security:

All terminals located in secure areas

Alarm system used to prevent microcomputers from being disconnected or moved from their location

Sensitive applications, e.g. payroll, maintained on machines in physically restricted areas

Terminal keys/locks used

Passwords changed regularly

Identification labels placed on each terminal

5 General Security

Waste regularly removed from EDP area and sensitive data shredded

Window and door alarm system

Closed circuit television monitoring

C PERSONNEL POLICIES

1 New employees recruited according to job description and job specification

2 Employee identity cards issued

3 Performance evaluation and regular counselling

4 Continuing education program

5 Training in security, privacy and recovery procedures

6 All functions covered by cross training

7 Critical jobs rotated periodically (e.g. operators, program maintenance)

8 Clean desk policy enforced

9 Fidelity insurance for key personnel

10 Contract service personnel vetted (e.g.

D INSURANCE

1 Does adequate insurance exist to cover:

Equipment?

Software and documentation?

Storage media?

Replacement / re-creation cost?

Loss of data/assets (e.g. Accounts

Business loss or interruption (business critical systems)?

2 Is adequate consideration given to cover additional cost of working and

E BACK-UP PROCEDURES

1 Equipment (computer and ancillary):

Regular preventive maintenance

Reliable manufacturer service

Arrangements for back-up installation

Formal written agreement

Compatibility regularly checked

Sufficient computer time available at

Testing at back-up regularly performed

2 Outside Suppliers (non-continuance / disaster):

(e.g. suppliers of equipment, computer time, software)

Alternative sources of supply / maintenance / service available

Adequate and secure documentation/back-up of data and programs

Are backup copies of system documentation kept in a secure location?

3 Off-site Storage:

Secure separate location

Adequate physical protection (see section A)

Log maintained of off-site materials

Off-site inventory regularly reviewed

File transportation under adequate physical protection

Back-up files periodically tested

4 Data Files:

File criticality and retention procedure regularly reviewed

Tape

At least three generations of important tape files retained

Copies of all updating transactions for the above retained

At least one generation and all necessary updating transactions in off-

Disc

Checkpoint/restart procedures provided

Audit trail (log file) of transactions updating on-line files (database)

Regular tape dumps of all disc files stored

Audit trail (log file) regularly dumped and stored off-site

5 Software:

Copies of the following maintained off-site:

Production application programs

Major programs under development

System and program documentation

Operating procedures

Operation and system software

All copies regularly updated

Back-up copies regularly tested

6 Operations

Back-up procedure manual

Priority assignments for all applications

Procedures for restoring data files and

Procedures for back-up installation

F DISASTER RECOVERY PLANS

1 Is a comprehensive contingency plan developed, documented and periodically tested to ensure continuity in data processing services?

2 Does the contingency plan provide for recovery and extended processing of critical applications in the event of catastrophic disaster?

3 Has any Business Impact Analysis been carried out by the company?

3 Are all recovery plans approved and tested to ensure their adequacy in the event of disaster?

4 Communicated to all management and personnel concerned

5 Critical processing priorities identified (e.g. significant accounting applications)

6 Are disaster recovery teams established to support the disaster recovery plan?

7 Are responsibilities of individuals within the disaster recovery team defined, and time allocated for completion of their tasks?

8 Operations procedures for use of equipment and software back-up

9 Has the company developed and implemented adequate plan maintenance procedures?

10 Are priorities set for the development of critical systems?

11 Does a hardware maintenance contract exist with a reputable supplier?

12 Does the recovery plan ensure, in the event of failure:

No loss of data received but not processed

No reprocessing of data already processed

Files not corrupted by partially completed processing

13 Are recovery plans regularly tested?

    P.VELU CA (FINAL)