The review of backup, recovery, and contingency planning has five tasks and should take between 13 and 47 hours to complete.
Task 1: Review Security and Control Questionnaire. The IT auditor should make a copy of this portion of the security and control questionnaire so that the original completed questionnaire can be kept whole in the carry-forward workpapers. The auditor should evaluate the questionnaire responses and document any items that required additional investigation or follow-up. The estimated time is three hours to complete this task. The mainframe environment should include most of the controls covered in the questionnaire.
Task 2: Identify, Test, and Document Backup Procedures. The IT auditor should identify the strategy for making periodic backups as it relates to the business conducted by the locations served by the installation. The results should be documented. In the mainframe environment, this task should take between two and four hours, and the testing of the information obtained should require no more than an additional eight hours.
Task 3: Obtain and Evaluate the Corporate Business Continuity Plan. The IT auditor should obtain and evaluate the business continuity plan for the data center under review and for the business location by using the audit program included as Workpaper 11-1. If a plan is in place, even if the plan only covers the recovery of the data center, the estimated time to complete this task is between 8 and 40 hours. A comprehensive business continuity plan could add 40 hours to the review. As with other control areas, the final time required for this task depends on the level of testing desired and the results of those testing procedures.
Task 4: Review Questionnaire Responses. The IT auditor should, before preparing the conclusion memo for this area, review the questionnaire responses to determine if any of them have not been reviewed or tested in any way. Any items identified during this task should either be evaluated or noted in the workpapers to indicate why no further evaluation was needed. The time to complete this task cannot be estimated in advance for the mainframe environment.
Task 5: Prepare a Summarization Memo. The IT auditor should prepare a memo summarizing the work performed in the backup, recovery, and contingency planning area, including potential findings and any other information deemed important. This task should take between one and three hours, depending on the extent and nature of the included items.
The IT auditor should review the workpapers for clarity and completeness. This task should not take more than two hours. The IT auditor should have the workpapers reviewed by a manager and clear all of the manager's review notes. The time will vary between 4 and 40 hours, based on the review notes received.
The IT auditor should perform the following tasks to issue the final report:
The auditor should complete the audit program and any other remaining pieces of the audit and submit the final workpapers for filing and appropriate retention.
Workpaper 12-1. Generic Questionnaire
GENERIC DOMESTIC COMPANY
IT INTERNAL AUDIT
IT CONTROL ENVIRONMENT QUESTIONNAIRE
COMPANY | ___________________________ |
DIVISION | ___________________________ |
CITY/STATE | ___________________________ |
PREPARED BY | DATE | APPROVED | DATE |
________________ | _______ | ____________ | ______ |
________________ | _______ | ____________ | ______ |
________________ | _______ | ____________ | ______ |
________________ | _______ | ____________ | ______ |
INFORMATION NOT FOR REPRODUCTION OR DISTRIBUTION
DEVELOPED FOR INTERNAL IT AUDIT USE ONLY
IT DEPARTMENT INFORMATION REQUEST FORM
GENERIC DOMESTIC INTERNAL IT AUDIT
This questionnaire is based on the Parent Company IT Security Manual, and the numbered items are drawn from the manual. These items are not in sequence because they have been reorganized into subject areas.
The class code for each question has been retained. The class code definitions are listed below. You must address all items for your installation class. The items for each class are the minimum requirements, but we encourage you to review them all, as items from other classes might benefit or relate to your installation.
CLASS CODE/INSTALLATION SIZE
Please review each of the questions and mark the appropriate space, whether the answer is yes, no, or N/A. The Security Manual includes both specific requirements and general suggestions. Your response to the specific requirements should show whether or not you are in compliance. Your response to general suggestions could indicate either your compliance or your consideration of the item, even if no specific action was taken. There is a space for comments after each question.
We added supplemental questions to include topics not in the Security Manual, and to gather other information needed for a complete audit. These questions are lettered instead of numbered, to make them readily identifiable.
GENERAL INFORMATION ITEMS
computer and peripheral hardware listing | _______ |
purchased and written software listing | _______ |
data processing organization chart | _______ |
data center and department floor plan | _______ |
departmental position descriptions | _______ |
network diagram | _______ |