- P Is there a standard form used to request additions and/or changes to existing and proposed systems? _____ If so, please attach a copy of the blank form, and a copy of one that has been filled out and the project completed. Are there written procedures for using it? _____ Again, please attach a copy.
- Q If there are no written procedures for requesting projects, please describe the process below:
__________________________________________________________
__________________________________________________________
__________________________________________________________
- R Are there separate libraries for:
- program development?_____
- program testing?_____
- production programs?_____
- S Is there a standard procedure within data processing for approving a new or changed program? _____ If yes, please attach a copy of the standard procedure.
- T Is there a review of the source code to evaluate the actual changes made by the programmer? _____ If so, describe how it is done and any documentation retained.
__________________________________________________________
__________________________________________________________
- U Is systems documentation required to be prepared or updated? _____ If so, please describe the documentation required and attach an example of it.
__________________________________________________________
__________________________________________________________
- V Is user documentation required as part of this process? _____ If so, indicate who has responsibility for preparing and maintaining it. Also attach an example of several pages from such documentation.
__________________________________________________________
__________________________________________________________
- W Describe the normal procedures for testing new and/or enhanced systems prior to their going into production.
__________________________________________________________
__________________________________________________________
__________________________________________________________
- X Are programmers restricted from adding new or changed programs directly into production libraries? _____ If so, describe how that is accomplished.
__________________________________________________________
__________________________________________________________
__________________________________________________________
- Y Are source programs recompiled after being transferred into the production library? _____
- Z Is a log or standard form kept for all additions and changes to the production environment? _____ If so, attach an example of a completed log sheet or form.
- AA Are testing or acceptance procedures for purchased programs different from those for in-house programs? _____ If so, please describe the difference.
__________________________________________________________
__________________________________________________________
- AB How are updates to purchased application software made?
__________________________________________________________
__________________________________________________________
- AC Is user training a part of the systems development and maintenance process? _____ If so, describe the training procedures in the area below.
__________________________________________________________
__________________________________________________________
- AD Indicate what documentation is usually present for company applications.
system narrative _____
| printer layouts _____
|
system flowchart _____
| operator instructions _____
|
program listing _____
| program narratives _____
|
program history _____
| data descriptions _____
|
other (specify) _____________________________________
|
_____________________________________
|
- AE Are there any programs for which the source code is not available? _____ If so, indicate which ones, and how any necessary maintenance is done.
__________________________________________________________
__________________________________________________________
- AF Is there a practice of conducting post-implementation reviews for significant projects? _____ If so, please describe the process, what deliverables it has, and what happens to the information. Also, provide one example of the report from such a review.
__________________________________________________________
__________________________________________________________
__________________________________________________________
Thank you for your time and cooperation in completing this information request form. If you have any questions or comments regarding this survey, please contact [INSERT APPROPRIATE AUDITOR NAME, INSERT DEPARTMENT, at (xxx)-xxx-xxxx.]
Workpaper 12-2. Generic Program
Please note that wherever possible the standard workpaper reference for the workpaper addressing a particular audit program step has been indicated in parentheses and boldface type. If a procedure has not been performed, the reason for that will either be indicated on the audit program itself or else on the indicated workpaper.
I. Planning the audit
- A. Contact the location personnel responsible for coordinating the audit to confirm the basic scope of the expected procedures and the timing of the various audit phases.
- B. Send a letter to the primary contact at the location confirming the information discussed in the prior step. (AA-11.2)
- C. Prepare an audit planning memo based on the expected scope of the audit, a review of the previous report and workpapers, and any other items as needed. (AA-1)
- D. Define the specific audit program for the engagement. This may be done directly from the standard program for this area (noting any steps not being done due to scope or time limitations) or developed specifically for the engagement. (AA-2)
- E. Send out the IT Internal Control Questionnaire, specifying a date for its completion that will permit time to have it returned and to review it before leaving for the field. (If there is a questionnaire from a previous audit, and it is not materially different from the questionnaire currently in use, copy it and have the location personnel update the prior form.)
- F. Obtain prior audit reports related to this location, and place a copy in the workpapers. (AA-6.2)
- G. Review past audit files for permanent and carryforward information, and incorporate any found into the current workpapers. (AA-3)
- H. Set up any necessary files that will facilitate performance of fieldwork.
II. Performing field procedures
- A. Conduct an entrance conference, and document the results of the meting. (AA-4)
- B. Prepare a listing of all issues from the prior audit, and indicate the current status of each of those items. (AA-6.1)
- C. Take a plant tour, noting any unusual items or observations. (AA-7)
- D. Document all audit finding and potential exceptions in the audit point section of the workpapers. (APSUM)