

Change Management

The review of change management has five tasks.

Task 1: Review Security and Control Questionnaire. The IT auditor should make a copy of the change management and systems development portion of the security and control questionnaire so that the original completed questionnaire can be kept whole in the carry-forward workpapers. The auditor should evaluate the questionnaire responses and document any items that required additional investigation or follow up.

Task 2: Test to Ensure that All Change Control Features Are Operational. The IT auditor should test the procedures identified in task 1 to ensure that all of the appropriate control features are in place and functioning. This procedure should take between two and eight hours to complete, depending on the extent of the testing required.

Task 3: Test the Change Control Management Process. The IT auditor must determine the extent of testing that is desirable for the current audit, which is most likely based on the need to reach a conclusion on the reliability of the change management process. Once the extent of testing is determined, the auditor should perform the tests that address reviewing the changed code, evaluating the authorization process, and verifying the testing and documentation that was done.

Task 4: Review and Evaluate the Questionnaire Responses. The IT auditor should, before preparing the conclusion memo for this area, review the control questionnaire responses to determine if any of them have not been reviewed or tested in any way. Any items identified during this task should either be further evaluated or noted in the workpapers to indicate why no evaluation was needed.

Task 5: Prepare a Summarization Memo. The IT auditor should prepare a memo summarizing the work performed in the change management control area, including any potential findings and any other information deemed important.

Backup, Recovery, and Contingency Planning

The review of backup, recovery, and contingency planning has five tasks.

Task 1: Review Security and Control Questionnaire. The IT auditor should make a copy of this portion of the security and control questionnaire so that the original completed questionnaire can be kept whole in the carry-forward workpapers. The auditor should evaluate the questionnaire responses and document any items that required additional investigation or follow-up.

Task 2: Identify, Test, and Document Backup Procedures. The IT auditor should identify the strategy for making periodic backups as it relates to the business conducted by the locations served by the installation. The results should be documented.

Task 3: Obtain and Evaluate the Corporate Business Continuity Plan. The IT auditor should obtain and evaluate the business continuity plan for the data center under review and for the business location by using the audit program included as Workpaper 11-1. If a plan is in place, even if the plan only covers the recovery of the data center, the estimated time to complete this task is between four and eight hours. A comprehensive business plan could add 10 to 15 hours to the review. As with other control areas, the final time required for this task is dependent on the level of testing desired and the results of those testing procedures.

Task 4: Review Questionnaire Responses. The IT auditor should, before preparing the conclusion memo for this area, review the questionnaire responses to determine if any of them have not been reviewed or tested in any way. Any items identified during this task should either be evaluated or noted in the workpapers to indicate why no further evaluation was needed.

Task 5: Prepare a Summarization Memo. The IT auditor should prepare a memo summarizing the work performed in the backup, recovery, and contingency planning area, including potential findings and any other information deemed important.

AUDIT FINALIZATION

The IT auditor should review the workpapers for clarity and completeness. The auditor should have the workpapers reviewed by a manager and clear all manager’s review notes.

The auditor should perform the following tasks to issue the final report:

1.  Prepare a draft report.
2.  Have the draft reviewed, clearing all questions and comments.
3.  Mail the draft to the auditee for review and response development.
4.  If the responses are not received as scheduled, contact the auditee by telephone to determine when the responses can be expected.
5.  Evaluate the responses for adequacy; add them to the draft report; and review them with Internal Audit management as needed.
6.  Based on the preceding tasks, prepare a final report.

The auditor should complete the audit program and any other remaining pieces of the audit and submit the final workpapers for filing and appropriate retention.

Workpaper 14-1. Network Questionnaire (Novell)

GENERIC DOMESTIC COMPANY
Information Technology Internal Control Questionnaire
(Novell LAN Version)
SEGMENT _______________________
DIVISION _______________________
CITY/STATE _______________________
PREPARED BY _______________________ DATE _______________________
PREPARED BY _______________________ DATE _______________________
PREPARED BY _______________________ DATE _______________________
PREPARED BY _______________________ DATE _______________________

INTRODUCTION

This questionnaire was developed to gather the basic data required to evaluate information technology internal controls. We appreciate your timely completion of this questionnaire. The time spent completing it will greatly reduce our onsite interview and documenting time.

ASSUMPTIONS

1. A “No” or “NA” does not automatically identify a problem.
2. The “comments” sections provided at the end of a question, or group of questions, can be used for comments, explanations, or even questions to be followed up when we are on site.
3. This is not a policy document. You should not interpret the questions as requiring compliance, unless the question references established policies within Generic Domestic Company.

INSTRUCTIONS

This document is divided into several sections, each containing three types of questions. There are questions requiring a specific response, which have a space for the data. Other questions require a response of “Yes”, “No”, or “NA”, and have a response block and space for your comments, explanations, or questions. There are also tables that should be self-explanatory. This document is set up in table format. All responses can be included in the document itself (with the exception of requested attachments).

GENERAL INFORMATION ITEMS

Please attach documents covering the following topics and check (✓) the items that are attached.

______Computer and peripheral hardware listing
______Purchased and written software listing
______Organization chart and position descriptions
______Data center and department floor plan
______Network diagram
______Login Script(s), Mapping, File Server Directory Tree

TABLE OF CONTENTS

GENERAL CONTROL TOPICS                       SECTION
Administration                               A
Physical security                            B
Logical security                             C
Change management                            D
Backup, recovery, and contingency planning   E
Operations                                   F
