III. Specific procedures by audit area
A. IT Administration
- 1. Evaluate the questionnaire responses in this area and document any items that required additional investigation/follow-up. (A-1)
- 2. Review the placement of data processing in the organization in terms of its overall effectiveness. (A-2)
- 5. Evaluate the long-range plan in terms of supporting business objectives, consistency with the business plan, meeting management's objectives, and being properly developed in terms of scope, detail, quantitative analysis, and responsibility. (A-3)
- 4. Obtain and review appropriate expense and budget statements, paying particular attention to significant fluctuations between periods or any unusual items. (A-4)
- 5. Evaluate the job descriptions based on the business structure and observed regular responsibilities. (A-5)
- 6. Evaluate the IT standards manual in terms of scope, being up to date, and general qualitative usefulness. (A-6)
- 7. Test the data processing hardware inventory using a judgmental sample. Document the process and the results. (A-7)
- 8. Test the responses not covered by the specific steps above by observation and any other measures deemed appropriate, and document the work done. (A-99)
- 9. Formulate a conclusion regarding the adequacy of controls in this area. (A-MEMO)
B. Physical Security
- 1. Evaluate the questionnaire responses in this area and document any items that required additional investigation/follow-up. (B-1)
- 2. Review the data center layout in the carryforward workpapers and ensure that all security features are clearly identified. (CF-??)
- 3. Test the responses by observation and any other measures deemed appropriate, and document the work done. (B-2)
- 4. Test the responses not covered by the specific steps above by observation and any other measures deemed appropriate, and document the work done. (B-99)
- 5. Formulate a conclusion regarding the adequacy of controls in this area. (B-MEMO)
C. Logical Security
- 1. Evaluate the questionnaire responses in this area and document any items that required additional investigation/follow-up. (C-1)
- 2. Cross-reference the questionnaire responses with the system values printout, noting and investigating any differences. (C-6)
- 3. Attempt to sign on with vendor-supplied profiles to ensure that the passwords were changed since the hardware was installed. (C-2)
- 4. Test other password controls to the extent possible, and document the results. (C-3)
- 5. Test the user profile management process for appropriate documentation, approval, and profile information consistent with the original authorization. (C-4)
- 6. Review all user profiles for consistency in the way they are set up and authorized to use the system, including any special capabilities granted, exceptions to established password management rules, etc. Document the results of this review. (C-5)
- 7. Obtain an extract of the history log, review it for noteworthy or unusual items, and document the procedures performed and the results obtained. (C-7)
- 8. Test the responses not covered by the specific steps above by observation and any other measures deemed appropriate, and document the work done. (C-99)
- 9. Formulate a conclusion regarding the adequacy of controls in this area. (C-MEMO)
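As an added illustration of steps C-2 through C-6 (not part of the audit program itself), the following Python script reviews a constructed user-profile extract against assumed policy values and lists the exceptions an auditor would document. The column names, profile names, special-authority values and policy figures are all assumptions for illustration.

```python
# Added example: review a user-profile extract for the exceptions that audit
# steps C-2 (vendor-supplied passwords), C-3 (password controls) and C-6
# (special capabilities) ask to be documented. All data below is constructed.
import csv
import io
from datetime import date

# Constructed extract, one row per user profile; column names are hypothetical.
PROFILE_EXTRACT = """\
profile,status,special_authority,pwd_expiry_days,pwd_required,pwd_changed,vendor_supplied
VENDOR_ADMIN,ENABLED,ADMIN,90,Y,2023-11-02,Y
VENDOR_SVC,ENABLED,ADMIN,90,Y,2021-01-10,Y
JSMITH,ENABLED,NONE,90,Y,2024-01-15,N
ACCTG01,ENABLED,OPERATOR,0,Y,2024-02-01,N
BATCHRUN,ENABLED,ADMIN,90,N,2024-02-01,N
OLDTEMP,DISABLED,NONE,90,Y,2022-05-05,N
"""

# Assumed policy values taken from the questionnaire responses: maximum
# password age in days and the date the hardware was installed.
POLICY_MAX_PWD_DAYS = 90
INSTALL_DATE = date(2022, 6, 1)


def review_profiles(extract_text, max_pwd_days, install_date):
    """Return (profile, finding) tuples for the auditor to follow up."""
    findings = []
    for row in csv.DictReader(io.StringIO(extract_text)):
        name = row["profile"]
        if row["status"] != "ENABLED":
            continue  # a disabled profile cannot sign on; review separately
        changed = date.fromisoformat(row["pwd_changed"])
        # C-2: vendor-supplied profile whose password predates installation
        if row["vendor_supplied"] == "Y" and changed < install_date:
            findings.append((name, "vendor-supplied password not changed since install"))
        # C-3: exceptions to the established password management rules
        if row["pwd_required"] != "Y":
            findings.append((name, "password not required"))
        expiry = int(row["pwd_expiry_days"])  # 0 is taken to mean never expires
        if expiry == 0 or expiry > max_pwd_days:
            findings.append((name, f"password expiry {expiry} days not within policy maximum {max_pwd_days}"))
        # C-6: special capabilities granted beyond the default
        if row["special_authority"] != "NONE":
            findings.append((name, f"special authority: {row['special_authority']}"))
    return findings


if __name__ == "__main__":
    for profile, finding in review_profiles(PROFILE_EXTRACT, POLICY_MAX_PWD_DAYS, INSTALL_DATE):
        print(f"{profile}: {finding}")
```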
IV.
A. Change Management
- 1. Evaluate the questionnaire responses in this area and document any items that required additional investigation/follow-up. (D-1)
- 2. To the extent possible, perform tests of the change management system that will address reviewing the changed code, evaluating the authorization process, and checking the testing and documentation that was done. (D-2)
- 3. Test the responses not covered by the specific steps above by observation and any other measures deemed appropriate, and document the work done. (D-99)
- 4. Formulate a conclusion regarding the adequacy of controls in this area. (D-MEMO)
B. Backup, Recovery, and Contingency Planning
- 1. Evaluate the questionnaire responses in this area and document any items that required additional investigation/follow-up. (E-1)
- 2. Evaluate the backup strategy as it relates to the business done by the locations served by the installation, and document the results. (E-2)
- 3. Evaluate the disaster recovery plan, and document the results. (E-3)
- 4. Evaluate the overall recovery strategy. (E-4)
- 5. Test the responses not covered by the specific steps above by observation and any other measures deemed appropriate, and document the work done. (E-99)
- 6. Formulate a conclusion regarding the adequacy of controls in this area. (E-MEMO)
C. Operations
- 1. Evaluate the questionnaire responses in this area and document any items that required additional investigation/follow-up. (F-1)
- 2. Evaluate the operations run manual for being up to date, complete, well organized, and addressing other local factors as needed. (F-2)
- 3. Test the responses by observation and any other measures deemed appropriate, and document the work done. (F-3)
- 4. Test the responses not covered by the specific steps above by observation and any other measures deemed appropriate, and document the work done. (F-99)
- 5. Formulate a conclusion regarding the adequacy of controls in this area. (F-MEMO)
D. Application review: Automated Application System 1
- 1. Obtain and/or prepare flowcharts, narratives, and other documents to describe the applications and functions under review. This documentation should be clearly marked to indicate control points, strengths, and weaknesses, and include the following:
- a. Identification of key transactions
- b. Identification of controls over those transactions
- c. Identification of key files
- d. Identification of controls over those files
- e. Access controls over the application and its functions
- f. Backup, recovery, and restart procedures
- 2. Evaluate the information obtained in the prior step in terms of potential opportunities for more efficient business practices.
- 3. Perform substantive testing, either on a walkthrough, judgmental, or statistical sample basis, to confirm the understanding and information obtained from the two previous steps.
- 4. Formulate a conclusion regarding the adequacy of controls in this area.
E. Application review: Automated Application System 2
- 1. Obtain and/or prepare flowcharts, narratives, and other documents to describe the applications and functions under review. This documentation should be clearly marked to indicate control points, strengths, and weaknesses, and include the following:
- a. Identification of key transactions
- b. Identification of controls over those transactions
- c. Identification of key files
- d. Identification of controls over those files
- e. Access controls over the application and its functions
- f. Backup, recovery, and restart procedures
- 2. Evaluate the information obtained in the prior step in terms of potential opportunities for more efficient business practices.
- 3. Perform substantive testing, either on a walkthrough, judgmental, or statistical sample basis, to confirm the understanding and information obtained from the two previous steps.
- 4. Formulate a conclusion regarding the adequacy of controls in this area.