SlideShare a Scribd company logo

Audit Checklist for Information Systems

Download as DOCX, PDF
Ahmad Tariq Bhatti
Ahmad Tariq Bhatti

IS - Audit Checklist for all companies. The checklist comprehensively covers audit aspects of management information systems.

Education
1 of 19
Audit Checklist Management Information Systems Ahmad Tariq Bhatti FCMA, FPA, MA (Economics), BSc
No. Description Yes No N/A A ORGANISATION AND ADMINISTRATION Audit Objective - Does the organization of data processing provide for adequate segregation of duties? Audit Procedures - Review the company organization chart, and the data processing department organization chart. 1 Is there a separate EDP department within the company? Is there a steering committee where the duties and responsibilities 2 for managing MIS are clearly defined? Has the company developed an IT strategy linked with the long and 3 medium term plans? Is the EDP Department independent of the user department and in 4 particular the accounting department? Are there written job descriptions for all jobs within EDP 5 department and these job descriptions are communicated to designated employees? Are EDP personnel prohibited from having incompatible 6 responsibilities or duties in user departments and vice versa? 7 Are there written specifications for all jobs in the EDP Department? Are the following functions within the EDP Department performed 8 by separate sections:  System design?  Application programming?  Computer operations?  Database administration?  Systems programming?  Data entry and control? Are the data processing personnel prohibited from duties relating 9 to:  Initiating transactions?  Recording of transactions? (2/20)
 Master file changes?  Correction of errors? Are all processing pre-scheduled and authorized by appropriate 10 personnel? Are there procedures to evaluate and establish who has access to 11 the data in the database? 12 Are the EDP personnel adequately trained? Are systems analysts programmers denied access to the computer 13 room and limited in their operation of the computer? Are operators barred from making changes to programs and from 14 creating or amending data before, during, or after processing? Is the custody of assets restricted to personnel outside the EDP 15 department? Is strategic data processing plan developed by the company for the 16 achievement of long-term business plan? Are there any key personnel within IT department whose absence 17 can leave the company within limited expertise? 18 Are there any key personnel who are being over-relied? Is EDP audit being carried by internal audit or an external 19 consultant to ensure compliance of policies and controls established by management? B PROGRAM MAINTENANCE AND SYSTEM DEVELOPMENT Audit Objective - Development and changes to programs are authorized, tested, and approved, prior to being placed in production. Program Maintenance Audit - Procedures Review details of the program library structure, and note controls - which allow only authorized individuals to access each library. - Note the procedures used to amend programs. Obtain an understanding of any program library management - software used. (3/20)
1 Are there written standards for program maintenance? 2 Are these standards adhered to and enforced? 3 Are these standards reviewed regularly and approved? Are there procedures to ensure that all programs required for 4 maintenance are kept in a separate program test library? Are programmers denied access to all libraries other than the test 5 library? Are changes to programs initiated by written request from user 6 department and approved? Are changes initiated by Data Processing Department 7 communicated to users and approved by them? Are there adequate controls over the transfer of programs from 8 production into the programmer's test library? Are all systems developed or changes to existing system tested 9 according to user approved test plans and standards? Are tests performed for system acceptance and test data 10 documented? Are transfers from the development library to the production 11 library carried out by persons independent of the programmers? Do procedures ensure that no such transfer can take place 12 without the change having been properly tested and approved? Is a report of program transfers into production reviewed on a 13 daily basis by a senior official to ensure only authorized transfers have been made? 14 Are all program changes properly documented? 15 Are all changed programs immediately backed up? Is a copy of the previous version of the program retained (for use 16 in the event of problems arising with the amended version)? Are there standards for emergency changes to be made to 17 application programs? 18 Are there adequate controls over program recompilation? 19 Are all major amendments notified to Internal audit for comment? Are there adequate controls over authorization, implementation, 20 approval and documentation of changes to operating systems? (4/20)
C SYSTEM DEVELOPMENT Are there formalized standards for system development life cycle 1 procedure? Do they require authorization at the various stages of development 2 – feasibility study, system specification, testing, parallel running, post implementation review, etc.? Do the standards provide a framework for the 3 development of controlled applications? 4 Are standards regularly reviewed and updated? 5 Do the adequate system documentation exist for:  Programmers to maintain and modify programs?  Users to satisfactorily operate the system? Have the internal audit department been involved in the design 6 stage to ensure adequate controls exist? 7 Testing of programs - see Program Maintenance. Procedures for authorizing new applications to production - see 8 Program Maintenance. Are user and data processing personnel adequately trained to use 9 the new applications? Is system implementation properly planned and implemented by 10 either parallel run or pilot run? Are any differences and deficiencies during the implementation 11 phase noted and properly resolved? Are there adequate controls over the setting up of the standing 12 data and opening balances? 13 Is a post implementation review carried out? Are user manuals prepared for all new systems developed and 14 revised for subsequent changes? Is there a Quality Assurance Function to verify the integrity and 15 acceptance of applications developed? D PURCHASED SOFTWARE (5/20)
Are there procedures addressing controls over selection, testing 1 and acceptance of packaged softwares? 2 Is adequate documentation maintained for all softwares purchased? 3 Are vendor warranties (if any) still in force? 4 Is the software purchased, held in escrow? 5 Are backup copies of user/operations manual kept off-site? E ACCESS TO DATA FILES Audit Objective - Is access to data files restricted to authorized users and programs? - Access to Data Is there any formal written data security policy? Consider whether 1 the policy addresses data ownership, confidentiality of information, and use of password. Is the security policy communicated to individuals in the 2 organization? 3 Is physical access to off-line data files controlled in:  Computer room?  On-site library?  Off-site library? Does the company employ a full-time librarian who is 4 independent of the operators and programmers? 5 Are libraries locked during the absence of the librarian? 6 Are requests for on-line access to off line files approved? Are requests checked with the actual files issued and initialed by 7 the librarian? Are sensitive applications e.g. payroll, maintained on machines in 8 physically restricted areas? Are encryption techniques used to protect against unauthorized 9 disclosure or undetected modification of sensitive data? (6/20)
Are returns followed up and non returns investigated and 10 adequately documented? F COMPUTER PROCESSING 1 Does a scheduled system exist for the execution of programs? 2 Are non-scheduled jobs approved prior to being run? Is the use of utility programs controlled (in particular those that 3 can change executable code or data)? 4 Are program tests restricted to copies of live files? Is access to computer room restricted to only authorized 5 personnel? 6 Are internal and external labels used on files? 7 Are overrides of system checks by operators controlled? Are exception reports for such overrides pointed and reviewed by 8 appropriate personnel? Are sufficient operating instructions exist covering procedures to 9 be followed at operation? 10 If so, are these independently reviewed? Is integrity checking programs run periodically for checking the 11 accuracy and correctness of linkages between records? G ACCESS CONTROLS Is there any proper password syntax in-force ie minimum 5 and 1 maximum 8 characters and include alphanumeric characters? Are there satisfactory procedures for reissuing passwords to users 2 who have forgotten theirs? Are procedures in place to ensure the compliance of removal of 3 terminated employee passwords? Are system access compatibilities properly changed with regard to 4 personnel status change? Are individual job responsibilities considered when granting users 5 access privileges? (7/20)
6 Is each user allocated a unique password and user account? Are there procedures in place to ensure forced change of password 7 after every 30 days? 8 Is application level security violations logged? Do standards and procedures exist for follow up of security 9 violations? Do formal and documented procedures exist for use and 10 monitoring of dial up access facility? 11 Is use made of passwords to restrict access to specific files? 12 Do terminals automatically log off after a set period of time? Is there a limit of the number of invalid passwords before the 13 terminal closes down? Are there any administrative regulations limiting physical access to 14 terminals? Are invalid password attempts reported to user department 15 managers? Are restrictions placed on which applications terminals can 16 access? Are keys, locks, cards or other physical devises used to restrict 17 access to only authorized user? H APPLICATION CONTROLS - INPUT Audit Objective Do controls provide reasonable assurance that for each transaction - type, input is authorized, complete and accurate, and that errors are promptly corrected? Are all transactions properly authorized before being processed by 1 computers? 2 Are all batches of transactions authorized? (8/20)
Do controls ensure unauthorized batches or transactions are 3 prevented from being accepted ie they are detected? 4 Is significant standing data input verified against the master file? Is maximum use made of edit checking e.g. check digits, range and 5 feasibility checks, limit tests, etc.? Are there procedures to ensure all vouchers have been processed 6 e.g. batch totals, document counts, sequence reports, etc.? Are there procedures established to ensure that transactions or 7 batches are not lost, duplicated or improperly changed? 8 Are all errors reported for checking and correction? 9 Are errors returned to the user department for correction? 10 Do procedures ensure these are resubmitted for processing? Is an error log maintained and reviewed to identify recurring 11 errors? Are persons responsible for data preparation and data entry 12 independent of the output checking and balancing process? Are persons responsible for data entry prevented from amending 13 master file data? I OUTPUT AND PROCESSING Audit Objective - The controls provide reasonable assurance that transactions are properly processed by the computer and output (hard copy or other) is complete and accurate, and that calculated items have been accurately computed: Where output from one system is input to another, are run to run 1 totals, or similar checks, used to ensure no data is lost or corrupted? 2 Are there adequate controls over forms that have monetary value? (9/20)
Is maximum use made of programmed checks on limits, ranges 3 reasonableness, etc. and items that are detected reported for investigation? Where calculations can be 'forced' i.e. bypass a programmed 4 check, are such items reported for investigation? Where errors in processing are detected, is there a formal 5 procedure for reporting and investigation? Is reconciliation between input, output and brought forward 6 figures carried out and differences investigated? 7 Are suspense accounts checked and cleared on a timely basis? Are key exception reports reviewed and acted upon on a timely 8 basis? J VIRUSES 1 Is there any formal written anti-virus policy? Is the policy effectively communicated to individuals in the 2 organization? 3 Is there a list of approved software and suppliers? 4 Is only authorized software installed on microcomputers? 5 Is there a master library of such software? 6 Are directories periodically reviewed for suspicious files? 7 Are files on the system regularly checked for size changes? 8 Is anti-virus software installed on all microcomputers/laptops? 9 Is anti-virus software regularly updated for new virus definitions? Are suspicious files quarantined and deleted from the terminal’s 10 hard drive and network drive on regular basis? 11 Are diskettes formatted before re-use? Have procedures been developed to restrict or oversee the transfer 12 of data between machines? 13 Is staff prohibited from sharing machines (laptops/desktops)? Is software reloaded from the master diskettes after machine 14 maintenance? (10/20)
15 Has all staff been advised of the virus prevention procedures? Are downloads from internet controlled by locking the hard-drive 16 and routing it through network drive to prevent the virus (if any) from spreading? K INTERNET Is there any proper policy regarding the use of internet by the 1 employees? Does the policy identify the specific assets that the firewall is 2 intended to protect and the objectives of that protection? Does the policy support the legitimate use and flow of data and 3 information? 4 Is information passing through firewall is properly monitored? Determine whether management approval of the policy has been 5 sought and granted and the date of the most recent review of the policy by the management? Is the policy properly communicated to the users and awareness is 6 maintained? 7 Have the company employed a Firewall Administrator? 8 Is firewall configured as per security policy? 9 Is URL screening being performed by Firewall? 10 Is anti-virus inspection enabled? Are packets screened for the presence of prohibited words? If so, 11 determine how the list of words is administered and maintained. Are access logs regularly reviewed and any action is taken on 12 questionable entries? L CONTINUITY OF OPERATIONS Physical Protection L.I Fire Hazard (11/20)
1 Check the safety against fire in the following ways:  Building materials fire resistant?  Wall and floor coverings non-combustible?  Separation from hazardous areas (e.g. fire doors)?  Separation from combustible materials (e.g. paper, fuel)?  Smoking restriction?  Fire resistant safes (for tapes, disks and documentation)? 2 Check the appropriate arrangements of fire detection devices:  Smoke/ Heat-rise detectors?  Detectors located on ceiling and under floor?  Detectors located in all key EDP areas?  Linked to fire alarm system? 3 Check the appropriate arrangements for fire fighting:  Halon gas system (for key EDP areas)  Automatic sprinkler system  Portable CO2, extinguishers (electrical fires)  Ease of access for fire services 4 Check appropriate arrangements in case of fire emergency:  Fire instructions clearly posted  Fire alarm buttons clearly visible  Emergency power-off procedures posted  Evacuation plan, with assignment of roles and responsibilities 5 Check if there is training to avoid fire emergecny:  Regular fire drill and training  Regular inspection/testing of all computing equipment L.II AIR CONDITIONING Monitoring of temperature and humidity in EDP area (12/20)
 Heat, fire and access protection of sensitive air-conditioning parts (eg. cooling tower)  Air intakes located to avoid undesirable pollution  Back-up air conditioning equipment L.III Power Supply  Reliable local power supply  Separate computer power supply  Line voltage monitored  Power supply regulated (For voltage fluctuation)  Uninterrupted power supply (eg. Battery system) available  Alternative power supply (eg. Generator) Emergency lighting system L.IV Communications Network  Physical protection of communications lines modems, multiplexors and processors  Location of communication equipment separate from main EDP equipment  Back-up and dial-up lines for direct lines L.V Machine (Servers) Room Layout  Printers, plotters located in separate area  Printout preparation (eg. bursting) located in separate area  Tape/Disk library in separate area Machine room kept tidy  Practical location of security devices  Emergency power off switches (13/20)
 Alarms  Extinguishers  Environment monitoring equipment L.VI Access Control Entrance Routes (EDP areas):  No unnecessary entrances to the computer room  Non-essential doors always shut and locked to the outside (eg, Fire exits)  Air vent and daylight access location  Protected and controlled use of all open doors M ACCESS CONTROL 1 Access restricted to selected employees 2 Prior approval required for all other employees 3 Entrance door controlled by:  Screening by a guard  Locks/combinations  Electronic badge/key  Other - biological identification devices 4 Positive identification of all employees (eg. identification card) 5 Verification of all items taken into and out of the computer room Access controlled on 24 hours basis including weekends (eg, 6 automatic control mechanism) 7 Locks, combinations, badge codes changed periodically M.I Visitor Control (14/20)
1 Positive identification always required 2 Badges issued, controlled and returned on departure 3 All visits logged in and out 4 Visitors accompanied and observed at all times M.II Terminal Security 1 All terminals located in secure areas Alarm system used to control microcomputers from being 2 disconnected or moved from its location. Sensitive applications eg payroll, maintained on machines in 3 physically restricted area. 4 Terminal keys/locks used 5 Passwords changed regularly 6 Identification labels been placed on each terminal. M.III General Security Waste regularly removed from EDP area and sensitive data 1 shredded. 2 Window and door alarm system. 3 Closed circuit television monitoring ie CCTV cameras. N PERSONNEL POLICIES – MIS STAFF New employees recruited according to job description and job 1 specification. 2 Employee identity cards issued. 3 Performance evaluation and regular counseling. 4 Continuing education program. 5 Training in security, privacy and recovery procedures. 6 All functions covered by cross training. (15/20)
Critical jobs rotated periodically (e.g. operators, program 7 maintenance). 8 Clean desk policy enforced. 9 Fidelity insurance for key personnel. 10 Contract service personnel vetted (e.g. cleaners) O INSURANCE 1 Does adequate insurance exist to cover:  Equipment?  Software and documentation?  Storage media?  Replacement/ re-creation cost?  Loss of data/assets (eg. Accounts receivable)?  Business loss or interruption (business critical systems)? Is adequate consideration given to cover additional cost of working 2 and consequential losses? P BACK-UP PROCEDURES P.I Equipment (computer and ancillary) 1 Regular preventive maintenance Reliable manufacturer service Arrangements for back-up 2 installation Formal written agreement 3 Compatibility regularly checked 4 Sufficient computer time available at back-up 5 Testing at back-up regularly performed P.II Outside Suppliers (non continuance/ disaster) (16/20)
- (eg, suppliers of equipment, computer time, software) 1 Alternative sources of supply/ maintenance/ service available Adequate and secure documentation/ back-up of data and 2 programs Are backup copies of system documentation kept in a secure 3 location? P.III Off-site Storage: 1 Secure separate location 2 Adequate physical protection. Log maintained of off-site materials 3 Off- site Inventory regularly reviewed 4 File transportation under adequate physical protection 5 Back-up files periodically tested P.IV Data Files 1 File criticality and retention procedure regularly reviewed P.V Tape 1 At least three generations of important tape files retained 2 Copies of all updating transactions for above retained At least one generation and all necessary updating transactions in 3 off-site storage P.VI Disc 1 Checkpoint/restart procedures provided for Audit trail (log file) of transactions updating on-line files (data 2 base) maintained 3 Regular tape dumps of all disc files stored off-site (17/20)
4 Audit trail (log file) regularly dumped and stored off-site P.VII Software Copies of following maintained at off-site storage: Production 1 application programs  Major programs under development  System and program documentation  Operating procedures  Operation and system software  All copies regularly updated  Back-up copies regularly tested P.VIII Operations 1 Back-up procedure manual 2 Priority assignments for all applications Procedures for restoring data files and software Procedures for 3 back-up installation Q DISASTER RECOVERY PLANS Is a comprehensive contingency plan developed, documented and 1 periodically tested to ensure continuity in data processing services? Does the contingency plan provide for recovery and extended 2 processing of critical applications in the event of catastrophic disaster? 3 Has any Business Impact Analysis carried out by the company? Are all recovery plans approved and tested to ensure their 4 adequacy in the event of disaster? 5 Communicated to all management and personnel concerned (18/20)
Critical processing priorities identified (eg. Significant accounting 6 applications) Are disaster recovery teams established to support disaster 7 recovery plan? Are responsibilities of individuals within disaster recovery team 8 defined and time allocated for completion of their task? Operations procedures for use of equipment and software back- 9 up Has the company developed and implemented 10 adequate plan maintenance procedures? 11 Are priorities set for the development of critical systems? Does a hardware maintenance contract exist with a reputable 12 supplier? 13 Does the recovery plan ensure, in the event of failure:  No loss of data received but not processed  No reprocessing of data already processed  Files not corrupted by partially completed processing 14 Are recovery plans regularly tested? (19/20)

Recommended

System audit questionnaire
System audit questionnaireSystem audit questionnaire
System audit questionnaireNicholas Kaptingei
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Dinesh O Bareja
 
03.1 general control
03.1 general control03.1 general control
03.1 general controlMulyadi Yusuf
 
Audit of it infrastructure
Audit of it infrastructureAudit of it infrastructure
Audit of it infrastructurepramod_kmr73
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security AuditMufaddal Nullwala
 
IT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsIT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsEd Tobias
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
Audit Sample Report
Audit Sample ReportAudit Sample Report
Audit Sample ReportRandy James
 

Recommended

System audit questionnaire
System audit questionnaireSystem audit questionnaire
System audit questionnaireNicholas Kaptingei
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Dinesh O Bareja
 
03.1 general control
03.1 general control03.1 general control
03.1 general controlMulyadi Yusuf
 
Audit of it infrastructure
Audit of it infrastructureAudit of it infrastructure
Audit of it infrastructurepramod_kmr73
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security AuditMufaddal Nullwala
 
IT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsIT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsEd Tobias
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
Audit Sample Report
Audit Sample ReportAudit Sample Report
Audit Sample ReportRandy James
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistIvan Piskunov
 
IT General Controls
IT General ControlsIT General Controls
IT General ControlsCicero Ray Rufino
 
Auditing application controls
Auditing application controlsAuditing application controls
Auditing application controlsCenapSerdarolu
 
5.4 it security audit (mauritius)
5.4 it security audit (mauritius)5.4 it security audit (mauritius)
5.4 it security audit (mauritius)Corporate Registers Forum
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?PECB
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditingDamilola Mosaku
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Hendri Eka Saputra
 
ISO 27001 - Information Security Management System
ISO 27001 - Information Security Management SystemISO 27001 - Information Security Management System
ISO 27001 - Information Security Management SystemMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?Ulf Mattsson
 
ITGC audit of ERPs
ITGC audit of ERPsITGC audit of ERPs
ITGC audit of ERPsJayesh Daga
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentationMidhun Nirmal
 
Cobit
CobitCobit
Cobitifourkhushbooshah
 
It audit methodologies
It audit methodologiesIt audit methodologies
It audit methodologiesSalih Islam
 
Checklist
ChecklistChecklist
Checklistdygmasnah65
 
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)Muhammad Azmy
 
ISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdfISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdfAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologiesgenetics
 
ServiceNow Governance, Risk, and Compliance
ServiceNow Governance, Risk, and Compliance ServiceNow Governance, Risk, and Compliance
ServiceNow Governance, Risk, and Compliance Jade Global
 
ISO 20000-1:2018 Awareness and Auditor Training PPT Presentation kit for ITSM
ISO 20000-1:2018 Awareness and Auditor Training PPT Presentation kit for ITSMISO 20000-1:2018 Awareness and Auditor Training PPT Presentation kit for ITSM
ISO 20000-1:2018 Awareness and Auditor Training PPT Presentation kit for ITSMGlobal Manager Group
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and CertificationControlCase
 
Project audit & review checklist
Project audit & review checklistProject audit & review checklist
Project audit & review checklistRam Srivastava
 
Apresentação Executiva TQI
Apresentação Executiva TQIApresentação Executiva TQI
Apresentação Executiva TQIGabriel.s
 

More Related Content

What's hot

ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistIvan Piskunov
 
Auditing application controls
Auditing application controlsAuditing application controls
Auditing application controlsCenapSerdarolu
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?PECB
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditingDamilola Mosaku
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Hendri Eka Saputra
 
What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?Ulf Mattsson
 
ITGC audit of ERPs
ITGC audit of ERPsITGC audit of ERPs
ITGC audit of ERPsJayesh Daga
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentationMidhun Nirmal
 
It audit methodologies
It audit methodologiesIt audit methodologies
It audit methodologiesSalih Islam
 
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)Muhammad Azmy
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologiesgenetics
 
ServiceNow Governance, Risk, and Compliance
ServiceNow Governance, Risk, and Compliance ServiceNow Governance, Risk, and Compliance
ServiceNow Governance, Risk, and Compliance Jade Global
 
ISO 20000-1:2018 Awareness and Auditor Training PPT Presentation kit for ITSM
ISO 20000-1:2018 Awareness and Auditor Training PPT Presentation kit for ITSMISO 20000-1:2018 Awareness and Auditor Training PPT Presentation kit for ITSM
ISO 20000-1:2018 Awareness and Auditor Training PPT Presentation kit for ITSMGlobal Manager Group
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and CertificationControlCase
 

What's hot (20)

ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) Checklist
 
IT General Controls
IT General ControlsIT General Controls
IT General Controls
 
Auditing application controls
Auditing application controlsAuditing application controls
Auditing application controls
 
5.4 it security audit (mauritius)
5.4 it security audit (mauritius)5.4 it security audit (mauritius)
5.4 it security audit (mauritius)
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditing
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)
 
ISO 27001 - Information Security Management System
ISO 27001 - Information Security Management SystemISO 27001 - Information Security Management System
ISO 27001 - Information Security Management System
 
What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?
 
ITGC audit of ERPs
ITGC audit of ERPsITGC audit of ERPs
ITGC audit of ERPs
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
 
Cobit
CobitCobit
Cobit
 
It audit methodologies
It audit methodologiesIt audit methodologies
It audit methodologies
 
Checklist
ChecklistChecklist
Checklist
 
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
 
ISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdfISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdf
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologies
 
ServiceNow Governance, Risk, and Compliance
ServiceNow Governance, Risk, and Compliance ServiceNow Governance, Risk, and Compliance
ServiceNow Governance, Risk, and Compliance
 
ISO 20000-1:2018 Awareness and Auditor Training PPT Presentation kit for ITSM
ISO 20000-1:2018 Awareness and Auditor Training PPT Presentation kit for ITSMISO 20000-1:2018 Awareness and Auditor Training PPT Presentation kit for ITSM
ISO 20000-1:2018 Awareness and Auditor Training PPT Presentation kit for ITSM
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and Certification
 

Viewers also liked

Project audit & review checklist
Project audit & review checklistProject audit & review checklist
Project audit & review checklistRam Srivastava
 
Apresentação Executiva TQI
Apresentação Executiva TQIApresentação Executiva TQI
Apresentação Executiva TQIGabriel.s
 
Senior database administrator performance appraisal
Senior database administrator performance appraisalSenior database administrator performance appraisal
Senior database administrator performance appraisalTayeaiwo789
 
Database administrator performance appraisal
Database administrator performance appraisalDatabase administrator performance appraisal
Database administrator performance appraisaltaylorshannon964
 
Applicant Tracking System Vendor Criteria Checklist
Applicant Tracking System Vendor Criteria ChecklistApplicant Tracking System Vendor Criteria Checklist
Applicant Tracking System Vendor Criteria ChecklistMatt Charney
 
How to Effectively Audit your IT Infrastructure
How to Effectively Audit your IT InfrastructureHow to Effectively Audit your IT Infrastructure
How to Effectively Audit your IT InfrastructureNetwrix Corporation
 
Iso 9001-internal-audit-checklist
Iso 9001-internal-audit-checklistIso 9001-internal-audit-checklist
Iso 9001-internal-audit-checklistPHILIP TEO
 
Internal Control Questionnaires (ICQs)
Internal Control Questionnaires (ICQs)Internal Control Questionnaires (ICQs)
Internal Control Questionnaires (ICQs)Ahmad Tariq Bhatti
 
Project Auditing
Project AuditingProject Auditing
Project AuditingSalih Islam
 
Audit of-primary-school-website-rag-check-list-template (1)
Audit of-primary-school-website-rag-check-list-template (1)Audit of-primary-school-website-rag-check-list-template (1)
Audit of-primary-school-website-rag-check-list-template (1)Julia Skinner
 
4 Prerequisites for DevOps Success
4 Prerequisites for DevOps Success4 Prerequisites for DevOps Success
4 Prerequisites for DevOps SuccessCloudCheckr
 
DevOpsCon 2016 - Continuous Security Testing - Stephan Kaps
DevOpsCon 2016 - Continuous Security Testing - Stephan KapsDevOpsCon 2016 - Continuous Security Testing - Stephan Kaps
DevOpsCon 2016 - Continuous Security Testing - Stephan KapsStephan Kaps
 
Software Project Management: Testing Document
Software Project Management: Testing DocumentSoftware Project Management: Testing Document
Software Project Management: Testing DocumentMinhas Kamal
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45
 

Viewers also liked (20)

Project audit & review checklist
Project audit & review checklistProject audit & review checklist
Project audit & review checklist
 
Apresentação Executiva TQI
Apresentação Executiva TQIApresentação Executiva TQI
Apresentação Executiva TQI
 
Senior database administrator performance appraisal
Senior database administrator performance appraisalSenior database administrator performance appraisal
Senior database administrator performance appraisal
 
Database administrator performance appraisal
Database administrator performance appraisalDatabase administrator performance appraisal
Database administrator performance appraisal
 
Applicant Tracking System Vendor Criteria Checklist
Applicant Tracking System Vendor Criteria ChecklistApplicant Tracking System Vendor Criteria Checklist
Applicant Tracking System Vendor Criteria Checklist
 
How to Effectively Audit your IT Infrastructure
How to Effectively Audit your IT InfrastructureHow to Effectively Audit your IT Infrastructure
How to Effectively Audit your IT Infrastructure
 
Iso 9001-internal-audit-checklist
Iso 9001-internal-audit-checklistIso 9001-internal-audit-checklist
Iso 9001-internal-audit-checklist
 
Internal Control Questionnaires (ICQs)
Internal Control Questionnaires (ICQs)Internal Control Questionnaires (ICQs)
Internal Control Questionnaires (ICQs)
 
The Internal Audit Framework
The Internal Audit FrameworkThe Internal Audit Framework
The Internal Audit Framework
 
How to do a Project Audit
How to do a Project AuditHow to do a Project Audit
How to do a Project Audit
 
Project Auditing
Project AuditingProject Auditing
Project Auditing
 
Audit of-primary-school-website-rag-check-list-template (1)
Audit of-primary-school-website-rag-check-list-template (1)Audit of-primary-school-website-rag-check-list-template (1)
Audit of-primary-school-website-rag-check-list-template (1)
 
8 steps pdca
8 steps pdca8 steps pdca
8 steps pdca
 
4 Prerequisites for DevOps Success
4 Prerequisites for DevOps Success4 Prerequisites for DevOps Success
4 Prerequisites for DevOps Success
 
DevOpsCon 2016 - Continuous Security Testing - Stephan Kaps
DevOpsCon 2016 - Continuous Security Testing - Stephan KapsDevOpsCon 2016 - Continuous Security Testing - Stephan Kaps
DevOpsCon 2016 - Continuous Security Testing - Stephan Kaps
 
Security testing ?
Security testing ?Security testing ?
Security testing ?
 
Software Project Management: Testing Document
Software Project Management: Testing DocumentSoftware Project Management: Testing Document
Software Project Management: Testing Document
 
Security testing
Security testingSecurity testing
Security testing
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
 
we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Study
 

Similar to Audit Checklist for Information Systems

Misauditchecklist 121023080803-phpapp01
Misauditchecklist 121023080803-phpapp01Misauditchecklist 121023080803-phpapp01
Misauditchecklist 121023080803-phpapp01Ravikrishnan Nc
 
Itauditcl
ItauditclItauditcl
ItauditclSAMMOU
 
10 software maintenance
10 software maintenance10 software maintenance
10 software maintenanceakiara
 
Enterprise Asset Management- Mobility Readiness Checklist
Enterprise Asset Management- Mobility Readiness ChecklistEnterprise Asset Management- Mobility Readiness Checklist
Enterprise Asset Management- Mobility Readiness ChecklistUnvired Inc.
 
Software maintenance
Software maintenanceSoftware maintenance
Software maintenancePiyush Dua
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.gueste080564
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.renetta
 
Technology Controls in Business - End User Computing
Technology Controls in Business - End User ComputingTechnology Controls in Business - End User Computing
Technology Controls in Business - End User Computingguestc1bca2
 
ICAB - ITK Chapter 5 Set 2 - Internal Control in IT Systems
ICAB - ITK Chapter 5 Set 2 - Internal Control in IT SystemsICAB - ITK Chapter 5 Set 2 - Internal Control in IT Systems
ICAB - ITK Chapter 5 Set 2 - Internal Control in IT SystemsMohammad Abdul Matin Emon
 
Software Metrics - Software Engineering
Software Metrics - Software EngineeringSoftware Metrics - Software Engineering
Software Metrics - Software EngineeringDrishti Bhalla
 
ERP: Start The Discussion
ERP: Start The DiscussionERP: Start The Discussion
ERP: Start The DiscussionBarry Cole
 
Perintis Mobiliti Success Story: eParlimen Software Process Governance and Co...
Perintis Mobiliti Success Story: eParlimen Software Process Governance and Co...Perintis Mobiliti Success Story: eParlimen Software Process Governance and Co...
Perintis Mobiliti Success Story: eParlimen Software Process Governance and Co...Ratha Jegatheson
 
SE chp1 update and learning management .pptx
SE chp1 update and learning management .pptxSE chp1 update and learning management .pptx
SE chp1 update and learning management .pptxssuserdee5bb1
 

Similar to Audit Checklist for Information Systems (20)

Misauditchecklist 121023080803-phpapp01
Misauditchecklist 121023080803-phpapp01Misauditchecklist 121023080803-phpapp01
Misauditchecklist 121023080803-phpapp01
 
Itauditcl
ItauditclItauditcl
Itauditcl
 
Itauditcl
ItauditclItauditcl
Itauditcl
 
10 software maintenance
10 software maintenance10 software maintenance
10 software maintenance
 
ERP Unit iii
ERP Unit iii ERP Unit iii
ERP Unit iii
 
Enterprise Asset Management- Mobility Readiness Checklist
Enterprise Asset Management- Mobility Readiness ChecklistEnterprise Asset Management- Mobility Readiness Checklist
Enterprise Asset Management- Mobility Readiness Checklist
 
Software maintenance
Software maintenanceSoftware maintenance
Software maintenance
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
 
Technology Controls in Business - End User Computing
Technology Controls in Business - End User ComputingTechnology Controls in Business - End User Computing
Technology Controls in Business - End User Computing
 
Software Project management
Software Project managementSoftware Project management
Software Project management
 
ICAB - ITK Chapter 5 Set 2 - Internal Control in IT Systems
ICAB - ITK Chapter 5 Set 2 - Internal Control in IT SystemsICAB - ITK Chapter 5 Set 2 - Internal Control in IT Systems
ICAB - ITK Chapter 5 Set 2 - Internal Control in IT Systems
 
Agile software process
Agile software processAgile software process
Agile software process
 
ch11.ppt
ch11.pptch11.ppt
ch11.ppt
 
Software Metrics - Software Engineering
Software Metrics - Software EngineeringSoftware Metrics - Software Engineering
Software Metrics - Software Engineering
 
ERP: Start The Discussion
ERP: Start The DiscussionERP: Start The Discussion
ERP: Start The Discussion
 
IT & the Auditor
IT & the AuditorIT & the Auditor
IT & the Auditor
 
Perintis Mobiliti Success Story: eParlimen Software Process Governance and Co...
Perintis Mobiliti Success Story: eParlimen Software Process Governance and Co...Perintis Mobiliti Success Story: eParlimen Software Process Governance and Co...
Perintis Mobiliti Success Story: eParlimen Software Process Governance and Co...
 
chapters
chapterschapters
chapters
 
SE chp1 update and learning management .pptx
SE chp1 update and learning management .pptxSE chp1 update and learning management .pptx
SE chp1 update and learning management .pptx
 

More from Ahmad Tariq Bhatti

Microfinancing: A Catalyst for Scaling-up Economy
Microfinancing: A Catalyst for Scaling-up EconomyMicrofinancing: A Catalyst for Scaling-up Economy
Microfinancing: A Catalyst for Scaling-up EconomyAhmad Tariq Bhatti
 
How to be effective in the workplaces?
How to be effective in the workplaces?How to be effective in the workplaces?
How to be effective in the workplaces?Ahmad Tariq Bhatti
 
How to deal with a VAT audit in UAE?
How to deal with a VAT audit in UAE?How to deal with a VAT audit in UAE?
How to deal with a VAT audit in UAE?Ahmad Tariq Bhatti
 
VAT Evasion or Fraud: Penalties & Precautions (The UAE Perspective)
VAT Evasion or Fraud: Penalties & Precautions (The UAE Perspective)VAT Evasion or Fraud: Penalties & Precautions (The UAE Perspective)
VAT Evasion or Fraud: Penalties & Precautions (The UAE Perspective)Ahmad Tariq Bhatti
 
Budgeting — A Framework for the Budgetary Controls System
Budgeting — A Framework for the Budgetary Controls SystemBudgeting — A Framework for the Budgetary Controls System
Budgeting — A Framework for the Budgetary Controls SystemAhmad Tariq Bhatti
 
Stock-Market Performance Comparison with Economic Growth
Stock-Market Performance Comparison with Economic GrowthStock-Market Performance Comparison with Economic Growth
Stock-Market Performance Comparison with Economic GrowthAhmad Tariq Bhatti
 
Glimpses of the Life in Old Lahore
Glimpses of the Life in Old LahoreGlimpses of the Life in Old Lahore
Glimpses of the Life in Old LahoreAhmad Tariq Bhatti
 
Internal Control Questionnaires for Construction Companies
Internal Control Questionnaires for Construction CompaniesInternal Control Questionnaires for Construction Companies
Internal Control Questionnaires for Construction CompaniesAhmad Tariq Bhatti
 
Employee Assessment and Evaluation for Continuation of Service
Employee Assessment and Evaluation for Continuation of ServiceEmployee Assessment and Evaluation for Continuation of Service
Employee Assessment and Evaluation for Continuation of ServiceAhmad Tariq Bhatti
 
Internal Control Questionnaires
Internal Control QuestionnairesInternal Control Questionnaires
Internal Control QuestionnairesAhmad Tariq Bhatti
 

More from Ahmad Tariq Bhatti (20)

Activity-Based Costing System
Activity-Based Costing SystemActivity-Based Costing System
Activity-Based Costing System
 
CSR Analysis
CSR AnalysisCSR Analysis
CSR Analysis
 
Value Analysis
Value AnalysisValue Analysis
Value Analysis
 
Microfinancing: A Catalyst for Scaling-up Economy
Microfinancing: A Catalyst for Scaling-up EconomyMicrofinancing: A Catalyst for Scaling-up Economy
Microfinancing: A Catalyst for Scaling-up Economy
 
How to be effective in the workplaces?
How to be effective in the workplaces?How to be effective in the workplaces?
How to be effective in the workplaces?
 
How to deal with a VAT audit in UAE?
How to deal with a VAT audit in UAE?How to deal with a VAT audit in UAE?
How to deal with a VAT audit in UAE?
 
VAT Evasion or Fraud: Penalties & Precautions (The UAE Perspective)
VAT Evasion or Fraud: Penalties & Precautions (The UAE Perspective)VAT Evasion or Fraud: Penalties & Precautions (The UAE Perspective)
VAT Evasion or Fraud: Penalties & Precautions (The UAE Perspective)
 
Life-Cycle Costing
Life-Cycle CostingLife-Cycle Costing
Life-Cycle Costing
 
Budgeting — A Framework for the Budgetary Controls System
Budgeting — A Framework for the Budgetary Controls SystemBudgeting — A Framework for the Budgetary Controls System
Budgeting — A Framework for the Budgetary Controls System
 
Stock-Market Performance Comparison with Economic Growth
Stock-Market Performance Comparison with Economic GrowthStock-Market Performance Comparison with Economic Growth
Stock-Market Performance Comparison with Economic Growth
 
Glimpses of the Life in Old Lahore
Glimpses of the Life in Old LahoreGlimpses of the Life in Old Lahore
Glimpses of the Life in Old Lahore
 
Lahore During British Era
Lahore During British EraLahore During British Era
Lahore During British Era
 
Internal Control Questionnaires for Construction Companies
Internal Control Questionnaires for Construction CompaniesInternal Control Questionnaires for Construction Companies
Internal Control Questionnaires for Construction Companies
 
Employee Assessment and Evaluation for Continuation of Service
Employee Assessment and Evaluation for Continuation of ServiceEmployee Assessment and Evaluation for Continuation of Service
Employee Assessment and Evaluation for Continuation of Service
 
Internal Control Questionnaires
Internal Control QuestionnairesInternal Control Questionnaires
Internal Control Questionnaires
 
Shahi Qila
Shahi QilaShahi Qila
Shahi Qila
 
Dengue or Break-Bone Fever
Dengue or Break-Bone Fever Dengue or Break-Bone Fever
Dengue or Break-Bone Fever
 
Target Costing
Target CostingTarget Costing
Target Costing
 
Massaundum
MassaundumMassaundum
Massaundum
 
Capital Budgeting
Capital BudgetingCapital Budgeting
Capital Budgeting
 

Recently uploaded

Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxJisc
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...Nguyen Thanh Tu Collection
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfSherif Taha
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxRamakrishna Reddy Bijjam
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfDr Vijay Vishwakarma
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomPooky Knightsmith
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxAmanpreet Kaur
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxPooja Bhuva
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseAnaAcapella
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Pooja Bhuva
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jisc
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 

Recently uploaded (20)

Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 

Audit Checklist for Information Systems

  • 1. Audit Checklist Management Information Systems Ahmad Tariq Bhatti FCMA, FPA, MA (Economics), BSc
  • 2. No. Description Yes No N/A A ORGANISATION AND ADMINISTRATION Audit Objective - Does the organization of data processing provide for adequate segregation of duties? Audit Procedures - Review the company organization chart, and the data processing department organization chart. 1 Is there a separate EDP department within the company? Is there a steering committee where the duties and responsibilities 2 for managing MIS are clearly defined? Has the company developed an IT strategy linked with the long and 3 medium term plans? Is the EDP Department independent of the user department and in 4 particular the accounting department? Are there written job descriptions for all jobs within EDP 5 department and these job descriptions are communicated to designated employees? Are EDP personnel prohibited from having incompatible 6 responsibilities or duties in user departments and vice versa? 7 Are there written specifications for all jobs in the EDP Department? Are the following functions within the EDP Department performed 8 by separate sections:  System design?  Application programming?  Computer operations?  Database administration?  Systems programming?  Data entry and control? Are the data processing personnel prohibited from duties relating 9 to:  Initiating transactions?  Recording of transactions? (2/20)
  • 3. Master file changes?  Correction of errors? Are all processing pre-scheduled and authorized by appropriate 10 personnel? Are there procedures to evaluate and establish who has access to 11 the data in the database? 12 Are the EDP personnel adequately trained? Are systems analysts programmers denied access to the computer 13 room and limited in their operation of the computer? Are operators barred from making changes to programs and from 14 creating or amending data before, during, or after processing? Is the custody of assets restricted to personnel outside the EDP 15 department? Is strategic data processing plan developed by the company for the 16 achievement of long-term business plan? Are there any key personnel within IT department whose absence 17 can leave the company within limited expertise? 18 Are there any key personnel who are being over-relied? Is EDP audit being carried by internal audit or an external 19 consultant to ensure compliance of policies and controls established by management? B PROGRAM MAINTENANCE AND SYSTEM DEVELOPMENT Audit Objective - Development and changes to programs are authorized, tested, and approved, prior to being placed in production. Program Maintenance Audit - Procedures Review details of the program library structure, and note controls - which allow only authorized individuals to access each library. - Note the procedures used to amend programs. Obtain an understanding of any program library management - software used. (3/20)
  • 4. 1 Are there written standards for program maintenance? 2 Are these standards adhered to and enforced? 3 Are these standards reviewed regularly and approved? Are there procedures to ensure that all programs required for 4 maintenance are kept in a separate program test library? Are programmers denied access to all libraries other than the test 5 library? Are changes to programs initiated by written request from user 6 department and approved? Are changes initiated by Data Processing Department 7 communicated to users and approved by them? Are there adequate controls over the transfer of programs from 8 production into the programmer's test library? Are all systems developed or changes to existing system tested 9 according to user approved test plans and standards? Are tests performed for system acceptance and test data 10 documented? Are transfers from the development library to the production 11 library carried out by persons independent of the programmers? Do procedures ensure that no such transfer can take place 12 without the change having been properly tested and approved? Is a report of program transfers into production reviewed on a 13 daily basis by a senior official to ensure only authorized transfers have been made? 14 Are all program changes properly documented? 15 Are all changed programs immediately backed up? Is a copy of the previous version of the program retained (for use 16 in the event of problems arising with the amended version)? Are there standards for emergency changes to be made to 17 application programs? 18 Are there adequate controls over program recompilation? 19 Are all major amendments notified to Internal audit for comment? Are there adequate controls over authorization, implementation, 20 approval and documentation of changes to operating systems? (4/20)
  • 5. C SYSTEM DEVELOPMENT Are there formalized standards for system development life cycle 1 procedure? Do they require authorization at the various stages of development 2 – feasibility study, system specification, testing, parallel running, post implementation review, etc.? Do the standards provide a framework for the 3 development of controlled applications? 4 Are standards regularly reviewed and updated? 5 Do the adequate system documentation exist for:  Programmers to maintain and modify programs?  Users to satisfactorily operate the system? Have the internal audit department been involved in the design 6 stage to ensure adequate controls exist? 7 Testing of programs - see Program Maintenance. Procedures for authorizing new applications to production - see 8 Program Maintenance. Are user and data processing personnel adequately trained to use 9 the new applications? Is system implementation properly planned and implemented by 10 either parallel run or pilot run? Are any differences and deficiencies during the implementation 11 phase noted and properly resolved? Are there adequate controls over the setting up of the standing 12 data and opening balances? 13 Is a post implementation review carried out? Are user manuals prepared for all new systems developed and 14 revised for subsequent changes? Is there a Quality Assurance Function to verify the integrity and 15 acceptance of applications developed? D PURCHASED SOFTWARE (5/20)
  • 6. Are there procedures addressing controls over selection, testing 1 and acceptance of packaged softwares? 2 Is adequate documentation maintained for all softwares purchased? 3 Are vendor warranties (if any) still in force? 4 Is the software purchased, held in escrow? 5 Are backup copies of user/operations manual kept off-site? E ACCESS TO DATA FILES Audit Objective - Is access to data files restricted to authorized users and programs? - Access to Data Is there any formal written data security policy? Consider whether 1 the policy addresses data ownership, confidentiality of information, and use of password. Is the security policy communicated to individuals in the 2 organization? 3 Is physical access to off-line data files controlled in:  Computer room?  On-site library?  Off-site library? Does the company employ a full-time librarian who is 4 independent of the operators and programmers? 5 Are libraries locked during the absence of the librarian? 6 Are requests for on-line access to off line files approved? Are requests checked with the actual files issued and initialed by 7 the librarian? Are sensitive applications e.g. payroll, maintained on machines in 8 physically restricted areas? Are encryption techniques used to protect against unauthorized 9 disclosure or undetected modification of sensitive data? (6/20)
  • 7. Are returns followed up and non returns investigated and 10 adequately documented? F COMPUTER PROCESSING 1 Does a scheduled system exist for the execution of programs? 2 Are non-scheduled jobs approved prior to being run? Is the use of utility programs controlled (in particular those that 3 can change executable code or data)? 4 Are program tests restricted to copies of live files? Is access to computer room restricted to only authorized 5 personnel? 6 Are internal and external labels used on files? 7 Are overrides of system checks by operators controlled? Are exception reports for such overrides pointed and reviewed by 8 appropriate personnel? Are sufficient operating instructions exist covering procedures to 9 be followed at operation? 10 If so, are these independently reviewed? Is integrity checking programs run periodically for checking the 11 accuracy and correctness of linkages between records? G ACCESS CONTROLS Is there any proper password syntax in-force ie minimum 5 and 1 maximum 8 characters and include alphanumeric characters? Are there satisfactory procedures for reissuing passwords to users 2 who have forgotten theirs? Are procedures in place to ensure the compliance of removal of 3 terminated employee passwords? Are system access compatibilities properly changed with regard to 4 personnel status change? Are individual job responsibilities considered when granting users 5 access privileges? (7/20)
  • 8. 6 Is each user allocated a unique password and user account? Are there procedures in place to ensure forced change of password 7 after every 30 days? 8 Is application level security violations logged? Do standards and procedures exist for follow up of security 9 violations? Do formal and documented procedures exist for use and 10 monitoring of dial up access facility? 11 Is use made of passwords to restrict access to specific files? 12 Do terminals automatically log off after a set period of time? Is there a limit of the number of invalid passwords before the 13 terminal closes down? Are there any administrative regulations limiting physical access to 14 terminals? Are invalid password attempts reported to user department 15 managers? Are restrictions placed on which applications terminals can 16 access? Are keys, locks, cards or other physical devises used to restrict 17 access to only authorized user? H APPLICATION CONTROLS - INPUT Audit Objective Do controls provide reasonable assurance that for each transaction - type, input is authorized, complete and accurate, and that errors are promptly corrected? Are all transactions properly authorized before being processed by 1 computers? 2 Are all batches of transactions authorized? (8/20)
  • 9. Do controls ensure unauthorized batches or transactions are 3 prevented from being accepted ie they are detected? 4 Is significant standing data input verified against the master file? Is maximum use made of edit checking e.g. check digits, range and 5 feasibility checks, limit tests, etc.? Are there procedures to ensure all vouchers have been processed 6 e.g. batch totals, document counts, sequence reports, etc.? Are there procedures established to ensure that transactions or 7 batches are not lost, duplicated or improperly changed? 8 Are all errors reported for checking and correction? 9 Are errors returned to the user department for correction? 10 Do procedures ensure these are resubmitted for processing? Is an error log maintained and reviewed to identify recurring 11 errors? Are persons responsible for data preparation and data entry 12 independent of the output checking and balancing process? Are persons responsible for data entry prevented from amending 13 master file data? I OUTPUT AND PROCESSING Audit Objective - The controls provide reasonable assurance that transactions are properly processed by the computer and output (hard copy or other) is complete and accurate, and that calculated items have been accurately computed: Where output from one system is input to another, are run to run 1 totals, or similar checks, used to ensure no data is lost or corrupted? 2 Are there adequate controls over forms that have monetary value? (9/20)
  • 10. Is maximum use made of programmed checks on limits, ranges 3 reasonableness, etc. and items that are detected reported for investigation? Where calculations can be 'forced' i.e. bypass a programmed 4 check, are such items reported for investigation? Where errors in processing are detected, is there a formal 5 procedure for reporting and investigation? Is reconciliation between input, output and brought forward 6 figures carried out and differences investigated? 7 Are suspense accounts checked and cleared on a timely basis? Are key exception reports reviewed and acted upon on a timely 8 basis? J VIRUSES 1 Is there any formal written anti-virus policy? Is the policy effectively communicated to individuals in the 2 organization? 3 Is there a list of approved software and suppliers? 4 Is only authorized software installed on microcomputers? 5 Is there a master library of such software? 6 Are directories periodically reviewed for suspicious files? 7 Are files on the system regularly checked for size changes? 8 Is anti-virus software installed on all microcomputers/laptops? 9 Is anti-virus software regularly updated for new virus definitions? Are suspicious files quarantined and deleted from the terminal’s 10 hard drive and network drive on regular basis? 11 Are diskettes formatted before re-use? Have procedures been developed to restrict or oversee the transfer 12 of data between machines? 13 Is staff prohibited from sharing machines (laptops/desktops)? Is software reloaded from the master diskettes after machine 14 maintenance? (10/20)
  • 11. 15 Has all staff been advised of the virus prevention procedures? Are downloads from internet controlled by locking the hard-drive 16 and routing it through network drive to prevent the virus (if any) from spreading? K INTERNET Is there any proper policy regarding the use of internet by the 1 employees? Does the policy identify the specific assets that the firewall is 2 intended to protect and the objectives of that protection? Does the policy support the legitimate use and flow of data and 3 information? 4 Is information passing through firewall is properly monitored? Determine whether management approval of the policy has been 5 sought and granted and the date of the most recent review of the policy by the management? Is the policy properly communicated to the users and awareness is 6 maintained? 7 Have the company employed a Firewall Administrator? 8 Is firewall configured as per security policy? 9 Is URL screening being performed by Firewall? 10 Is anti-virus inspection enabled? Are packets screened for the presence of prohibited words? If so, 11 determine how the list of words is administered and maintained. Are access logs regularly reviewed and any action is taken on 12 questionable entries? L CONTINUITY OF OPERATIONS Physical Protection L.I Fire Hazard (11/20)
  • 12. 1 Check the safety against fire in the following ways:  Building materials fire resistant?  Wall and floor coverings non-combustible?  Separation from hazardous areas (e.g. fire doors)?  Separation from combustible materials (e.g. paper, fuel)?  Smoking restriction?  Fire resistant safes (for tapes, disks and documentation)? 2 Check the appropriate arrangements of fire detection devices:  Smoke/ Heat-rise detectors?  Detectors located on ceiling and under floor?  Detectors located in all key EDP areas?  Linked to fire alarm system? 3 Check the appropriate arrangements for fire fighting:  Halon gas system (for key EDP areas)  Automatic sprinkler system  Portable CO2, extinguishers (electrical fires)  Ease of access for fire services 4 Check appropriate arrangements in case of fire emergency:  Fire instructions clearly posted  Fire alarm buttons clearly visible  Emergency power-off procedures posted  Evacuation plan, with assignment of roles and responsibilities 5 Check if there is training to avoid fire emergecny:  Regular fire drill and training  Regular inspection/testing of all computing equipment L.II AIR CONDITIONING Monitoring of temperature and humidity in EDP area (12/20)
  • 13. Heat, fire and access protection of sensitive air-conditioning parts (eg. cooling tower)  Air intakes located to avoid undesirable pollution  Back-up air conditioning equipment L.III Power Supply  Reliable local power supply  Separate computer power supply  Line voltage monitored  Power supply regulated (For voltage fluctuation)  Uninterrupted power supply (eg. Battery system) available  Alternative power supply (eg. Generator) Emergency lighting system L.IV Communications Network  Physical protection of communications lines modems, multiplexors and processors  Location of communication equipment separate from main EDP equipment  Back-up and dial-up lines for direct lines L.V Machine (Servers) Room Layout  Printers, plotters located in separate area  Printout preparation (eg. bursting) located in separate area  Tape/Disk library in separate area Machine room kept tidy  Practical location of security devices  Emergency power off switches (13/20)
  • 14. Alarms  Extinguishers  Environment monitoring equipment L.VI Access Control Entrance Routes (EDP areas):  No unnecessary entrances to the computer room  Non-essential doors always shut and locked to the outside (eg, Fire exits)  Air vent and daylight access location  Protected and controlled use of all open doors M ACCESS CONTROL 1 Access restricted to selected employees 2 Prior approval required for all other employees 3 Entrance door controlled by:  Screening by a guard  Locks/combinations  Electronic badge/key  Other - biological identification devices 4 Positive identification of all employees (eg. identification card) 5 Verification of all items taken into and out of the computer room Access controlled on 24 hours basis including weekends (eg, 6 automatic control mechanism) 7 Locks, combinations, badge codes changed periodically M.I Visitor Control (14/20)
  • 15. 1 Positive identification always required 2 Badges issued, controlled and returned on departure 3 All visits logged in and out 4 Visitors accompanied and observed at all times M.II Terminal Security 1 All terminals located in secure areas Alarm system used to control microcomputers from being 2 disconnected or moved from its location. Sensitive applications eg payroll, maintained on machines in 3 physically restricted area. 4 Terminal keys/locks used 5 Passwords changed regularly 6 Identification labels been placed on each terminal. M.III General Security Waste regularly removed from EDP area and sensitive data 1 shredded. 2 Window and door alarm system. 3 Closed circuit television monitoring ie CCTV cameras. N PERSONNEL POLICIES – MIS STAFF New employees recruited according to job description and job 1 specification. 2 Employee identity cards issued. 3 Performance evaluation and regular counseling. 4 Continuing education program. 5 Training in security, privacy and recovery procedures. 6 All functions covered by cross training. (15/20)
  • 16. Critical jobs rotated periodically (e.g. operators, program 7 maintenance). 8 Clean desk policy enforced. 9 Fidelity insurance for key personnel. 10 Contract service personnel vetted (e.g. cleaners) O INSURANCE 1 Does adequate insurance exist to cover:  Equipment?  Software and documentation?  Storage media?  Replacement/ re-creation cost?  Loss of data/assets (eg. Accounts receivable)?  Business loss or interruption (business critical systems)? Is adequate consideration given to cover additional cost of working 2 and consequential losses? P BACK-UP PROCEDURES P.I Equipment (computer and ancillary) 1 Regular preventive maintenance Reliable manufacturer service Arrangements for back-up 2 installation Formal written agreement 3 Compatibility regularly checked 4 Sufficient computer time available at back-up 5 Testing at back-up regularly performed P.II Outside Suppliers (non continuance/ disaster) (16/20)
  • 17. - (eg, suppliers of equipment, computer time, software) 1 Alternative sources of supply/ maintenance/ service available Adequate and secure documentation/ back-up of data and 2 programs Are backup copies of system documentation kept in a secure 3 location? P.III Off-site Storage: 1 Secure separate location 2 Adequate physical protection. Log maintained of off-site materials 3 Off- site Inventory regularly reviewed 4 File transportation under adequate physical protection 5 Back-up files periodically tested P.IV Data Files 1 File criticality and retention procedure regularly reviewed P.V Tape 1 At least three generations of important tape files retained 2 Copies of all updating transactions for above retained At least one generation and all necessary updating transactions in 3 off-site storage P.VI Disc 1 Checkpoint/restart procedures provided for Audit trail (log file) of transactions updating on-line files (data 2 base) maintained 3 Regular tape dumps of all disc files stored off-site (17/20)
  • 18. 4 Audit trail (log file) regularly dumped and stored off-site P.VII Software Copies of following maintained at off-site storage: Production 1 application programs  Major programs under development  System and program documentation  Operating procedures  Operation and system software  All copies regularly updated  Back-up copies regularly tested P.VIII Operations 1 Back-up procedure manual 2 Priority assignments for all applications Procedures for restoring data files and software Procedures for 3 back-up installation Q DISASTER RECOVERY PLANS Is a comprehensive contingency plan developed, documented and 1 periodically tested to ensure continuity in data processing services? Does the contingency plan provide for recovery and extended 2 processing of critical applications in the event of catastrophic disaster? 3 Has any Business Impact Analysis carried out by the company? Are all recovery plans approved and tested to ensure their 4 adequacy in the event of disaster? 5 Communicated to all management and personnel concerned (18/20)
  • 19. Critical processing priorities identified (eg. Significant accounting 6 applications) Are disaster recovery teams established to support disaster 7 recovery plan? Are responsibilities of individuals within disaster recovery team 8 defined and time allocated for completion of their task? Operations procedures for use of equipment and software back- 9 up Has the company developed and implemented 10 adequate plan maintenance procedures? 11 Are priorities set for the development of critical systems? Does a hardware maintenance contract exist with a reputable 12 supplier? 13 Does the recovery plan ensure, in the event of failure:  No loss of data received but not processed  No reprocessing of data already processed  Files not corrupted by partially completed processing 14 Are recovery plans regularly tested? (19/20)