IT Management Audit Programs


This document contains 6 IT Management Audit Programs and Questionnaires that can be used by IT managers, development and technical staff as well as other professionals (e.g. IT Auditors) in reviewing and improving the organizational aspects of IT functions for any type of company or organization.

For details on how these fit into IT Operations, see my books:
1. ‘IT Strategic & Operational Controls’
2. ‘Addendum to IT Strategic & Operational Controls’

PUBLISHER: www.itgovernance.co.uk



IT MANAGEMENT CONTROLS
Copyright: John Kyriazoglou

INFORMATION TECHNOLOGY (IT) MANAGEMENT
IT ORGANIZATION AUDIT PROGRAMS & QUESTIONNAIRES
By John Kyriazoglou, August 2013
List of IT Audit Programs & Questionnaires

1. IT department structure audit program & questionnaire
2. IT policies and procedures audit program & questionnaire
3. IT finance assessment audit program & questionnaire
4. IT management reporting audit program & questionnaire
5. IT inventory control audit program & questionnaire
6. IT procurement management audit program & questionnaire
1. IT department structure audit program & questionnaire

1. Obtain IT vision, mission and values statements, IT terms of reference, description of department and organisational chart.
2. Review and assess organisational responsibility and reporting hierarchy of the IT unit.
3. Review IT organisation and assess IT organisational chart, and IT department description with IT management.
4. Review and assess how the IT unit is structured to serve the company and its divisions/functions (e.g. as a separate division, as part of another division, interfacing with an outsource entity, shared service among several departments, a combination of the above, etc.).
5. Obtain restructuring plan of IT department.
6. Review restructuring plan of IT department with IT management and with the Chief Information Officer (CIO).
7. Is the vision declaration concise, balanced between internal and external needs, inspirational, appealing to all stakeholders, consistent with the mission, and verifiable?
8. Does the mission declaration reply to the questions: ‘Who are we?’, ‘What customer needs do we exist to meet?’, ‘What business problems do we exist to resolve?’, ‘How do we respond to our key stakeholders?’, ‘How do we resolve business problems with the IT systems?’, ‘What is our guiding philosophy or culture?’, and ‘What makes us unique or distinctive?’
9. Has a values statement been formulated and communicated to all levels of the organisation?
10. Are IT vision, mission and values statements, and IT strategy clear and supported by all organisational levels, such as IT staff, suppliers, subcontractors, customers, management and Board of Directors?
2. IT policies and procedures audit program & questionnaire

1. Obtain a copy of the IT policies and procedures.
2. Have IT policies and procedures been formally established and communicated to all functions of the IT unit?
3. Does the corporate performance policy include evaluating the performance of IT?
4. Does the corporate human resources management policy include a special set of procedures related to IT staff?
5. Are all IT systems, purchases and services managed in terms of costs and benefits?
6. Is there an approved IT asset management, disposition and protection system in place?
7. Is there an approved IT research and innovation system in place?
8. Does the Management Reporting System include IT activities?
9. Is there an IT quality management system in place?
10. Is there an IT risk management system in operation?
11. Does the corporate ethics policy include IT staff?
3. IT finance assessment audit program & questionnaire

1. Obtain budget report for the period audited and related to IT activities, projects and purchases.
2. Obtain budget report (for the last year) for the items not controlled directly – but supported – by the IT department (e.g. telephony, cabling, server equipment).
3. Obtain revenue report (for the last year) for the revenue sources of the IT department.
4. Assess budget and revenue reports for any inconsistencies, such as funds not properly controlled, items not properly reported, transactions not recorded in the general ledger, budgets not approved by the Board, IT projects undertaken without cost–benefit analysis, revenue not allocated to IT, IT projects and activities not allocated in terms of costing to all end-users and departments.
5. Has all the background material relevant to this audit assignment been gathered and reviewed in total?
6. Were the IT budget, costing, revenue and accounting systems, policies and procedures discussed and reviewed with IT management and approved by the Board?
7. Were the IT budget, costing, revenue and accounting systems, policies and procedures developed upon the basis of agreed corporate policies?
8. Were reliable budget, costing, revenue and accounting systems (purchased or developed internally) tested and installed?
9. Are the budget, costing, revenue and accounting systems covered by the existing corporate security policies, controls and procedures?
10. Are cost centres established and used for each IT functional area?
11. Is the budget report (monthly, quarterly, annual, etc.) for the period audited related to all IT activities (production, development, research, etc.), projects and purchases?
12. Does the revenue report, produced by the IT department, contain all the relevant amounts for the IT activities, projects and investment payouts?
13. Does the budget report (for the last year) contain all the relevant amounts for the items not controlled directly – but supported – by the IT department (e.g. telephony, cabling, server equipment, etc.)?
14. Do the budget and revenue reports contain any inconsistencies, such as: funds not properly controlled, items not properly reported, transactions not recorded in the general ledger, budgets not approved by the Board, IT projects undertaken without cost–benefit and feasibility analysis, revenue not allocated to IT?
15. Is there a costing system for the IT activities, projects and services provided to all internal and external parties?
16. Are all IT projects, services and activities allocated in terms of costing to all end-users and departments?
17. Are the IT department managers familiar with the budget, revenue and costing systems?
18. Are all IT asset items (hardware, furniture, etc.) marked with non-removable company labels?
19. Are all IT asset items (hardware, furniture, software, etc.) moved and disposed of on the basis of proper CIO/IT management authorisation?
20. Are all IT costs and charges reviewed, discussed and agreed with the main users, on a formal basis and according to corporate and IT management policy?
21. Are IT costs, budgets and revenues monitored and reviewed for all IT projects, services, activities, etc. on a continuous basis?
22. Are these systems aiding the IT managers and staff in discharging their duties?
23. Is the IT function cost-effective and beneficially structured to serve the company and its divisions/functions?
24. Does an IT investment approach, awareness and framework operate for use in evaluating the costs, benefits and outcomes (results) of all IT activities and projects?
25. Does the IT investment approach interface with the corporate strategic planning process?
26. Does the IT investment approach contain the fundamental phases of: selection of projects on the basis of pre-agreed selection criteria, controlling and monitoring the progress of the projects and taking corrective action, evaluation of costs, benefits and outcomes (results) delivered by all IT projects?
27. How often is the audited unit subject to external auditing and to what level?
28. Did the external audit reports contain any significant findings?
29. Were the external audit reports and findings reviewed by executive Board management?
30. Were the external audit reports and findings reviewed by top management?
31. Were the external audit reports and findings reviewed by top IT/CIO management?
32. Were the external audit reports and findings reviewed by top internal audit management?
33. Were the external audit reports and findings posted on the company website for external review?
34. Has the CIO/IT manager taken any action on the last external report findings?
35. Have the external audit reports assisted the IT managers and staff in discharging their duties?
36. Has an evaluation been done of what costs/benefits of IT outsourcing accrue to the company, identifying the parties to be used and for what applications?
37. Were users made aware of which external party provides a service?
4. IT management reporting audit program & questionnaire

1. Obtain IT management reports for the last two years and assess how the technology, financial aspects, application systems and inter-group projects are handled, managed and reported to top management.
2. Ensure that the IT management reports, for application developments, contain, at least:
   - changes, problems and backlog of requests
   - help desk related issues
   - development issues of new applications
   - project actual costs (against budgets)
   - post-implementation review issues.
   In the absence of formal communications, assess whether there is informal communication of IT activities to top management and how effective this has been (so far).
3. Interview important users to determine consistency between organisational and user long-range strategies related to IT goals.
4. Assess, in the absence of formal review/reporting procedures, whether there is adequate information communication/review by user management of IT activities carried out by the IT department.
5. Has all the background material relevant to this audit assignment been gathered and reviewed in total?
6. Are the IT management reports issued at least annually?
7. Do these reports contain at least:
   - technology issues
   - financial aspects
   - application systems
   - user problems
   - operating, networking, Internet and database software issues?
8. Are the IT management reports reviewed by all appropriate levels of management, at least annually?
9. Are these reports reviewed with all the affected users?
10. Are there any other formal or informal communication mechanisms between IT, end-user and top management?
11. Are these communication mechanisms effective and do they solve problems?
12. Are all IT staff aware of the IT management and other communications mechanisms?
5. IT inventory control audit program & questionnaire

1. Obtain a list of all hardware, operating systems software, database management systems software, networking software, personal computer software, applications systems software, computer and back-up media, books, manuals, maintenance suppliers, etc.
2. Review all these inventory lists to ensure completeness and accuracy and check actual contents list (vs. suppliers, ledger, maintenance contract files and invoices file, etc.).
3. Does the organisation periodically balance IT property records to the general ledger?
4. Does the organisation have complete and accurate records with descriptions of all purchased IT items and systems, including their cost and location?
5. Does the organisation prepare periodic reports on the status and condition of property, plants, IT installations, IT equipment and other valuable assets (e.g. back-up media, information systems, etc.)?
6. Does the organisation have reliable data related to IT property management for monitoring, tracking, auditing and forecasting future needs?
7. Does the organisation periodically check all IT assets by checking the physical inventory?
8. Has all the background material relevant to this audit assignment been gathered and reviewed in total?
9. Is there a hardware inventory list for:
   - mainframe computers
   - mini computers
   - personal computers
   - laptop computers
   - network devices
   - printers and auxiliary devices
   - mobile devices
   - PDAs and other non-fixed devices?
   Is there a software inventory list for:
   - operating system
   - networking
   - database management
   - office systems
   - application systems?
   Is there a media inventory list for:
   - tapes
   - CDs
   - diskettes
   - other magnetic media?
10. Is there a documentation inventory list for:
   - operating systems
   - all computer hardware
   - database systems
   - application systems
   - network devices
   - printers and auxiliary devices
   - mobile devices
   - PDAs and other non-fixed devices?
11. Is there a suppliers’ inventory list for all suppliers?
12. Are all these inventory lists accurate?

6. IT procurement management audit program & questionnaire

1. Obtain copy of policy on IT equipment procurement (both hardware and software).
2. Assess both the hardware/software comparative selection methods and the commercial evaluations.
3. Ensure that IT purchases fall within the authority level of the IT manager and according to the IT budget.
4. Obtain copies of all original purchase contracts (including systems in production, development and supported) and for all types (such as lease, use, rent, outsource, latest software amendments, subscriptions) for all IT equipment and systems, computers, networking, personal computers, telecommunications, etc.
5. Review the last two years’ purchases for IT equipment and assess accuracy of methods, their usage, etc.
6. Does the organisation have operating controls to protect against fraud, waste, abuse and mismanagement in the use of all IT purchasing and contracting mechanisms?
7. Does the organisation have systems that ensure compliance for all IT systems with all regulatory and policy requirements of both the organisation and the state/government?
8. Does the organisation have a positive, supportive attitude towards integrity, ethics education and training in IT procurement and IT contracts?
9. Does the organisation monitor the reliability and confidentiality of data used in all IT purchasing and IT contracting decisions?
10. Are the criteria, such as objectivity, fairness, etc., known to all IT bidders and to the market (well publicised), and are these assured in the competitive review and selection of an IT contractor?
