
IS Audit Checklist- by Software development company in india

This presentation covers the contents of an Information System Audit Plan. Published by a software development company in India: http://www.ifourtechnolab.com

Published in: Education


  1. iFour Consultancy: Information Security Audit Checklist
  2. Basic stages and workflow of IS Audit (Software Consultancy India, http://www.ifourtechnolab.com)
  3. Table of Contents (ISO for Software Outsourcing Companies in India)
     1. List of documents for understanding the Information System of the auditee
     2. Criticality Assessment Tool
     3. Collection of specific information on the Information System
     4. Risk assessment
     5. General controls
     6. Input controls
     7. Processing controls
     8. Output controls
     9. IT security
  4. Documents for understanding the Information System
     1. Brief background of the organization
     2. Information security objectives
     3. Scope document of the Information System
     4. Organizational chart with details of reporting responsibilities
     5. Information security policy
     6. Risk assessment process
     7. Statement of Applicability
     8. Risk treatment plan and process
     9. Risk assessment and risk treatment results
     10. Evidence of monitoring and measurement results
     11. Evidence of implementation of the audit program
     12. Evidence of results of management reviews
     13. Previous audit and internal audit reports
     14. Evidence of results of any corrective action
  5. Criticality Assessment Tool. Questions asked:
     • Does the system relate to any of the following operations: business-critical operations, support functions?
     • What is the amount of investment made in the system?
     • How many PCs/desktops are used in the system?
     • Is the system on the network?
     • How dependent is the organization on the system?
     • Does the system link to third parties?
     • Does the system have dedicated IT staff?
     • How many end users does the system have?
     • For how long has the system been in operation?
     • Does the system have a documented and approved DRP?
     • What is the volume of data used by the system?
  6. Collection of specific information on the IS. Information to be collected includes:
     • Name of the system and broad functional areas covered by the system
     • Department head of the organization
     • Location of the system installation
     • Category of the system architecture
     • Whether it affects financial or accounting aspects of the organization
     • Software used by the system
     • Is the system mission critical?
     • Is the system in-house or has it been outsourced? (If outsourced, collect information on that company.)
  7. Collection of specific information on the IS (continued)
     • Total persons involved in the system
     • Does the system documentation provide an audit trail of all transactions?
     • Are system manuals available?
     • Details of hardware items employed by the system
     • What is the projected cost of the system?
     • When was the system made operational?
     • Total investment made in the system, broken down by category of items used
  8. Risk assessment. The risk assessment is classified into 4 categories:
     • Management & Organization
     • HR Policy
     • Security
     • Physical & Logical Access
  9. Risk assessment – Management & Organization. Questions asked:
     • Is there a strategic IT plan prepared by the organization based on business needs?
     • Does the IS department have clear-cut and well-defined goals?
     • Does management provide appropriate direction on the security objectives of the system?
     • If the system uses third-party data, does the organization have procedures in place to address the associated risks?
     • Are there procedures to update the strategic IT plan?
  10. Risk assessment – HR Policy. Questions asked:
     • Are there criteria for recruiting and selecting personnel?
     • Is a training needs analysis done at regular intervals?
     • Is the organization's security clearance process adequate?
     • Are responsibilities and duties clearly defined?
     • Is backup staff available in case of absenteeism?
  11. Risk assessment – Security. Questions asked:
     • Is there a data classification scheme in place?
     • Is there a user security profile system in place to determine access on a 'need to know' basis?
     • Is there a password policy?
     • Have preventive and detective control measures been established by management?
     • Is there a centralized security organization responsible for ensuring only appropriate access to system resources?
  12. Risk assessment – Physical & Logical Access. Questions asked:
     • Is facility access limited to the least number of people?
     • Is there a periodic and ongoing review of access profiles, including managerial review?
     • Is physical security addressed in the continuity plan?
     • Are health, safety and environmental regulations being complied with?
     • Is there a system for reviewing fire, weather, electrical warning and alarm procedures and the expected response scenarios for various levels of environmental hazards?
  13. General Controls. The aim is to check whether proper controls have been implemented. These controls need to be viewed in relation to their impact on the efficiency, security or effectiveness of the system. Questions asked:
     • Are there procedures for monitoring the implementation of the strategic plan?
     • Are current IT activities consistent with the plan?
     • Is documentation complete and up to date?
     • Do security procedures cover the designation and duties of the security officer?
     • Are security breaches immediately reported for appropriate action?
     • Are the objectives, scope and requirements of acquisitions clearly defined and documented?
  14. Input Controls. Questions asked:
     • Are the methods of data entry and conversion well documented?
     • Are all documents accounted for, and if so, what method is used?
     • Is there a system of documents being signed or marked to prevent reuse of data?
     • Is there a system for escalating reports to higher levels if conditions deteriorate?
     • Does the system provide an error message for every type of error that fails validation?
  15. Processing Controls. Questions asked:
     • Do documented procedures exist explaining the methods for proper processing of each application program?
     • Is the history log displayed on the console?
     • Does the program logic have built-in standardized default options?
     • Are version control procedures in place, ensuring processing runs on the proper version of the file?
     • Are the error messages clear and short, communicating the nature of the error so as to give appropriate guidance to the user?
  16. Output Controls. Questions asked:
     • Is the user department responsible for the correctness of all output?
     • Examine whether documented methods are in place for proper handling and distribution of output.
     • Examine the system of forward linkage to trace a transaction from its origin to its final output stage.
     • Are output audit trail logs maintained and periodically reviewed by supervisors to ensure the accuracy of the output generated?
  17. IT security. Sections considered:
     • Security Policy
     • Organizational security
     • Asset classification and control
     • Personnel security
     • Physical & Environmental security
     • Communications & Operations management
     • Access Control
     • System development and maintenance
     • Business continuity management
     • Compliance
  18. References
     • http://www.icisa.cag.gov.in/Background%20Material-IT%20Environment/IT-Audit-Manual/Vol-3.pdf
