IS Audit Checklist- by Software development company in india

iFour ConsultancyInformation Security Audit Checklist

Basic stages and workflow of IS Audit
Software Consultancy Indiahttp://www.ifourtechnolab.com

Table of Contents
ISO for Software Outsourcing Companies in India
Sr. No. Particulars
1 List of documents for understanding the Information System of the auditee.
2 Criticality Assessment Tool
3 Collection of specific information on Information System
4 Risk assessment
5 General controls
6 Input controls
7 Processing controls
8 Output controls
9 IT security

Documents for understanding Information System
Sr. No. List of documents
1 Brief background of the organization
2 Information security objectives
3 Scope document of Information System
4 Organizational chart with details of reporting responsibilities
5 Information security policy
6 Risk assessment process
7 Statement of Applicability
8 Risk treatment plan and process
9 Risk assessment and Risk treatment results
10 Evidence of monitoring and measurement results
11 Evidence of implementation of audit program
12 Evidence of results of management reviews
13 Previous audit and internal audit reports
14 Evidence of results of any corrective action

 Questions Asked:
 Does the system relate to any of the following operations:
 Business Critical Operations
 Support functions
 What is the amount of investment made in the system?
 Number of PCs/Desktops used in the system?
 Is the system on the network?
 How much dependent is the organization on the system?
 Does the system link to third parties?
 Does the system have dedicated IT staff?
 How many end-users of system?
 For how long has the system been operation for?
 Does the system have a documented and approved DRP?
 What is the volume of data used by the system?
Criticality Assessment Tool
ISO for Software Outsourcing Companies in India Software Consultancy Indiahttp://www.ifourtechnolab.com

Collection of specific information on IS
Information to be collected includes:
Name of the system and broad functional areas covered by the system.
Department head of the organization
Location of the system installation
Category of the system architecture
Affects financial or accounting aspects of the organization
Softwares used by the system
Is the system mission critical?
Is the system in-house or has it been outsourced? (if so, then collect information of that
company)

Collection of specific information on IS (continued)
Total persons involved in the system
Does the system documentation provide audit trail of all transactions?
Are system manuals available?
Details of hardware items employed by the system
What is the projected cost of the system?
When was the system made operational?
Total investment made in the system based on categories of items use

 The risk assessment is classified into 4 categories:
Management & Organization
HR Policy
Security
Physical & Logical access
Risk assessment

 Questions asked:
Is there a strategic IT plan prepared by the organization based on business needs?
Does the IS department have clear cut and well defined goals?
Does management provide appropriate direction on security objectives of the system?
If the system uses 3rd party data, does the organization have procedures in place to
address associated risks?
Are there procedures to update strategic IT plan?
Risk assessment – Management & Organization

Risk Assessment – HR policy
Questions asked:
Is there a criteria for recruiting and selecting personnel?
Is training need analysis done at a particular interval?
Is organization’s security clearance process adequate?
Are responsibilities and duties clearly defined?
Is backup staff available in case of absenteeism?

Is there a data classification schema in place?
Is there a user security profile system in place to determine access on a ‘need to know’
basis?
Is there a password policy?
Are preventive and detective control measures been established by management?
Is there a centralized security organization responsible for ensuring only appropriate
access to system resources?
Risk assessment – Security

Whether facility access is limited to least number of people?
Is there a periodic and ongoing review of access profiles, including managerial review?
Whether physical security is addressed in the continuity plan?
Whether health, safety and environmental regulations are being complied with?
Is there a system of reviewing fire, weather, electrical warning and alarm procedures
and expected response scenarios for various levels of environmental hazards?
Risk assessment – Physical & Logical Access

 To check whether proper controls have been implemented or not.
 These controls need to be viewed in relation to the impact on the efficiency,
security or effectiveness of the system.
Are there procedures for monitoring the implementation of strategic plan?
Are current IT activities consistent with the plan?
Is documentation complete and in current state?
Does security procedures cover designation and duties of security officer?
Are security breaches immediately reported for appropriate action?
Are objectives, scope and requirements of acquisition clearly defined and documented?
General Controls

Are the methods of data entry and conversion well documented?
Are all the documents accounted for and if so what is the method used?
Is there a system of documents being signed or marked to prevent reuse of data?
Is there a system of escalation of reports to higher levels if the conditions deteriorate?
Does the system provide for error messages for every type of error not meeting the
validation?
Input Controls

Do documented procedures exist explaining the methods for proper processing of each
application program?
Is the history log displayed by the console?
Does the computer program logic have in-built standardized default options?
Are version control procedures in place, ensuring the processing on the proper version
of file?
Are the error messages clear and short, communicating the nature of error for
appropriate guidance to the user?
Processing Controls

Is the user department responsible for correctness of all output?
Examine whether document methods are in place for proper handling and distribution
of output?
Examine the system of forward linkage to trace transaction from origin to its final output
stage
Whether output audit trail logs are maintained and periodically reviewed by supervisors
to ensure accuracy of output generated
Output Controls

 Sections considered:
Security Policy
Organizational security
Asset classification and control
Personnel security
Physical & Environmental security
Communications & Operations management
Access Control
System development and maintenance
Business continuity management
Compliance
IT security

 http://www.icisa.cag.gov.in/Background%20Material-IT%20Environment/IT-Audit-
Manual/Vol-3.pdf
References

IS Audit Checklist- by Software development company in india

More Related Content

What's hot

Viewers also liked

Similar to IS Audit Checklist- by Software development company in india

Recently uploaded

IS Audit Checklist- by Software development company in india

Editor's Notes