5.1 Use the Internet. Identify the steps/third-party applications that can aid in the auditing of the...

No.

Description

Yes

No

N/A

A

ORGANISATION AND ADMINISTRATION

-

Audit Objective

Does the organization of data processing provide for adequate segregation of duties?

-

Audit Procedures

Review the company organization chart, and the data processing department organization chart.

1

Is there a separate EDP department within the company?

2

Is there a steering committee where the duties and responsibilities for managing MIS are clearly defined?

3

Has the company developed an IT strategy linked with the long and medium term plans?

4

Is the EDP Department independent of the user department and in particular the accounting department?

5

Are there written job descriptions for all jobs within EDP department and these job descriptions are communicated to designated employees?

6

Are EDP personnel prohibited from having incompatible responsibilities or duties in user departments and vice versa?

7

Are there written specifications for all jobs in the EDP Department?

8

Are the following functions within the EDP Department performed by separate sections:

• System design?

• Application programming?

• Computer operations?

• Database administration?

• Systems programming?

• Data entry and control?

9

Are the data processing personnel prohibited from duties relating to:

• Initiating transactions?

• Recording of transactions?

• Master file changes?

• Correction of errors?

10

Are all processing pre-scheduled and authorized by appropriate personnel?

11

Are there procedures to evaluate and establish who has access to the data in the database?

12

Are the EDP personnel adequately trained?

13

Are systems analysts programmers denied access to the computer room and limited in their operation of the computer?

14

Are operators barred from making changes to programs and from creating or amending data before, during, or after processing?

15

Is the custody of assets restricted to personnel outside the EDP department?

16

Is strategic data processing plan developed by the company for the achievement of long-term business plan?

17

Are there any key personnel within IT department whose absence can leave the company within limited expertise?

18

Are there any key personnel who are being over-relied?

19

Is EDP audit being carried by internal audit or an external consultant to ensure compliance of policies and controls established by management?

B

PROGRAM MAINTENANCE AND SYSTEM DEVELOPMENT

-

Audit Objective

Development and changes to programs are authorized, tested, and approved, prior to being placed in production.

Program Maintenance Audit - Procedures

-

Review details of the program library structure, and note controls which allow only authorized individuals to access each library.

-

Note the procedures used to amend programs.

-

Obtain an understanding of any program library management software used.

1

Are there written standards for program maintenance?

2

Are these standards adhered to and enforced?

3

Are these standards reviewed regularly and approved?

4

Are there procedures to ensure that all programs required for maintenance are kept in a separate program test library?

5

Are programmers denied access to all libraries other than the test library?

6

Are changes to programs initiated by written request from user department and approved?

7

Are changes initiated by Data Processing Department communicated to users and approved by them?

8

Are there adequate controls over the transfer of programs from production into the programmer's test library?

9

Are all systems developed or changes to existing system tested according to user approved test plans and standards?

10

Are tests performed for system acceptance and test data documented?

11

Are transfers from the development library to the production library carried out by persons independent of the programmers?

12

Do procedures ensure that no such transfer can take place without the change having been properly tested and approved?

13

Is a report of program transfers into production reviewed on a daily basis by a senior official to ensure only authorized transfers have been made?

14

Are all program changes properly documented?

15

Are all changed programs immediately backed up?

16

Is a copy of the previous version of the program retained (for use in the event of problems arising with the amended version)?

17

Are there standards for emergency changes to be made to application programs?

18

Are there adequate controls over program recompilation?

19

Are all major amendments notified to Internal audit for comment?

20

Are there adequate controls over authorization, implementation, approval and documentation of changes to operating systems?

C

SYSTEM DEVELOPMENT

1

Are there formalized standards for system development life cycle procedure?

2

Do they require authorization at the various stages of development – feasibility study, system specification, testing, parallel running, post implementation review, etc.?

3

Do the standards provide a framework for the
development of controlled applications?

4

Are standards regularly reviewed and updated?

5

Do the adequate system documentation exist for:

• Programmers to maintain and modify programs?

• Users to satisfactorily operate the system?

6

Have the internal audit department been involved in the design stage to ensure adequate controls exist?

7

Testing of programs - see Program Maintenance.

8

Procedures for authorizing new applications to production - see Program Maintenance.

9

Are user and data processing personnel adequately trained to use the new applications?

10

Is system implementation properly planned and implemented by either parallel run or pilot run?

11

Are any differences and deficiencies during the implementation phase noted and properly resolved?

12

Are there adequate controls over the setting up of the standing data and opening balances?

13

Is a post implementation review carried out?

14

Are user manuals prepared for all new systems developed and revised for subsequent changes?

15

Is there a Quality Assurance Function to verify the integrity and acceptance of applications developed?

D

PURCHASED SOFTWARE

1

Are there procedures addressing controls over selection, testing and acceptance of packaged softwares?

2

Is adequate documentation maintained for all softwares purchased?

3

Are vendor warranties (if any) still in force?

4

Is the software purchased, held in escrow?

5

Are backup copies of user/operations manual kept off-site?

13

Is staff prohibited from sharing machines (laptops/desktops)?

14

Is software reloaded from the master diskettes after machine maintenance?

15

Has all staff been advised of the virus prevention procedures?

16

Are downloads from internet controlled by locking the hard-drive and routing it through network drive to prevent the virus (if any) from spreading?

K

INTERNET

1

Is there any proper policy regarding the use of internet by the employees?

2

Does the policy identify the specific assets that the firewall is intended to protect and the objectives of that protection?

3

Does the policy support the legitimate use and flow of data and information?

4

Is information passing through firewall is properly monitored?

5

Determine whether management approval of the policy has been sought and granted and the date of the most recent review of the policy by the management?

6

Is the policy properly communicated to the users and awareness is maintained?

7

Have the company employed a Firewall Administrator?

8

Is firewall configured as per security policy?

9

Is URL screening being performed by Firewall?

10

Is anti-virus inspection enabled?

11

Are packets screened for the presence of prohibited words? If so, determine how the list of words is administered and maintained.

12

Are access logs regularly reviewed and any action is taken on questionable entries?

L

CONTINUITY OF OPERATIONS