5.1 Use the Internet. Identify the steps/third-party applications that can aid in the auditing of the databases you installed in your OS.

5.2 Creating and Implementing an Audit

You have been hired as the lead auditor within your own company. You are to create and implement an internal informal database auditing schedule for the organization. Create a paper that responds to the following:

1. Create a table that includes a rotating schedule for the 12 months of auditing. Include columns that identify time estimations for each audit listed.
2. Create a planning and preparation checklist common to all audits as a whole.
3. Identify any special planning and preparation needed for each individual audit.
4. Identify the scope for each audit and identify any special considerations that need to be addressed.
5. Create a list of at least 5 audit activities for each audit.
6. Describe any special considerations unique to your installed database that must be addressed.

Note: the answer will vary. Think about the size of the company and the nature of the business. Is there any industry-specific law to comply with, like HIPAA for a hospital?
5.1 - Steps/third-party applications that can aid in the auditing of the databases you installed in your OS

- IT general controls (ITGCs) are basic controls that can be applied to IT systems such as applications, operating systems, databases and supporting IT infrastructure. The objective of ITGCs is to ensure the integrity of the data and processes that the systems support.
5.2 - Creating and Implementing an Audit

1 - 12-month rolling schedule

Activities – Audit planning | Month | Scope – Special consideration
ORGANISATION AND ADMINISTRATION | January |
PROGRAM MAINTENANCE | February | As mentioned in the checklist below
SYSTEM DEVELOPMENT | March | As mentioned in the checklist below
Purchased Software | April |
Access to data files | May | As mentioned in the checklist below
Computer Processing | June | As mentioned in the checklist below
Access Controls | July |
Application controls – Input | August |
Output and Processing | September |
Viruses | October |
Internet | November |
Continuity of operations | December | As mentioned in the checklist below
Answer to points 2, 3 and 4 above - planning and preparation checklist common to all audits as a whole.

No. | Description | Yes | No | N/A
A | ORGANISATION AND ADMINISTRATION | | |
- | Audit Objective: Does the organization of data processing provide for adequate segregation of duties? | | |
- | Audit Procedures: Review the company organization chart and the data processing department organization chart. | | |
1 | Is there a separate EDP department within the company? | | |
2 | Is there a steering committee where the duties and responsibilities for managing MIS are clearly defined? | | |
3 | Has the company developed an IT strategy linked with the long- and medium-term plans? | | |
4 | Is the EDP department independent of the user departments and in particular the accounting department? | | |
5 | Are there written job descriptions for all jobs within the EDP department, and are these job descriptions communicated to the designated employees? | | |
6 | Are EDP personnel prohibited from having incompatible responsibilities or duties in user departments and vice versa? | | |
7 | Are there written specifications for all jobs in the EDP department? | | |
8 | Are the following functions within the EDP department performed by separate sections: | | |
9 | Are the data processing personnel prohibited from duties relating to: | | |
10 | Is all processing pre-scheduled and authorized by appropriate personnel? | | |
11 | Are there procedures to evaluate and establish who has access to the data in the database? | | |
12 | Are the EDP personnel adequately trained? | | |
13 | Are systems analysts and programmers denied access to the computer room and limited in their operation of the computer? | | |
14 | Are operators barred from making changes to programs and from creating or amending data before, during, or after processing? | | |
15 | Is the custody of assets restricted to personnel outside the EDP department? | | |
16 | Has a strategic data processing plan been developed by the company for the achievement of the long-term business plan? | | |
17 | Are there any key personnel within the IT department whose absence can leave the company with limited expertise? | | |
18 | Are there any key personnel who are being over-relied upon? | | |
19 | Is the EDP audit being carried out by internal audit or an external consultant to ensure compliance with the policies and controls established by management? | | |
B | PROGRAM MAINTENANCE AND SYSTEM DEVELOPMENT | | |
- | Audit Objective: Development of and changes to programs are authorized, tested, and approved prior to being placed in production. | | |
 | Program Maintenance Audit - Procedures | | |
- | Review details of the program library structure, and note controls which allow only authorized individuals to access each library. | | |
- | Note the procedures used to amend programs. | | |
- | Obtain an understanding of any program library management software used. | | |
1 | Are there written standards for program maintenance? | | |
2 | Are these standards adhered to and enforced? | | |
3 | Are these standards reviewed regularly and approved? | | |
4 | Are there procedures to ensure that all programs required for maintenance are kept in a separate program test library? | | |
5 | Are programmers denied access to all libraries other than the test library? | | |
6 | Are changes to programs initiated by written request from the user department and approved? | | |
7 | Are changes initiated by the Data Processing Department communicated to users and approved by them? | | |
8 | Are there adequate controls over the transfer of programs from production into the programmer's test library? | | |
9 | Are all systems developed, or changes to existing systems, tested according to user-approved test plans and standards? | | |
10 | Are tests performed for system acceptance, and is the test data documented? | | |
11 | Are transfers from the development library to the production library carried out by persons independent of the programmers? | | |
12 | Do procedures ensure that no such transfer can take place without the change having been properly tested and approved? | | |
13 | Is a report of program transfers into production reviewed on a daily basis by a senior official to ensure only authorized transfers have been made? | | |
14 | Are all program changes properly documented? | | |
15 | Are all changed programs immediately backed up? | | |
16 | Is a copy of the previous version of the program retained (for use in the event of problems arising with the amended version)? | | |
17 | Are there standards for emergency changes to be made to application programs? | | |
18 | Are there adequate controls over program recompilation? | | |
19 | Are all major amendments notified to internal audit for comment? | | |
20 | Are there adequate controls over authorization, implementation, approval and documentation of changes to operating systems? | | |
C | SYSTEM DEVELOPMENT | | |
1 | Are there formalized standards for the system development life cycle procedure? | | |
2 | Do they require authorization at the various stages of development – feasibility study, system specification, testing, parallel running, post-implementation review, etc.? | | |
3 | Do the standards provide a framework for the | | |
4 | Are standards regularly reviewed and updated? | | |
5 | Does adequate system documentation exist for: | | |
6 | Has the internal audit department been involved in the design stage to ensure adequate controls exist? | | |
7 | Testing of programs - see Program Maintenance. | | |
8 | Procedures for authorizing new applications to production - see Program Maintenance. | | |
9 | Are user and data processing personnel adequately trained to use the new applications? | | |
10 | Is system implementation properly planned and implemented by either a parallel run or a pilot run? | | |
11 | Are any differences and deficiencies during the implementation phase noted and properly resolved? | | |
12 | Are there adequate controls over the setting up of the standing data and opening balances? | | |
13 | Is a post-implementation review carried out? | | |
14 | Are user manuals prepared for all new systems developed and revised for subsequent changes? | | |
15 | Is there a Quality Assurance function to verify the integrity and acceptance of applications developed? | | |
D | PURCHASED SOFTWARE | | |
1 | Are there procedures addressing controls over the selection, testing and acceptance of packaged software? | | |
2 | Is adequate documentation maintained for all software purchased? | | |
3 | Are vendor warranties (if any) still in force? | | |
4 | Is the purchased software held in escrow? | | |
5 | Are backup copies of the user/operations manuals kept off-site? | | |
13 | Are staff prohibited from sharing machines (laptops/desktops)? | | |
14 | Is software reloaded from the master diskettes after machine maintenance? | | |
15 | Have all staff been advised of the virus prevention procedures? | | |
16 | Are downloads from the internet controlled by locking the hard drive and routing them through a network drive to prevent the virus (if any) from spreading? | | |
K | INTERNET | | |
1 | Is there a proper policy regarding the use of the internet by employees? | | |
2 | Does the policy identify the specific assets that the firewall is intended to protect and the objectives of that protection? | | |
3 | Does the policy support the legitimate use and flow of data and information? | | |
4 | Is information passing through the firewall properly monitored? | | |
5 | Determine whether management approval of the policy has been sought and granted, and the date of the most recent review of the policy by management. | | |
6 | Is the policy properly communicated to the users, and is awareness maintained? | | |
7 | Has the company employed a Firewall Administrator? | | |
8 | Is the firewall configured as per the security policy? | | |
9 | Is URL screening being performed by the firewall? | | |
10 | Is anti-virus inspection enabled? | | |
11 | Are packets screened for the presence of prohibited words? If so, determine how the list of words is administered and maintained. | | |
12 | Are access logs regularly reviewed, and is action taken on questionable entries? | | |
L | CONTINUITY OF OPERATIONS | | |
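As an added example (not part of the original answer), a short Python helper that turns the access-control items of the checklist above (A.11, A.14, B.5 and B.11) into a repeatable evidence-gathering step: it reads an export of database grants and flags the ones that break the segregation of duties those items ask about. The export format, the department labels and the rules are assumptions made for this illustration, and the sample data is constructed.

```python
"""Evidence-gathering helper for the access-control checklist items A.11, A.14, B.5 and B.11.
Reads a constructed grant export (account,department,object,privilege per line) and flags
grants that break the segregation of duties the checklist asks about. Rules are assumptions."""
from collections import defaultdict

# Constructed sample export for the example; not taken from any real system.
GRANT_EXPORT = """\
alice,programmer,test_lib.orders,SELECT
alice,programmer,prod.orders,UPDATE
alice,programmer,prod.program_lib,DEPLOY
bob,operator,prod.orders,SELECT
bob,operator,prod.payroll,INSERT
carol,accounting,prod.ledger,SELECT
dave,dba,prod.*,ALL
erin,release_mgr,prod.program_lib,DEPLOY
"""

WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE", "ALL"}

def parse_grants(text):
    """Return (account, department, object, privilege) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            rows.append(tuple(p.strip() for p in line.split(",")))
    return rows

def audit_grants(rows):
    """Apply the segregation-of-duties rules; findings are keyed by checklist item."""
    findings = defaultdict(list)
    for account, dept, obj, priv in rows:
        in_prod = obj.startswith("prod.")
        # B.5: programmers are limited to the test library; any production grant is a finding.
        if dept == "programmer" and in_prod:
            findings["B.5"].append(f"{account} has {priv} on {obj}")
        # B.11: transfers into production must be done by someone independent of programmers.
        if dept == "programmer" and priv == "DEPLOY":
            findings["B.11"].append(f"{account} can deploy to {obj}")
        # A.14: operators must not create or amend data before, during or after processing.
        if dept == "operator" and priv in WRITE_PRIVS:
            findings["A.14"].append(f"{account} has {priv} on {obj}")
        # A.11: list everyone who can reach production data, as input for the access review.
        if in_prod and priv != "DEPLOY":
            findings["A.11"].append(f"{account} ({dept}): {priv} on {obj}")
    return dict(findings)

if __name__ == "__main__":
    for item, entries in sorted(audit_grants(parse_grants(GRANT_EXPORT)).items()):
        print(item, *entries, sep="\n    ")
```

Each finding is tagged with the checklist item it supports, so the output can be pasted directly into the audit working papers as evidence for a Yes/No answer.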