2C5_paper


    7/28/2019 2C5_paper (page 1 of 8)

    Note: This audit programme is used for an IT General Controls Audit with a limited scope and should not be used on a broad basis. A risk assessment is also necessary in the planning phase to define the scope.

    Recommendation: An IT audit should be completed by a certified IT auditor, preferably a CISA (Certified Information Systems Auditor).

    2011 John Wallhoff, Scillani Information AB, in cooperation with Gasss Syd AB

    IT General Controls Audit programme

    Limited Scope with ITIL support

    to ensure reliability for Financial Statements

    This audit programme is provided to support the presentation:

    Passing the audit - Responding on IT General Controls with ITIL

    Presented by

    John Wallhoff (CISA, CISM, CISSP, PSM)


    IT General Controls - Audit Programme - Limited Scope with ITIL support (Risk Assessment Summary on the last page)

    Columns: Ref | Control | Tests of control | ITIL support | Significance (High / Medium / Low) | Observations | Risk | Recommendation

    The Significance, Observations, Risk and Recommendation columns are left blank in the programme for the auditor to complete; each control below lists the remaining columns.

    Entity Level - High level governance and control (Control environment):

    1 Strategies and plans shall be implemented and accurate
      Tests of control: Has management prepared strategies and plans? Obtain a copy of the IT Strategy.
      ITIL support: SS 3.3, SS 3.5, SS 4.1, SS 4.2, SS 4.3, SS 4.4, SS 5.5, SS 6.5

    2 Policies and procedures
      Tests of control: Does IT Management periodically review policies and procedures? Obtain a copy from the latest review.
      ITIL support: SS 2.6, SD 6.2, SD 6.4, ST 6.3, SD 6.6, CSI 6

    3 Risk Management framework and activities
      Tests of control: Does the IT organization have a Risk Management framework to assess information in financial systems? Obtain evidence that risks have been assessed and are accurate.
      ITIL support: SD 6.3, SO 5.13, SO 5.14


    4 Training and education
      Tests of control: Has staff received ongoing training for daily operating procedures and security practices? Obtain evidence of plans and training provided.
      ITIL support: SD 6.3, SO 5.13, SO 5.14

    5 Quality assurance
      Tests of control: Does a quality plan exist? Obtain a copy of the quality plan.
      ITIL support: SS 7.5, ST 4.4.5.3, CSI 5.2, CSI 5.3, CSI 5.4

    6 Internal audit
      Tests of control: Has an internal audit reviewed activities within IT? Review observations and outstanding recommendations.
      ITIL support: -

    Activity-Level: Controlling the IT operations environment:

    7 Acquire and Maintain Application Software
      Tests of control: Is a formal development lifecycle used for acquisition and maintenance of software? Obtain a copy of the methodology (SDLC or similar).
      ITIL support: SS 6.5, SD 3.5, SD 3.6, SD 3.9, SD 3.11, SD 5.3, SD 7, ST 3.2.3, ST 4.1.4, ST 4.1.5


    8 Acquire and Maintain Technology Infrastructure
      Tests of control: Are there documented procedures to ensure that acquired network devices and software are based on the requirements for financial systems? Obtain evidence of the procedures, select a sample of implementations and review the documentation.
      ITIL support: SD 3.6.3, SD 4.6.5.1, SO 5.4, SO 5.5, SO 5.7, SO 5.8, SO 5.9, SO 5.10, SO 5.11, ST 4.4.5.1, ST 4.4.5.2, ST 4.4.5.3, ST 4.5.5.7, ST 4.5.7

    9 Enable Operations
      Tests of control: Are policies and procedures documented and updated for development, change, access and operations? Select a sample of projects and verify that the documentation complies with the requirements in policies and procedures.
      ITIL support: SS 6.4


    10 Install and Accredit Solutions and Changes
      Tests of control: Are testing plans prepared and used for significant changes? Select a sample of projects and verify that tests have been completed according to the development methodology and change management procedures.
      ITIL support: ST 3.2.14, ST 4.4.5.4, ST 4.5.5.5, ST 4.5.5.6

    11 Manage Changes
      Tests of control: Have change requests been standardized, and are all changes logged, approved and documented according to a formal change management process? Evaluate the change management process, select a sample of change requests and review the process.
      ITIL support: ST 3.2, ST 4.2, ST 6.3, ST 6.4
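    The sample test for control 11 can be re-performed mechanically when the change-management tool exports its records. The script below is an added example and is not part of Wallhoff's programme: the CSV columns, the change ids and timestamps, and the exception rules (no approval, self-approval, approval dated after implementation, missing test evidence, not closed) are assumptions chosen to illustrate the test, not the format of any real product. It reports the exceptions an auditor would carry into the Observations column.

```python
"""Sample-based test of control 11 (Manage Changes) over an export of change records.

Added example: the CSV layout, record ids and exception rules are assumptions,
not taken from the audit programme or from any change-management product.
"""
import csv
import io
import random
from datetime import datetime

# Constructed sample export (not real data). One row per change request.
SAMPLE_EXPORT = """\
change_id,requester,approver,approved_at,implemented_at,test_evidence,closed
CHG-1001,alice,bob,2011-03-01T09:00,2011-03-02T22:00,TEST-77,yes
CHG-1002,carol,,,2011-03-05T01:00,,yes
CHG-1003,dave,dave,2011-03-06T10:00,2011-03-06T23:00,TEST-81,yes
CHG-1004,erin,bob,2011-03-10T08:00,2011-03-09T20:00,TEST-90,yes
CHG-1005,frank,bob,2011-03-12T08:00,2011-03-12T21:00,,no
"""


def parse_records(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_ts(value):
    """Timestamps are 'YYYY-MM-DDTHH:MM'; an empty field means 'not recorded'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M") if value else None


def check_change(record):
    """Return the exceptions for one change record (empty list = no exception).

    The rules encode what the programme asks the auditor to verify: every change
    is logged, approved before it is implemented, documented with test evidence
    and closed. The self-approval rule is an added segregation-of-duties check.
    """
    exceptions = []
    approved_at = _parse_ts(record["approved_at"])
    implemented_at = _parse_ts(record["implemented_at"])

    if not record["approver"] or approved_at is None:
        exceptions.append("not approved")
    elif record["approver"] == record["requester"]:
        exceptions.append("self-approved")
    elif implemented_at is not None and approved_at > implemented_at:
        exceptions.append("approved after implementation")

    if not record["test_evidence"]:
        exceptions.append("no test evidence")
    if record["closed"].strip().lower() != "yes":
        exceptions.append("not closed")
    return exceptions


def select_sample(records, sample_size, seed):
    """Draw a reproducible random sample so the selection can be re-performed."""
    if sample_size is None or sample_size >= len(records):
        return list(records)
    return random.Random(seed).sample(records, sample_size)


def run_control_test(export_text, sample_size=None, seed=0):
    """Test a sample of change records and summarise the result for the work paper."""
    records = parse_records(export_text)
    sample = select_sample(records, sample_size, seed)
    exceptions = {}
    for record in sample:
        found = check_change(record)
        if found:
            exceptions[record["change_id"]] = found
    return {
        "tested": len(sample),
        "exceptions": exceptions,
        "exception_rate": len(exceptions) / len(sample) if sample else 0.0,
    }


if __name__ == "__main__":
    result = run_control_test(SAMPLE_EXPORT)
    print(f"Tested {result['tested']} change records, "
          f"{len(result['exceptions'])} with exceptions "
          f"({result['exception_rate']:.0%}).")
    for change_id, found in sorted(result["exceptions"].items()):
        print(f"  {change_id}: {', '.join(found)}")
```

    The seeded sample keeps the selection reproducible, which matters when a reviewer re-performs the test; the exception rate and the per-record findings are what go into the Observations and Risk columns, while the judgement on significance remains with the auditor.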

    12 Define and Manage Service Levels
      Tests of control: Are service levels defined and managed for financial systems? Obtain a sample of service level agreements and review the content to evaluate whether the agreed service level meets the systems' requirements.
      ITIL support: SD 4.2, SD 4.1


    13 Manage Third-party Services
      Tests of control: Are vendors used for outsourcing selected in accordance with internal policies? Obtain evidence that outsourced services have been selected properly.
      ITIL support: SD 4.2.5.9, SD 4.7.5.1, SD 4.7.5.2, SD 4.7.5.3, SD 4.7.5.4, SD 4.7.5.5

    14 Ensure Systems Security
      Tests of control: Is the IT/Information security policy up-to-date? Obtain a copy of the IT and Information Security Policy.
      ITIL support: SD 4.6.4

    15 Manage the Configuration
      Tests of control: Are configurations tested periodically to ensure that infrastructure and network devices are properly configured? Review network and software, select a sample of configuration items and verify that the configuration is in accordance with the documentation.
      ITIL support: SD 4.6.5.1, SO 5.4, SO 5.5, SO 5.7, SO 5.8, SO 5.9, SO 5.10, SO 5.11


    16 Manage Problems and Incidents
      Tests of control: Does the problem management system provide an audit trail to incident management and the underlying cause? Review a sample of problem records and evaluate if an audit trail exists.
      ITIL support: SO 4.4.5.2, SO 4.4.5.5, SO 4.4.5.6, SO 4.4.5.7, SO 4.4.5.8

    17 Manage Data
      Tests of control: Has restoration of backups been tested periodically? Obtain a test document and review the scope and output of the test.
      ITIL support: SO 5.2.3

    18 Manage Operations
      Tests of control: Are standard procedures established for IT operations? Obtain a sample of standard procedures.
      ITIL support: SO 3.7, SO 5, SO 4.2.5.5, SO 4.3.5.6, SO 5.2.2, SO 5.3

    19 End-user Computing
      Tests of control: Are systems developed and maintained by users regularly backed up and stored in a secure area? Inquire if end-user systems are used and how backup procedures are handled.
      ITIL support: SO 5.2.3


    20 Ensure Continuous Service
      Tests of control: Are change control procedures provided to ensure that the continuity plan is up-to-date and reflects the current business requirements? Obtain a copy of the continuity plan and review whether it is accurate and up-to-date.
      ITIL support: SD 4.5.5.4

    Risk Assessment Summary

    Review and approval (Name / Signature / Date):
      Self-assessment:
      Review/approval: