7/28/2019 2C5_paper
1/8
Page: 1
Note: This audit programme is used for an IT General Controls Audit with a limited scope and should not be used on a broad basis. A risk assessment is also necessary in the planning phase to define the scope.
Recommendation: An IT audit should be completed by a certified IT auditor, preferably a CISA (Certified Information Systems Auditor).
2011 John Wallhoff, Scillani Information AB in cooperation with Gasss Syd AB
IT General Controls Audit programme
Limited Scope with ITIL support
to ensure reliability for Financial Statements
This audit programme is provided to support the presentation:
Passing the audit - Responding on IT General Controls with ITIL
Presented by
John Wallhoff (CISA, CISM, CISSP, PSM)
IT General Controls - Audit Programme - Limited Scope with ITIL support (Risk Assessment Summary on the last page)

Columns: Ref | Control | Tests of control | ITIL support | Significance (High / Medium / Low) | Observations | Risk | Recommendation

The Significance, Observations, Risk and Recommendation columns are not pre-filled in the programme; they are completed during the audit. Each entry below lists the Ref and Control, the Tests of control, and the supporting ITIL references.
Entity Level - High level governance and control (Control environment):

1  Strategies and plans shall be implemented and accurate
   Tests of control: Has management prepared strategies and plans? Obtain a copy of the IT Strategy.
   ITIL support: SS 3.3, SS 3.5, SS 4.1, SS 4.2, SS 4.3, SS 4.4, SS 5.5, SS 6.5

2  Policies and procedures
   Tests of control: Does IT Management periodically review policies and procedures? Obtain a copy of the latest review.
   ITIL support: SS 2.6, SD 6.2, SD 6.4, ST 6.3, SD 6.6, CSI 6

3  Risk Management framework and activities
   Tests of control: Does the IT organization have a Risk Management framework to assess information in financial systems? Obtain evidence that risks have been assessed and are accurate.
   ITIL support: SD 6.3, SO 5.13, SO 5.14
4  Training and education
   Tests of control: Has staff received ongoing training for daily operating procedures and security practices? Obtain evidence of plans and training provided.
   ITIL support: SD 6.3, SO 5.13, SO 5.14

5  Quality assurance
   Tests of control: Does a quality plan exist? Obtain a copy of the quality plan.
   ITIL support: SS 7.5, ST 4.4.5.3, CSI 5.2, CSI 5.3, CSI 5.4

6  Internal audit
   Tests of control: Has an internal audit reviewed activities within IT? Review observations and outstanding recommendations.
   ITIL support: -

Activity-Level: Controlling the IT operations environment:

7  Acquire and Maintain Application Software
   Tests of control: Is a formal development lifecycle used for acquisition and maintenance of software? Obtain a copy of the methodology (SDLC or similar).
   ITIL support: SS 6.5, SD 3.5, SD 3.6, SD 3.9, SD 3.11, SD 5.3, SD 7, ST 3.2.3, ST 4.1.4, ST 4.1.5
8  Acquire and Maintain Technology Infrastructure
   Tests of control: Are there documented procedures to ensure that acquired network devices and software are based on requirements for financial systems? Obtain evidence of the procedures, select a sample of implementations and review the documentation.
   ITIL support: SD 3.6.3, SD 4.6.5.1, SO 5.4, SO 5.5, SO 5.7, SO 5.8, SO 5.9, SO 5.10, SO 5.11, ST 4.4.5.1, ST 4.4.5.2, ST 4.4.5.3, ST 4.5.5.7, ST 4.5.7

9  Enable Operations
   Tests of control: Are policies and procedures documented and updated for development, change, access and operations? Select a sample of projects and verify that the documentation complies with the requirements in policies and procedures.
   ITIL support: SS 6.4
10 Install and Accredit Solutions and Changes
   Tests of control: Are testing plans prepared and used for significant changes? Select a sample of projects and verify that tests have been completed according to the development methodology and change management procedures.
   ITIL support: ST 3.2.14, ST 4.4.5.4, ST 4.5.5.5, ST 4.5.5.6

11 Manage Changes
   Tests of control: Have change requests been standardized, and are all changes logged, approved and documented according to the formal change management process? Evaluate the change management process, select a sample of change requests and review the process.
   ITIL support: ST 3.2, ST 4.2, ST 6.3, ST 6.4

12 Define and Manage Service Levels
   Tests of control: Are service levels defined and managed for financial systems? Obtain a sample of service level agreements and review their content to evaluate whether the agreed service level meets the systems' requirements.
   ITIL support: SD 4.2, SD 4.1
13 Manage Third-party Services
   Tests of control: Are vendors used for outsourcing selected in accordance with internal policies? Obtain evidence that outsourced services have been selected properly.
   ITIL support: SD 4.2.5.9, SD 4.7.5.1, SD 4.7.5.2, SD 4.7.5.3, SD 4.7.5.4, SD 4.7.5.5

14 Ensure Systems Security
   Tests of control: Is the IT/Information security policy up-to-date? Obtain a copy of the IT and Information Security Policy.
   ITIL support: SD 4.6.4

15 Manage the Configuration
   Tests of control: Are configurations tested periodically to ensure that infrastructure and network devices are properly configured? Review network and software, select a sample of configuration items and verify that the configuration is in accordance with the documentation.
   ITIL support: SD 4.6.5.1, SO 5.4, SO 5.5, SO 5.7, SO 5.8, SO 5.9, SO 5.10, SO 5.11
16 Manage Problems and Incidents
   Tests of control: Does the problem management system provide an audit trail to incident management and the underlying cause? Review a sample of problem records and evaluate whether an audit trail exists.
   ITIL support: SO 4.4.5.2, SO 4.4.5.5, SO 4.4.5.6, SO 4.4.5.7, SO 4.4.5.8

17 Manage Data
   Tests of control: Has restoration of backups been tested periodically? Obtain a test document and review the scope and output of the test.
   ITIL support: SO 5.2.3

18 Manage Operations
   Tests of control: Are standard procedures established for IT operations? Obtain a sample of the standard procedures.
   ITIL support: SO 3.7, SO 5, SO 4.2.5.5, SO 4.3.5.6, SO 5.2.2, SO 5.3

19 End-user Computing
   Tests of control: Are systems developed and maintained by users regularly backed up and stored in a secure area? Inquire whether end-user systems are used and how backup procedures are handled.
   ITIL support: SO 5.2.3
20 Ensure Continuous Service
   Tests of control: Are change control procedures in place to ensure that the continuity plan is up-to-date and reflects the current business requirements? Obtain a copy of the continuity plan and review whether it is accurate and up-to-date.
   ITIL support: SD 4.5.5.4

Risk Assessment Summary

Review and approval (Name / Signature, Date):
   Self-assessment:  ____________________  Date: __________
   Review/approval:  ____________________  Date: __________