8/3/2019 Audit Programs - ICT
1/15
ACTIVITY | OBJECTIVE/RISK | KEY CONTROLS | AUDIT TEST | RESULTS / WORK PAPER REF.

Activity: Data centre operations

Objective/Risk: To ensure that roles are well defined, and that controls are established and followed, to ensure proper management of ICT resources.
Key controls: The ICT department should be independent of the user departments, particularly in the processing of transactions. (Flexcube manual page 8)
Audit test: Verify whether the ICT department is independent of the user departments, in particular the accounting/finance department. Check that the ICT team is not involved in the processing of entries, neither inputting nor authorizing transactions.

Objective/Risk: Corruption of data and loss/damage to other IT resources by unauthorized persons.
Key controls: Entry to the data centre is restricted to authorized persons only. Entry of unauthorized persons should be recorded in a register indicating the following:
- the name of the visitor
- date and time of entry
- the purpose of visit
- the time of exit
- signature/initial of the visitor.
The register must be reviewed and initialed by the Manager, ICT. (Flexcube manual page 8)
Audit test: Is there strict control of entry and exit into the Data Centre? Is there a register to record entry into the Data Centre? Review the register to confirm that it contains the following information on people who enter the Data Centre:
- the name of the person
- the date and time of entry
- the purpose of the entry
- the time of exit
- signature/initial of the visitor.
Check whether the register is reviewed and initialed by senior personnel of ICT.

Objective/Risk: Corruption of data and loss/damage to other IT resources by unauthorized persons.
Key controls: The list of personnel authorized to enter the Data Centre must be displayed in the Data Centre. Visitors to the Data Centre must be accompanied by authorized personnel at all times. (Flexcube manual page 8)
Audit test: Verify whether there is a list of authorized personnel in the Data Centre. Are unauthorized personnel in the Data Centre always accompanied by a staff member, and do they fill in the required information in the entrance register?

Objective/Risk: Inefficiencies arising from overlapping roles.
Key controls: The role of ICT is segregated into Business Systems and Infrastructure Systems functions, and there is no overlapping of duties between the two units. (ICT Continuity Plan Chapter 2)
Audit test: Review the organization chart of the ICT department. Is there segregation of duties between the Business Systems and Infrastructure Systems teams? Check for any overlapping roles between the two units.

Key controls: A job description will be given to each staff member of the ICT team outlining the responsibilities of every ICT team member. (HR procedure manual)
Audit test: By reviewing a sample of staff files, ensure that the roles are clearly defined for each staff member. Check that the job description for each staff member matches the roles being undertaken by the staff.
Activity: Data centre operations (contd)

Key controls: The ICT team will be continuously trained, coached and guided in their designated roles.
Audit test: Review that all ICT staff members are adequately trained and experienced to handle their designated roles.

Objective/Risk: Interruption to information processing due to inappropriately implemented system changes.
Key controls: System changes will be thoroughly tested prior to implementation, and user acceptance tests (UATs) done prior to implementation. The UAT results should be properly documented. Any exceptions noted in the course of User Acceptance Testing must be resolved before live implementation of the system. Users and data processing personnel should be adequately trained to handle all new applications.
Audit test: Check that changes to systems or implementation of new systems are approved prior to implementation. Is adequate testing done prior to implementation? Are user acceptance tests properly conducted and documented? Verify that any exceptions noted during User Acceptance Testing are resolved prior to live implementation. Are users and data processing personnel adequately trained to use new applications?

Objective/Risk: Business disruption when new changes fail and previous applications are not maintained.
Key controls: Retain copies of all previous versions of programs and applications being replaced or upgraded. Changes to any applications and programs should be documented and authorized before implementation. Thereafter a post-implementation review is carried out and the results analyzed.
Audit test: Verify that a copy of the previous version of the program is retained for use in the event of problems arising with the amended version. Are there controls over authorization, implementation and documentation of changes to operating systems? Are post-implementation reviews carried out, and the results documented and analysed?

Objective/Risk: Ensure that staff are aware of how to carry out various activities.
Key controls: Manuals must be prepared for all applications and systems in use at the Bank. Subsequent updates must be done for all revisions and upgrades. At least one copy of the user manual must be kept off-site.
Audit test: Are user manuals prepared for all new systems developed, and revised for subsequent changes? Ensure that copies of the user/operations manuals are kept off-site.

Objective/Risk: Unauthorized procurement of ICT resources.
Key controls: All purchases of software and other ICT resources must be appropriately approved.
Audit test: For purchased software, check that approval was obtained for the purchase. Are there procedures addressing controls over selection, testing and acceptance of packaged software? Have these been followed? Are vendor warranties still in force for new software obtained?
Activity: Systems access security

Objective/Risk: To ensure that information systems are accessed by authorized persons only. To guard against the risk of unauthorized access to the bank's information resources.
Key controls: The Information Security Policy details the management (i.e. choice, change and protection) of passwords. (Information Security Policy 2.8)
Passwords should contain a minimum of 5 and a maximum of 8 characters and should contain alphanumeric characters. (Information Security Policy 2.8.1)
Each user will be allocated a unique password and a unique user account. (Information Security Policy 2.7.4)
Users who forget their passwords should fill in the System User Access Profile form, which is then authorized by their departmental heads before submission to ICT. (Information Security Policy 2.8.2)
Audit test: Do formal procedures exist for the issue and subsequent control of passwords? Is proper password syntax being used, i.e. minimum 5 and maximum 8 characters, including alphanumeric characters? Is each user allocated a unique password and user account? Are there satisfactory procedures for re-issuing passwords to users who have forgotten theirs?

Objective/Risk: Unauthorized access to the bank's information resources leading to corruption and manipulation of information.
Key controls: Staff members are assigned user rights commensurate with their roles as per their job descriptions.
Flexcube system passwords must be changed before 30 days, while Network passwords should be changed before expiry of 45 days. Password change prompts/alerts are given before expiry of the respective durations.
Application passwords must not be revealed or shared with any other users. (Information Security Policy 2.8.3 & 5.5)
A Security Violation Report is generated from Flexcube and reviewed on a daily basis by the Assistant Manager, ICT. (FCT Control manual page 17)
Audit test: Check that system access capabilities are properly changed with regard to personnel status changes. Are individual job responsibilities considered when granting users access privileges? Verify that there are procedures in place to ensure forced password change after 30 days for Flexcube and 45 days for the Network. Do terminals automatically log off after a certain period of time? Check that there is a limit on invalid password attempts before the terminal closes down. Check for any case of password sharing by ICT personnel and obtain explanations for such. Are invalid password attempts reported? Review the reports.
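The password-syntax and forced-change rules above are concrete enough to test mechanically. The following is an added example, not part of the audit program or of the bank's own tooling: it implements the rules exactly as the page states them (5 to 8 characters, alphanumeric; Flexcube passwords changed within 30 days, Network passwords within 45 days, with a prompt before expiry) and produces the list of stale accounts an auditor would want when verifying the forced-change procedure. The account records are constructed, and the five-day prompt lead time (WARN_DAYS) and the reading of "alphanumeric" as "at least one letter and one digit" are assumptions the page does not spell out.

```python
"""Password policy checks for the rules in the audit program above.

Added example; not the bank's own code. Policy values are taken from the
page (Information Security Policy 2.8.1 and the 30/45-day change rule);
WARN_DAYS and the sample accounts are constructed for illustration.
"""
from datetime import date

MIN_LEN, MAX_LEN = 5, 8                       # Information Security Policy 2.8.1
MAX_AGE_DAYS = {"flexcube": 30, "network": 45}  # forced-change periods on the page
WARN_DAYS = 5  # assumed lead time for the expiry prompt; the page gives no figure


def password_syntax_findings(password):
    """Return the policy rules the password breaks (empty list = compliant)."""
    findings = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        findings.append(f"length {len(password)} outside {MIN_LEN}-{MAX_LEN}")
    # "alphanumeric" interpreted as letters and digits both present (assumption)
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        findings.append("must mix letters and digits (alphanumeric)")
    return findings


def password_age_status(system, last_changed, today):
    """Classify a password as 'ok', 'expiring' (prompt due) or 'expired'."""
    max_age = MAX_AGE_DAYS[system.lower()]
    age = (today - last_changed).days
    if age >= max_age:
        return "expired"
    if age >= max_age - WARN_DAYS:
        return "expiring"
    return "ok"


def stale_password_report(accounts, today):
    """Accounts whose password is older than the forced-change period, i.e. the
    cases the 'forced password change' procedure should already have caught."""
    return sorted(
        (a["user"], a["system"], (today - a["last_changed"]).days)
        for a in accounts
        if password_age_status(a["system"], a["last_changed"], today) == "expired"
    )


# Constructed sample data: what an auditor might extract from the two systems.
SAMPLE_ACCOUNTS = [
    {"user": "jdoe",   "system": "flexcube", "last_changed": date(2019, 7, 1)},
    {"user": "asmith", "system": "flexcube", "last_changed": date(2019, 7, 20)},
    {"user": "bkim",   "system": "flexcube", "last_changed": date(2019, 7, 8)},
    {"user": "jdoe",   "system": "network",  "last_changed": date(2019, 6, 1)},
    {"user": "asmith", "system": "network",  "last_changed": date(2019, 7, 25)},
]
AS_OF = date(2019, 8, 3)  # review date, constructed

if __name__ == "__main__":
    for pw in ("ab12c", "abcdefgh", "abcdefgh1"):
        print(pw, password_syntax_findings(pw) or "compliant")
    for user, system, age in stale_password_report(SAMPLE_ACCOUNTS, AS_OF):
        print(f"{user}/{system}: password {age} days old, exceeds {MAX_AGE_DAYS[system]}")
```

Running the block lists jdoe's Flexcube and Network passwords as overdue (33 and 63 days) while bkim's Flexcube password (26 days) is reported as expiring, which is the state the page's prompt/alert control should be producing.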
Activity: Systems access security (contd)

Objective/Risk: Unauthorized access to the bank's information resources leading to corruption and manipulation of information.
Key controls: User access rights are promptly revoked when an employee departs the service of the Bank. Users who proceed on leave are disabled promptly. Users are re-instated on resumption of duty and completion of a System User Access & Profile form.
Users are guided through password management during their induction program when they join the services of the bank. (Information Security Policy 2.8.1)
Audit test: Check whether system access rights are promptly revoked for all employees who leave the services of the Bank. Verify that access rights for users who proceed on leave are deactivated until resumption of duty. Do the users fill in a System User Access & Profile form on duty resumption? Check whether this form is duly approved. Review the training arrangements for staff in designing, changing and protecting their passwords, to ensure restriction of access to systems by unauthorized people.
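The revocation and leave controls above are normally audited by reconciling an HR status list against the account states exported from the system. The following is an added example, not the bank's own tooling: it flags leaver accounts still enabled, accounts left active while the user is on leave, users re-enabled on resumption without an approved System User Access & Profile form, and enabled accounts with no HR owner at all. The HR statuses, account records and the one-day tolerance for "promptly" (GRACE_DAYS) are constructed assumptions.

```python
"""Reconcile HR status against system account state (access-revocation audit test).

Added example; not the bank's own code. Record layout, statuses and GRACE_DAYS
are assumptions made for illustration.
"""
from datetime import date

GRACE_DAYS = 1  # assumed: revocation/disabling expected within one working day


def reconcile_access(hr_records, accounts, today):
    """Return sorted (user, issue) findings.

    hr_records: {user: {"status": "active"|"left"|"on_leave"|"resumed",
                        "effective": date of that status, "form_approved": bool}}
    accounts:   {user: {"enabled": bool}}
    """
    findings = []
    for user, hr in hr_records.items():
        acct = accounts.get(user)
        if acct is None:
            continue  # no account exists, so nothing to revoke
        overdue = (today - hr["effective"]).days > GRACE_DAYS
        suffix = " (overdue)" if overdue else ""
        if hr["status"] == "left" and acct["enabled"]:
            findings.append((user, "leaver account still enabled" + suffix))
        elif hr["status"] == "on_leave" and acct["enabled"]:
            findings.append((user, "account not disabled while on leave" + suffix))
        elif hr["status"] == "resumed" and acct["enabled"] and not hr["form_approved"]:
            findings.append((user, "re-enabled without approved System User Access & Profile form"))
    # Enabled accounts that HR does not know about have no accountable owner.
    for user in sorted(set(accounts) - set(hr_records)):
        if accounts[user]["enabled"]:
            findings.append((user, "enabled account with no HR record"))
    return sorted(findings)


# Constructed sample extracts.
SAMPLE_HR = {
    "jdoe":   {"status": "left",     "effective": date(2019, 7, 25), "form_approved": False},
    "asmith": {"status": "on_leave", "effective": date(2019, 8, 2),  "form_approved": False},
    "bkim":   {"status": "resumed",  "effective": date(2019, 8, 1),  "form_approved": False},
    "cwong":  {"status": "active",   "effective": date(2018, 1, 10), "form_approved": True},
}
SAMPLE_ACCOUNTS = {
    "jdoe": {"enabled": True}, "asmith": {"enabled": True}, "bkim": {"enabled": True},
    "cwong": {"enabled": True}, "svc_old": {"enabled": True},
}
AS_OF = date(2019, 8, 3)

if __name__ == "__main__":
    for user, issue in reconcile_access(SAMPLE_HR, SAMPLE_ACCOUNTS, AS_OF):
        print(f"{user}: {issue}")
```

The "(overdue)" marker separates a control that is merely slow from one that has failed: asmith went on leave yesterday and is within tolerance, while jdoe left nine days ago and is a genuine exception to report.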
Activity: Data control procedures

Objective/Risk: To ensure that transactions are properly processed and that output is complete and accurate. Also to ensure that data/information stored in the bank's systems is not corrupted or destroyed.
Key controls: The Flexcube system will not process any unauthorized transactions. End of Day procedures cannot be commenced in the Flexcube system until all batches of transactions have been authorized. The violation report in the Flexcube system provides details of all exceptional activities performed by the users during the day.
The ICT team does not carry out any data input nor authorize transactions in the system. This responsibility lies with the user departments.
Cut-off times have been set and communicated to all users to ensure that the End of Day process is commenced and completed as scheduled.
The End of Day Process Checklist forms must be completed every day by the End of Day teams.
Audit test: Are all transactions properly authorized before being processed through the computer system? Check whether the system can detect batches or transactions which are input but not authorized. Are there established procedures to ensure that transactions or batches are not lost, duplicated or improperly changed? Check whether an error log is maintained and reviewed to identify recurring errors. Are all errors reported to the user departments for correction? Are persons responsible for data preparation and data entry independent of the output checking staff? Verify that persons responsible for data entry are prevented from amending master file data. Review that users adhere to data cut-off times to enable timely End of Day runs. Peruse the End of Day Process Checklist/sign-off forms file for the review/selected period to ensure that all listed activities are duly completed.
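Three of the controls above describe a checkable rule: EOD may not start while any batch is unauthorized, ICT staff must neither input nor authorize, and input must respect the communicated cut-off. The following is an added example, not Flexcube's own logic or the bank's tooling: it gates the EOD run on batch authorization and builds a small violation report of the kind the page says is reviewed daily. Batch records, the ICT staff list and the cut-off time are constructed; the self-authorization check (the same user inputting and authorizing a batch) is an added maker/checker test that the page's authorization control implies but does not state.

```python
"""End-of-day gate and exception report for the batch-authorization controls above.

Added example; not Flexcube's logic. The batch records, ICT_STAFF and CUTOFF
are constructed; the self-authorization check is an assumption.
"""

ICT_STAFF = {"ictadmin"}  # constructed: ICT must neither input nor authorize


def eod_can_start(batches):
    """Return (ok, blocking_batch_ids): EOD may start only when every batch is authorized."""
    blocking = sorted(b["id"] for b in batches if b.get("authorized_by") is None)
    return (not blocking, blocking)


def violation_report(batches, cutoff_hhmm):
    """Exceptional activities for daily review: self-authorization, ICT staff
    involved in input/authorization, and input after the cut-off time."""
    findings = []
    for b in batches:
        inp, auth = b["input_by"], b.get("authorized_by")
        if auth is not None and auth == inp:
            findings.append((b["id"], "input and authorized by the same user"))
        if inp in ICT_STAFF or auth in ICT_STAFF:
            findings.append((b["id"], "ICT staff involved in input/authorization"))
        if b["input_time"] > cutoff_hhmm:  # zero-padded HH:MM strings compare correctly
            findings.append((b["id"], "input after cut-off time"))
    return sorted(findings)


# Constructed sample batches for one business day.
SAMPLE_BATCHES = [
    {"id": "B001", "input_by": "teller1",  "authorized_by": "super1",  "input_time": "14:05"},
    {"id": "B002", "input_by": "teller2",  "authorized_by": None,      "input_time": "15:40"},
    {"id": "B003", "input_by": "teller1",  "authorized_by": "teller1", "input_time": "16:10"},
    {"id": "B004", "input_by": "ictadmin", "authorized_by": "super1",  "input_time": "17:30"},
]
CUTOFF = "17:00"  # constructed communicated cut-off time

if __name__ == "__main__":
    ok, blocking = eod_can_start(SAMPLE_BATCHES)
    print("EOD may start" if ok else f"EOD blocked by unauthorized batches: {blocking}")
    for batch_id, issue in violation_report(SAMPLE_BATCHES, CUTOFF):
        print(f"{batch_id}: {issue}")
```

On the sample day EOD is blocked by B002, and the report surfaces B003 (maker and checker are the same teller) and B004 (keyed by an ICT account, after the cut-off), which are exactly the items the audit test asks the reviewer to look for.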
Activity: Tapes and disks control / Back-up control

Objective/Risk: To ensure that adequate back-ups are regularly taken to allow data and information to be readily recovered as necessary, and therefore minimum disruption to operations.
Key controls: The Data Back-up Policy defines the back-up requirement for data to minimize exposure to loss of mission-critical data. (Information Security Policy Chapter 10 & the Data Back-up Procedure manual page 2)
The End of Day Process Checklist/sign-off forms must be completed every day by the End of Day team and reviewed by the Manager, ICT.
Audit test: Review the procedure for taking back-ups of system and program files. Does the procedure specify the duration for retaining back-ups? Does the procedure detail how to reinstall the back-ups? Check that back-ups of all database-related files are taken regularly. Verify that daily back-ups are taken. Check for evidence that daily End of Day procedures are executed and back-ups taken. Who manages the End of Day back-up team?

Objective/Risk: Business interruption in the event of system failure and unavailable back-ups. To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: Flexcube data back-up is documented in the Data Back-up Procedure Manual, and the End of Day Process Checklist itemizes the EOD process. (Flexcube Data Back-up Procedure manual & Flexcube End of Day Cycle procedure manual)
The ICT team should be adequately trained and regularly appraised on data back-up processes.
All exceptions for data back-up must be approved by the Senior Manager, ICT.
Audit test: Check that the back-up process is fully documented, showing the following:
- date of data back-up
- type of data back-up (additional or full)
- number of generations
- responsibility for data back-up
- extent of data back-up (files/directories)
- data media on which the back-up data are stored
- data back-up hardware and software (with version number)
- data back-up parameters (type of data back-up)
- storage location of back-up copies
Is the data back-up team adequately and regularly trained on data back-up, the data restoration process, and back-up media retention and storage? Review exceptions during the audit period when daily back-ups were not taken. Obtain explanations for such.

Objective/Risk: To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: Copies of back-up tapes and disks are sent for safe custody at off-site locations, while other copies are stored in a fire-proof safe inside the computer room.
Audit test: Ensure that back-ups are stored at an off-site location away from the Data Centre. Verify that back-up tapes and disks are securely stored at the off-site location. Does the off-site location have adequate physical controls?
Activity: Tapes and disks control / Back-up control (contd)

Objective/Risk: System recovery drawbacks due to non-operational back-ups causing delays in information processing.
Key controls: Regular testing of back-ups must be done and the results documented.
Audit test: Are back-ups regularly tested to ensure their compatibility with the existing system? Have the testing results been documented and reviewed?

Objective/Risk: System recovery drawbacks due to non-operational back-ups causing delays in information processing.
Key controls: A hierarchical back-up cycle is established as follows:
- daily back-ups are retained for 2 weeks
- weekly back-ups are retained for 1 month
- monthly back-ups are retained for 1 year
- end of fiscal year and yearly data back-ups are retained for the long term. (Information Security Policy manual 10.3.1)
Audit test: Check that back-ups are retained for the appropriate period as follows:
- two weeks for daily back-ups
- one month for weekly back-ups
- one year for monthly back-ups
- annual back-ups are retained for the long term.

Objective/Risk: System recovery drawbacks due to non-operational back-ups causing delays in information processing.
Key controls: Multiple back-ups should be generated for monthly and annual back-ups, and each copy stored in a distinct archive storage location. (Information Security Policy manual 10.3.1)
Audit test: Ensure that multiple back-up copies are taken for monthly and annual back-ups and each copy stored in a distinct archive storage location. Identify the locations for each back-up copy.
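The retention cycle and the multiple-copy rule above can be checked against a back-up catalogue. The following is an added example, not the bank's own tooling: it decides which back-ups are still inside their retention window, finds days in the two-week daily window with no daily back-up (the "exceptions when daily back-ups were not taken" the earlier audit test asks to review), and flags monthly or annual sets that do not have at least two copies in distinct locations. The catalogue is constructed, and the page's "1 month" and "1 year" are taken as 30 and 365 days (an assumption).

```python
"""Retention and copy-location checks for the hierarchical back-up cycle above.

Added example; not the bank's own code. Retention periods come from the page
(Information Security Policy manual 10.3.1); the day counts for month/year and
the sample catalogue are assumptions.
"""
from datetime import date, timedelta

RETENTION = {
    "daily": timedelta(days=14),
    "weekly": timedelta(days=30),    # "1 month", assumed 30 days
    "monthly": timedelta(days=365),  # "1 year", assumed 365 days
    "annual": None,                  # long-term: never eligible for disposal
}
MULTI_COPY_TIERS = {"monthly", "annual"}  # tiers that need copies in distinct locations


def should_retain(tier, taken_on, today):
    """Is a back-up of this tier still inside its retention window on `today`?"""
    window = RETENTION[tier]
    return window is None or today - taken_on <= window


def missing_daily_backups(catalogue, today):
    """Dates in the 14 days before `today` with no daily back-up recorded."""
    have = {c["taken_on"] for c in catalogue if c["tier"] == "daily"}
    window = RETENTION["daily"].days
    return [today - timedelta(days=n) for n in range(1, window + 1)
            if today - timedelta(days=n) not in have]


def retention_findings(catalogue, today):
    """(tier, taken_on, issue) for sets past their window or lacking distinct copies.
    catalogue entries: {"tier", "taken_on", "location"}, one entry per physical copy."""
    by_set = {}
    for copy in catalogue:
        by_set.setdefault((copy["tier"], copy["taken_on"]), []).append(copy["location"])
    findings = []
    for (tier, taken_on), locations in sorted(by_set.items()):
        if not should_retain(tier, taken_on, today):
            findings.append((tier, taken_on, "eligible for disposal"))
        if tier in MULTI_COPY_TIERS and len(set(locations)) < 2:
            findings.append((tier, taken_on, "fewer than two distinct locations"))
    return findings


def _copy(tier, d, location):
    return {"tier": tier, "taken_on": d, "location": location}


# Constructed catalogue: daily copies 20 Jul-2 Aug with 28 Jul missing, one stale
# daily, two weekly sets, two monthly sets (one with a single copy), one annual set.
SAMPLE_CATALOGUE = (
    [_copy("daily", date(2019, 7, 20) + timedelta(days=n), "fire-proof safe")
     for n in range(14) if n != 8]
    + [_copy("daily", date(2019, 7, 10), "fire-proof safe"),
       _copy("weekly", date(2019, 7, 5), "fire-proof safe"),
       _copy("weekly", date(2019, 6, 30), "fire-proof safe"),
       _copy("monthly", date(2019, 7, 1), "fire-proof safe"),
       _copy("monthly", date(2019, 7, 1), "off-site vault"),
       _copy("monthly", date(2019, 6, 1), "fire-proof safe"),
       _copy("annual", date(2018, 12, 31), "fire-proof safe"),
       _copy("annual", date(2018, 12, 31), "off-site vault")]
)
AS_OF = date(2019, 8, 3)

if __name__ == "__main__":
    print("days without a daily back-up:", [d.isoformat() for d in missing_daily_backups(SAMPLE_CATALOGUE, AS_OF)])
    for tier, taken_on, issue in retention_findings(SAMPLE_CATALOGUE, AS_OF):
        print(f"{tier} back-up of {taken_on}: {issue}")
```

The "eligible for disposal" findings are the other half of the retention test: back-ups kept beyond their window are not a recovery risk, but they indicate the disposal step of the cycle is not being run, and unmanaged media in the archive is itself a custody concern.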
Activity: Physical & Environmental controls

Objective/Risk: Loss resulting from fire.
Key controls: Smoking should not be permitted inside the Data Centre or near any ICT installation.
Audit test: Check that the building material used around the Data Centre is fire resistant. Ensure that wall and floor coverings are non-combustible. Check that smoking is prohibited in the Data Centre or near any other IT installation.

Objective/Risk: Risk of loss resulting from fire.
Key controls: An automated Fire Suppression System has been installed which will extinguish fire occurrences in the Data Centre by release of Inergen gas. (ICTCP 3.6 (8) Environmental Control Systems)
The Fire Suppression System should be serviced regularly and a certificate of working condition filed. (ICTCP 3.6 Environmental Control Systems)
Audit test: Check whether fire/smoke detectors have been installed in the Data Centre and near all key Electronic Data Processing areas. Have fire extinguishers been installed? Are the fire instructions clearly posted in conspicuous locations? Are fire drills and training regularly conducted? Check whether the fire equipment is regularly inspected and confirmed to be in working condition. Review the maintenance agreements for the fire equipment. Ascertain that they cover the current period.

Objective/Risk: To minimize the risk of loss resulting from water/floods.
Key controls: Major IT installations should be kept raised above the floor to evade the risk of flooding. The Data Centre is fitted with 2 sets of air conditioners. (ICTCP 3.6 (8) Environmental Control Systems)
Audit test: Check that all IT equipment is located above the floor. Is the Data Centre installed with air conditioners which are in working condition? Review this. Check whether the air conditioners are regularly maintained/serviced.

Objective/Risk: Interruption to information processing due to electrical power interruptions.
Key controls: The Data Centre is connected to an automatic Generator Set and a 30KVA MGE Galaxy 3000 UPS connected to the mains supply and the Generator Set. (ICTCP 3.6 (1) Utility Systems)
All PCs are primarily served by standalone UPS for protection against any power failures. (ICTCP 3.6 (1) Utility Systems)
Audit test: Is there a reliable power supply to the Data Centre and other IT locations? Does the bank have an alternative source of power such as a standby generator? Review whether the alternative power supply is regularly serviced. Check whether all computer equipment is supported by standby UPS. Check the general tidiness of the Data Centre. Are there littered papers around the area?
Activity: Virus control

Objective/Risk: To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: The Information Security Policy details the manner of dealing with virus control. (Information Security Policy section 2.13)
Audit test: Is there a formal written anti-virus policy? Check that the policy has been communicated to all employees of the bank.

Objective/Risk: Unapproved software causing corruption of information, hence losses.
Key controls: Software shall be acquired from approved vendors only. Exceptions to this rule must be appropriately sanctioned and approved. (FA procedure manual 1.1 Procurements)
The bank has a standard list of permissible software packages that users can run on their computers, and employees must not install other software packages or permit automatic installation routines on computers. (Information Security Policy manual 8.3)
Audit test: Verify that there is an approved list of software suppliers. Review that software obtained during the audit period was sourced from these vendors. Was any software obtained from unapproved suppliers? Check for approval for such procurements. Is only approved software installed on the bank's computer systems? Is there a master library for authorized software? Who controls access to this library?

Objective/Risk: To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: All attachments to electronic mail messages should be scanned with an authorized virus detection software package before opening and/or execution. (Information Security Policy 5.12)
Employees should not open any attachments from unknown senders without approval from the ICT department. (Information Security Policy manual 5.12)
Audit test: Are directories periodically reviewed for any suspicious files, and reports documented? Check that such reports are reviewed by the Senior Manager, ICT. Check that suspicious files are quarantined and deleted from the computer hard drive and network drive.
Activity: Virus control (contd)

Objective/Risk: To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: All computers must continuously run the current version of the virus detection software, which will be automatically downloaded to each computer when the machine is connected to DTBK's internal networks. (Information Security Policy 8.6)
Audit test: Verify that anti-virus software is installed on all computers. Is the anti-virus software regularly updated with new virus definitions? Verify that diskettes are formatted before re-use. Have procedures been developed to restrict and oversee the transfer of data between machines? Check that staff members have been prohibited from sharing machines.

Objective/Risk: To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: If users suspect infection by a virus, they must stop using the involved computer, turn it off, disconnect it from all networks and call the ICT department. (Information Security Policy 8.8)
Audit test: Have all staff been advised of the virus prevention procedures? Check that staff members inform the ICT team of any suspicion of virus infection.

Objective/Risk: To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: All files downloaded from the internet will be screened with virus detection software prior to use. (Information Security Policy 7.5)
Audit test: Are downloads from the internet controlled by locking the hard drive and routing them through the network drive, to prevent viruses (if any) from spreading?
Activity: Use of the internet

Objective/Risk: The bank has a policy regarding the use of the internet, regulating the flow of data and information.
Key controls: The internet policy applies to all workers who use the internet with DTBK computing or networking resources. Internet users are expected to be familiar with and comply with the policy. (Information Security Policy 7.2)
Access to the internet will be provided only to those employees who have a legitimate need for such access. (Information Security Policy 7.3)
Audit test: Is there a policy regulating the use of the internet? If so, has the policy been properly communicated to the users, and is awareness being maintained? Check whether access to the internet is limited to authorized personnel only. Review prior management approvals for internet access. Are there unauthorized personnel accessing the internet?

Objective/Risk: To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: DTBK firewalls routinely prevent users from connecting to certain non-business web sites. (Information Security Policy 7.24)
Audit test: Check whether firewalls (security systems used to control and restrict internet use) have been installed at the bank to protect the bank's information resources.

Objective/Risk: To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: All non-text files (databases, software object code, spreadsheets, formatted word processing package files, etc.) downloaded from non-DTBK sources via the internet will be screened with virus detection software prior to being used. (Information Security Policy 7.5)
Audit test: Review that all non-text files downloaded from the internet are screened for viruses prior to being used. Is there evidence of testing of non-trusted material or software prior to use?

Objective/Risk: To minimize the risk of business interruptions occasioned by virus attacks on systems the bank is running on.
Key controls: The management reserves the right to examine, without prior notice, all information passing through or stored on the DTBK computers. (Information Security Policy 7.25)
Audit test: Does the management conduct random reviews of electronic mail, files on personal computers, web browser cache files, logs of web sites visited and other information stored on DTBK computers to assure compliance with internal policies? Review the action taken in cases where violations are observed.
Activity: Personnel policies

Objective/Risk: To ensure that appropriate personnel policies exist, allowing for segregation of duties.
Key controls: All new staff members are provided with job descriptions and are sufficiently inducted into the ICT Department. (HR Policies & Procedure manual 7.4.1)
Audit test: Are new employees recruited according to job descriptions and specifications? Are new personnel sufficiently trained/inducted to handle their roles as enumerated in their job descriptions?

Objective/Risk: Poor performance, and hence productivity, of staff, adversely affecting the overall performance of the Bank.
Key controls: Staff members are given on-the-job training to enhance their skills, to enable them to cope with the dynamism of the ICT industry.
Audit test: Review whether staff are regularly trained and appraised to cope with the dynamism of the ICT industry. Check whether performance reviews are conducted regularly.

Objective/Risk: Failure to discover irregularities and manipulations.
Key controls: Roles should be separated in such a manner that no one person has unlimited access to the systems.
Audit test: Check that duties are sufficiently separated to ensure that no one person has uncontrolled access to the system, which could compromise system security.

Objective/Risk: Failure to discover irregularities and manipulations.
Key controls: Periodic job rotation will be ensured and staff members will take leave regularly. (HR Policies & Procedure manual 13.1)
Audit test: Are job rotations and cross-training conducted periodically? Is the rotation of duties of sufficient duration to disclose any irregularities or manipulations?
Activity: Insurance

Objective/Risk: To ensure that there is adequate insurance to cover equipment, software and documentation, storage media, replacement cost, data loss and business loss, i.e. to minimize loss of earnings emanating from failure/interruption of ICT systems.
Key controls: All ICT resources must be adequately insured at all times. The insurance should cover:
- equipment
- software and storage media
- loss of data and business interruption
Audit test: Review the insurance file and ensure that adequate insurance exists to cover:
- equipment
- software
- storage media
- loss of data
- business loss/interruption
Check whether the insurance is current.

Activity: Disaster Recovery and Business Continuity plans

Objective/Risk: To minimize the risk of disruption of business operations should disasters occur/strike.
Key controls: The ICT Continuity Plan provides a written plan outlining the ICT recovery strategy in the event of an interruption to continuous operations. (ICT Continuity Plan Chapter 1 page 3)
Audit test: Is there a comprehensive contingency/Disaster Recovery plan which is documented? Have the Disaster Recovery and Business Continuity Plans been approved by the BOD? Does the contingency plan provide for recovery and extended processing of critical applications in the event of a catastrophic disaster? Are all recovery plans approved and tested to ensure their adequacy in the event of a disaster?

Objective/Risk: Poor coordination of disaster recovery efforts.
Key controls: The Emergency Recovery Team comprises the following members:
- General Manager, Finance & Operations
- General Manager, Regional Risk
- Senior Manager, ICT
- Manager, Operations & Projects
- Manager, Administration
(ICT Continuity Plan 4.1 page 32)
Audit test: Are disaster recovery teams established to support the recovery effort? Are the responsibilities of individuals within the disaster recovery team defined, and time allocated for completion of their tasks? Check that the recovery plans are communicated to the management and to all concerned personnel.

Objective/Risk: Poor coordination of disaster recovery efforts.
Key controls: The information assets of the Bank are divided into two main categories, Business Systems and Infrastructure Systems. (ICT Contingency Plan 2.1 & 2.2)
Audit test: Does the recovery plan identify the key processing priorities? Does the plan identify the key information assets (Business Systems and Infrastructure Systems) deployed at the Bank?
Activity: Disaster Recovery and Business Continuity plans (contd)

Objective/Risk: Interruption of business activities due to lack of an alternative data processing location.
Key controls: The bank has implemented a database server at a contingency site at Capital Centre Branch. The server acts as a contingency server in case of failure of the primary database server at the Head Office. (ICT Contingency Plan 3.3 page 20)
Audit test: Verify that an off-site location has been identified and set up for recovery operations. Have the hardware, software and operating system been installed at the off-site location? User profiles for the off-site system should be created similar to those of the main system.

Objective/Risk: The risk of the continuity plan getting outdated.
Key controls: The ICT Continuity Plan will be maintained every six months. The Senior Manager, ICT will ensure that the plan is maintained and appropriately updated every six months. (ICT Continuity Plan Chapter 5 page 34)
Audit test: Review whether the disaster recovery plan is tested regularly and the results documented, indicating the level of preparedness. Check whether the recovery strategy is periodically reviewed and updated.

Activity: System Change Management

Objective/Risk: To avoid haphazard implementation of system change. To ensure that development and changes to programs are authorized, tested and approved prior to implementation.
Key controls: The change management procedure sets out a systematic approach to dealing with change. All persons requesting a change must fill in the System Change Request (SCR) form, which is submitted to ICT for review and onward transmission to OpsCo (Operations Committee) for approval consideration. The SCR form must contain the following information:
- request date
- originating unit/department
- initials of the Head of Department initiating the change
- description of the proposed changes
- benefits and justification of the changes
- expected impact of the changes
All changes must be documented and backed up immediately.
Audit test: Is there a duly documented and approved change management policy/procedure? Review that the person/department requesting the system change completes a System Change Request form and submits it to ICT for review. Is the form reviewed and authorized? Check that the benefits and justification for the system change are indicated in the form and that approval for the change is obtained from OpsCo (Operations Committee). Review that the proposed system change is clearly described and ICT comments included in the System Change form. Review that the details of the impact of non-implementation of the change are clearly outlined and considered. Are all changes to programs and systems documented and backed up immediately?