Table of Contents
Entity Name:        W/P reference:
Project name:       Prepared by:
Audit Period:       Date:
Sheet Name
Common Findings
IT Governance and Framework
Access Management
Authentication and Authorization
Change Management
Computer Operations
Continuity and Disaster Recovery
Systems Development
Outsourced Services
Common Findings
Entity IT access controls need improvement so that any excessive or
unnecessary access privileges are detected and timely removed.
Entity IT security controls related to account management need
improvement.
Some access privileges did not promote an appropriate separation of
duties.
Administrative access privileges granted for some users and service
accounts to selected network domain/database/server were not
appropriate.
Server environments did not promote an appropriate separation of
duties and did not restrict users to only those functions appropriate
and necessary for assigned job duties or functions.
The entity did not perform comprehensive periodic reviews of access
privileges for the application/server/database/network accounts.
Certain controls related to logical access/user authentication/account
management/change management/logging and monitoring need
improvement to ensure the confidentiality, integrity, and availability of
entity data and related IT resources.
Change management controls related to application and systems
software and network infrastructure changes need improvement to
ensure that changes are appropriately documented, authorized, tested
(where applicable), and approved prior to implementation into the
production environment.
Contrary to laws/policies/guidelines the entity did not have signed
service-level agreements (SLAs) with the third-party service provider,
increasing the risk that the effective, efficient, and secure operation of
IT systems may be compromised.
The entity did not periodically review and monitor the independent audit
reports of the third-party service provider to ensure that the provider's
IT security and access controls continued to be effective and adequate to
ensure the confidentiality, integrity, and availability of entity data and
related IT resources.
Backup controls continue to need improvement to ensure that all IT
resources that require back up are identified, backups are performed
as required, and backups are periodically tested for recoverability.
The business continuity and disaster recovery plans continue to need
improvement to ensure that critical operations continue in the event of
a disaster or other interruption of service.
IT Governance and Framework
Objective: Evaluate whether reasonable controls over the University's
Information Technology structure are in place and whether the IT Department
is organized to properly meet the University's business objectives.
Methodology: Inquire with executive management or through available
documentation (corporate strategy, annual report, etc.) to:
Obtain an understanding of the IT governance and framework.
Obtain an understanding of the University’s strategies and objectives,
and document them to the extent relevant to the process under
review.
Determine if IT related decisions align with the University's strategies
and objectives.
Determine whether IT-related processes are overseen effectively and
transparently.
Determine whether there is an IT steering committee that includes
members from different areas of the University.
Determine whether IT Security has been established as a separate
University function.
Access Management
Objective: Ensure appropriate controls are in place over user account
management.
Methodology: Inquire with executive management and review available
documentation (policies, procedures, guidelines, etc.) to obtain an
understanding of the University’s access management process:
Obtain an understanding of the user account management process.
Determine whether there are policies and procedures related to
user account management which include, but are not limited to:
Requiring unique user IDs;
New user creation;
Modifying existing user rights when roles change or
individuals transfer;
Disabling and/or removing user accounts for users who are
terminated or transferred;
Periodic review of user access.
Determine whether policies and procedures are applicable to all user
accounts including privileged user accounts.
Review sample user accounts to ensure:
User access rights are appropriately requested, reviewed, and
approved;
User accounts are unique and not shared;
All users and their activities are identifiable using their unique
user IDs;
User access rights are in line with documented business needs
and job requirement.
Request and review the list of privileged user accounts to ensure that
only authorized individuals have elevated privileges:
System administrators;
Database administrators;
Network administrators.
Verify that users with privileged access rights also have a separate,
non-privileged account for day-to-day use, so that the privileged account
is used only for administrative tasks.
Verify privileged user activities are logged and monitored.
Verify that the number of network administrators, database
administrators, and server administrators is limited to what the
assigned job duties require.
Verify the enforcement of least-privileged access and need-to-know
access for applications, databases, servers.
Verify periodic reviews of access rights are completed and
documented.
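The account-review steps above are reconciliations of an account export against an HR roster and the approval records. The following Python script is an added example of that reconciliation and is not part of the original audit program; the two exports, the column names (owner, approval_ref, last_review) and the 90-day review window are constructed assumptions standing in for the real extracts and the University's actual policy.

```python
"""Access review reconciliation (added example, not from the audit program).
Assumes two constructed exports: an HR roster and an account listing from a
directory or application.  Column names and the 90-day review window are
assumptions; substitute the real extracts and policy."""
from datetime import date

REVIEW_WINDOW_DAYS = 90      # assumed policy: access reviewed at least quarterly
AS_OF = date(2024, 6, 30)    # assumed audit cut-off date

# Constructed HR roster: employee id -> status and termination date.
HR_ROSTER = {
    "E100": {"name": "A. Rivera", "status": "active",     "term_date": None},
    "E101": {"name": "B. Chen",   "status": "terminated", "term_date": date(2024, 3, 15)},
    "E102": {"name": "C. Okafor", "status": "active",     "term_date": None},
    "E103": {"name": "D. Patel",  "status": "active",     "term_date": None},
}

# Constructed account export.  'owner' links an account to an employee id;
# a shared account has no single owner.
ACCOUNTS = [
    {"user_id": "arivera",     "owner": "E100", "enabled": True, "privileged": False,
     "approval_ref": "REQ-41", "last_review": date(2024, 5, 2)},
    {"user_id": "bchen",       "owner": "E101", "enabled": True, "privileged": False,
     "approval_ref": "REQ-17", "last_review": date(2024, 1, 10)},
    {"user_id": "cokafor-adm", "owner": "E102", "enabled": True, "privileged": True,
     "approval_ref": "REQ-52", "last_review": date(2024, 6, 1)},
    {"user_id": "dpatel",      "owner": "E103", "enabled": True, "privileged": False,
     "approval_ref": None,     "last_review": date(2024, 6, 1)},
    {"user_id": "dpatel-adm",  "owner": "E103", "enabled": True, "privileged": True,
     "approval_ref": "REQ-60", "last_review": date(2024, 6, 1)},
    {"user_id": "helpdesk",    "owner": None,   "enabled": True, "privileged": False,
     "approval_ref": "REQ-03", "last_review": date(2024, 6, 1)},
]


def review_accounts(accounts, roster, as_of=AS_OF):
    """Return a list of (user_id, finding) tuples, one per failed condition:
    shared accounts, owners missing from HR, enabled accounts of terminated
    staff, missing approvals, privileged accounts without a separate standard
    account, and access not reviewed within the policy window."""
    findings = []
    # Employees who hold an enabled, non-privileged account.
    owners_with_standard = {a["owner"] for a in accounts
                            if a["owner"] and a["enabled"] and not a["privileged"]}
    for a in accounts:
        uid, owner = a["user_id"], a["owner"]
        if owner is None:
            findings.append((uid, "shared/generic account: activity not attributable to one person"))
            continue
        emp = roster.get(owner)
        if emp is None:
            findings.append((uid, "owner not on HR roster"))
        elif emp["status"] == "terminated" and a["enabled"]:
            days = (as_of - emp["term_date"]).days
            findings.append((uid, f"enabled {days} days after termination"))
        if a["approval_ref"] is None:
            findings.append((uid, "no documented access request/approval"))
        if a["privileged"] and owner not in owners_with_standard:
            findings.append((uid, "privileged account without separate standard account"))
        if (as_of - a["last_review"]).days > REVIEW_WINDOW_DAYS:
            findings.append((uid, "access not reviewed within policy window"))
    return findings


if __name__ == "__main__":
    for user_id, finding in review_accounts(ACCOUNTS, HR_ROSTER):
        print(f"{user_id:12} {finding}")
```

Each finding maps to one of the steps in the list above (unique and non-shared IDs, timely removal on termination, documented approval, a separate standard account for privileged users, and periodic review), so the output can be filed directly as the test result for each step. On the constructed data it reports bchen (still enabled 107 days after termination, and not reviewed), cokafor-adm (privileged with no standard account), dpatel (no approval) and helpdesk (shared).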
Authentication and Authorization
Objective: To ensure appropriate controls are in place over user authentication
and authorization to prevent unauthorized access to critical applications
and systems. (Where applicable, review related documentation.)
Determine whether policies and procedures are available which describe:
Authentication mechanisms enabled for user identification;
Password complexity requirement for accessing the University’s
network, application, data etc.;
Password parameters – length, characters used, locking of the computer
screen when not used for a certain time, password requirement to
unlock the computer screen etc.;
Restrictions on using or retaining a vendor default password;
Determine if the systems, applications, and the network have been
configured to enforce the password requirements, including those with single
sign-on and/or multi-factor authentication.
Request and review the password settings for the application, network, and
systems to ensure the password settings conform to the policy requirements
and industry best practices.
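Comparing exported password settings against the policy is mechanical once the settings are in a common form. The following Python script is an added example, not part of the original audit program: it parses a constructed 'key = value' export of password parameters from two systems and lists every deviation from an assumed policy. The parameter names, the policy values and the export format are assumptions; substitute the University's actual policy and each system's real exported settings.

```python
"""Password-setting compliance check (added example, not from the audit
program).  Parses a constructed per-system export of password parameters and
compares each system against the policy.  Parameter names, policy values and
the export format are assumptions."""

# Assumed policy.  'min': system value must be at least this; 'max': at most
# this; 'eq': exactly this.  For 'max' parameters a value of 0 means the
# control is disabled (never expires / never locks), which is a deviation.
POLICY = {
    "min_length":        ("min", 12),
    "complexity":        ("eq", "on"),
    "max_age_days":      ("max", 90),
    "history":           ("min", 10),
    "lockout_threshold": ("max", 5),    # failed attempts before lockout
    "idle_lock_minutes": ("max", 15),   # screen lock after inactivity
    "mfa_required":      ("eq", "on"),
}

# Constructed export, one bracketed section per system.
EXPORT = """
[erp-app]
min_length = 14
complexity = on
max_age_days = 90
history = 12
lockout_threshold = 5
idle_lock_minutes = 10
mfa_required = on

[db-prod]
min_length = 8
complexity = off
max_age_days = 365
history = 0
lockout_threshold = 0
idle_lock_minutes = 30
# mfa_required not set: database logins are password-only
"""


def parse_export(text):
    """Return {system: {parameter: value}}; numeric values become ints."""
    systems, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            systems[current] = {}
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        value = value.strip()
        systems[current][key.strip()] = int(value) if value.isdigit() else value
    return systems


def check_policy(systems, policy=POLICY):
    """Return {system: [deviation, ...]}; an empty list means compliant.
    A parameter absent from the export is reported, not assumed compliant."""
    result = {}
    for name, settings in systems.items():
        devs = []
        for param, (rule, want) in policy.items():
            if param not in settings:
                devs.append(f"{param}: not configured (policy requires {want})")
                continue
            got = settings[param]
            if rule == "min" and got < want:
                devs.append(f"{param}: {got} below minimum {want}")
            elif rule == "max" and got == 0:
                devs.append(f"{param}: disabled (0), policy maximum is {want}")
            elif rule == "max" and got > want:
                devs.append(f"{param}: {got} exceeds maximum {want}")
            elif rule == "eq" and got != want:
                devs.append(f"{param}: {got!r}, policy requires {want!r}")
        result[name] = devs
    return result


if __name__ == "__main__":
    for system, devs in check_policy(parse_export(EXPORT)).items():
        print(system, "compliant" if not devs else "")
        for d in devs:
            print("   ", d)
```

Two points in the design matter for the review: a parameter missing from the export is a deviation rather than a pass (a system that never exposes a setting cannot be shown to enforce it), and a zero in a "maximum" parameter is treated as the control being switched off rather than as a very strict value. On the constructed export erp-app is compliant and db-prod has seven deviations.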
Change Management Controls
Objective: Perform a review of the change management process to
provide management with assurance that the process is controlled,
monitored and is in compliance with good practices.
Methodology: Interview management and review available documented
standards, processes, procedures and guidelines, reports, and/or logs
to:
Obtain an understanding of the University's system of identifying,
classifying and approving change requests.
Determine if a process exists to classify change requests as an
infrastructure or application change.
Determine if there is a process for tracking the status of the changes
that are approved, in-process, and completed.
Determine if changes are appropriately reviewed, authorized,
approved/rejected, and tested prior to implementing in production.
Determine if only approved changes are implemented.
Determine if there is adequate documentation for requested,
approved or rejected changes.
Determine if the sign-off process, prior to a change moving into
production, includes the following supporting documentation
indicating:
Completion of testing, quality assurance and documentation;
Satisfactory user acceptance test, approval and knowledge of
implementation date;
Acceptance of information security changes.
Determine if logs and reports generated by the change management
system are reviewed and documented by management.
Determine whether testing changes prior to implementation is done
in a test environment rather than production environment.
Determine if there is a process for defining, prioritizing, testing,
documenting, assessing and authorizing emergency changes that do
not follow the established change process.
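The test of whether only approved changes reach production is a reconciliation of the deployment record against the change register. The following Python script is an added example and is not part of the original audit program: it matches constructed production deployment log lines against a constructed change-ticket register and reports deployments with no change record, a rejected record, approval dated after the deployment, or no test evidence. The log format, ticket fields and status names are assumptions.

```python
"""Change-management reconciliation (added example, not from the audit
program).  Matches constructed deployment log lines against a constructed
change register.  Log format, ticket fields and status values are
assumptions; adapt them to the real deploy tool and ticketing export."""
import re
from datetime import datetime

# Constructed change register as exported from a ticketing system.
TICKETS = {
    "CHG-1001": {"status": "approved", "approved_at": "2024-05-06T09:00",
                 "tested": True,  "emergency": False},
    "CHG-1002": {"status": "approved", "approved_at": "2024-05-08T16:30",
                 "tested": False, "emergency": False},
    "CHG-1003": {"status": "rejected", "approved_at": None,
                 "tested": True,  "emergency": False},
    "CHG-1004": {"status": "approved", "approved_at": "2024-05-10T11:00",
                 "tested": True,  "emergency": True},
}

# Constructed deployment log lines from a production deploy tool.
DEPLOY_LOG = """\
2024-05-06T10:15 deploy host=erp-prod-01 pkg=erp-4.2.1 change=CHG-1001 by=jdoe
2024-05-07T22:40 deploy host=erp-prod-01 pkg=erp-4.2.2 change=CHG-1002 by=jdoe
2024-05-08T08:05 deploy host=db-prod-02 pkg=schema-117 change=CHG-1003 by=asmith
2024-05-09T03:12 deploy host=web-prod-03 pkg=hotfix-9 change=CHG-1004 by=oncall
2024-05-09T14:00 deploy host=web-prod-03 pkg=web-7.0.0 by=asmith
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) deploy host=(?P<host>\S+) pkg=(?P<pkg>\S+)"
    r"(?: change=(?P<chg>\S+))? by=(?P<who>\S+)$")


def parse_deploy_log(text):
    """Return one dict per deployment line.  An unparseable line is an error,
    not something to skip silently: every production change must be examined."""
    deploys = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed deploy line: {line!r}")
        deploys.append(m.groupdict())
    return deploys


def reconcile(deploys, tickets):
    """Return a list of (pkg, issue) for deployments that fail the change controls."""
    issues = []
    for d in deploys:
        deployed = datetime.fromisoformat(d["ts"])
        chg = d["chg"]
        if chg is None:
            issues.append((d["pkg"], "no change record referenced"))
            continue
        t = tickets.get(chg)
        if t is None:
            issues.append((d["pkg"], f"{chg} not in change register"))
            continue
        if t["status"] != "approved":
            issues.append((d["pkg"], f"{chg} status is {t['status']}"))
            continue
        approved = datetime.fromisoformat(t["approved_at"])
        if approved > deployed:
            # Emergency changes may legitimately be authorized afterwards, but
            # that retrospective authorization must itself be reviewed.
            if t["emergency"]:
                issues.append((d["pkg"], f"{chg}: emergency change, verify retrospective authorization"))
            else:
                issues.append((d["pkg"], f"{chg}: deployed before approval"))
        if not t["tested"]:
            issues.append((d["pkg"], f"{chg}: no test evidence recorded"))
    return issues


if __name__ == "__main__":
    for pkg, issue in reconcile(parse_deploy_log(DEPLOY_LOG), TICKETS):
        print(f"{pkg:12} {issue}")
```

Emergency changes are separated from ordinary ones deliberately: an emergency deployment approved after the fact is expected under the emergency process, so it is reported as an item to verify rather than as an unapproved change, whereas a routine change approved after it was deployed is a control failure. On the constructed data, erp-4.2.1 is clean and the other four deployments produce five issues.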
Computer Operations
Objective: Effective computer operations controls are in place to ensure
systems and programs are available and processing accurately.
Methodology: Inquire with management/review available documented
standards, processes, procedures and guidelines, reports, logs to
determine if the University’s controls over computer operations are
effective.
Obtain an understanding of computer operations procedures and ensure that
the procedures include, but are not limited to:
System start-up procedures;
Emergency procedures;
System shutdown procedures;
Backup assignments;
System and job status reporting instructions.
Review procedures and logs for batch job processing to determine if
batch jobs are appropriately scheduled, processed, monitored, and
tracked.
Review forms, logs and any related documents to determine if
appropriate physical safeguards, accounting practices, and inventory
management over sensitive IT resources are in place.
Continuity of Operations and Disaster Recovery
Objective: To determine if the University has appropriate processes and
controls in place to continue its mission-critical functions with minimal
disruption in case of an emergency or a disaster.
Methodology: Inquire with management/review available documented
standards, plans (continuity of operations plan, disaster recovery plan),
processes, procedures and guidelines, reports, logs to:
Determine if the University has a framework for IT continuity of
operations plan and a disaster recovery plan.
Determine if a continuity of operations plan and disaster recovery plan
have been developed and are kept up-to-date.
Determine if periodic testing of the IT continuity of operations plan and
disaster recovery plan is performed and the concerned parties are
trained.
Determine if a list of the most critical IT resources for recovery is
maintained and is up-to-date.
Determine if the failover and redundancy technology and location
(recovery site) are properly prepared for a disaster situation.
Systems Development
Objective: Ensure that written standards and procedures are established for
the development, acquisition, implementation, and maintenance of
systems.
Methodology: Interview management and review available documented
standards, processes, procedures and guidelines, reports, and/or logs to
obtain an understanding of the University’s controls over the process of
systems development.
Obtain and review documentation related to the System Development
Life Cycle (SDLC) to ensure it contains clear guidelines for the phases
of SDLC:
System Definition;
Requirement Analysis;
Component Design;
Implementation;
System Maintenance (fixes, patches).
Review SDLC workpapers to determine if the appropriate levels of
authorization were obtained for each phase of development.
Review SDLC methodology to ensure that its provisions reflect current
generally accepted techniques and procedures.
Review documented testing procedures, test data, and resulting
output to determine if they appear to be comprehensive and if they
follow University standards.
Review and evaluate procedures for program promotion and
implementation.
Review documentation of the program promotion procedure.
Determine if the standards are followed and if documentation of
compliance with the standards is available. Trace selected program
and system software changes to the appropriate supporting records to
determine if the changes have been properly approved.
Review and evaluate the procedures for performing post-
implementation reviews.
Review and evaluate the procedures for the maintenance of existing
applications.
Outsourced Services
Objective: Ensure that the University has an effective third-party
management process and that the services provided by third parties
(suppliers, vendors and partners) meet business requirements.
Methodology: Interview management and review available documented
service level agreements, independent service organization audits,
and/or related documents to:
Determine if the University has valid contracts and comprehensive
service level agreements (SLA) with third-party service providers.
Determine if the third-party SLA provides clearly defined roles,
responsibilities and expectations for both the University and the
provider.
Determine if the University is reviewing independent service
organization audit reports, such as SOC 2 audits conducted pursuant
to AICPA standards, or audits for compliance with ISO/IEC 27001,
Information Security Management Systems Requirements, to ensure
that IT controls necessary to safeguard the University’s data and
information resources have not been identified, by the independent
auditor, as being deficient. Confirm that the report's period and scope
cover the services the University actually uses, and that the
complementary user entity controls the report assumes are in place at
the University.