
Apg - Document and Records Control

The document outlines guidelines for auditing document and records control. It describes reviewing procedures for document approval, revisions, reviews, access controls, and disposition. The audit involves verifying that appropriate controls are in place for internal and external documents, that documents are current and authorized individuals adhere to policies for document management.

Uploaded by

Arlene Dacpano

DOCUMENT AND RECORDS CONTROL - AUDIT PROGRAM GUIDE

1. Look for the controls for each type of document and records.
- Internal documents
- External documents

2. Verify all the documents and records needed are current and available.
3. Conduct a review for each of the following document and records controls:

a. Approval Process
1. Review the procedures for document approval and determine if complete.
2. Determine the persons authorized to create, review, and distribute the
original documents and inquire whether they are aware of and adhere to the
policies and procedures for document approval.
3. Identify the documents that need to be reviewed and assign auditors for
the review of documents.
4. Review and check the documents for accuracy, clarity, and accessibility
and ensure that documents are consistent with the requirements.

b. Document Revisions
1. Review the procedures for the revision of documents, including the
guidelines set for recording when, by whom and what type of revision was
made. Check if they are complete.
2. Identify the person(s) authorized to initiate, request, and
implement the revision of documents.
3. Check if there is a retention period and if it is being followed.
4. Determine whether the persons authorized to approve the revision of
documents adhere to the policies and procedures regarding the approval
of the revision.
5. Identify the documents according to their revision.
6. Monitor the current revision status of documents.
7. Ensure that such revisions are monitored and approved for release,
distribution and use by the proper authorities.
8. Ensure that the document revision levels, publish date, document owner,
and review dates are being maintained.

c. Document Review
1. Identify and obtain the documents that need to be examined.
2. Ensure that you obtain access to the documents that are covered by the
audit's scope.
3. In addition to checking that the documents are present, manually check if
the documents are properly updated.
4. When reviewing the documents, compare them with the associated
requirements to determine conformance in advance of the internal audit.
5. In addition to recording conformance status, note any questions about
the documents just reviewed that you plan to ask assigned personnel
during interviews.
6. Check if there are procedures required for re-approval.
7. Review the documents; any audit findings should be discussed with the
auditees.

d. Document Access

Access to Program Document


1. If documentation is maintained in printed form, observe its storage
location or determine how access to online documentation is controlled.
Determine if the documentation is adequately secured.
2. Check out logs for documentation to ensure that only authorized persons
have access to documentation. Determine if checked out documentation
is appropriately logged and can be located.
3. Any audit findings should be discussed with the Audit Director, Deputy
Director, and Audit Supervisor. Once their approval is obtained, discuss
the audit findings with the client management.
4. Summarize and conclude.

Access to Systems Software


1. Interview the person in charge of system software access. Check to
ensure that the techniques being utilized to restrict authorized individuals’
access to system software are sufficient.
2. Check out documentation logs to see if only authorized persons have
access to documentation. Ensure that checked out documentation is
appropriately logged and can be located.
3. Test to see that access to systems software is limited by terminal
address.
4. Any audit findings should be discussed with the Audit Director, Deputy
Director, and Audit Supervisor. Once their approval is obtained, discuss
the audit findings with the client management.
5. Summarize and conclude.

Access to Production Program


1. Interview the person in charge of regulating access to production
programs’ source and object codes and job control instructions. Inspect to
see if utilities and passwords that impact program access are properly
managed. Ascertain whether the restrictions are sufficient to restrict
access to those who require it to do their tasks.
2. Any audit findings should be discussed with the Audit Director, Deputy
Director, and Audit Supervisor. Once their approval is obtained, discuss
the audit findings with the client management.
3. Summarize and conclude.

Access to Data Files


1. Review the procedures for controlling access to data files. Check
whether restrictions are enough to limit access to data files to
authorized users only and if applications not in the production library are
adequately restrained from processing against data files.
2. Any audit findings should be discussed with the Audit Director, Deputy
Director, and Audit Supervisor. Once their approval is obtained, discuss
the audit findings with the client management.
3. Summarize and conclude.

Access to On-line Systems


1. Determine who has access to confidential data and verify with the owner
of the data whether these persons have authorized access to this data.
2. Test to ensure that access to applications, data, or entry and update of
transactions is restricted by terminal address and hours of operation.
3. Check to see if the addresses and phone numbers of employees who
have requested privacy for such information are sufficiently
protected from disclosure.
4. Any audit findings should be discussed with the Audit Director, Deputy
Director, and Audit Supervisor. Once their approval is obtained, discuss
the audit findings with the client management.
5. Summarize and conclude.

Access to Data Bases


1. Ask the data base administrator whether the controls are
adequate to limit access to the data base and data base change utilities.
2. Determine how concurrent access to the same data item is prevented and
whether it is adequate.
3. Any audit findings should be discussed with the Audit Director, Deputy
Director, and Audit Supervisor. Once their approval is obtained, discuss
the audit findings with the client management.
4. Summarize and conclude.

Password Administration
1. Review the procedures for controlling passwords and check if they are
complete (using 3.4.4 of 1992 EDP Control Objectives as a guide).
2. Review records or interview users to determine when passwords were
last changed.
3. In a department where an employee has recently terminated, check if the
employee's password has been deleted and if there are changes in the
passwords of other employees in the department.
4. Determine the security measures for password tables. Check whether the
access is restricted to only those people who truly need access to the
table.
5. Test to see that there is a limit on the number of unsuccessful attempts to
sign on (or login).
6. Any audit findings should be discussed with the Audit Director, Deputy
Director, and Audit Supervisor. Once their approval is obtained, discuss
the audit findings with the client management.
7. Summarize and conclude.

Policies for Access Security


1. Review the policies for access security and check if they are complete.
2. Determine whether the person(s) in charge of access security are aware
of and adhere to the policies for access security by conducting an
interview with them.
3. Look through the access logs and compare the logs against the list of
authorized persons. Check if access violations are being investigated
according to the procedures.
4. Any audit findings should be discussed with the Audit Director, Deputy
Director, and Audit Supervisor. Once their approval is obtained, discuss
the audit findings with the client management.
5. Summarize and conclude.

e. Document Disposition
1. Review the procedures for document disposition, including the controls
regarding the identification, regulation, criteria for archiving and
destroying, and unintended use of obsolete documents and discipline
policies for nonconformity. Check if they are complete.
2. Determine the authorized person(s) in charge of document
disposition, such as approval for disposal or transferring documents, and
whether they are aware of and adhere to the policies and procedures of the
organization for document disposition.
3. Interview authorized persons to ensure that the method of disposal for
each type of document is appropriate.
4. Check if the approved documents for disposal are disposed of in
accordance with the appropriate method.

f. External Documents
1. Review the procedures for external document control and check if they
are complete.
2. Determine the relevant documents of external origin:
a. Name of document
b. Issuer of the document
c. Updated version and date
d. Internal distribution
e. Person responsible for control
3. Identify the persons authorized to check, update, and publish the
documents and inquire whether they are aware of and adhere to the policies
and procedures regarding external document control.
4. Review the documents and determine if they are changed or updated.
5. Determine whether the documents currently being distributed and used
are the appropriate version of documents.
6. Ensure that a masterlist of all approved external documents is kept,
reviewed, and updated regularly.
7. Any audit findings should be discussed with the Audit Director, Deputy
Director, and Audit Supervisor. Once their approval is obtained, discuss
the audit findings with the client management.

Note: In reviewing the control procedures, the auditor should also ask the controller
and other persons responsible for document and records control about the
procedures and criteria they follow.

4. Once all control procedures have been reviewed, assess the following controls for each
type of document and records as identified in the audit checklist:

For internal documents:


a. Is there a documented procedure available to define controls for all document
types identified?
b. Does this procedure identify who can approve and issue each type of document?
c. What is the process for updates and changes?
- Are changes approved before issuance?
- Is the approval made by the same authority as the initial issue or has it
been changed?
- If so, is this adequate to control the document issue?
- Are the documents reviewed from time to time to ensure they are relevant
and being followed?
- If there is a review period, is there any evidence that it is being followed
or are documents out of date?
- Are hand amendments allowed in the procedure and if so are these
properly authorised?
d. Does each document have a clear title/identification and is there a clear revision
level for the document?
e. How are changes to documents communicated to the people who need to use
the document?
f. How are documents of each type circulated? Are the right documents available
at each point of use?
g. If this is controlled by a computer system, what happens if this system is not
available?
h. Are any documents used at other/remote locations? If so, how do you know the
correct version is being used?

For external documents:


a. What controls are in place to identify any updates to:
- Legislation and standards?
- Changes to customer designs and requirements?
- Changes in any contracts/service level agreements?

For obsolete documents:


a. What happens to obsolete documents?
- When new documents are issued, are you sure the old documents are
removed from use?
- Is it obvious which documents are obsolete or is there a chance of
confusion?
- Are old documents retained for reference? If so, are these identified?

5. Prepare the audit findings.


- Once each document and records control has been reviewed and assessed, draw
conclusions or findings based on the results of the review and assessment.

6. Conduct an audit meeting with the assigned department.


- Present and discuss the audit findings for the following document and records controls
and identify recommendations/suggestions.
- The respective department must come up with a response and take corrective actions
regarding the audit findings.
