Informations Systems Audit Checklist

A ORGANIZATION AND ADMINISTRATION

B PROGRAM MAINTENANCE AND SYSTEM DEVELOPMENT

C SYSTEM DEVELOPMENT
D PURCHASED SOFTWARE
E ACCESS TO DATA FILES

F COMPUTER PROCESSING
G ACCESS CONTROLS
H APPLICATION CONTROLS - INPUT

I OUTPUT AND PROCESSING

J VIRUSES

K INTERNET

L CONTINUITY OF OPERATIONS

Physical Protection
L.I Fire Hazard
L.II Air Conditioning
L.III Power Supply

L.IV Communications Network

L.V Machine (Servers) Room Layout

L.VI Access Control

M ACCESS CONTROL
M.I Visitor Control
M.II Terminal Security
M.III General Security
N PERSONNEL POLICIES – MIS STAFF
O INSURANCE

P BACK-UP PROCEDURES
 P.I Equipment (computer and ancillary)
P.II Outside Suppliers (non continuance/ disaster)

P.III Off-site Storage:

P.IV Data Files

P.V Tape
P.VI Disc
P.VII Software
P.VIII Operations

Q DISASTER RECOVERY PLANS

A
ORGANISATION AND ADMINISTRATION

Audit Obejective
Does the organization of data processing provide for adequate segregation of duties?

Audit Procedures
Review the company organization chart, and the data processing department organization cha

No. Description Yes

1 Is there a separate EDP department within the company?

Is there a steering committee where the duties and responsibilities for managing MIS
2 are clearly defined?
Has the company developed an IT strategy linked with the long and medium term
3 plans?
Is the EDP Department independent of the user department and in particular the
4 accounting department?
Are there written job descriptions for all jobs within EDP department and these job
5 descriptions are communicated to designated employees?
Are EDP personnel prohibited from having incompatible responsibilities or duties in
6 user departments and vice versa?
7 Are there written specifications for all jobs in the EDP Department?
Are the following functions within the EDP Department performed by separate
8 sections:
 System design?
 Application programming?
 Computer operations?
 Database administration?
 Systems programming?
 Data entry and control?
9 Are the data processing personnel prohibited from duties relating to:
 Initiating transactions?
 Recording of transactions?
 Master file changes?
 Correction of errors?
10 Are all processing pre-scheduled and authorized by appropriate personnel?
Are there procedures to evaluate and establish who has access to the data in the
11 database?
12 Are the EDP personnel adequately trained?
13 Are systems analysts programmers denied access to the computer room and limited
in their operation of the computer?
Are operators barred from making changes to programs and from creating or
14 amending data before, during, or after processing?

15 Is the custody of assets restricted to personnel outside the EDP department?

 Is strategic data processing plan developed by the company for the achievement of
16 long-term business plan?

Are there any key personnel within IT department whose absence can leave the
17 company within limited expertise?
18 Are there any key personnel who are being over-relied?
Is EDP audit being carried by internal audit or an external consultant to ensure
19 compliance of policies and controls established by management?
gation of duties?

ent organization chart.

No N/A
B PROGRAM MAINTENANCE AND SYSTEM DEVELOPMENT

Audit Objective
Development and changes to programs are authorized, tested, and approved, prior to being placed

Program Maintenance Audit - Procedures

*Review details of the program library structure, and note controls which allow only authorized individuals to acce
*Note the procedures used to amend programs.
*Obtain an understanding of any program library management software used.

No. Description Yes No

1 Are there written standards for program maintenance?
2 Are these standards adhered to and enforced?
3 Are these standards reviewed regularly and approved?
Are there procedures to ensure that all programs required for
4 maintenance are kept in a separate program test library?
Are programmers denied access to all libraries other than the test
5 library?
Are changes to programs initiated by written request from user
6 department and approved?
Are changes initiated by Data Processing Department
7 communicated to users and approved by them?
Are there adequate controls over the transfer of programs from
8 production into the programmer's test library?
Are all systems developed or changes to existing system tested
9 according to user approved test plans and standards?
Are tests performed for system acceptance and test data
10 documented?

Are transfers from the development library to the production

11 library carried out by persons independent of the programmers?
12 Do procedures ensure that no such transfer can take place without
the change having been properly tested and approved?
Is a report of program transfers into production reviewed on a daily
13 basis by a senior official to ensure only authorized transfers have
been made?
14 Are all program changes properly documented?
15 Are all changed programs immediately backed up?
16 Is a copy of the previous version of the program retained (for use in
the event of problems arising with the amended version)?
17 Are there standards for emergency changes to be made to
application programs?
18 Are there adequate controls over program recompilation?
19 Are all major amendments notified to Internal audit for comment?
Are there adequate controls over authorization, implementation,
20 approval and documentation of changes to operating systems?
 roved, prior to being placed in production.

ures
nly authorized individuals to access each library.
ograms.
gement software used.

N/A
C SYSTEM DEVELOPMENT

No. Description Yes No

Are there formalized standards for system development life cycle
1 procedure?
Do they require authorization at the various stages of development –
2 feasibility study, system specification, testing, parallel running, post
implementation review, etc.?
Do the standards provide a framework for the development of controlled
3 applications?
4 Are standards regularly reviewed and updated?
5 Do the adequate system documentation exist for:
 Programmers to maintain and modify programs?
 Users to satisfactorily operate the system?
6 Have the internal audit department been involved in the design stage to
ensure adequate controls exist?
7 Testing of programs - see Program Maintenance.
8 Procedures for authorizing new applications to production - see Program
Maintenance.
Are user and data processing personnel adequately trained to use the new
9 applications?
Is system implementation properly planned and implemented by either
10 parallel run or pilot run?

Are any differences and deficiencies during the implementation phase

11 noted and properly resolved?

Are there adequate controls over the setting up of the standing data and
12 opening balances?
13 Is a post implementation review carried out?
Are user manuals prepared for all new systems developed and revised for
14 subsequent changes?

Is there a Quality Assurance Function to verify the integrity and

15 acceptance of applications developed?
N/A
 D PURCHASED SOFTWARE

No. Description Yes No

Are there procedures addressing controls over selection, testing
1 and acceptance of packaged softwares?
2 Is adequate documentation maintained for all softwares purchased?

3 Are vendor warranties (if any) still in force?

4 Is the software purchased, held in escrow?
5 Are backup copies of user/operations manual kept off-site?
N/A
 E ACCESS TO DATA FILES

Audit Objective
Is access to data files restricted to authorized users and programs?
Audit Procedure
Access to Data
No. Description Yes No
Is there any formal written data security policy? Consider whether
1 the policy addresses data ownership, confidentiality of information,
and use of password.
Is the security policy communicated to individuals in the
2 organization?
3 Is physical access to off-line data files controlled in:
 Computer room?
 On-site library?
 Off-site library?
Does the company employ a full-time librarian who is independent
4 of the operators and programmers?
5 Are libraries locked during the absence of the librarian?
6 Are requests for on-line access to off line files approved?
Are requests checked with the actual files issued and initialed by
7 the librarian?

Are sensitive applications e.g. payroll, maintained on machines in

8 physically restricted areas?

Are encryption techniques used to protect against unauthorized

9 disclosure or undetected modification of sensitive data?
10 Are returns followed up and non returns investigated and
adequately documented?
sers and programs?

N/A
 F COMPUTER PROCESSING

No. Description Yes No

1 Does a scheduled system exist for the execution of programs?
2 Are non-scheduled jobs approved prior to being run?
Is the use of utility programs controlled (in particular those that can
3 change executable code or data)?
4 Are program tests restricted to copies of live files?
5 Is access to computer room restricted to only authorized personnel?
6 Are internal and external labels used on files?
7 Are overrides of system checks by operators controlled?
Are exception reports for such overrides pointed and reviewed by
8 appropriate personnel?

Are sufficient operating instructions exist covering procedures to be

9 followed at operation?
10 If so, are these independently reviewed?
Is integrity checking programs run periodically for checking the accuracy
11 and correctness of linkages between records?
N/A
 G ACCESS CONTROLS

No. Description Yes

Is there any proper password syntax in-force ie minimum 5 and maximum 8
1 characters and include alphanumeric characters?

Are there satisfactory procedures for reissuing passwords to users who have
2 forgotten theirs?

Are procedures in place to ensure the compliance of removal of terminated

3 employee passwords?

Are system access compatibilities properly changed with regard to personnel

4 status change?

Are individual job responsibilities considered when granting users access

5 privileges?
6 Is each user allocated a unique password and user account?
Are there procedures in place to ensure forced change of password after every 30
7 days?
8 Is application level security violations logged?
9 Do standards and procedures exist for follow up of security violations?
Do formal and documented procedures exist for use and monitoring of dial up
10 access facility?
11 Is use made of passwords to restrict access to specific files?
12 Do terminals automatically log off after a set period of time?
Is there a limit of the number of invalid passwords before the terminal closes
13 down?

14 Are there any administrative regulations limiting physical access to terminals?

15 Are invalid password attempts reported to user department managers?
16 Are restrictions placed on which applications terminals can access?
Are keys, locks, cards or other physical devises used to restrict access to only
17 authorized user?
No N/A
 H APPLICATION CONTROLS - INPUT

Audit Objective
Do controls provide reasonable assurance that for each transaction type, input is authorized, complete
that errors are promptly corrected?

No. Description Yes No

Are all transactions properly authorized before being processed by
1 computers?
2 Are all batches of transactions authorized?
Do controls ensure unauthorized batches or transactions are
3 prevented from being accepted ie they are detected?
4 Is significant standing data input verified against the master file?
Is maximum use made of edit checking e.g. check digits, range and
5 feasibility checks, limit tests, etc.?
Are there procedures to ensure all vouchers have been processed
6 e.g. batch totals, document counts, sequence reports, etc.?
Are there procedures established to ensure that transactions or
7 batches are not lost, duplicated or improperly changed?
8 Are all errors reported for checking and correction?
9 Are errors returned to the user department for correction?
10 Do procedures ensure these are resubmitted for processing?
Is an error log maintained and reviewed to identify recurring
11 errors?

Are persons responsible for data preparation and data entry

12 independent of the output checking and balancing process?

Are persons responsible for data entry prevented from amending

13 master file data?
nput is authorized, complete and accurate, and
ted?

N/A
 I OUTPUT AND PROCESSING

Audit Objective
The controls provide reasonable assurance that transactions are properly processed by the computer
copy or other) is complete and accurate, and that calculated items have been accurately com

No. Description Yes No

Where output from one system is input to another, are run to run
1 totals, or similar checks, used to ensure no data is lost or corrupted?

2 Are there adequate controls over forms that have monetary value?

Is maximum use made of programmed checks on limits, ranges

3 reasonableness, etc. and items that are detected reported for
investigation?
Where calculations can be 'forced' i.e. bypass a programmed check,
4 are such items reported for investigation?
Where errors in processing are detected, is there a formal
5 procedure for reporting and investigation?
Is reconciliation between input, output and brought forward figures
6 carried out and differences investigated?
7 Are suspense accounts checked and cleared on a timely basis?
Are key exception reports reviewed and acted upon on a timely
8 basis?
y processed by the computer and output (hard
ms have been accurately computed:

N/A
 J VIRUSES

No. Description Yes No

1 Is there any formal written anti-virus policy?
2 Is the policy effectively communicated to individuals in the
organization?
3 Is there a list of approved software and suppliers?
4 Is only authorized software installed on microcomputers?
5 Is there a master library of such software?
6 Are directories periodically reviewed for suspicious files?
7 Are files on the system regularly checked for size changes?
8 Is anti-virus software installed on all microcomputers/laptops?
9 Is anti-virus software regularly updated for new virus definitions?
Are suspicious files quarantined and deleted from the terminal’s
10
hard drive and network drive on regular basis?
11 Are diskettes formatted before re-use?
Have procedures been developed to restrict or oversee the transfer
12 of data between machines?
13 Is staff prohibited from sharing machines (laptops/desktops)?
Is software reloaded from the master diskettes after machine
14 maintenance?
15 Has all staff been advised of the virus prevention procedures?
Are downloads from internet controlled by locking the hard-drive
16 and routing it through network drive to prevent the virus (if any)
from spreading?
N/A
 K INTERNET

No. Description Yes No

Is there any proper policy regarding the use of internet by the
1 employees?

Does the policy identify the specific assets that the firewall is
2 intended to protect and the objectives of that protection?

Does the policy support the legitimate use and flow of data and
3 information?
4 Is information passing through firewall is properly monitored?
Determine whether management approval of the policy has been
5 sought and granted and the date of the most recent review of the
policy by the management?
Is the policy properly communicated to the users and awareness is
6 maintained?
7 Have the company employed a Firewall Administrator?
8 Is firewall configured as per security policy?
9 Is URL screening being performed by Firewall?
10 Is anti-virus inspection enabled?
Are packets screened for the presence of prohibited words? If so,
11 determine how the list of words is administered and maintained.

Are access logs regularly reviewed and any action is taken on

12 questionable entries?
N/A
 L CONTINUITY OF OPERATIONS

Physical Protection
LI.: Fire Hazard
No. Description Yes No
1 Check the safety against fire in the following ways:
 Building materials fire resistant?
 Wall and floor coverings non-combustible?
 Separation from hazardous areas (e.g. fire doors)?
 Separation from combustible materials (e.g. paper, fuel)?
 Smoking restriction?
 Fire resistant safes (for tapes, disks and documentation)?
2 Check the appropriate arrangements of fire detection devices:
 Smoke/ Heat-rise detectors?
 Detectors located on ceiling and under floor?
 Detectors located in all key EDP areas?
 Linked to fire alarm system?
3 Check the appropriate arrangements for fire fighting:
 Halon gas system (for key EDP areas)
 Automatic sprinkler system
 Portable CO2, extinguishers (electrical fires)
 Ease of access for fire services
4 Check appropriate arrangements in case of fire emergency:
 Fire instructions clearly posted
 Fire alarm buttons clearly visible
 Emergency power-off procedures posted
 Evacuation plan, with assignment of roles and responsibilities
5 Check if there is training to avoid fire emergecny:
 Regular fire drill and training
 Regular inspection/testing of all computing equipment
Physical Protection
LII.: Air Conditioning
No. Description Yes No
Monitoring of temperature and humidity in EDP area
 Heat, fire and access protection of sensitive air-conditioning
parts (eg. cooling tower)
 Air intakes located to avoid undesirable pollution
 Back-up air conditioning equipment
Physical Protection
LIII.: Power Supply
No. Description Yes No
 Reliable local power supply
  Separate computer power supply
 Line voltage monitored
 Power supply regulated (For voltage fluctuation)
 Uninterrupted power supply (eg. Battery system) available
 Alternative power supply (eg. Generator) Emergency lighting
system
Physical Protection
LIV.: Communications Network
No. Description Yes No
 Physical protection of communications lines modems,
multiplexors and processors
 Location of communication equipment separate from main EDP
equipment
 Back-up and dial-up lines for direct lines
Physical Protection
LV.: Machine Servers Layout Room
No. Description Yes No
 Printers, plotters located in separate area
 Printout preparation (eg. bursting) located in separate area
 Tape/Disk library in separate area Machine room kept tidy
 Practical location of security devices
 Emergency power off switches
 Alarms
 Extinguishers
 Environment monitoring equipment
Physical Protection
LVI.: Assess Control
No. Description Yes No
Entrance Routes (EDP areas):
 No unnecessary entrances to the computer room
 Non-essential doors always shut and locked to the outside (eg,
Fire exits)
 Air vent and daylight access location
 Protected and controlled use of all open doors
N/A

N/A

N/A
rk
N/A

om
N/A

N/A
Is there monitoring of temperature and humidity in electronic data process (EDP) (Server rooms) and Communication closet areas?
munication closet areas?
 M ACCESS CONTROL

No. Description Yes No

1 Access restricted to selected employees
2 Prior approval required for all other employees
3 Entrance door controlled by:
 Screening by a guard
 Locks/combinations
 Electronic badge/key
 Other - biological identification devices
4 Positive identification of all employees (eg. identification card)
5 Verification of all items taken into and out of the computer room
Access controlled on 24 hours basis including weekends (eg, automatic
6 control mechanism)
7 Locks, combinations, badge codes changed periodically

MI. Visitor Control

No. Description Yes No
1 Positive identification always required
2 Badges issued, controlled and returned on departure
3 All visits logged in and out
4 Visitors accompanied and observed at all times

MII.: Terminal Security

No. Description Yes No
1 All terminals located in secure areas
Alarm system used to control microcomputers from being disconnected
2 or moved from its location.

Sensitive applications eg payroll, maintained on machines in physically

3 restricted area.
4 Terminal keys/locks used
5 Passwords changed regularly
6 Identification labels been placed on each terminal.

MIII. General Security

No. Description Yes No
1 Waste regularly removed from EDP area and sensitive data shredded.
2 Window and door alarm system.
3 Closed circuit television monitoring ie CCTV cameras.
N/A

N/A

N/A

N/A
 N PERSONNEL POLICIES – MIS STAFF

No. Description Yes No

New employees recruited according to job description and job
1 specification.
2 Employee identity cards issued.
3 Performance evaluation and regular counseling.
4 Continuing education program.
5 Training in security, privacy and recovery procedures.
6 All functions covered by cross training.
Critical jobs rotated periodically (e.g. operators, program
7 maintenance).
8 Clean desk policy enforced.
9 Fidelity insurance for key personnel.
10 Contract service personnel vetted (e.g. cleaners)
N/A
 O INSURANCE

No. Description Yes No

1 Does adequate insurance exist to cover:
 Equipment?
 Software and documentation?
 Storage media?
 Replacement/ re-creation cost?
 Loss of data/assets (eg. Accounts receivable)?
 Business loss or interruption (business critical systems)?
Is adequate consideration given to cover additional cost of working and
2 consequential losses?
N/A
 P BACK-UP PROCEDURES

PI.: Equipment (computer and ancillary)

No. Description
1 Regular preventive maintenance
Reliable manufacturer service Arrangements for back-up installation Formal written
2 agreement
3 Compatibility regularly checked
4 Sufficient computer time available at back-up
5 Testing at back-up regularly performed

PII.: Outside Suppliers (non continuance/ disaster)

No. Description
- (eg, suppliers of equipment, computer time, software)
1 Alternative sources of supply/ maintenance/ service available
2 Adequate and secure documentation/ back-up of data and programs
3 Are backup copies of system documentation kept in a secure location?

PIII.: Off-site Storage

No. Description
1 Secure separate location
2 Adequate physical protection. Log maintained of off-site materials
3 Off- site Inventory regularly reviewed
4 File transportation under adequate physical protection
5 Back-up files periodically tested

PIV.: Data Files

No. Description
1 File criticality and retention procedure regularly reviewed

PV.: Tape
No. Description
1 At least three generations of important tape files retained
2 Copies of all updating transactions for above retained
3 At least one generation and all necessary updating transactions in off-site storage

PVI.: Disc
No. Description
1 Checkpoint/restart procedures provided for
2 Audit trail (log file) of transactions updating on-line files (data base) maintained
3 Regular tape dumps of all disc files stored off-site
4 Audit trail (log file) regularly dumped and stored off-site
 PVII.: Software
No. Description
1 Copies of following maintained at off-site storage: Production application programs
 Major programs under development
 System and program documentation
 Operating procedures
 Operation and system software
 All copies regularly updated
 Back-up copies regularly tested

PVIII.: Operations
No. Description
1 Back-up procedure manual
2 Priority assignments for all applications
3 Procedures for restoring data files and software Procedures for back-up installation
nd ancillary)
Yes No N/A

inuance/ disaster)
Yes No N/A

age
Yes No N/A

Yes No N/A

Yes No N/A

Yes No N/A
 Yes No N/A

ns
Yes No N/A
 Q DISASTER RECOVERY PLANS

No. Description Yes

1
Is a comprehensive contingency plan developed, documented and periodically
tested to ensure continuity in data processing services?
2
Does the contingency plan provide for recovery and extended processing of critical
applications in the event of catastrophic disaster?
3 Has any Business Impact Analysis carried out by the company?

4
Are all recovery plans approved and tested to ensure their adequacy in the event of
disaster?
5 Communicated to all management and personnel concerned
6 Critical processing priorities identified (eg. Significant accounting applications)
7 Are disaster recovery teams established to support disaster recovery plan?

8
Are responsibilities of individuals within disaster recovery team defined and time
allocated for completion of their task?
9 Operations procedures for use of equipment and software back- up

10
Has the company developed and implemented adequate plan maintenance
procedures?
11 Are priorities set for the development of critical systems?
12 Does a hardware maintenance contract exist with a reputable supplier?
13 Does the recovery plan ensure, in the event of failure:
 No loss of data received but not processed
 No reprocessing of data already processed
 Files not corrupted by partially completed processing
14 Are recovery plans regularly tested?
No N/A