Information systems audits are becoming an integral part of the procedural initiatives taken by organisations. With the proliferation of cloud systems, changes in ways of working and intensified cyber-attacks, IT system audits are now commonplace.
In the course of an information systems audit you will be required to carry out a variety of tasks, so it is important to have a checklist. You need to keep track of which tasks are completed and which ones remain outstanding. In this article, we discuss the basic checklist an IT auditor needs for a security and infrastructure review.
Part 1: People
The audit objective of this stage is to confirm whether the organization’s data processing procedures provide for adequate segregation of duties. To meet this objective, you will need to review the organizational chart and the structure of the IT department. Some questions to guide you at this stage include:
- Is there a separate IT department within the company? Is this function independent of the user departments and what is the level of control exercised by the finance/accounting function over IT?
- Do all the employees in the IT function have clear job descriptions, and have these been communicated to the designated employees? Do IT personnel perform any of the tasks below?
  - Originating transactions
  - Amending transactions/errors
  - Master data changes (if so, is there an authorised procedure?)
- Does the organisation have an IT strategy? Is there a strategic data processing plan, and is there a steering committee from which the duties and responsibilities for managing information systems are directed?
- Are IT personnel restricted from having responsibilities that conflict with those of the user departments? Is there adequate segregation of duties across the following activities:
  - Data entry
  - System design
  - System and applications programming
  - Database administration
- Are there any key personnel who are over-relied upon? Are there any key personnel within the IT department whose absence could leave the organisation crippled?
- Who has access to the server room? Is there a policy in place that defines system access levels including physical access? Who is the custodian of key IT assets?
- Is the processing of system and application updates pre-scheduled and authorised at the appropriate management level?
- Are the IT personnel adequately trained and do they participate in continuous professional education?
Part 2: System development and maintenance
The objective of this part is to confirm whether developments and changes made to IT programs are tested and approved before being put into production. To achieve this objective, you will need to review the details of the program library structure and observe the completeness, or lack thereof, of the controls in place by performing the following tests:
- Are there any existing standards for program maintenance? What is the effectiveness of these standards? Are they followed? Who reviews and approves the standards and at what interval?
- Who initiates changes to programs? Are requests authorised at the appropriate level? Are changes initiated by the data team communicated to users and approved by them?
- What is the involvement of the internal audit function or another supervisory team during the change? Are they informed of proposed changes for their review?
- Do programmers have access to libraries other than the test library? What is the procedure to ensure that all programs scheduled for maintenance are kept in a separate program test library?
- Are there adequate controls over the transfer of programs from production into the programmer’s test library? Are transfers from the development library to the production library carried out by persons independent of the programmers?
- Are all program changes properly documented? Are tests performed for system acceptance and test data documented? Is a copy of the previous version of the program retained (for use in the event of problems arising with the amended version)?
- What controls are put in place to ensure that there is no program recompilation?
- Are all newly developed systems, and changes to existing systems, tested according to user-approved test plans and standards? What controls are in place to ensure the authorisation, implementation, approval and documentation of changes to production systems?
Part 3: System development
At this point, your objective as an auditor is to ensure that systems development activities are completed in accordance with approved policies, and that the systems which have been put into production are as originally designed and free from material errors. You will achieve this objective by conducting the following tests:
- Is there an approved standard for the system development life cycle? Who reviews the standards? How frequently are they updated?
- Do the standards provide for the development of controlled applications?
- What authorization is required at the various stages of development i.e., feasibility study, system specification, testing, production run and post implementation review?
- What is the level of the internal audit department involvement in the design stage? Is there a review to ensure that adequate controls exist?
- Do users and data processing teams get adequate training on the new applications? Are user manuals prepared and revised with updates on the subsequent changes?
- Is there a system implementation plan? Is there a parallel run or pilot phase before full production? Are differences and deficiencies noted during the implementation stage recorded and resolved?
- Is a post-implementation review of the system carried out? Does the organisation have a quality assurance function to verify the integrity and acceptance of new applications?
Part 4: Purchased software
At this point, your objective as an auditor is to ensure that software purchase activities are completed in accordance with approved policies, that the systems which have been put into production are as originally designed, and that reasonable assurance has been obtained that the software is free from material errors. You will achieve this objective by conducting the following tests:
- What procurement procedures are in place to ensure that the selection, testing and acceptance of ready-made software fit the organisation's needs?
- Are vendor warranties secured for all purchased software?
- Are users adequately trained before putting the software into production?
- Who maintains the back-up data? Where data is held in the cloud, are there adequate safeguards to ensure organisational data is secure from misuse?
- For cloud service providers, are there agreed service level agreements on software performance? Are the contracts enforceable?
In our next article, we will discuss part 2 of IT system audits. You may subscribe to our FHC newsletter to get an update.