FORM 20A.9 SAMPLE AUDIT PROGRAM FOR TESTING IT CONTROLS. Date(s) Completed. Workpaper Reference



Similar documents
Auditing in an Automated Environment: Appendix C: Computer Operations

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

DETAIL AUDIT PROGRAM Information Systems General Controls Review

IT - General Controls Questionnaire

General Computer Controls

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

PERFORMANCE EVALUATION AUDIT CHECKLIST EXAMPLE. EIIP Volume VI

San Francisco Chapter. Information Systems Operations

HIPAA Information Security Overview

1. Describe the staffing levels maintained in the IT department (change titles as needed): K. Tollefsen/1

FINAL May Guideline on Security Systems for Safeguarding Customer Information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Internet Banking Internal Control Questionnaire

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

General IT Controls Audit Program

OFFICE OF THE STATE AUDITOR General Controls Review Questionnaire

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

IT Sr. Systems Administrator

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Systems and Technology

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy

Master Document Audit Program

Supplier Security Assessment Questionnaire

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Payment Systems and Funds Transfer Internal Control Questionnaire

Small Business IT Risk Assessment

How To Write A Health Care Security Rule For A University

UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM

AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM

INFORMATION TECHNOLOGY CONTROLS

MASSIVE NETWORKS Online Backup Compliance Guidelines Sarbanes-Oxley (SOX) SOX Requirements... 2

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS

Audit of System Backup and Recovery Controls for the City of Milwaukee Datacenters MARTIN MATSON City Comptroller

Exhibit to Data Center Services Service Component Provider Master Services Agreement

C.T. Hellmuth & Associates, Inc.

HIPAA Security Alert

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Introduction to HIPAA and how it relates to docstar

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

Supply Chain Security Audit Tool - Warehousing/Distribution

HIPAA RISK ASSESSMENT

Certified Information Systems Auditor (CISA)

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

Rotherham CCG Network Security Policy V2.0

HIPAA Privacy and Security Risk Assessment and Action Planning

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Decision on adequate information system management. (Official Gazette 37/2010)

Supplier Information Security Addendum for GE Restricted Data

CHIS, Inc. Privacy General Guidelines

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

How To Protect A Hampden County Hmis From Being Hacked

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

Standard: Data Center Security

BKDconnect Security Overview

Network Security Policy

U. S. Department of Energy Consolidated Audit Program Checklist 5 Laboratory Information Management Systems Electronic Data Management

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

ISO IEC ( ) INFORMATION SECURITY AUDIT TOOL

Risk Management of Outsourced Technology Services. November 28, 2000

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

INFORMATION SECURITY PROGRAM

Memorandum. ACTION: Report on Computer Security Controls of Financial Management System, FTA FE May 23, 2000.

Storage Guardian Remote Backup Restore and Archive Services

HIPAA Security Checklist

Tk20 Backup Procedure

How To Ensure Security At A Site Security Site

American International Group, Inc. DNS Practice Statement for the AIG Zone. Version 0.2

HIPAA: In Plain English

HIPAA Security COMPLIANCE Checklist For Employers

ULH-IM&T-ISP06. Information Governance Board

How To Protect Decd Information From Harm

The Practice of Internal Controls. Cornell Municipal Clerks School July 16, 2014

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Payment Card Industry Compliance

PART 10 COMPUTER SYSTEMS

CITY UNIVERSITY OF HONG KONG Physical Access Security Standard

Information Technology Internal Audit Report

UMHLABUYALINGANA MUNICIPALITY IT PERFORMANCE AND CAPACITY MANAGEMENT POLICY

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

INFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS Risk Assessment 357-7

HIPAA Compliance Guide

Transcription:

FORM 20A.9 SAMPLE AUDIT PROGRAM FOR TESTING IT CONTROLS Workpaper Reference Date(s) Completed Organization and Staffing procedures used to define the organization of the IT Department. 2. Review the organization chart for completeness, accuracy, and appropriateness to the situation. 3. Review the minutes of the IT Steering Committee meetings to determine the frequency of meeting and the level of the Steering Committee s involvement. 4. Prepare or update documentation describing the forms and procedures used to segregate duties within the IT Department. 5. Review the IT organization chart noting the degree to which IT functions are segregated. Ensure duties are segregated among operations, system development, security administration, and end user data control. 6. Prepare or update documentation describing the forms and procedures used to administer personnel policies for IT employees. 7. Review vacation schedules to note compliance with policy. 8. Review the procedures followed during the last instance in which a programmer or operator was terminated to note compliance with policy. Program Changes and Program Libraries procedures used to provide support for Program Change Requests (PCRs). 2. Review a random sample of five PCRs from the last six months to note compliance with the above controls to provide adequate support. procedures used to ensure authorization of all program changes. 4. Review a random sample of five PCRs to note compliance with the above controls to provide authorization. procedures used to control the implementation of program changes. 6. Account for a block of five PCRs as being completed or in process. 7. Prepare or update documentation describing the forms and procedures used to promote the accuracy and propriety of program changes. 8. Review a random sample of five PCRs to note management s review and acceptance of test results. 9. Prepare or update documentation describing the forms and procedures used to establish an audit trail over all program changes. 10. Review a random sample of five PCRs to note indication of the names of programs that were changed. 11. Review the program listings that relate to the five PCRs selected previously to note identification of the coding changes. 12. Prepare or update documentation describing the forms, procedures, and methods used to secure program libraries.

13. Identify five occurrences of access to the program libraries and determine the adequacy of support for these accesses. Documentation procedures used to update documentation. 2. Review a random sample of five PCRs to note indication of whether related documentation has been updated. procedures used to provide uniform documentation of computer systems. 4. Review documentation standards of checklist for completeness; note any deficiencies found. 5. Review selected documentation of major applications and determine whether it complies with documentation standards. 6. Prepare or update documentation describing the forms and procedures used to protect and update documentation. 7. Review the Program Change Log for the past six months. Select three program changes that appear to require documentation changes. Trace these changes to all the documentation (systems, operations, user) to note timeliness and performance of updates. 8. Confirm the existence of an off-site copy of all documentation. 9. If off-site documentation is not available, determine the adequacy of physical protection for the on-site copy. Operations procedures used to provide adequate operations supervision. 2. Obtain a copy of the IT Department organization chart; note adequacy of operations supervision. 3. Obtain copies of the history for a recent week. a. Note indication of history review by IT management. b. Identify any incidents of the use of the utility program. Trace to operations management authorization and documentation. 4. Locate two histories that are at least three months old. procedures used to promote accuracy and propriety of computer operations. 6. Determine the location of source program libraries and documentation. Note adequacy of procedures or methods to restrict operations personnel from accessing these items. 7. Review operations rotation schedules to note the extent of crosstraining practiced. 8. Prepare or update documentation describing the forms and procedures used to promote proper handling of data media. 9. Examine external labels on 10 tapes or diskettes picked at random and note adequacy of label information. Select three of these and print their labels. Note agreement of internal and external labels with regard to volume, name, contents, and date. 10. Determine the adequacy of the on-site file library organization. 1 procedures used to maintain hardware performance.

12. Examine current maintenance contracts for the following components: CPU, consoles, disk storage devices, and line printer. Note adequacy of the hours covered. Security procedures used to ensure authorized usage of on-line terminals. 2. Examine documentation concerning assignment of passwords to note the frequency with which they are changed. 3. Using a valid password, attempt to initiate an activity restricted from that password. 4. Observe terminals that are not in immediate use to note whether they are signed off. procedures used to control processing performed online. 6. Attempt to enter restricted transactions and note whether they were rejected or not. 7. Locate five consecutive access logs to note their retention and indication of management s review. 8. Prepare or update documentation describing the forms and procedures used to provide processing of on-line functions on a batch basis. 9. For each major on-line accounting system, determine the existence of programs that provide batch processing for (normally) on-line transactions. 10. For each major on-line accounting system, determine the adequacy of forms and procedures that provide for manual input of transactions which are normally entered in an on-line mode. 11. For each major on-line accounting system, determine the availability of hardcopy reports to replace on-line inquiry and review them for adequacy. 12. Prepare or update documentation describing the forms and procedures used to control access to the IT Department. 13. Observe operations throughout the audit and note compliance with access restrictions. 14. Review access levels of all employees and compare that to their current responsibilities. Determine their access is necessary based on current job duties. Ensure no terminated employees still have access to the bank s systems. 15. Review procedures around terminated employees and how system access is removed, keys are obtained, and combinations are changed. 16. Obtain and review the bank s current computer use and e-mail use policies and verify employees are required to sign for reading them. 17. Verify the bank has policies requiring passwords to be changed periodically and never to be written. 18. Review all external access points to the network and mainframe and ensure they are properly documented, reviewed on a regular basis, and access is monitored. 19. Review firewalls surrounding the internal network and systems. Verify intrusion detection procedures are in place and regularly monitored.

20. Review the use of encryption for the transmission of sensitive information within the bank s systems and information going outside the bank. Safety Measures 1. Prepare or update documentation describing the physical protection of the IT Department. 2. Tour the computer room to note the presence and location of: a. Portable fire extinguishers (are they recently inspected?) b. Fire detection sensors and alarms c. Automatic fire extinguishing system d. Electric power shut-off switch e. Telephone f. Emergency lighting g. No smoking signs h. Emergency exit signs 3. Review physical security (locked doors, etc.). 4. Review the emergency action/disaster recovery plan for adequacy and content: a. Actions to be taken (e.g., equipment shutdown) b. Individuals to phone c. Materials to be removed from the computer room Backup Systems procedures used to help ensure the capability of off-site processing facilities. 2. Confirm backup agreements with the management of the primary backup facility. procedures used to help ensure the availability of backup resources. 4. Verify the presence of the off-site file containing the copy of the operating system. 5. Verify the presence of the off-site files containing the copies of source and object program libraries. 6. Select one major application and verify that all master files and transaction files are present, by printing the labels of the off-site backup files. 7. Examine off-site copies of documentation to verify their existence and ensure that they are reasonably complete. 8. Determine the date of the last off-site program backup and evaluate its timeliness. 9. Evaluate the physical protection of the off-site backup location. 10. Prepare or update documentation describing the forms and procedures used to plan the off-site processing of data. 11. Obtain a copy of the contingency plan and review it for completeness and currency. 12. Review results of most recent test of contingency plan and back-up site. Testing should be performed at least annually. 13. Verify a copy of the disaster recovery/contingency plan is maintained off-site.

14. Prepare or update documentation describing the forms and procedures used to plan the off-site processing of data. 15. Verify an IT risk assessment has been performed. Insurance 1. Obtain a copy of the most recent report of the IT Insurance Review and note any recommendations or weaknesses. 2. Obtain copies of the IT insurance policies and note that effective dates are current. 3. Review insurance policies and note stipulations or requirements that must be met by the IT Department to prevent voiding the insurance coverage. Verify that IT management is aware of these requirements and has instituted policies or procedures to meet these requirements. 4. Prepare or update documentation describing the forms and procedures used to control data processing performed for outside organizations. Customer Service 1. Review service contracts to find one for each service customer. Ensure the contracts are current. 2. Examine contracts to find that terms include: a. Description of work to be performed and established time schedule b. Formula for processing fees c. Statement of bank liability d. Signatures of both parties 3. Determine that service logs are complete and currently maintained. 4. Determine that customer personnel signatures are current by comparing signatures on recently received work with the samples of authorized signatures. 5. Obtain and review SAS 70s for third-party processors. Follow up on any weaknesses noted. Information Security 1. Review the bank s information security program and verify all requirements of the Gramm-Leach-Bliley Act (GLBA) are included. 2. Review the controls over the exchange of nonpublic customer information with both internal and external parties and ensure compliance with GLBA. Internet Banking 1. Review the bank s Web site for compliance issues, including FDIC insured and equal housing lender logos and terms and conditions. 2. Review the internal controls surrounding access and distribution of customer PINs and passwords, including changes to them. 3. Obtain and review the third-party provider s SAS 70 and follow up on any significant weaknesses. 4. Review the adequacy of the third party s intrusion detection and monitoring procedures.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information