Itil Audit Checklist
Posted by admin on 22/05/19. Published on 17-Jan-2015.
ITIL Service Support Checklists: IT Service Management (ITSM) lies at the heart of ITIL (Information Technology Infrastructure Library) implementation.
Description: IS Audit Checklist for all companies.
Audit Checklist: Management Information Systems
Ahmad Tariq Bhatti FCMA, FPA, MA (Economics), BSc
Each item below is recorded as Yes, No or N/A.

A. ORGANISATION AND ADMINISTRATION
Audit Objective: Does the organization of data processing provide for adequate segregation of duties?
Audit Procedures: Review the company organization chart, and the data processing department organization chart.
1. Is there a separate EDP department within the company?
2. Is there a steering committee where the duties and responsibilities for managing MIS are clearly defined?
3. Has the company developed an IT strategy linked with the long and medium term plans?
4. Is the EDP Department independent of the user departments and in particular the accounting department?
5. Are there written job descriptions for all jobs within the EDP department, and are these job descriptions communicated to the designated employees?
6. Are EDP personnel prohibited from having incompatible responsibilities or duties in user departments and vice versa?
7. Are there written specifications for all jobs in the EDP Department?
8. Are the following functions within the EDP Department performed by separate sections:
   - System design?
   - Application programming?
   - Computer operations?
   - Database administration?
   - Systems programming?
   - Data entry and control?
9. Are the data processing personnel prohibited from duties relating to:
   - Initiating transactions?
   - Recording of transactions?
   - Master file changes?
   - Correction of errors?
10. Is all processing pre-scheduled and authorized by appropriate personnel?
11. Are there procedures to evaluate and establish who has access to the data in the database?
12. Are the EDP personnel adequately trained?
13. Are systems analysts and programmers denied access to the computer room and limited in their operation of the computer?
14. Are operators barred from making changes to programs and from creating or amending data before, during, or after processing?
15. Is the custody of assets restricted to personnel outside the EDP department?
16. Is a strategic data processing plan developed by the company for the achievement of the long-term business plan?
17. Are there any key personnel within the IT department whose absence can leave the company with limited expertise?
18. Are there any key personnel who are being over-relied upon?
19. Is EDP audit being carried out by internal audit or an external consultant to ensure compliance with the policies and controls established by management?

B. PROGRAM MAINTENANCE AND SYSTEM DEVELOPMENT
Audit Objective: Development of and changes to programs are authorized, tested, and approved prior to being placed in production.
Program Maintenance
Audit Procedures:
- Review details of the program library structure, and note controls which allow only authorized individuals to access each library.
- Note the procedures used to amend programs.
- Obtain an understanding of any program library management software used.
1. Are there written standards for program maintenance?
2. Are these standards adhered to and enforced?
3. Are these standards reviewed regularly and approved?
4. Are there procedures to ensure that all programs required for maintenance are kept in a separate program test library?
5. Are programmers denied access to all libraries other than the test library?
6. Are changes to programs initiated by written request from the user department and approved?
7. Are changes initiated by the Data Processing Department communicated to users and approved by them?
8. Are there adequate controls over the transfer of programs from production into the programmers' test library?
9. Are all systems developed, or changes to existing systems, tested according to user-approved test plans and standards?
10. Are tests performed for system acceptance, and are the test data documented?
11. Are transfers from the development library to the production library carried out by persons independent of the programmers?
12. Do procedures ensure that no such transfer can take place without the change having been properly tested and approved?
13. Is a report of program transfers into production reviewed on a daily basis by a senior official to ensure only authorized transfers have been made?
14. Are all program changes properly documented?
15. Are all changed programs immediately backed up?
16. Is a copy of the previous version of the program retained (for use in the event of problems arising with the amended version)?
17. Are there standards for emergency changes to be made to application programs?
18. Are there adequate controls over program recompilation?
19. Are all major amendments notified to Internal Audit for comment?
20. Are there adequate controls over the authorization, implementation, approval and documentation of changes to operating systems?

C. SYSTEM DEVELOPMENT
1. Are there formalized standards for the system development life cycle procedure?
2. Do they require authorization at the various stages of development: feasibility study, system specification, testing, parallel running, post-implementation review, etc.?
3. Do the standards provide a framework for the development of controlled applications?
4. Are standards regularly reviewed and updated?
5. Does adequate system documentation exist for:
   - Programmers to maintain and modify programs?
   - Users to satisfactorily operate the system?
6. Has the internal audit department been involved in the design stage to ensure adequate controls exist?
7. Testing of programs: see Program Maintenance.
8. Procedures for authorizing new applications into production: see Program Maintenance.
9. Are user and data processing personnel adequately trained to use the new applications?
10. Is system implementation properly planned and implemented by either parallel run or pilot run?
11. Are any differences and deficiencies found during the implementation phase noted and properly resolved?
12. Are there adequate controls over the setting up of standing data and opening balances?
13. Is a post-implementation review carried out?
14. Are user manuals prepared for all new systems developed and revised for subsequent changes?
15. Is there a Quality Assurance function to verify the integrity and acceptance of applications developed?

D. PURCHASED SOFTWARE
1. Are there procedures addressing controls over the selection, testing and acceptance of packaged software?
2. Is adequate documentation maintained for all software purchased?
3. Are vendor warranties (if any) still in force?
4. Is the purchased software held in escrow?
5. Are backup copies of user/operations manuals kept off-site?

E. ACCESS TO DATA FILES
Audit Objective: Is access to data files restricted to authorized users and programs?
Access to Data
1. Is there any formal written data security policy? Consider whether the policy addresses data ownership, confidentiality of information, and use of passwords.
2. Is the security policy communicated to individuals in the organization?
3. Is physical access to off-line data files controlled in:
   - Computer room?
   - On-site library?
   - Off-site library?
4. Does the company employ a full-time librarian who is independent of the operators and programmers?
5. Are libraries locked during the absence of the librarian?
6. Are requests for on-line access to off-line files approved?
7. Are requests checked against the actual files issued and initialed by the librarian?
8. Are sensitive applications, e.g. payroll, maintained on machines in physically restricted areas?
9. Are encryption techniques used to protect against unauthorized disclosure or undetected modification of sensitive data?
10. Are returns followed up, and non-returns investigated and adequately documented?

F. COMPUTER PROCESSING
1. Does a scheduling system exist for the execution of programs?
2. Are non-scheduled jobs approved prior to being run?
3. Is the use of utility programs controlled (in particular those that can change executable code or data)?
4. Are program tests restricted to copies of live files?
5. Is access to the computer room restricted to authorized personnel only?
6. Are internal and external labels used on files?
7. Are overrides of system checks by operators controlled?
8. Are exception reports for such overrides printed and reviewed by appropriate personnel?
9. Do sufficient operating instructions exist covering the procedures to be followed during operation?
10. If so, are these independently reviewed?
11. Are integrity checking programs run periodically to check the accuracy and correctness of linkages between records?

G. ACCESS CONTROLS
1. Is there a proper password syntax in force, i.e. minimum 5 and maximum 8 characters, including alphanumeric characters?
2. Are there satisfactory procedures for reissuing passwords to users who have forgotten theirs?
3. Are procedures in place to ensure that terminated employees' passwords are removed?
4. Are system access capabilities properly changed with regard to personnel status changes?
5. Are individual job responsibilities considered when granting users access privileges?
6. Is each user allocated a unique password and user account?
7. Are there procedures in place to ensure a forced change of password every 30 days?
8. Are application-level security violations logged?
9. Do standards and procedures exist for the follow-up of security violations?
10. Do formal and documented procedures exist for the use and monitoring of the dial-up access facility?
11. Is use made of passwords to restrict access to specific files?
12. Do terminals automatically log off after a set period of time?
13. Is there a limit on the number of invalid passwords before the terminal closes down?
14. Are there any administrative regulations limiting physical access to terminals?
15. Are invalid password attempts reported to user department managers?
16. Are restrictions placed on which applications terminals can access?
17. Are keys, locks, cards or other physical devices used to restrict access to authorized users only?

H. APPLICATION CONTROLS - INPUT
Audit Objective: Do controls provide reasonable assurance that for each transaction type, input is authorized, complete and accurate, and that errors are promptly corrected?
1. Are all transactions properly authorized before being processed by computers?
2. Are all batches of transactions authorized?
3. Do controls ensure that unauthorized batches or transactions are prevented from being accepted, i.e. that they are detected?
4. Is significant standing data input verified against the master file?
5. Is maximum use made of edit checking, e.g. check digits, range and feasibility checks, limit tests, etc.?
6. Are there procedures to ensure all vouchers have been processed, e.g. batch totals, document counts, sequence reports, etc.?
7. Are there procedures established to ensure that transactions or batches are not lost, duplicated or improperly changed?
8. Are all errors reported for checking and correction?
9. Are errors returned to the user department for correction?
10. Do procedures ensure these are resubmitted for processing?
11. Is an error log maintained and reviewed to identify recurring errors?
12. Are persons responsible for data preparation and data entry independent of the output checking and balancing process?
13. Are persons responsible for data entry prevented from amending master file data?

I. OUTPUT AND PROCESSING
Audit Objective: The controls provide reasonable assurance that transactions are properly processed by the computer, that output (hard copy or other) is complete and accurate, and that calculated items have been accurately computed.
1. Where output from one system is input to another, are run-to-run totals, or similar checks, used to ensure no data is lost or corrupted?
2. Are there adequate controls over forms that have monetary value?
3. Is maximum use made of programmed checks on limits, ranges, reasonableness, etc., and are items that are detected reported for investigation?
4. Where calculations can be forced, i.e. a programmed check bypassed, are such items reported for investigation?
5. Where errors in processing are detected, is there a formal procedure for reporting and investigation?
6. Is reconciliation between input, output and brought-forward figures carried out, and are differences investigated?
7. Are suspense accounts checked and cleared on a timely basis?
8. Are key exception reports reviewed and acted upon on a timely basis?

J. VIRUSES
1. Is there any formal written anti-virus policy?
2. Is the policy effectively communicated to individuals in the organization?
3. Is there a list of approved software and suppliers?
4. Is only authorized software installed on microcomputers?
5. Is there a master library of such software?
6. Are directories periodically reviewed for suspicious files?
7. Are files on the system regularly checked for size changes?
8. Is anti-virus software installed on all microcomputers/laptops?
9. Is anti-virus software regularly updated with new virus definitions?
10. Are suspicious files quarantined and deleted from the terminal's hard drive and network drive on a regular basis?
11. Are diskettes formatted before re-use?
12. Have procedures been developed to restrict or oversee the transfer of data between machines?
13. Are staff prohibited from sharing machines (laptops/desktops)?
14. Is software reloaded from the master diskettes after machine maintenance?
15. Have all staff been advised of the virus prevention procedures?
16. Are downloads from the internet controlled by locking the hard drive and routing them through a network drive to prevent any virus from spreading?

K. INTERNET
1. Is there a proper policy regarding the use of the internet by employees?
2. Does the policy identify the specific assets that the firewall is intended to protect and the objectives of that protection?
3. Does the policy support the legitimate use and flow of data and information?
4. Is information passing through the firewall properly monitored?
5. Determine whether management approval of the policy has been sought and granted, and the date of the most recent review of the policy by management.
6. Is the policy properly communicated to the users, and is awareness maintained?
7. Has the company employed a Firewall Administrator?
8. Is the firewall configured as per the security policy?
9. Is URL screening being performed by the firewall?
10. Is anti-virus inspection enabled?
11. Are packets screened for the presence of prohibited words? If so, determine how the list of words is administered and maintained.
12. Are access logs regularly reviewed, and is action taken on questionable entries?

L. CONTINUITY OF OPERATIONS
Physical Protection
L.I Fire Hazard
1. Check the safety against fire in the following ways:
   - Building materials fire resistant?
   - Wall and floor coverings non-combustible?
   - Separation from hazardous areas (e.g. fire doors)?
   - Separation from combustible materials (e.g. paper, fuel)?
   - Smoking restriction?
   - Fire resistant safes (for tapes, disks and documentation)?
2. Check the appropriate arrangements of fire detection devices:
   - Smoke/heat-rise detectors?
   - Detectors located on ceiling and under floor?
   - Detectors located in all key EDP areas?
   - Linked to fire alarm system?
3. Check the appropriate arrangements for fire fighting:
   - Halon gas system (for key EDP areas)
   - Automatic sprinkler system
   - Portable CO2 extinguishers (electrical fires)
   - Ease of access for fire services
4. Check appropriate arrangements in case of fire emergency:
   - Fire instructions clearly posted
   - Fire alarm buttons clearly visible
   - Emergency power-off procedures posted
   - Evacuation plan, with assignment of roles and responsibilities
5. Check if there is training to avoid fire emergency:
   - Regular fire drill and training
   - Regular inspection/testing of all computing equipment
L.II Air Conditioning
- Monitoring of temperature and humidity in EDP area
- Heat, fire and access protection of sensitive air-conditioning parts (e.g. cooling tower)
- Air intakes located to avoid undesirable pollution
- Back-up air conditioning equipment
L.III Power Supply
- Reliable local power supply
- Separate computer power supply
- Line voltage monitored
- Power supply regulated (for voltage fluctuation)
- Uninterrupted power supply (e.g. battery system) available
- Alternative power supply (e.g. generator)
- Emergency lighting system
L.IV Communications Network
- Physical protection of communications lines, modems, multiplexors and processors
- Location of communication equipment separate from main EDP equipment
- Back-up and dial-up lines for direct lines
L.V Machine (Servers) Room Layout
- Printers, plotters located in separate area
- Printout preparation (e.g. bursting) located in separate area
- Tape/disk library in separate area
- Machine room kept tidy
- Practical location of security devices
- Emergency power-off switches
- Alarms
- Extinguishers
- Environment monitoring equipment
L.VI Access Control Entrance Routes (EDP areas)
- No unnecessary entrances to the computer room
- Non-essential doors always shut and locked to the outside (e.g. fire exits)
- Air vent and daylight access location
- Protected and controlled use of all open doors

M. ACCESS CONTROL
1. Access restricted to selected employees
2. Prior approval required for all other employees
3. Entrance door controlled by:
   - Screening by a guard
   - Locks/combinations
   - Electronic badge/key
   - Other: biological identification devices
4. Positive identification of all employees (e.g. identification card)
5. Verification of all items taken into and out of the computer room
6. Access controlled on a 24-hour basis including weekends (e.g. automatic control mechanism)
7. Locks, combinations, badge codes changed periodically
M.I Visitor Control
1. Positive identification always required
2. Badges issued, controlled and returned on departure
3. All visits logged in and out
4. Visitors accompanied and observed at all times
M.II Terminal Security
1. All terminals located in secure areas
2. Alarm system used to prevent microcomputers from being disconnected or moved from their location
3. Sensitive applications, e.g. payroll, maintained on machines in a physically restricted area
4. Terminal keys/locks used
5. Passwords changed regularly
6. Identification labels placed on each terminal
M.III General Security
1. Waste regularly removed from EDP area and sensitive data shredded
2. Window and door alarm system
3. Closed circuit television monitoring, i.e. CCTV cameras

N. PERSONNEL POLICIES - MIS STAFF
1. New employees recruited according to job description and job specification
2. Employee identity cards issued
3. Performance evaluation and regular counseling
4. Continuing education program
5. Training in security, privacy and recovery procedures
6. All functions covered by cross training
7. Critical jobs rotated periodically (e.g. operators, program maintenance)
8. Clean desk policy enforced
9. Fidelity insurance for key personnel
10. Contract service personnel vetted (e.g. cleaners)

O. INSURANCE
1. Does adequate insurance exist to cover:
   - Equipment?
   - Software and documentation?
   - Storage media?
   - Replacement/re-creation cost?
   - Loss of data/assets (e.g. accounts receivable)?
   - Business loss or interruption (business critical systems)?
2. Is adequate consideration given to covering the additional cost of working and consequential losses?

P. BACK-UP PROCEDURES
P.I Equipment (computer and ancillary)
1. Regular preventive maintenance; reliable manufacturer service
2. Arrangements for back-up installation; formal written agreement
3. Compatibility regularly checked
4. Sufficient computer time available at back-up
5. Testing at back-up regularly performed
P.II Outside Suppliers (non-continuance/disaster) (e.g. suppliers of equipment, computer time, software)
1. Alternative sources of supply/maintenance/service available
2. Adequate and secure documentation/back-up of data and programs
3. Are backup copies of system documentation kept in a secure location?
P.III Off-site Storage
1. Secure separate location
2. Adequate physical protection; log maintained of off-site materials
3. Off-site inventory regularly reviewed
4. File transportation under adequate physical protection
5. Back-up files periodically tested
P.IV Data Files
1. File criticality and retention procedure regularly reviewed
P.V Tape
1. At least three generations of important tape files retained
2. Copies of all updating transactions for the above retained
3. At least one generation and all necessary updating transactions in off-site storage
P.VI Disc
1. Checkpoint/restart procedures provided for
2. Audit trail (log file) of transactions updating on-line files (database) maintained
3. Regular tape dumps of all disc files stored off-site
4. Audit trail (log file) regularly dumped and stored off-site
P.VII Software
1. Copies of the following maintained at off-site storage:
   - Production application programs
   - Major programs under development
   - System and program documentation
   - Operating procedures
   - Operation and system software
- All copies regularly updated
- Back-up copies regularly tested
P.VIII Operations
1. Back-up procedure manual
2. Priority assignments for all applications
3. Procedures for restoring data files and software, and procedures for back-up installation

Q. DISASTER RECOVERY PLANS
1. Is a comprehensive contingency plan developed, documented and periodically tested to ensure continuity in data processing services?
2. Does the contingency plan provide for recovery and extended processing of critical applications in the event of a catastrophic disaster?
3. Has any Business Impact Analysis been carried out by the company?
4. Are all recovery plans approved and tested to ensure their adequacy in the event of disaster?
5. Communicated to all management and personnel concerned
6. Critical processing priorities identified (e.g. significant accounting applications)
7. Are disaster recovery teams established to support the disaster recovery plan?
8. Are the responsibilities of individuals within the disaster recovery team defined, and is time allocated for completion of their tasks?
9. Operations procedures for the use of back-up equipment and software
10. Has the company developed and implemented adequate plan maintenance procedures?
11. Are priorities set for the development of critical systems?
12. Does a hardware maintenance contract exist with a reputable supplier?
13. Does the recovery plan ensure, in the event of failure:
   - No loss of data received but not processed
   - No reprocessing of data already processed
   - Files not corrupted by partially completed processing
14. Are recovery plans regularly tested?
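Section G (Access Controls) names concrete thresholds: a 5 to 8 character alphanumeric password syntax, a forced change every 30 days, a limit on invalid password attempts, automatic terminal log-off, logging of violations, and removal of terminated employees' accounts. As an added example that is not part of the original checklist, the Python below turns those questions into checks over a constructed policy export, a constructed authentication log and an HR leaver list, and produces the Yes/No answers an auditor would record; the policy key names, the log line format and all user names are assumptions.

```python
"""Added example (not the checklist author's code): evaluate Section G of the
checklist against constructed policy settings, an auth log and an HR leaver list."""
from collections import Counter
import re

# Thresholds quoted in Section G items 1 and 7 of the checklist.
REQUIRED_MIN_LEN, REQUIRED_MAX_LEN, REQUIRED_MAX_AGE_DAYS = 5, 8, 30

# Constructed sample of a system's exported password/lockout settings (key names assumed).
SYSTEM_POLICY = {
    "min_length": 4,              # weaker than the checklist's minimum of 5
    "max_length": 8,
    "require_alphanumeric": True,
    "max_age_days": 90,           # checklist expects a forced change every 30 days
    "lockout_threshold": 3,       # 0 would mean no limit on invalid attempts (item 13)
    "idle_logoff_minutes": 0,     # 0 means terminals never log off automatically (item 12)
    "log_security_violations": True,
}

# Constructed authentication log (syslog-like format, assumed).
AUTH_LOG = """\
Mar 03 09:01:12 host1 login: FAILED LOGIN for user=jsmith from=10.0.0.5
Mar 03 09:01:20 host1 login: FAILED LOGIN for user=jsmith from=10.0.0.5
Mar 03 09:01:33 host1 login: FAILED LOGIN for user=jsmith from=10.0.0.5
Mar 03 09:02:01 host1 login: SUCCESS for user=jsmith from=10.0.0.5
Mar 03 09:05:44 host1 login: FAILED LOGIN for user=asad from=10.0.0.9
Mar 03 09:10:02 host1 login: SUCCESS for user=bkhan from=10.0.0.7
"""
FAILED_RE = re.compile(r"FAILED LOGIN for user=(\S+)")

# Constructed lists: accounts active on the system and HR's list of leavers (item 3).
ACTIVE_ACCOUNTS = {"jsmith", "asad", "bkhan", "rali"}
TERMINATED_STAFF = {"rali"}

def _yn(ok: bool) -> str:
    return "Yes" if ok else "No"

def policy_answers(policy: dict) -> dict:
    """Map the Section G policy questions to the Yes/No an auditor would record."""
    return {
        "G.1 password syntax 5-8 chars, alphanumeric": _yn(
            policy["min_length"] >= REQUIRED_MIN_LEN
            and policy["max_length"] <= REQUIRED_MAX_LEN
            and policy["require_alphanumeric"]),
        "G.7 forced change every 30 days": _yn(0 < policy["max_age_days"] <= REQUIRED_MAX_AGE_DAYS),
        "G.8 security violations logged": _yn(policy["log_security_violations"]),
        "G.12 terminals auto log off": _yn(policy["idle_logoff_minutes"] > 0),
        "G.13 invalid password limit": _yn(policy["lockout_threshold"] > 0),
    }

def failed_attempts_by_user(log_text: str) -> Counter:
    """Count FAILED LOGIN lines per account in the authentication log."""
    return Counter(m.group(1) for line in log_text.splitlines()
                   if (m := FAILED_RE.search(line)))

def users_to_report(log_text: str, threshold: int) -> list:
    """Item 15: accounts whose failed attempts reached the lockout limit, for the managers' report."""
    return sorted(u for u, n in failed_attempts_by_user(log_text).items() if n >= threshold)

def leavers_still_active(active: set, terminated: set) -> list:
    """Item 3: terminated employees whose accounts were never removed."""
    return sorted(active & terminated)

if __name__ == "__main__":
    for question, answer in policy_answers(SYSTEM_POLICY).items():
        print(f"{answer:>3}  {question}")
    print("Report to managers (G.15):", users_to_report(AUTH_LOG, SYSTEM_POLICY["lockout_threshold"]))
    print("Leavers still active (G.3):", leavers_still_active(ACTIVE_ACCOUNTS, TERMINATED_STAFF))
```

With the constructed inputs, items G.1, G.7 and G.12 come out "No", jsmith's three failures are listed for the managers' report, and rali is flagged as a leaver whose account was never removed.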