IT审计底稿-CheckList

ClientNamePeriodendedContributedAugust23,2001byKhurramUqailikhurram@khurramuqaili.netInformationSystemsChecklistAuditProgrammeITAuditCL.docPage1of25ORGANISATIONANDADMINISTRATIONAuditObjectiveDoestheorganisationofdataprocessingprovideforadequatesegregationofduties?AuditProceduresReviewthecompanyorganisationchart,andthedataprocessingdepartmentorganisationchart.Yes/NoComments1IsthereaseparateEDPdepartmentwithintheCompany?2IsthereasteeringcommitteeandtheirdutiesandresponsibilitiesformanagingMISareclearlydefined?3HastheCompanydevelopedanITstrategylinkedwiththelongandmediumtermplans?4IstheEDPDepartmentindependentoftheuserdepartmentandinparticulartheaccountingdepartment?5AretherewrittenjobdescriptionsforalljobswithinEDPdepartmentandthesejobdescriptionsarecommunicatedtodesignatedemployees?6AreEDPpersonnelprohibitedfromhavingincompatibleresponsibilitiesordutiesinuserdepartmentsandviceversa?7AretherewrittenspecificationsforalljobsintheEDPDepartment?8ArethefollowingfunctionswithintheEDPDepartmentperformedbyseparatesections:nSystemdesignnApplicationprogrammingnComputeroperationsnDatabaseadministrationnSystemsprogrammingnDataentryandcontrol?ITAuditCL.docPage2of25Yes/NoComments9Arethedataprocessingpersonnelprohibitedfromdutiesrelatingto:nInitiatingtransactions?nRecordingoftransactions?nMasterfilechanges?nCorrectionoferrors?10Areallprocessingprescheduledandauthorisedbyappropriatepersonnel?11Arethereprocedurestoevaluateandestablishwhohasaccesstothedatainthedatabase?12AretheEDPpersonneladequatelytrained?13Aresystemsanalystsprogrammersdeniedaccesstothecomputerroomandlimitedintheiroperationofthecomputer?14Doanyofthecomputeroperatorshaveprogrammingknowledge?15Areoperatorsbarredfrommakingchangestoprogramsandfromcreatingoramendingdatabefore,during,orafterprocessing?16IsthecustodyofassetsrestrictedtopersonneloutsidetheEDPdepartment?17Isstrategicdataprocessingplandevelopedbythecompanyfortheachievementoflong-termbusinessplan?18ArethereanykeypersonnelwithinITdepartmentwhoseabsencecanleavethecompanywithinlimitedexpertise?19Arethereanykeypersonnelwhoarebeingover-relied?20IsEDPauditbeingcarriedbyinternalauditoranexternalconsultanttoensurecomplianceofpoliciesandcontrolsestablishedbymanagement?ITAuditCL.docPage3of25PROGRAMMAINTENANCEANDSYSTEMDEVELOPMENTAuditObjectiveDevelopmentandchangestoprogramsareauthorised,tested,andapproved,priortobeingplacedinproduction.ProgramMaintenanceAuditProcedures(i)Reviewdetailsoftheprogramlibrarystructure,andnotecontrolswhichallowonlyauthorisedindividualstoaccesseachlibrary.(ii)Notetheproceduresusedtoamendprograms.(iii)Obtainanunderstandingofanyprogramlibrarymanagementsoftwareused.Yes/NoComments1Aretherewrittenstandardsforprogrammaintenance?2Arethesestandardsadheredtoandenforced?3Arethesestandardsreviewedregularlyandapproved?4Arethereprocedurestoensurethatallprogramsrequiredformaintenancearekeptinaseparateprogramtestlibrary?5Areprogrammersdeniedaccesstoalllibrariesotherthanthetestlibrary?6Arechangestoprogramsinitiatedbywrittenrequestfromuserdepartmentandapproved?7ArechangesinitiatedbyDataProcessingDepartmentcommunicatedtousersandapprovedbythem?8Arethereadequatecontrolsoverthetransferofprogramsfromproductionintotheprogrammer'stestlibrary?9Areallsystemsdevelopedorchangestoexistingsystemtestedaccordingtouserapprovedtestplansandstandards?ITAuditCL.docPage4of25Yes/NoComments10Aretestsperformedforsystemacceptanceandtestdatadocumented?11Aretransfersfromthedevelopmentlibrarytotheproductionlibrarycarriedoutbypersonsindependentoftheprogrammers?12Doproceduresensurethatnosuchtransfercantakeplacewithoutthechangehavingbeenproperlytestedandapproved?13Isareportofprogramtransfersintoproductionreviewedonadailybasisbyaseniorofficialtoensureonlyauthorisedtransfershavebeenmade?14Areallprogramchangesproperlydocumented?15Areallchangedprogramsimmediatelybackedup?16Isacopyofthepreviousversionoftheprogramretained(foruseintheeventofproblemsarisingwiththeamendedversion)?17Aretherestandardsforemergencychangestobemadetoapplicationprograms?18Arethereadequatecontrolsoverprogramrecompilation?19AreallmajoramendmentsnotifiedtoInternalauditforcomment?20Arethereadequatecontrolsoverauthorisation,implementation,approvalanddocumentationofchangestooperatingsystems?SystemDevelopment1Arethereformalisedstandardsforsystemdevelopmentlifecycleprocedure?2Dotheyrequireauthorisationatthevariousstagesofdevelopment–feasibilitystudy,systemspecification,testing,parallelrunning,postimplementationreview,etc.?ITAuditCL.docPage5of25Yes/NoComments3Dothestandardsprovideaframeworkforthedevelopmentofcontrolledapplications?4Arestandardsregularlyreviewedandupdated?5Dotheadequatesystemdocumentationexistfor:nProgrammerstomaintainandmodifyprograms?nUserstosatisfactorilyoperatethesystem?nOperatorstorunthesystem?6Havetheinternalauditdepartmentbeeninvolvedinthedesignstagetoensureadequatecontrolsexist?7Testingofprograms-seeProgramMaintenance.8Proceduresforauthorisingnewapplicationstoproduction-seeProgramMaintenance.9Areuseranddataprocessingpersonneladequatelytrainedtousethen