ITIL® V3 (IT Service Management)
PRINCE2® (Projects in Controlled Environments)
Expertise in Agile Management Innovations
Wirtschaftsinformatik - Diplom-Ingenieur (MSc)
Informatikmanagement - Mag. rer. soc. oec. (MA)
Wirtschaftsinformatik - Bakk. rer. soc. oec. (BA)
Social Science - DEUG
Just finished your studies in business administration, management, economics, informatics, business informatics, informatics management, etc.? Are you ready to move into your new career, maybe as a career starter in Information Management System Audit? Don't worry, be cool.
The focus of this blog is to assist career starters in Information Management System Audit in better understanding the basic components of an Information Management System, and to help them develop a passion for progressing and achieving great career results in Information Management System Audit.
An information management systems audit is an examination of the management controls within an information technology infrastructure. The audit obtains evidence to determine whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews are often performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. The review strategies and checklists depend on the organization's business strategies and operations.
Information management systems audits were formerly called electronic data processing (EDP) audits. Each information management systems audit includes the following steps: planning; studying and evaluating controls; testing and evaluating controls; reporting and follow-up.
An information management systems audit is complex and requires diverse processes. For a career starter in information management systems audit, well-defined checklists or frameworks help to quickly understand the concept and its requirements, and to go deeper and progress with passion in the career. They also help a career starter in information management systems audit to cope with the frustrations of a first job.
In the table below I share a flexible, adapted audit checklist for information management systems, with some useful links, which I find suitable and helpful both as a starting point for an information management systems audit and as a baseline audit checklist for any company.
| No. | Description | Yes | No | N/A |
|---|---|---|---|---|
| A | ORGANISATION AND ADMINISTRATION | | | |
| - | Audit Objective: Does the organization of data processing provide for adequate segregation of duties? | | | |
| - | Audit Procedures: Review the company organization chart and the data processing department organization chart. | | | |
| 1 | Is there a separate EDP department within the company? | | | |
| 2 | Is there a steering committee where the duties and responsibilities for managing MIS are clearly defined? | | | |
| 3 | Has the company developed an IT strategy linked with the long and medium term plans? | | | |
| 4 | Is the EDP Department independent of the user departments and in particular the accounting department? | | | |
| 5 | Are there written job descriptions for all jobs within the EDP department, and are these job descriptions communicated to the designated employees? | | | |
| 6 | Are EDP personnel prohibited from having incompatible responsibilities or duties in user departments and vice versa? | | | |
| 7 | Are there written specifications for all jobs in the EDP Department? | | | |
| 8 | Are the following functions within the EDP Department performed by separate sections: | | | |
| | § System design? | | | |
| | § Application programming? | | | |
| | § Computer operations? | | | |
| | § Database administration? | | | |
| | § Systems programming? | | | |
| | § Data entry and control? | | | |
| 9 | Are the data processing personnel prohibited from duties relating to: | | | |
| | § Initiating transactions? | | | |
| | § Recording of transactions? | | | |
| | § Master file changes? | | | |
| | § Correction of errors? | | | |
| 10 | Is all processing pre-scheduled and authorized by appropriate personnel? | | | |
| 11 | Are there procedures to evaluate and establish who has access to the data in the database? | | | |
| 12 | Are the EDP personnel adequately trained? | | | |
| 13 | Are systems analysts and programmers denied access to the computer room and limited in their operation of the computer? | | | |
| 14 | Are operators barred from making changes to programs and from creating or amending data before, during, or after processing? | | | |
| 15 | Is the custody of assets restricted to personnel outside the EDP department? | | | |
| 16 | Has the company developed a strategic data processing plan for the achievement of its long-term business plan? | | | |
| 17 | Are there any key personnel within the IT department whose absence could leave the company with limited expertise? | | | |
| 18 | Are there any key personnel who are being over-relied upon? | | | |
| 19 | Is an EDP audit carried out by internal audit or an external consultant to ensure compliance with the policies and controls established by management? | | | |
| B | PROGRAM MAINTENANCE AND SYSTEM DEVELOPMENT | | | |
| - | Audit Objective: Development of and changes to programs are authorized, tested, and approved prior to being placed in production. | | | |
| - | Program Maintenance Audit - Procedures | | | |
| - | Review details of the program library structure, and note the controls which allow only authorized individuals to access each library. | | | |
| - | Note the procedures used to amend programs. | | | |
| - | Obtain an understanding of any program library management software used. | | | |
| 1 | Are there written standards for program maintenance? | | | |
| 2 | Are these standards adhered to and enforced? | | | |
| 3 | Are these standards reviewed regularly and approved? | | | |
| 4 | Are there procedures to ensure that all programs required for maintenance are kept in a separate program test library? | | | |
| 5 | Are programmers denied access to all libraries other than the test library? | | | |
| 6 | Are changes to programs initiated by written request from the user department and approved? | | | |
| 7 | Are changes initiated by the Data Processing Department communicated to users and approved by them? | | | |
| 8 | Are there adequate controls over the transfer of programs from production into the programmer's test library? | | | |
| 9 | Are all systems developed, or changes to existing systems, tested according to user-approved test plans and standards? | | | |
| 10 | Are tests performed for system acceptance, and are the test data documented? | | | |
| 11 | Are transfers from the development library to the production library carried out by persons independent of the programmers? | | | |
| 12 | Do procedures ensure that no such transfer can take place without the change having been properly tested and approved? | | | |
| 13 | Is a report of program transfers into production reviewed on a daily basis by a senior official to ensure that only authorized transfers have been made? | | | |
| 14 | Are all program changes properly documented? | | | |
| 15 | Are all changed programs immediately backed up? | | | |
| 16 | Is a copy of the previous version of the program retained (for use in the event of problems arising with the amended version)? | | | |
| 17 | Are there standards for emergency changes to be made to application programs? | | | |
| 18 | Are there adequate controls over program recompilation? | | | |
| 19 | Are all major amendments notified to Internal Audit for comment? | | | |
| 20 | Are there adequate controls over the authorization, implementation, approval and documentation of changes to operating systems? | | | |
| C | SYSTEM DEVELOPMENT | | | |
| 1 | Are there formalized standards for the system development life cycle procedure? | | | |
| 2 | Do they require authorization at the various stages of development, e.g. feasibility study, system specification, testing, parallel running, post implementation review, etc.? | | | |
| 3 | Do the standards provide a framework for the development of controlled applications? | | | |
| 4 | Are standards regularly reviewed and updated? | | | |
| 5 | Does adequate system documentation exist for: | | | |
| | § Programmers to maintain and modify programs? | | | |
| | § Users to satisfactorily operate the system? | | | |
| 6 | Has the internal audit department been involved in the design stage to ensure adequate controls exist? | | | |
| 7 | Testing of programs - see Program Maintenance. | | | |
| 8 | Procedures for authorizing new applications into production - see Program Maintenance. | | | |
| 9 | Are user and data processing personnel adequately trained to use the new applications? | | | |
| 10 | Is system implementation properly planned and carried out by either a parallel run or a pilot run? | | | |
| 11 | Are any differences and deficiencies found during the implementation phase noted and properly resolved? | | | |
| 12 | Are there adequate controls over the setting up of the standing data and opening balances? | | | |
| 13 | Is a post implementation review carried out? | | | |
| 14 | Are user manuals prepared for all new systems developed and revised for subsequent changes? | | | |
| 15 | Is there a Quality Assurance function to verify the integrity and acceptance of applications developed? | | | |
| D | PURCHASED SOFTWARE | | | |
| 1 | Are there procedures addressing controls over the selection, testing and acceptance of packaged software? | | | |
| 2 | Is adequate documentation maintained for all software purchased? | | | |
| 3 | Are vendor warranties (if any) still in force? | | | |
| 4 | Is the purchased software held in escrow? | | | |
| 5 | Are backup copies of the user/operations manuals kept off-site? | | | |
| E | ACCESS TO DATA FILES | | | |
| - | Audit Objective: Is access to data files restricted to authorized users and programs? | | | |
| - | Access to Data | | | |
| 1 | Is there any formal written data security policy? Consider whether the policy addresses data ownership, confidentiality of information, and use of passwords. | | | |
| 2 | Is the security policy communicated to individuals in the organization? | | | |
| 3 | Is physical access to off-line data files controlled in the: | | | |
| | § Computer room? | | | |
| | § On-site library? | | | |
| | § Off-site library? | | | |
| 4 | Does the company employ a full-time librarian who is independent of the operators and programmers? | | | |
| 5 | Are libraries locked during the absence of the librarian? | | | |
| 6 | Are requests for on-line access to off-line files approved? | | | |
| 7 | Are requests checked against the actual files issued and initialed by the librarian? | | | |
| 8 | Are sensitive applications, e.g. payroll, maintained on machines in physically restricted areas? | | | |
| 9 | Are encryption techniques used to protect against unauthorized disclosure or undetected modification of sensitive data? | | | |
| 10 | Are returns followed up, and non-returns investigated and adequately documented? | | | |
| F | COMPUTER PROCESSING | | | |
| 1 | Does a schedule exist for the execution of programs? | | | |
| 2 | Are non-scheduled jobs approved prior to being run? | | | |
| 3 | Is the use of utility programs controlled (in particular those that can change executable code or data)? | | | |
| 4 | Are program tests restricted to copies of live files? | | | |
| 5 | Is access to the computer room restricted to authorized personnel only? | | | |
| 6 | Are internal and external labels used on files? | | | |
| 7 | Are overrides of system checks by operators controlled? | | | |
| 8 | Are exception reports for such overrides printed and reviewed by appropriate personnel? | | | |
| 9 | Do sufficient operating instructions exist covering the procedures to be followed during operation? | | | |
| 10 | If so, are these independently reviewed? | | | |
| 11 | Are integrity checking programs run periodically to check the accuracy and correctness of linkages between records? | | | |
| G | ACCESS CONTROLS | | | |
| 1 | Is there a proper password syntax in force, i.e. minimum 5 and maximum 8 characters, including alphanumeric characters? | | | |
| 2 | Are there satisfactory procedures for reissuing passwords to users who have forgotten theirs? | | | |
| 3 | Are procedures in place to ensure that the passwords of terminated employees are removed? | | | |
| 4 | Are system access capabilities properly changed with regard to personnel status changes? | | | |
| 5 | Are individual job responsibilities considered when granting users access privileges? | | | |
| 6 | Is each user allocated a unique password and user account? | | | |
| 7 | Are there procedures in place to ensure a forced change of password after every 30 days? | | | |
| 8 | Are application level security violations logged? | | | |
| 9 | Do standards and procedures exist for the follow up of security violations? | | | |
| 10 | Do formal and documented procedures exist for the use and monitoring of dial-up access facilities? | | | |
| 11 | Is use made of passwords to restrict access to specific files? | | | |
| 12 | Do terminals automatically log off after a set period of time? | | | |
| 13 | Is there a limit on the number of invalid passwords before the terminal closes down? | | | |
| 14 | Are there any administrative regulations limiting physical access to terminals? | | | |
| 15 | Are invalid password attempts reported to user department managers? | | | |
| 16 | Are restrictions placed on which applications terminals can access? | | | |
| 17 | Are keys, locks, cards or other physical devices used to restrict access to authorized users only? | | | |
| H | APPLICATION CONTROLS - INPUT | | | |
| - | Audit Objective: Do controls provide reasonable assurance that, for each transaction type, input is authorized, complete and accurate, and that errors are promptly corrected? | | | |
| 1 | Are all transactions properly authorized before being processed by computer? | | | |
| 2 | Are all batches of transactions authorized? | | | |
| 3 | Do controls ensure that unauthorized batches or transactions are prevented from being accepted, i.e. that they are detected? | | | |
| 4 | Is significant standing data input verified against the master file? | | | |
| 5 | Is maximum use made of edit checking, e.g. check digits, range and feasibility checks, limit tests, etc.? | | | |
| 6 | Are there procedures to ensure that all vouchers have been processed, e.g. batch totals, document counts, sequence reports, etc.? | | | |
| 7 | Are there procedures established to ensure that transactions or batches are not lost, duplicated or improperly changed? | | | |
| 8 | Are all errors reported for checking and correction? | | | |
| 9 | Are errors returned to the user department for correction? | | | |
| 10 | Do procedures ensure that these are resubmitted for processing? | | | |
| 11 | Is an error log maintained and reviewed to identify recurring errors? | | | |
| 12 | Are the persons responsible for data preparation and data entry independent of the output checking and balancing process? | | | |
| 13 | Are the persons responsible for data entry prevented from amending master file data? | | | |
| I | OUTPUT AND PROCESSING | | | |
| - | Audit Objective: The controls provide reasonable assurance that transactions are properly processed by the computer, that output (hard copy or other) is complete and accurate, and that calculated items have been accurately computed. | | | |
| 1 | Where output from one system is input to another, are run-to-run totals, or similar checks, used to ensure no data is lost or corrupted? | | | |
| 2 | Are there adequate controls over forms that have monetary value? | | | |
Conclusion
This blog is my response to the fears and problems that anyone may have at career entry level as an Information Management System Audit starter. I hope this checklist helps companies, organizations and Information Management System Auditors to sharpen their own Information Management System checklists and policies, so that they can better respond to Information Management System trends.
References
[1] Agile Strategy: the power of human factors in the design and support of your business applications management
[2] ISACA - Information Technology Management
URL: https://www.isaca.org/Pages/default.aspx
[3] INTOSAI - Organisation Internationale des Institutions Supérieures de Contrôle des Finances Publiques
URL: http://www.intosai.org/fr/actualites.html
[4] Best Management Practice
URL: http://www.best-management-practice.com
[5] PAM - Platform for Agile Management
URL: http://p-a-m.org/
[6] APMG International - Certifications
URL: http://www.apmg-international.com
[7] Project Management Professional
URL: http://www.pmi.org/Certification/Project-Management-Professional-PMP.aspx
[8] Project Management
URL: http://www.prince2.com
[9] Le guide du chef de projet efficace, Les bonnes pratiques du management
URL: http://www.piloter.org/projet
[10] The Open Source Initiative
URL: http://opensource.org/
[11] Management System Standards
URL: http://www.iso.org
[12] Evaluating the Performance of an Organization
URL: http://betterevaluation.org/theme/organizational_performance
[13] International Organization for Cooperation in Evaluation
URL: http://www.ioce.net/en/index.php
[14] American Evaluation Association
URL: http://www.eval.org
[15] Audit Checklist, Management Information Systems, Ahmad Tariq Bhatti, FCMA, FPA, MA (Economics), BSc
URL: http://de.slideshare.net/bedibruno/savedfiles?s_title=audit-checklist-for-information-systems-14849697&user_login=ATBHATTI
*Author: Amouzou Bedi - Business Application Management - Operations & Infrastructures at KPMG Austria - expertise and knowledge of management science and its cultural implications, in the developed and developing world in particular; contact on LinkedIn. I will try to update this paper on a regular basis if the need arises. Many thanks for taking the time to read this paper, and for sharing it with others.