Information Management System AudIT Start-ups

ITIL ®V3 (IT Service Management)

PRINCE2 ® (Projects in Controlled Environments)

Expertise in Agile Management Innovations

Wirtschaftsinformatik - Diplom-Ingenieur (MSc)

Informatikmanagement - Mag. rer. soc. oec (MA)

Wirtschaftsinformatik - Bakk.rer. soc. oec (BA)

Social Science - DEUG

Just finished your studies in business administration, management, economics, informatics, business informatics, informatics management, etc... Are you ready to move into your new career, maybe as a career starter in Information Management System Audit? Don't Worry Be cool..

The focus of this blog is to assist Career Starter in Information Management System Audit in better understanding the basic component relating to Information Management System and to help them having passions for progressing and  achieving great career results in Information Management System Audit.

Information management systems audit is an examination of the management controls within an Information technology infrastructure. This Audit enables obtained evidence and determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews are often performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. The reviews strategies and checklists depend on organizational business strategies and operations.

The Information management systems audits are formerly called electronic data processing (EDP) audits. Each Information management systems audit includes the following steps - Planning process, studying and evaluating controls process, testing and evaluating controls process, reporting and follow-up process.

An information management systems audit is complex and requires diverse processes. As career starter in Information management systems audit, well-defined checklists or frameworks could help quickly to better understand the concept and its requirements, to deep and progress with passions in the career. Furthermore, this enables a career starter in information management systems audit to master the first entry job frustration.

In the table below I will share a flexible and an adapted Audit Checklist with some useful links for Information Management Systems which I find suitable, very useful and helpful for an Information management systems audit start-up as well as a basis Information management systems audit line for all companies.

No.	Description	Yes	No	N/A
A	ORGANISATION AND ADMINISTRATION
-	Audit Objective Does the organization of data processing provide for adequate segregation of duties?
-	Audit Procedures Review the company organization chart, and the data processing department organization chart.
1	Is there a separate EDP department within the company?
2	Is there a steering committee where the duties and responsibilities for managing MIS are clearly defined?
3	Has the company developed an IT strategy linked with the long and medium term plans?
4	Is the EDP Department independent of the user department and in particular the accounting department?
5	Are there written job descriptions for all jobs within EDP department and these job descriptions are communicated to designated employees?
6	Are EDP personnel prohibited from having incompatible responsibilities or duties in user departments and vice versa?
7	Are there written specifications for all jobs in the EDP Department?
8	Are the following functions within the EDP Department performed by separate sections:
	§    System design?
	§    Application programming?
	§    Computer operations?
	§    Database administration?
	§    Systems programming?
	§    Data entry and control?
9	Are the data processing personnel prohibited from duties relating to:
	§    Initiating transactions?
	§    Recording of transactions?
	§    Master file changes?
	§    Correction of errors?
10	Are all processing pre-scheduled and authorized by appropriate personnel?
11	Are there procedures to evaluate and establish who has access to the data in the database?
12	Are the EDP personnel adequately trained?
13	Are systems analysts programmers denied access to the computer room and limited in their operation of the computer?
14	Are operators barred from making changes to programs and from creating or amending data before, during, or after processing?
15	Is the custody of assets restricted to personnel outside the EDP department?
16	Is strategic data processing plan developed by the company for the achievement of long-term business plan?
17	Are there any key personnel within IT department whose absence can leave the company within limited expertise?
18	Are there any key personnel who are being over-relied?
19	Is EDP audit being carried by internal audit or an external consultant to ensure compliance of policies and controls established by management?
B	PROGRAM MAINTENANCE AND SYSTEM DEVELOPMENT
-	Audit Objective Development and changes to programs are authorized, tested, and approved, prior to being placed in production.
	Program Maintenance Audit  - Procedures
-	Review details of the program library structure, and note controls which allow only authorized individuals to access each library.
-	Note the procedures used to amend programs.
-	Obtain an understanding of any program library management software used.
1	Are there written standards for program maintenance?
2	Are these standards adhered to and enforced?
3	Are these standards reviewed regularly and approved?
4	Are there procedures to ensure that all programs required for maintenance are kept in a separate program test library?
5	Are programmers denied access to all libraries other than the test library?
6	Are changes to programs initiated by written request from user department and approved?
7	Are changes initiated by Data Processing Department communicated to users and approved by them?
8	Are there adequate controls over the transfer of programs from production into the programmer's test library?
9	Are all systems developed or changes to existing system tested according to user approved test plans and standards?
10	Are tests performed for system acceptance and test data documented?
11	Are transfers from the development library to the production library carried out by persons independent of the programmers?
12	Do procedures ensure that no such transfer can take place without the change having been properly tested and approved?
13	Is a report of program transfers into production reviewed on a daily basis by a senior official to ensure only authorized transfers have been made?
14	Are all program changes properly documented?
15	Are all changed programs immediately backed up?
16	Is a copy of the previous version of the program retained (for use in the event of problems arising with the amended version)?
17	Are there standards for emergency changes to be made to application programs?
18	Are there adequate controls over program recompilation?
19	Are all major amendments notified to Internal audit for comment?
20	Are there adequate controls over authorization, implementation, approval and documentation of changes to operating systems?
C	SYSTEM DEVELOPMENT
1	Are there formalized standards for system development life cycle procedure?
2	Do they require authorization at the various stages of development – feasibility study, system specification, testing, parallel running, post implementation review, etc.?
3	Do the standards provide a framework for the development of controlled applications?
4	Are standards regularly reviewed and updated?
5	Do the adequate system documentation exist for:
	§    Programmers to maintain and modify programs?
	§    Users to satisfactorily operate the system?
6	Have the internal audit department been involved in the design stage to ensure adequate controls exist?
7	Testing of programs - see Program Maintenance.
8	Procedures for authorizing new applications to production - see Program Maintenance.
9	Are user and data processing personnel adequately trained to use the new applications?
10	Is system implementation properly planned and implemented by either parallel run or pilot run?
11	Are any differences and deficiencies during the implementation phase noted and properly resolved?
12	Are there adequate controls over the setting up of the standing data and opening balances?
13	Is a post implementation review carried out?
14	Are user manuals prepared for all new systems developed and revised for subsequent changes?
15	Is there a Quality Assurance Function to verify the integrity and acceptance of applications developed?
D	PURCHASED SOFTWARE
1	Are there procedures addressing controls over selection, testing and acceptance of packaged softwares?
2	Is adequate documentation maintained for all softwares purchased?
3	Are vendor warranties (if any) still in force?
4	Is the software purchased, held in escrow?
5	Are backup copies of user/operations manual kept off-site?
E	ACCESS TO DATA FILES
-	Audit Objective Is access to data files restricted to authorized users and programs?
-	Access to Data
1	Is there any formal written data security policy? Consider whether the policy addresses data ownership, confidentiality of information, and use of password.
2	Is the security policy communicated to individuals in the organization?
3	Is physical access to off-line data files controlled in:
	§    Computer room?
	§    On-site library?
	§    Off-site library?
4	Does the company employ a full-time librarian who is independent of the operators and programmers?
5	Are libraries locked during the absence of the librarian?
6	Are requests for on-line access to off line files approved?
7	Are requests checked with the actual files issued and initialed by the librarian?
8	Are sensitive applications e.g. payroll, maintained on machines in physically restricted areas?
9	Are encryption techniques used to protect against unauthorized disclosure or undetected modification of sensitive data?
10	Are returns followed up and non returns investigated and adequately documented?
F	COMPUTER PROCESSING
1	Does a scheduled system exist for the execution of programs?
2	Are non-scheduled jobs approved prior to being run?
3	Is the use of utility programs controlled (in particular those that can change executable code or data)?
4	Are program tests restricted to copies of live files?
5	Is access to computer room restricted to only authorized personnel?
6	Are internal and external labels used on files?
7	Are overrides of system checks by operators controlled?
8	Are exception reports for such overrides pointed and reviewed by appropriate personnel?
9	Are sufficient operating instructions exist covering procedures to be followed at operation?
10	If so, are these independently reviewed?
11	Is integrity checking programs run periodically for checking the accuracy and correctness of linkages between records?
G	ACCESS CONTOLS
1	Is there any proper password syntax in-force ie minimum 5 and maximum 8 characters and include alphanumeric characters?
2	Are there satisfactory procedures for reissuing passwords to users who have forgotten theirs?
3	Are procedures in place to ensure the compliance of removal of terminated employee passwords?
4	Are system access compatibilities properly changed with regard to personnel status change?
5	Are individual job responsibilities considered when granting users access privileges?
6	Is each user allocated a unique password and user account?
7	Are there procedures in place to ensure forced change of password after every 30 days?
8	Is application level security violations logged?
9	Do standards and procedures exist for follow up of security violations?
10	Do formal and documented procedures exist for use and monitoring of dial up access facility?
11	Is use made of passwords to restrict access to specific files?
12	Do terminals automatically log off after a set period of time?
13	Is there a limit of the number of invalid passwords before the terminal closes down?
14	Are there any administrative regulations limiting physical access to terminals?
15	Are invalid password attempts reported to user department managers?
16	Are restrictions placed on which applications terminals can access?
17	Are keys, locks, cards or other physical devises used to restrict access to only authorized user?
H	APPLICATION CONTROLS - INPUT
-	Audit Objective Do controls provide reasonable assurance that for each transaction type, input is authorized, complete and accurate, and that errors are promptly corrected?
1	Are all transactions properly authorized before being processed by computers?
2	Are all batches of transactions authorized?
3	Do controls ensure unauthorized batches or transactions are prevented from being accepted ie they are detected?
4	Is significant standing data input verified against the master file?
5	Is maximum use made of edit checking e.g. check digits, range and feasibility checks, limit tests, etc.?
6	Are there procedures to ensure all vouchers have been processed e.g. batch totals, document counts, sequence reports, etc.?
7	Are there procedures established to ensure that transactions or batches are not lost, duplicated or improperly changed?
8	Are all errors reported for checking and correction?
9	Are errors returned to the user department for correction?
10	Do procedures ensure these are resubmitted for processing?
11	Is an error log maintained and reviewed to identify recurring errors?
12	Are persons responsible for data preparation and data entry independent of the output checking and balancing process?
13	Are persons responsible for data entry prevented from amending master file data?
I	OUTPUT AND PROCESSING
-	Audit Objective The controls provide reasonable assurance that transactions are properly processed by the computer and output (hard copy or other) is complete and accurate, and that calculated items have been accurately computed:
1	Where output from one system is input to another, are run to run totals, or similar checks, used to ensure no data is lost or corrupted?
2	Are there adequate controls over forms that have monetary value?

Conclusion

This blog helps me to responding to the fear and problem that everybody could have in the career entry level as an Information Management System Audit starter. I hope this checklist could help companies, organizations and Information Management System Auditors to sharp their own Information Management System checklists and policies for better responding to the Information Management System trends.

References



[1] Agile Strategy: the power of human factors in the design and support of your business applications management

URL: http://amouzoubedi.blogspot.co.at/2013/04/agile-strategy-power-of-human-factors.html

[2] ISACA - Information Technology management

URL: https://www.isaca.org/Pages/default.aspx

[3] INTOSAI- Organisation Internationale des Institutions Supérieures de Contrôle des Finances Publiques

URL: http://www.intosai.org/fr/actualites.html

[4] Best Management Practice

URL: http://www.best-management-practice.com

[5] PAM Platform for agile management

URL: http://p-a-m.org/

[6] APMG international - Certifications

URL: http://www.apmg-international.com

[7] Project Management Professional

URL: http://www.pmi.org/Certification/Project-Management-Professional-PMP.aspx

[8] Project Management

URL: http://www.prince2.com

[8] Le guide du chef de projet efficace,

Les bonnes pratiques du management

URL: http://www.piloter.org/projet

[9] The Open Source Initiative

URL: http://opensource.org/

[10] Management System Standards.

URL: http://www.iso.org

[11] Evaluating the Performance of an Organization

URL: http://betterevaluation.org/theme/organizational_performance

[12] International Organization for Cooperation in Evaluation

URL: http://www.ioce.net/en/index.php

[13] American Evaluation Association

URL: http://www.eval.org

[14] Audit Checklist, Management Information Systems, Ahmad Tariq Bhatti, FCMA, FPA, MA (Economics), BSc
URL: http://de.slideshare.net/bedibruno/savedfiles?s_title=audit-checklist-for-information-systems-14849697&user_login=ATBHATTI

*Author, Amouzou Bedi - Business Application Management - Operations&Infrastructures by KPMG Austria - Expertise and knowledge of the science management and its cultural implications in the developed and developing world in particular), contact on LinkedIn. I will try to update this paper on a regular basis if a need arises. Many thanks for taking your time to read this paper, and for sharing this with the others.