Title
IT Application Audit Program
Fieldwork
Steps
Testing Procedures
Performed By
W/P Ref.
Date Reviewed
A. Familiarization and Documentation of Systems Operating Practices
Objective: To obtain an understanding of application systems functions and features,
system development activity, control points and current utilization level by user. To
analyze and evaluate the adequacy of the documentation supporting transaction
origination, data entry, data communication, computer processing, data storage and
retrieval, and output processing
1
2
3
4
Determine who is responsible for systems administration and maintenance. Obtain
current organizational chart.
Obtain copies of all systems, users and operational documentation.
Review any plans for development, enhancement/modification, and maintenance
activity relative to the systems under review.
Review the systems and user documentation. Evaluate for completeness and
ease of use. Verify adequacy and currency of all documentation.
B. Review of Access Procedures and Controls
Objective: To determine existence and adequacy of procedures and controls for
accessing applications, databases, and systems.
1
2
3
Evaluate the authentication and authorization mechanisms used to control access.
Determine if access is authorized and approved.
Review password policies and enforcement.
a. Check password rules for length and composition enforced.
b. Review periodic password changes for frequency and compliance.
c. Determine if passwords are encrypted.
d. Determine if invalid password attempts are detected and blocked.
7/30/2005 1:06 AM
Page 1
Title
IT Application Audit Program
Fieldwork
Steps
4
5
6
7
Testing Procedures
Performed By
W/P Ref.
Date Reviewed
Conduct an interview with appropriate personnel to gain an understanding of the
procedures for creating and removing access to applications, databases, and
systems.
Obtain a list of all users with access and review for authorization.
Examine exit procedures and management approvals to remove access when an
employee leaves a position.
Determine if unused accounts are deleted.
C. Evaluation of Application Change Controls
Objective: To ensure that practices and procedures provide adequate controls for
changes made to the system.
1
2
3
4
Review authorization and approval of changes.
Review testing process for changes.
Determine if a change log is maintained.
Review changes made to production systems for appropriate management
authorizations.
D. Assessment of Server Environment
Objective: To assess the server environment in terms of availability, security,
monitoring, procedures, and access controls.
1
2
3
4
Obtain an inventory of all critical servers, including details on hardware
configurations, peripherals, operating systems, purpose of server, applications
enabled or running, backup cycle, data backed up procedure, system or
accounting logs maintained, and responsible system administrator.
Run a security scan on critical servers
Determine who has admin access.
Determine if ongoing monitoring of critical servers is occurring.
7/30/2005 1:06 AM
Page 2
Title
IT Application Audit Program
Fieldwork
Steps
5
6
Testing Procedures
Performed By
W/P Ref.
Date Reviewed
Determine server hours of operation and support staff availability.
Review support staff procedures (i.e. on-call procedures).
E. Evaluation of Transaction Integrity and Input Controls
Objective: To ensure practices and procedures provide adequate controls for all data
entering the processing stream.
1
2
3
4
Determine if required or critical fields can be left blank.
Determine if edits are performed for the following:
a. numerical value checks (positive, negative, zero, etc);
b. character checks (numeric or alphabetic);
c. dates;
d. limit checks (does not exceed a specific value);
e. reasonableness; and
f. internal compatibility (cross-checking with other fields or data).
Verify that duplicate transactions are identified and rejected.
Review suspended or rejected transaction reports and determine if corrections
were made timely.
F. Assessment of Audit Trails and Logs
Objective: To ensure the ability to protect sensitive data against discovery and misuse
and allow tracing from incident to underlying cause and back.
1
2
3
Conduct interviews with appropriate personnel to determine what auditing and
logging is performed.
Obtain documentation describing which transactions and records and fields are
currently audited.
Review backup, retention and approval procedures for audit reports and logs
retained.
7/30/2005 1:06 AM
Page 3
Title
IT Application Audit Program
Fieldwork
Steps
4
Testing Procedures
Performed By
W/P Ref.
Date Reviewed
Review the audit file to verify that auditing is being done and checked for unusual
entries.
G. Review of Contingency Planning
Objective: To ensure the continuity of critical processing by establishing backup,
business continuity and disaster recovery procedures.
1
2
3
4
Determine that backups are performed and stored offsite.
Determine if any redundancy exists for critical components (e.g. disk mirroring,
power supplies).
Determine if critical systems are covered by maintenance plans that provide timely
on-site response.
Review business continuity and disaster recovery plans and procedures for the
following:
a. offsite storage of data;
b. hot/cold site;
c. redundant data center;
d. calling tree;
e. periodic review; and
f. testing.
H. Assessment of Physical and Environmental Controls
Objective : To ensure that a satisfactory level of security and control is maintained over
physical access to the computer facilities.
1
2
3
Determine if all hardware is located in physically secured areas.
Review computer room physical security and access controls.
Determine if equipment is protected against environmental factors such as power
failures, flooding, heat, and humidity.
7/30/2005 1:06 AM
Page 4
Title
IT Application Audit Program
Fieldwork
Steps
4
5
Testing Procedures
Performed By
W/P Ref.
Date Reviewed
Perform on-site inspections to evaluate controls.
Verify that sensitive or confidential reports are subject to proper disposal
procedures.
7/30/2005 1:06 AM
Page 5