IT Application Audit Program: Fieldwork Steps
7/30/2005 1:06 AM Page 1

Worksheet columns: Title | Testing Procedures | Performed By | W/P Ref. | Date Reviewed

A. Familiarization and Documentation of Systems Operating Practices

Objective: To obtain an understanding of application system functions and features, system development activity, control points, and the current level of utilization by users. To analyze and evaluate the adequacy of the documentation supporting transaction origination, data entry, data communication, computer processing, data storage and retrieval, and output processing.

1. Determine who is responsible for systems administration and maintenance. Obtain the current organizational chart.
2. Obtain copies of all systems, user, and operational documentation.
3. Review any plans for development, enhancement/modification, and maintenance activity relative to the systems under review.
4. Review the systems and user documentation. Evaluate for completeness and ease of use. Verify the adequacy and currency of all documentation.

B. Review of Access Procedures and Controls

Objective: To determine the existence and adequacy of procedures and controls for accessing applications, databases, and systems.

1. Evaluate the authentication and authorization mechanisms used to control access.
2. Determine if access is authorized and approved.
3. Review password policies and their enforcement:
   a. Check that password rules for length and composition are enforced.
   b. Review periodic password changes for frequency and compliance.
   c. Determine if passwords are encrypted.
   d. Determine if invalid password attempts are detected and blocked.
4. Conduct an interview with appropriate personnel to gain an understanding of the procedures for creating and removing access to applications, databases, and systems.
5. Obtain a list of all users with access and review it for authorization.
6. Examine exit procedures and management approvals for removing access when an employee leaves a position.
7. Determine if unused accounts are deleted.

C. Evaluation of Application Change Controls

Objective: To ensure that practices and procedures provide adequate controls for changes made to the system.

1. Review authorization and approval of changes.
2. Review the testing process for changes.
3. Determine if a change log is maintained.
4. Review changes made to production systems for appropriate management authorization.

D. Assessment of Server Environment

Objective: To assess the server environment in terms of availability, security, monitoring, procedures, and access controls.

1. Obtain an inventory of all critical servers, including details on hardware configuration, peripherals, operating system, purpose of the server, applications enabled or running, backup cycle, data backup procedure, system or accounting logs maintained, and the responsible system administrator.
2. Run a security scan on critical servers.
3. Determine who has admin access.
4. Determine if ongoing monitoring of critical servers is occurring.
5. Determine server hours of operation and support staff availability.
6. Review support staff procedures (i.e. on-call procedures).

E. Evaluation of Transaction Integrity and Input Controls

Objective: To ensure that practices and procedures provide adequate controls for all data entering the processing stream.

1. Determine if required or critical fields can be left blank.
2. Determine if edits are performed for the following:
   a. numerical value checks (positive, negative, zero, etc.);
   b. character checks (numeric or alphabetic);
   c. dates;
   d. limit checks (does not exceed a specific value);
   e. reasonableness; and
   f. internal compatibility (cross-checking with other fields or data).
3. Verify that duplicate transactions are identified and rejected.
4. Review suspended or rejected transaction reports and determine if corrections were made in a timely manner.

F. Assessment of Audit Trails and Logs

Objective: To ensure the ability to protect sensitive data against discovery and misuse, and to allow tracing from an incident to its underlying cause and back.

1. Conduct interviews with appropriate personnel to determine what auditing and logging is performed.
2. Obtain documentation describing which transactions, records, and fields are currently audited.
3. Review backup, retention, and approval procedures for the audit reports and logs retained.
4. Review the audit file to verify that auditing is being done and that it is checked for unusual entries.

G. Review of Contingency Planning

Objective: To ensure the continuity of critical processing by establishing backup, business continuity, and disaster recovery procedures.

1. Determine that backups are performed and stored offsite.
2. Determine if any redundancy exists for critical components (e.g. disk mirroring, power supplies).
3. Determine if critical systems are covered by maintenance plans that provide timely on-site response.
4. Review business continuity and disaster recovery plans and procedures for the following:
   a. offsite storage of data;
   b. hot/cold site;
   c. redundant data center;
   d. calling tree;
   e. periodic review; and
   f. testing.

H. Assessment of Physical and Environmental Controls

Objective: To ensure that a satisfactory level of security and control is maintained over physical access to the computer facilities.

1. Determine if all hardware is located in physically secured areas.
2. Review computer room physical security and access controls.
3. Determine if equipment is protected against environmental factors such as power failures, flooding, heat, and humidity.
4. Perform on-site inspections to evaluate controls.
5. Verify that sensitive or confidential reports are subject to proper disposal procedures.
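The following is an added example, not part of the audit program itself, showing what the input edits of Section E look like in code when an auditor tests a data-entry front end. It implements each edit type in step E.2 (numeric value, character, date, limit, reasonableness, internal compatibility), the blank-field check of E.1, and the duplicate-transaction rejection of E.3, and routes failures to either a rejected or a suspended status so that E.4's rejected/suspended reports have something to draw on. Field names, thresholds, and the sample batch are constructed for illustration and do not come from any real application.

```python
"""Added example (not part of the audit program): a transaction input-edit
routine covering the Section E edit types. Field names, limits and the
sample transactions below are constructed for illustration."""
from datetime import datetime

# Constructed sample policy values
REQUIRED = ("txn_id", "account", "amount", "txn_date", "currency")
AMOUNT_LIMIT = 10_000.00        # E.2d limit check: a single transaction may not exceed this
REASONABLE_MAX = 2_500.00       # E.2e reasonableness: above this is suspended for review
ALLOWED_CURRENCIES = {"USD", "EUR"}


def edit_transaction(txn, seen_ids, today):
    """Apply the Section E edits to one transaction.
    Returns (status, findings) with status 'accept', 'suspend' or 'reject'."""
    findings = []

    # E.1: required or critical fields may not be blank
    for field in REQUIRED:
        if not str(txn.get(field, "")).strip():
            findings.append(f"required field blank: {field}")
    if findings:
        return "reject", findings

    # E.2b character check: account is two letters followed by eight digits
    acct = txn["account"]
    if not (len(acct) == 10 and acct[:2].isalpha() and acct[2:].isdigit()):
        findings.append("account format invalid")

    # E.2a numeric value check, then E.2d limit check
    try:
        amount = float(txn["amount"])
    except ValueError:
        findings.append("amount not numeric")
        amount = None
    else:
        if amount <= 0:
            findings.append("amount must be positive")
        elif amount > AMOUNT_LIMIT:
            findings.append("amount exceeds limit")

    # E.2c date check: valid calendar date and not in the future
    try:
        txn_date = datetime.strptime(txn["txn_date"], "%Y-%m-%d").date()
    except ValueError:
        findings.append("date invalid")
    else:
        if txn_date > today:
            findings.append("date in the future")

    # E.2f internal compatibility: cross-checks against other fields
    if txn["currency"] not in ALLOWED_CURRENCIES:
        findings.append("currency not allowed")
    if txn.get("type") == "refund" and not txn.get("original_txn_id"):
        findings.append("refund without original transaction reference")

    # E.3: duplicate transactions are identified and rejected
    if txn["txn_id"] in seen_ids:
        findings.append("duplicate transaction id")

    if findings:
        return "reject", findings
    seen_ids.add(txn["txn_id"])

    # E.2e reasonableness: unusually large but in-limit amounts are held, not rejected
    if amount > REASONABLE_MAX:
        return "suspend", ["amount above reasonableness threshold"]
    return "accept", []


def run_edits(transactions, today_iso):
    """Edit a batch in order; returns a list of (txn_id, status, findings)."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    seen = set()
    return [(t.get("txn_id"), *edit_transaction(t, seen, today)) for t in transactions]


# Constructed sample batch: one clean row plus one row per failure mode
SAMPLE = [
    {"txn_id": "T1", "account": "AC12345678", "amount": "120.00", "txn_date": "2005-07-29", "currency": "USD"},
    {"txn_id": "T2", "account": "AC12345678", "amount": "-5", "txn_date": "2005-07-29", "currency": "USD"},
    {"txn_id": "T1", "account": "AC12345678", "amount": "120.00", "txn_date": "2005-07-29", "currency": "USD"},
    {"txn_id": "T3", "account": "AC12345678", "amount": "3000", "txn_date": "2005-07-29", "currency": "USD"},
    {"txn_id": "", "account": "AC12345678", "amount": "1", "txn_date": "2005-07-29", "currency": "USD"},
    {"txn_id": "T4", "account": "12345", "amount": "x", "txn_date": "2005-13-01", "currency": "GBP", "type": "refund"},
]


def demo():
    return run_edits(SAMPLE, "2005-07-30")


if __name__ == "__main__":
    for row in demo():
        print(row)
```

When testing an application, the auditor enters rows like those in `SAMPLE` and compares the application's behaviour with this expected outcome: the second `T1` must be rejected as a duplicate, the 3,000 amount must land on the suspended report rather than being silently accepted, and the last row should produce one finding per failed edit rather than stopping at the first.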
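As a second added example (again not part of the audit program), here is a minimal account store that enforces the four password controls the auditor examines in step B.3: length and composition rules (a), a maximum password age that forces periodic change (b), storage as salted hashes rather than clear text (c), and detection and blocking of repeated invalid attempts (d). The thresholds, the PBKDF2 parameters, and the sample users are assumptions chosen for illustration; an auditor would compare them with the organization's own policy.

```python
"""Added example (not part of the audit program): account store enforcing the
password controls of Section B.3. Thresholds and sample users are constructed."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 12                  # B.3a: minimum length (assumed policy value)
MAX_AGE = timedelta(days=90)     # B.3b: periodic change requirement (assumed)
MAX_FAILURES = 5                 # B.3d: invalid attempts before the account is locked (assumed)
PBKDF2_ROUNDS = 100_000          # work factor for the stored hash (assumed)


def check_composition(pw):
    """B.3a: return the list of rule violations; empty means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("no symbol")
    return problems


def hash_password(pw, salt=None):
    """B.3c: only a salted PBKDF2-HMAC-SHA256 digest is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccountStore:
    def __init__(self):
        self.accounts = {}

    def create(self, user, pw, now):
        problems = check_composition(pw)
        if problems:
            raise ValueError("; ".join(problems))
        salt, digest = hash_password(pw)
        self.accounts[user] = {"salt": salt, "hash": digest, "changed": now,
                               "failures": 0, "locked": False}

    def authenticate(self, user, pw, now):
        """Return 'ok', 'must_change', 'bad_password', 'locked' or 'unknown_user'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "unknown_user"
        if acct["locked"]:
            return "locked"                      # B.3d: blocked until an administrator resets it
        _, digest = hash_password(pw, acct["salt"])
        if not hmac.compare_digest(digest, acct["hash"]):
            acct["failures"] += 1                # B.3d: invalid attempt detected and counted
            if acct["failures"] >= MAX_FAILURES:
                acct["locked"] = True
                return "locked"
            return "bad_password"
        acct["failures"] = 0
        if now - acct["changed"] > MAX_AGE:
            return "must_change"                 # B.3b: password older than policy allows
        return "ok"


def demo():
    """Walk through each control with constructed users and return the outcomes."""
    store = AccountStore()
    t0 = datetime(2005, 7, 30)
    results = {}
    try:
        store.create("weak", "password", t0)
    except ValueError as exc:
        results["weak_rejected"] = str(exc)
    store.create("alice", "Correct-Horse-42!", t0)
    results["good"] = store.authenticate("alice", "Correct-Horse-42!", t0)
    results["wrong"] = [store.authenticate("alice", "nope", t0) for _ in range(MAX_FAILURES)]
    results["after_lock"] = store.authenticate("alice", "Correct-Horse-42!", t0)
    store.create("bob", "Correct-Horse-42!", t0)
    results["stale"] = store.authenticate("bob", "Correct-Horse-42!", t0 + timedelta(days=91))
    # B.3c evidence: the clear-text password never appears in what is stored
    results["plaintext_stored"] = any(b"Correct-Horse-42!" in v["hash"] for v in store.accounts.values())
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note that after the lockout the correct password is also refused; that is the behaviour B.3d asks for, and the audit evidence is the lock flag plus the failure counter, which is why both are kept in the record rather than only logged.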
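A third added example (not part of the audit program) illustrates step F.4, reviewing the audit file both to verify that auditing is actually happening and to check it for unusual entries. The review pass below confirms that every day in the review window has audit records and flags three kinds of unusual entry: after-hours activity, privileged changes such as role grants, and bursts of failed logins. The pipe-delimited log format, the business-hours window, the threshold, and the sample log lines are all constructed; a real application's audit file would need its own parser.

```python
"""Added example (not part of the audit program): review pass over an
application audit file as in Section F.4. Format and sample lines constructed."""
from collections import Counter
from datetime import datetime

# Constructed sample audit file: timestamp|user|event|object|result
SAMPLE_LOG = """\
2005-07-28 09:12:03|jsmith|LOGIN|app|OK
2005-07-28 09:15:44|jsmith|UPDATE|customer/1042|OK
2005-07-28 23:41:10|tadmin|LOGIN|app|OK
2005-07-28 23:42:55|tadmin|GRANT_ROLE|user/jsmith:admin|OK
2005-07-29 08:01:00|mlee|LOGIN|app|FAIL
2005-07-29 08:01:07|mlee|LOGIN|app|FAIL
2005-07-29 08:01:15|mlee|LOGIN|app|FAIL
2005-07-29 08:01:20|mlee|LOGIN|app|FAIL
2005-07-29 08:01:31|mlee|LOGIN|app|FAIL
2005-07-29 08:02:02|mlee|LOGIN|app|OK
"""

BUSINESS_HOURS = (7, 19)                 # 07:00 to 19:00 local; anything else is after hours (assumed)
FAILED_LOGIN_THRESHOLD = 5               # failed logins per user that count as a burst (assumed)
PRIVILEGED_EVENTS = {"GRANT_ROLE", "REVOKE_ROLE", "DELETE", "CONFIG_CHANGE"}


def parse_log(text):
    """Parse the constructed pipe-delimited format into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, obj, result = line.split("|")
        entries.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "user": user, "event": event, "object": obj, "result": result})
    return entries


def review_audit_file(text, expected_days):
    """Return a list of findings tuples; the first element names the finding type."""
    entries = parse_log(text)
    findings = []

    # Verify auditing is being done: every day in the review window must have records
    days_seen = {e["ts"].date().isoformat() for e in entries}
    for day in expected_days:
        if day not in days_seen:
            findings.append(("no_audit_records", day))

    # Check for unusual entries
    failures = Counter()
    for e in entries:
        hour = e["ts"].hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours", e["user"], e["event"]))
        if e["event"] in PRIVILEGED_EVENTS:
            findings.append(("privileged_change", e["user"], e["object"]))
        if e["event"] == "LOGIN" and e["result"] == "FAIL":
            failures[e["user"]] += 1
    for user, count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed_login_burst", user, count))
    return findings


def demo():
    return review_audit_file(SAMPLE_LOG, ["2005-07-28", "2005-07-29", "2005-07-30"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Each finding is something the auditor follows up on rather than a conclusion in itself: the missing day may mean logging was switched off or the file was rotated away, which also bears on the retention procedures of F.3, and the late-night role grant is exactly the kind of entry that the change-control review in Section C should be able to match to an approved change.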