CHECKLIST FOR IT GENERAL CONTROLS
It is necessary to assess the IT control environment as a basis for deciding how much audit reliance
to place on data produced by computerised IT systems. Weaknesses in the IT control environment
have a pervasive impact on all applications and data maintained in that environment.
This checklist for general controls is a set of close-ended questions for use in a limited review of
the IT control environment at the audited entity. It will help auditors check the main IT control
objectives, which are based on the COBIT framework in reference to the EU's regulatory framework
and information criteria in the areas of IT governance and management, data management,
business continuity planning, information security, change management and outsourcing of IT
infrastructure.
You can jump directly to the following sections of the checklist for general controls:
A. IT governance and management
B. Data management
C. Business continuity planning
D. Information security
E. Change management
F. Outsourcing of IT infrastructure
A. IT GOVERNANCE AND MANAGEMENT CONTROLS

Each entry below gives the control objective with its COBIT references and references to the regulatory framework, the tests of controls, an Evaluation field for the auditor's conclusion, and the documents required.

1. Control objective: IT strategy is aligned with and supports the overall business strategy.
   COBIT ref.: PO1.4, PO1.5
   References to regulatory framework: FR Arts 28a(2)(a) and 27(3); ICS7
   Related information criteria: Effectiveness
   Tests of controls:
     1. Is there a multiannual IT strategy or IT plan (3-5 years) that is formally approved at an appropriate level?
     2. Does the IT strategy have adequate and relevant objectives, budget and performance indicators?
     3. Are there IT annual work programmes in line with the IT strategy?
   Evaluation:
   Documents required: IT strategy or IT plan; IT annual work programmes

2. Control objective: Make effective and efficient IT investments and set and track IT budgets in line with IT strategy and investment decisions.
   COBIT ref.: PO5.3, PO5.4, DS6.3
   References to regulatory framework: FR Art. 27(3); ICS7
   Related information criteria: Effectiveness and efficiency
   Tests of controls:
     1. Is IT expenditure planned, managed and monitored within an annual budget which is aligned with the IT strategy and detailed enough to reflect the organisation's priorities?
   Evaluation:
   Documents required: IT annual budget (separate or a section of the general budget of the organisation); any documents for follow-up of the IT annual budget

3. Control objective: Provide accurate, understandable and approved policies, procedures and guidelines, embedded in an IT control framework.
   COBIT ref.: PO6.3, PO6.4, PO6.5
   References to regulatory framework: ICS8 and ICS12
   Related information criteria: Effectiveness
   Tests of controls:
     1. Are there written and formally approved policies and/or procedures covering most key aspects of IT management:
        a. Data management and classification?
        b. Business continuity?
        c. Information security?
        d. Risks and controls?
        e. Change management?
   Evaluation:
   Documents required: Policies, procedures, guidelines and manuals

4. Control objective: Establish transparent, flexible and responsive IT organisational structures and define and implement IT processes equipped with owners, roles and responsibilities.
   COBIT ref.: PO4.1, PO4.3, PO4.4, PO4.5, PO4.6, PO4.8, PO4.11, PO7.1, PO7.4, PO7.8, ME3.1
   References to regulatory framework: FR Art. 28a(2)(a); ICS3, ICS7 and ICS8
   Related information criteria: Effectiveness and efficiency
   Tests of controls:
     1. Is the IT department appropriately placed within the organisation, given the organisation's size and mission?
     2. Is there an IT steering committee composed of executive, business and IT management and charged with ensuring business alignment (with supervision of IT plans and policies) and monitoring IT services and projects?
     3. Are IT processes and IT-specific roles and responsibilities properly defined, exercised and monitored?
     4. Have a local information security officer (LISO) and local security officer (LSO) been appointed in accordance with the Commission's regulatory framework?
     5. Are there policies and procedures for managing staff recruitment and job termination?
     6. Are the following roles segregated:
        a. Security: security officer (LSO and LISO) – system owner – security administrator (LSA, local security administrator)?
        b. Changes: development – testing – quality assurance – production?
   Evaluation:
   Documents required: IT process framework, documented roles and responsibilities; IT job descriptions; IT human resources policy and procedures; decision or other document relating to the establishment of an IT steering committee; sample minutes of IT steering committee meetings

5. Control objective: Identify, prioritise, contain or accept relevant risks arising in the IT area and associated functions.
   COBIT ref.: PO9.1, PO9.2, PO9.3, PO9.4, PO9.5
   References to regulatory framework: IR Art. 48(e); ICS6 and ICS12
   Related information criteria: Confidentiality, integrity and availability
   Tests of controls:
     1. Are IT risks managed in accordance with the organisation's risk management framework?
     2. Is there an IT-specific risk management framework?
     3. Are IT risks defined and monitored regularly in an IT risk record (separately or within the organisation's general risk record)?
   Evaluation:
   Documents required: Risk management framework and/or policy; IT risk record/map

6. Control objective: Identify, implement and monitor an internal control process for IT-related activities.
   COBIT ref.: ME2.1, ME2.2, ME2.7, ME3.1
   References to regulatory framework: FR Art. 28a(2)(a,b,c); IR Arts 22a and 48(e); ICS9, ICS11, ICS12 and ICS15
   Related information criteria: Effectiveness and efficiency
   Tests of controls:
     1. Has a set of IT controls aligned with the organisation's internal control framework been established?
     2. Has a set of IT controls designed to mitigate IT risks been identified?
     3. Is there regular monitoring of and reporting on the effectiveness of IT controls?
     4. Does the organisation of IT conform to the applicable rules and regulations in areas such as data protection and intellectual property rights?
     5. Have any internal or external audit reports been produced on IT topics?
   Evaluation:
   Documents required: Documentation of internal IT controls or the organisation's internal control standards (e.g. the ICS at the European Commission); audit reports in the field of IT (last 3 years)

7. Control objective: Define a programme and project management approach that is applicable to all IT projects, enables stakeholder participation and monitors project risks and progress.
   COBIT ref.: PO10.2, PO10.3, AI2.2, AI4.3, AI4.4
   References to regulatory framework: ICS7
   Related information criteria: Effectiveness and efficiency
   Tests of controls:
     1. Is there an IT project management methodology?
     2. Are IT projects managed in line with the project management methodology?
     3. Are new IT systems developed in line with a software development methodology (e.g. RUP@EC)?
   Evaluation:
   Documents required: Project management guideline/documentation; software development methodology

8. Control objective: Monitor and report process metrics and identify and implement performance improvement actions.
   COBIT ref.: ME1.1, ME1.4, ME1.5, ME4.1, ME4.2
   References to regulatory framework: IR Art. 22a(1)(e); ICS9 and ICS15
   Related information criteria: Effectiveness and efficiency
   Tests of controls:
     1. Are senior management (or the steering committee) given regular progress reports on the overall contribution made by IT to the business, so that they can monitor the extent to which the planned objectives have been achieved, budgeted resources have been used, performance targets have been met and identified risks have been mitigated?
   Evaluation:
   Documents required: Regular progress reports
B. DATA MANAGEMENT CONTROLS

1. Control objective: Ensure that data are properly stored, archived and disposed of.
   COBIT ref.: DS11.2, DS11.4, DS11.5, DS11.6
   References to regulatory framework: FR Art. 28a(2)(b,c); IR Arts 22a(1)(d), 48(f,g), 107 and 108; ICS10, ICS11, ICS12 and ICS13
   Related information criteria: Integrity
   Tests of controls:
     1. Are there policies established to store documents, data and source programmes in accordance with the organisation's activities, size and mission?
     2. Do adequate policies and procedures exist for the backup of systems, applications, data and documentation:
        a. Do backup procedures provide guarantees of data recovery (with frequencies, copies, verifications, etc.) and correspond to the business continuity plan?
        b. Are all relevant data backed up (e.g. by means of audit logs, documents, spreadsheets)?
        c. Is there well-defined logical and physical security for data sources and backup copies?
        d. Has responsibility been assigned for the making and monitoring of backups?
     3. Are systems, applications, data and documentation maintained or processed by third parties adequately backed up and/or secured?
     4. Does the organisation have policies to ensure the protection of sensitive data and software when data and hardware are disposed of or transferred?
     5. Are the retention periods for data in line with contractual, legal and regulatory requirements?
   Evaluation:
   Documents required: Data management policy; backup procedures; procedures for disposal of media; contracts with third parties or service-level agreements (data management clauses)

2. Control objective: Establish an enterprise data model incorporating a data classification scheme to ensure the integrity and consistency of all data.
   COBIT ref.: PO2.3, PO2.4, DS5.11, DS11.1
   References to regulatory framework: FR Art. 28a(2)(b,c); IR Arts 22a(1)(d), 48(c,f) and 107; ICS11, ICS12 and ICS13
   Related information criteria: Confidentiality and integrity
   Tests of controls:
     1. Has a data dictionary been defined so that data redundancy/incompatibility can be identified and data elements can be shared among applications and systems?
     2. Is the data dictionary applied to existing systems, application development projects and major changes to IT applications?
     3. Are owners identified for each data element (files, folders, applications, etc.)?
     4. Are data classified by information criterion:
        a. confidentiality (public, limited, etc.);
        b. integrity (moderate, sensitive, etc.);
        c. availability (moderate, critical, etc.)?
     5. Is there a document showing the classification of each data element in accordance with the data classification scheme?
   Evaluation:
   Documents required: Data management policy; data classification scheme; assigned data classifications; data dictionary

3. Control objective (non-COBIT): Ensure reliable production of financial and management information.
   COBIT ref.: AC2, AC5
   References to regulatory framework: FR Arts 28a(2)(b) and 61(e); IR Art. 48(f); ICS12 and ICS13
   Related information criteria: Confidentiality and integrity
   Tests of controls:
     1. Have controls been designed to ensure the reliability of computerised data, with source documents?
     2. Have controls been designed to ensure the integrity and security of documents or files (such as spreadsheets) which are kept on personal computers or shared drives and are relied on by the organisation in its financial workflow where:
        a. those files are used to gather financial data or make calculations and serve as a basis for manual entries in financial systems (e.g. ABAC) instead of source documents?
        b. the files are used for financial reporting?
   Evaluation:
   Documents required:
C. BUSINESS CONTINUITY CONTROLS

1. Control objective: Build the capabilities to carry out day-to-day automated business activities with minimal, acceptable interruption.
   COBIT ref.: DS2.5, DS4.2, DS4.3, DS4.4, DS4.5
   References to regulatory framework: FR Art. 28a(2)(c); IR Art. 48(c); ICS10
   Related information criteria: Availability and effectiveness
   Tests of controls:
     1. Are there a written and formally approved business continuity plan (BCP) and disaster recovery plan (DRP)?
     2. Does the BCP cover:
        a. Business impact analysis (BIA)?
        b. All key business functions and processes?
        c. Roles, responsibilities and communication processes?
     3. Are BCP tests scheduled and completed on a regular basis?
     4. Is the BCP kept updated so that it continually reflects actual business requirements?
     5. Are all critical backup media, documentation, data and other IT resources necessary for IT recovery stored offsite?
     6. Do the BCP and DRP define recovery point objectives (RPOs) and recovery time objectives (RTOs)?
     7. Are backup policies defined in accordance with RPOs and RTOs?
   Evaluation:
   Documents required: BCP and DRP; test reports

NB: in the absence of a suitable BCP the audited entity should be advised of the risk without delay.
D. INFORMATION SECURITY CONTROLS

1. Control objective: Establish and maintain IT security roles, responsibilities, policies, standards and procedures.
   COBIT ref.: PO6.3, DS5.1, DS5.2
   References to regulatory framework: FR Art. 28a(2)(c); IR Art. 48(c); ICS12
   Related information criteria: Confidentiality, integrity and effectiveness
   Tests of controls:
     1. Has an IT security policy and/or plan been drawn up and approved at the appropriate level?
     2. Does the IT security plan include/cover the following:
        a. A complete set of security policies and standards in line with the established IT security policy framework?
        b. Procedures for implementing and enforcing those policies and standards?
        c. Roles and responsibilities?
        d. Staffing requirements?
        e. Security awareness and training?
        f. Enforcement procedures?
        g. Investment in the necessary security resources?
   Evaluation:
   Documents required: IT security policy and/or plan; relevant security policies and procedures

2. Control objective: Implement procedures for controlling access based on the individual's need to view, add, change or delete data.
   COBIT ref.: DS5.3, DS5.4
   References to regulatory framework: FR Art. 28a(2)(c); IR Art. 48(c); ICS12
   Related information criteria: Confidentiality and integrity
   Tests of controls:
     1. Are there procedures for defining access rights (view/add/change/delete) to financial systems (ABAC, etc.) and data/documents?
   Evaluation:
   Documents required: User access rights policy / user management policy; access control lists (for financial systems and data)

3. Control objective: Ensure that all users (internal, external and temporary) and their activity on IT systems are uniquely identifiable.
   COBIT ref.: DS5.3, AC6
   References to regulatory framework: FR Art. 28a(2)(c); IR Art. 48(c); ICS12
   Related information criteria: Confidentiality and integrity
   Tests of controls:
     1. Are there authentication and authorisation mechanisms, such as passwords, tokens or digital signatures, for enforcing access rights according to the sensitivity and criticality of information?
     2. Are IDs unique and individual, and passwords known only to the persons concerned?
   Evaluation:
   Documents required:

4. Control objective: Controls on the appropriate segregation of duties for requesting and granting access to systems and data exist and are followed.
   COBIT ref.: DS5.3, DS5.4, PO4.11
   References to regulatory framework: FR Art. 28a(2)(c); IR Art. 48(c); ICS8
   Related information criteria: Confidentiality and integrity
   Tests of controls:
     1. Are user access rights requested by user management, approved by system/data owners and implemented by the security administrator?
     2. Are the following roles segregated:
        a. Infrastructure: security officer (LSO and LISO) – system owner – security administrator (implementing access by LSA etc.)?
        b. Applications: system owner (authorisation and monitoring) – security administrator (e.g. profile administrator in ABAC)?
   Evaluation:
   Documents required: Access control lists (for financial systems and data); job descriptions

5. Control objective: Make sure one person (security administrator) is responsible for managing all user accounts and security tokens (passwords, cards, devices, etc.) and that appropriate emergency procedures are defined. Periodically review/confirm his/her actions and authority.
   COBIT ref.: DS5.4, DS13.4
   References to regulatory framework: FR Art. 28a(2)(c); IR Art. 48(c); ICS8 and ICS12
   Related information criteria: Confidentiality and integrity
   Tests of controls:
     1. Is there a security officer in charge of the organisation's IT security who obtains his/her authority from the senior management?
     2. Is only the security officer able to manage user accounts and passwords?
     3. Are the actions of the security administrator periodically reviewed (by the LISO), attention being given to the segregation of duties?
   Evaluation:
   Documents required: Job descriptions of security officer and security administrator

6. Control objective: Provide and maintain a suitable physical environment to protect IT assets from access, damage or theft.
   COBIT ref.: DS12.2, DS12.3, DS12.5
   References to regulatory framework: FR Art. 28a(2)(c); IR Arts 48(c) and 108; ICS12
   Related information criteria: Confidentiality and integrity
   Tests of controls:
     1. Has a policy been defined, and is it implemented, concerning the physical security and access control measures that are to be followed to prevent fire, water damage, power outages, theft, etc. at IT premises?
     2. Is access to IT premises (IT rooms and facilities) granted, limited and revoked in accordance with physical security policies?
     3. Is there a procedure for logging and monitoring all access to IT premises (including by contractors and vendors)?
   Evaluation:
   Documents required: Policies relating to physical security
E. CHANGE MANAGEMENT CONTROLS

1. Control objective: Control the impact assessment, authorisation and implementation of all changes to IT infrastructure, applications and technical solutions; minimise errors due to incomplete request specifications; and halt implementation of unauthorised changes.
   COBIT ref.: AI6.1, AI6.2, AI6.3, AI6.4, AI6.5, AI6.6
   References to regulatory framework: IR Arts 22a(1)(d) and 107; ICS8
   Related information criteria: Integrity, availability, effectiveness and efficiency
   Tests of controls:
     1. Is there a formally approved, implemented and monitored framework/procedures for managing changes to IT applications, programs and databases?
     2. Does the change management framework include/cover:
        a. Roles and responsibilities?
        b. Change request procedures?
        c. The assessment of risks and the impacts of changes?
        d. Management authorisation for change requests?
        e. Approval by the key stakeholders, such as users and system owners, before changes move into production?
        f. Management review and approval of changes before they move into production?
        g. The classification of changes (major, minor, emergency changes, etc.)?
        h. The tracking of changes?
        i. Version control mechanisms?
        j. The definition of rollback procedures?
        k. The use of emergency change procedures?
        l. Audit trails?
     3. Are the following criteria for the segregation of duties respected in the context of program changes:
        a. Is the segregation of duties for development, testing, quality assurance and production tasks clearly established?
        b. Do program developers and testers conduct activities on "test" data only?
     4. Do end users or system operators have direct access to program source codes?
   Evaluation:
   Documents required: Change management framework/procedures; all records of a sample of changes (from change request log to move into production)

2. Control objective: Test that applications and infrastructure solutions are fit for the intended purpose and free from errors, and that adequate data conversion has occurred.
   COBIT ref.: AI7.2, AI7.6
   References to regulatory framework: IR Arts 22a(1)(d) and 107; ICS8
   Related information criteria: Effectiveness
   Tests of controls:
     1. Are all major changes tested against functional and operational requirements to ensure that original business goals are achieved?
     2. Are all major changes executed in accordance with a test plan which covers:
        a. Organisational standards, roles and responsibilities?
        b. Test preparation, including site preparation?
        c. Training requirements, if needed?
        d. Installation or update of a defined test environment?
        e. Planning/performance/documentation/retention of test cases?
        f. Error and problem handling?
        g. Correction and escalation?
        h. Formal approval?
     3. Are tests implemented on the live production system or in a test environment?
   Evaluation:
   Documents required: Test plans and other documents relevant to the testing of a major change to an IT application/program
F. CONTROLS ON OUTSOURCING IT INFRASTRUCTURE

1. Control objective: Identify services delivered by IT. Define, agree upon and regularly review service-level agreements, which should cover service support requirements, related costs, roles and responsibilities, etc., and be expressed in business terms.
   COBIT ref.: DS1.1, AI4.1, AI5.2, DS1.3, DS1.6, DS2.4
   References to regulatory framework: FR Art. 28a(2)(c); IR Arts 22a(1)(d), 48(c,f) and 108; ICS5, ICS8, ICS10, ICS11 and ICS12
   Related information criteria: Confidentiality, integrity, efficiency and effectiveness
   Tests of controls:
     1. Are there clearly-defined benefits and business objectives in support of the decision to outsource?
     2. Are management requirements and expectations clearly defined in the contract/SLA?
     3. Were the risks assessed when deciding to outsource and taken into account when specifying the necessary controls?
     4. Was the IT project carried out in accordance with existing project management standards?
     5. Does the contract/SLA clearly define security requirements:
        a. Network security?
        b. Physical security?
        c. Anti-virus protection?
        d. Logical access controls?
     6. Are the data backup requirements clearly defined?
     7. Are provisions included for business continuity procedures?
     8. Is there a clause on compliance with personal data protection regulations?
     9. Does the contract/SLA give a detailed description of the service to be provided:
        a. Hardware and software requirements?
        b. Service support (help desk, incident management, problem management)?
        c. Maintenance and change management?
        d. IT staffing needs?
     10. Does the contract/SLA include/cover the following:
        a. Formal management and legal approval?
        b. Costs, with specifications for payment (including frequency)?
        c. The principals' roles and responsibilities?
        d. User/provider communications procedure and frequency?
        e. Contract duration?
        f. Problem resolution procedures?
        g. Non-performance penalties?
        h. The dissolution procedure?
        i. The contract modification procedure?
        j. Non-disclosure guarantees?
        k. Right to access and right to audit?
   Evaluation:
   Documents required: Contract(s); SLA(s)

2. Control objective: Continuously monitor specified service-level performance criteria. Reports on achievement of service levels should be provided in a format that is meaningful to stakeholders.
   COBIT ref.: DS1.5, ME1.4, ME1.5, ME1.6
   References to regulatory framework: IR Art. 22a(1)(e); ICS9 and ICS15
   Related information criteria: Efficiency and effectiveness
   Tests of controls:
     1. Does the contract/SLA define reporting procedures as regards the type, content, frequency and distribution of reports?
     2. Is a procedure in place for continuous monitoring and regular reporting on the achievement of objectives?
     3. Have formal performance criteria been established to facilitate and measure the achievement of the SLA objectives?
   Evaluation:
   Documents required: Monitoring report(s)