This is the AuditNet Standard Risk Control Audit Matrix, which incorporates formats
used by many audit organizations in their documentation working papers. There are
format templates for risk control, audit procedures, questionnaires and checklists.
There is a blank workpaper and a report summary that can be used by audit
organizations. AuditNet has prepared a monograph for guidance on preparing and
developing audit work programs, checklists, questionnaires and matrices. The
monograph is available to AuditNet subscribers. For more information go to
www.auditnet.org
AREA:
Risk control matrix template (column headings): Process | Control Objective | Risk |
Control Considerations | Assertion (E,A,C,V,P) | Description of control |
Documentation W/P Ref. | Do controls meet objective? (Yes/No) | Test W/P Ref |
Testing exceptions noted? (Yes/No) | Resolution / remediation / comments W/P Ref
Audit Program Area: General Controls Audit Program
Auditor
AUDIT PROCEDURES | WP Ref | Initials
Audit Objectives are to determine:
Adequacy of personnel procedures to ensure integrity of Data Center operations,
Adequacy of the system development life cycle (SDLC), including the program change procedures, to ensure the integrity and accuracy of information processes,
Existence of adequate and operational backup and disaster recovery procedures that will minimize business interruption and protect against loss of data in the event of a disaster,
Adequacy of physical and logical security controls maintained to prevent unauthorized access to computers,
Adequacy of environmental controls maintained to minimize hardware/software losses from fire or flood,
Compliance with the Company Department of Information Resources requirements, and
The implementation schedule for new information systems being implemented at .
ORGANIZATIONAL CONTROLS -- SYSTEM OVERVIEW, DOCUMENTATION, & TRAINING
1. Document organizational structure.
a. Review the composition, roles and responsibilities of IS steering
committees for appropriateness. Determine whether the committee meets
periodically to review, approve or reject projects, monitors status of
projects and reviews the results of the post-implementation reviews.
b. Identify those positions responsible for maintaining the programs,
backing-up the system and data files, and using the various computer
center systems. Review the written job descriptions for each functional
duty described in the organization chart to determine accuracy.
c. Determine if appropriate segregation of duties exists. Ensure IS
functions are segregated from users and incompatible IS functions are
segregated.
d. Determine whether provisions are made for backup personnel in key
positions and if job rotation/cross-training is performed.
e. Evaluate skill sets for the IS staff and supervisory controls for
appropriateness.
f. Evaluate the effectiveness of the recruiting process in filling positions
with qualified candidates in a timely manner and evaluate turnover and
work environment.
g. Determine if termination procedures are adequate:
(1) The employee's I.D. badge should be collected when he or she is
terminated.
(2) Passwords that the terminating employee was privy to should be
removed or changed.
(3) His or her keys should be collected and/or locks be changed.
(4) Is there a termination check out briefing session or procedure?
h. Determine if adequate system training and supervision are provided to
the employees using the system.
2. Interview IS staff and distribute questionnaire to identify potential risks
and assess general controls.
3. Based on responses to questionnaire identify results as strengths or
weaknesses of the general control environment, and prepare a preliminary
risk assessment. Identify strengths to test and determine if controls are
functioning as management intends.
4. Review the IS strategic plan and budget to gain an understanding of IS
goals, projects, available resources and ensure agreement with the plan of
the university.
5. Obtain or document an overview of the Information Systems (including
hardware resources, software, support/design staff, and users) for the data
center. Identify critical information systems.
6. Evaluate written system operation (especially for start-up, shut-down, file
maintenance, preventive maintenance, and vendor supplied
documentation), system development, and acquisition policies and
procedures for adequacy.
7. Evaluate compliance status with Department of Information Resources
requirements.
8. Inquire into the year 2000 issue and document the status and
implications.
PROGRAM CHANGE CONTROL MANAGEMENT
9. Ensure there are adequate guidelines to instruct programming personnel
in their duties.
10. Ensure that programming personnel are adequately supervised and new
programs and enhancements are adequately tested and reviewed before
being put in the production environment.
11. Identify and ensure that controls protect production application program
libraries from unauthorized changes, additions, and deletions.
12. (a) Ensure that program libraries are adequately secured to provide
recovery of critical data and applications in case of loss or destruction.
(b) Ensure that enhancements to programs are documented, including user
and data center operational procedures.
COMPUTER CENTER OPERATIONS
13. Performance
a. Examine utilization reports to determine the times of peak resource
demand.
b. Ensure that the capacity planning (processor, memory, channels, disk,
network, etc.) performed is adequate for the current system and long-term
strategic plans.
c. Determine whether periodic performance measurements are taken.
d. Determine whether system downtime is recorded and tracked.
14. Preventative Maintenance
a. Interview employees and/or review vendor maintenance agreements to
15. Job Scheduling
a. Interview employees, review scheduling policies and procedures,
review scheduling logs and observe operations to determine if there is an
effective system in place to schedule jobs.
SECURITY AND ENVIRONMENTAL CONTROLS
NOTE: A negative response to any of the questions in the Physical
Security and Environmental Controls and Backup sections does not
necessarily represent a significant control weakness. The environment
should be evaluated as a whole and an overall determination made of the
general controls.
16. Determine if the security responsibility has been assigned to an IS staff
member. Determine if physical security policies and procedures are
adequate by evaluating controls through interview and observation. Use the
following audit steps/questions as a guideline in determining adequacy:
a. Ensure that there are written procedures in effect which prevent
unauthorized persons from gaining access to computer facilities.
b. Ensure that authorized personnel are specifically defined in operation
standards and/or procedures.
c. Observe at several different times whether only authorized personnel
are in the processing area.
d. Determine whether the data center facilities are restricted by the use of
keys, badges or other automated security devices.
e. Does the computer site have a ground floor location and possibly a
showcase window?
f. Is the computer site below ground level?
g. Is the air conditioning air intake outside at ground level?
h. Is direct access into the data center possible from the outside or
through a public hallway?
i. Are keys to cabinets, equipment rooms, and wiring closets held under
proper custody?
j. Are all telecommunication line junction points (wiring and router closets,
etc.) secured to prevent tampering?
k. Is the data center subject to catastrophic mishap, e.g., aircraft collision?
17. The adequacy of fire protection systems should be determined by using
the following issues as a guideline:
a. Clear and adequate fire instructions should be posted in strategic
locations.
b. Fire alarm pull boxes and emergency power switches should be clearly
visible and unobstructed.
c. The computer room should have an automatic fire extinguishing system
which is tested periodically by the manufacturer or service
representative.
d. The detection system should detect smoke, temperature, humidity,
water, or combustible fumes.
e. The detectors should be located in the ceiling air ducts and beneath the
raised flooring. Detectors should be tested frequently and protected by a
backup power supply.
f. When the fire alarm is activated, it should sound outside the computer
room area at a guard station and a local fire station or emergency control
center. Data Center personnel should be able to identify the sound of the
fire alarm.
g. What are the exposures to flooding? Would a burst pipe or rising river
cause damage?
h. The computer room should be kept clean at all times.
18. The environmental equipment and controls should be adequate to
protect the computer hardware from damage. Use the following areas as a
guideline in determining adequacy:
a. Ventilation and air conditioning should be adequate to maintain the
appropriate temperature level specified by the manufacturer.
b. Recording thermometers and humidity indicators should be located so
the readings can be obtained easily. These instruments should be
monitored on a routine basis by a trained person.
c. The hardware should automatically shut down to protect itself from
damage if unacceptable temperatures are reached.
d. The computer equipment should be subject to periodic maintenance,
cleaning and inspection, and a record kept of such.
e. The computer room ceiling should be adequately constructed to
prevent water from entering the computer room.
f. Overhead water and steam pipes should be avoided.
g. Adequate drainage should be provided.
h. An independent air conditioning system with backup power supply should
be installed.
19. Ensure physical controls exist over IS physical inventory.
a. Periodic inventories should be taken.
b. All software copies should have proper licenses.
20. Determine whether vendor service personnel are supervised while on site.
LOGICAL CONTROLS
21. Evaluate procedures for creating and removing user IDs.
22. Obtain listing of user IDs:
a. Sample to determine if appropriate authorization was obtained.
b. Identify the operating privileges and review accounts having elevated
privileges and system over-ride capabilities for propriety.
c. Evaluate the use of proxy accounts and privileges assigned.
d. Evaluate user privileges by determining job function and privileges.
23. Test to determine if access for recently terminated or transferred
employees was removed or disabled in a timely manner.
24. Evaluate sufficiency of password administration considering: syntax,
minimum and maximum lengths, periodic changes and expiration time
frames.
25. Determine if the access authorization tables and password files are
adequately secured against unauthorized access.
26. Evaluate controls related to remote access to the data center. Ensure
that dial-in lines include a call back feature or some other means of control
to ensure only authorized access.
27. Determine if audit security logs are activated and monitored for unusual
activity (e.g., break-in attempts). Determine if internal audit is receiving logs.
28. Gain an understanding of the MVS and RACF environments and
evaluate security controls for effectiveness.
29. Evaluate the procedures for handling and disposing of confidential and
sensitive documents and reports.
BACKUP AND DISASTER RECOVERY CONTROLS
30. Ensure that system and data file backup procedures are adequate to
minimize recovery time and/or loss of data.
31. Ensure that backups are maintained off-site and rotated, and determine if
a periodic inventory is taken. Visit the off-site facility and evaluate security,
if necessary.
32. Identify the backup power supplies/equipment and determine adequacy
relating to the following areas:
a. Emergency backup lights.
b. Computer systems.
c. Telecommunications system.
33. Review the disaster recovery plan for adequacy.
Other
34. Determine the implementation schedule for new information systems
being implemented at .
35. Identify other information systems connected to the data center that may
compromise security established within the data center.
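Steps 22 and 23 of the logical controls section ask the auditor to trace a user-ID listing to HR records and to test whether access for terminated or transferred employees was removed in a timely manner. The following is an added worked example of that test, not part of the AuditNet program; the HR events, the account listing, the 7-day removal grace period and the as-of date are all constructed assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed HR termination/transfer list (not from the audit program):
# (employee id, status, effective date of the termination or transfer).
HR_EVENTS = [
    ("E1001", "terminated", date(2014, 9, 1)),
    ("E1002", "transferred", date(2014, 9, 15)),
    ("E1003", "terminated", date(2014, 9, 28)),
]

# Constructed user-ID listing obtained from the system (step 22):
# (user id, employee id or None when no HR owner, enabled flag, date disabled or None).
USER_ACCOUNTS = [
    ("jsmith", "E1001", True, None),              # still enabled 32 days after termination
    ("mlee", "E1002", False, date(2014, 9, 16)),  # disabled the next day
    ("rkhan", "E1003", True, None),               # 5 days after termination, inside grace period
    ("svcbatch", None, True, None),               # no HR owner: authorization must be evidenced
    ("opsadmin", "E2000", True, None),            # active employee, no HR event on record
]

GRACE_DAYS = 7  # assumed policy: access removed within 7 days of the HR event


def review_access(hr_events, accounts, as_of, grace_days=GRACE_DAYS):
    """Return (exceptions, orphans): exceptions are (user, employee, status,
    days access remained) for accounts still enabled, or disabled late, after a
    termination or transfer; orphans are user IDs with no HR owner (step 22a)."""
    events = {emp: (status, eff) for emp, status, eff in hr_events}
    exceptions, orphans = [], []
    for user, emp, enabled, disabled_on in accounts:
        if emp is None:
            orphans.append(user)
            continue
        if emp not in events:
            continue  # no termination or transfer on record for this owner
        status, eff = events[emp]
        deadline = eff + timedelta(days=grace_days)
        if enabled and as_of > deadline:
            exceptions.append((user, emp, status, (as_of - eff).days))
        elif not enabled and disabled_on is not None and disabled_on > deadline:
            exceptions.append((user, emp, status, (disabled_on - eff).days))
    return exceptions, orphans


def run_sample(as_of=date(2014, 10, 3)):
    """Run the test over the constructed data as of the form date on this page."""
    return review_access(HR_EVENTS, USER_ACCOUNTS, as_of)
```

Each exception is a candidate finding for the report summary; each orphan ID is traced to its authorization record before it is cleared.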
Time Spent | Date Expected | Date Finished | Remarks | Checked By:
Audit Program
Audit program template (column headings): Audit Procedure | Control Objective |
Risk if Objective Not Met | Control Technique | Performed By | Date Expected |
Date Completed | Budget Hours | Actual Hours | Document Reference | Source |
Reviewed By | Remarks/Comments
Audit Program Area
Global
Column headings: Ref No. | Audit Procedure | Control Objective | Risks |
Control Activity Number | Control Description | Key Control? | Frequency |
Owner | Exceptions | Type | Document Reference | Mapping to Standards
Questionnaire
Client Name
Internal Control Framework
Completed By:
Reviewed By:
Question | Yes | No* | Comments / Description
Employee Responsible for Task
* For a No answer, cross-reference to either a compensating control or to audit work which has been performed
or is to be performed.
To the best of my knowledge, the answers and comments noted above are accurate and reflect the current
Name and Title of Person Completing Form (please print)
Signature of Person Completing Form
Date Form Completed: 10/3/2014
Name and Title of Department Director (please print)
Signature of Department Director
Date of Department Director's Signature
Report summary (column headings): Finding Ref # | Control Testing Finding |
Management Response & Treatment