Professional Documents
Culture Documents
- Meet with or reach out to key project members at least once a week to keep current on project developments.
- Review status of project at each staff meeting.
- Maintain notes of meetings and all recommendations/value add activities using this template.
- Keep copies of key emails, chats, supporting documents in designated repository (preferably Internal Audit OneDrive).
- Retain final project files within the Audit Tool projects upon completion.
ject developments.
Are any other systems expected to impacted? (i.e. databases, operating systems, interfaces into other applications)
Is project expected to change or add to existing ICFR controls? (if YES complete Impact to ICFR tab)
Other Considerations
Time Anticipated From Auditor
ng Guides)
R tab)
The request list below contains items required for assessment of controls over the current new system implementation or migration. Spec
not be available or may be embedded in a variety of documents. Please provide examples of any relevant items available that demonstrate
LAC 2.1 Logical access requires a unique userID and a password that is not plainly visible.
User authentication requires a password that must comply with generally accepted standards for
LAC 3.1 effectiveness, and/or additional measures to prevent unauthorized access.
Users with elevated super user and/or administrative user privileges in the application is limited to
LAC 4.1 only those personnel with corresponding job responsibilities for system administration.
Direct access to the application's database is restricted to only those personnel with corresponding
DDB1 responsibilities for data administration.
Note: The new system will also be in-scope for process-based controls (user administration and program change controls testing as
ementation or migration. Specific project documents and approaches vary, so listed items may
tems available that demonstrate the control objective was achieved.
Requested Documentation
System Migration Controls
Requirements definition, design/configuration decisions, SOD matrix or equivalent
document.
System-generated listing of parties with “super user” and administrator access (if
not already provided in the listing provided for LAC 2.2).
gram change controls testing as applicable) from the date of implementation through year-end.
Client comments (if any) Attachments
Time Tracking - this template below is optional to capture/track activites in detail - you may be
required to track in other systems at management's discretion
Impact (Addition,
Cycle Control Number Control Wording
Change, Deletion)
ntrols for Financial Reporting Documentation of Attributes of Additional Controls or Cha
Rationale Behind Change in Control Key vs. Non-Key Risk Control is Addressing
n of Attributes of Additional Controls or Changes to Existing Controls