
SYSTEMS AND DATA AUDIT WORK PROGRAM

Table columns: No. | Issue/Risk | Risk Rank* | Mitigating Control** | Testing | Results/Recommendations | Ref.

Systems and Data Audit Work Program

Ask management about the process-specific critical systems and software used by the department. Document
these applications below and perform testing of controls indicated in this section. Note: Depending on the
nature of the application, not all the controls below may need to be tested for the application.

1. Issue/Risk: Information systems may not adequately support management's informational and filing needs.
   Mitigating Control: Ask management about the controls in place to mitigate each risk identified under Issue/Risk.
   Testing: Ask management if current information systems adequately support management's informational needs.

2. Issue/Risk: User access controls for process-specific critical applications may not be adequate.
   Testing:
   User Maintenance
   Ask management about the process for adding, deleting and changing user access rights.
   Test one walkthrough sample to validate that the process is occurring as indicated. Test for documented evidence such as standard user access forms. Generally, our IT team recommends that documentation is retained for the audit year, but you should also refer to the document retention policy for further information.
   Monitoring
   Ask management about the process for performing user access reviews (e.g., who does it and how frequently?). This should be performed at least annually.
   Test: Based on the frequency of review, select a sample of user access reviews and perform the following:
   • Test evidence that the user access review is performed (i.e., look at the user access list and see that there is signoff).
   • Select a sample of users from the user access reports for substantive testing in accordance with the internal auditor way sample.
   • Confirm that users have a business need for their access. This would involve knowing their title and looking at the roles to make sure they make sense; this may also involve following up with the person's department manager to understand/validate that the person's level of access is truly needed.
   • For this same sample, determine whether duties are appropriately segregated. Assess the security settings for appropriate segregation of duties, reviewing controls over user administration (i.e., adding, changing and deleting users and their roles) and monitoring the appropriateness of user access.

Source: www.knowledgeleader.com

3. Issue/Risk: Change control procedures for process-specific critical applications may not be adequate.
   Testing:
   Change Management Process
   Ask management if the application is under a change management process and understand what the process looks like.
   Walk through a sample of one change to determine the following:
   • Changes are documented, reviewed and approved prior to the change being made.
   • User acceptance testing is performed prior to promotion into production.
   • Signoff is required in order to promote changes to production.
   • A change tracking system is being used.
   Segregation of Duties
   Ask management who has access to make changes to the system and to promote the changes to production. These duties should be segregated.
   Test: For a few people with the ability to make system changes, perform a walk-through of their access rights to confirm that they don't have access to promote changes to production. Potentially include these individuals in the internal auditor way sample discussed under user access in Section F3 above.
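The user-access and change-control tests above both come down to three checks on an exported access list: is there sign-off evidence for the review, does each user's access fit their title, and does anyone hold a conflicting combination of rights (for example the ability both to make a change and to promote it to production). The following is an added example, not part of the work program or any KnowledgeLeader material; the access list, titles, role names, toxic-combination pairs and review records are all constructed for illustration, and the role-to-title mapping is assumed to have come from management during the inquiry.

```python
"""Added example (not from the work program): automating the evidence checks in the
user-access review and change-control segregation-of-duties tests. All data is constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass
class UserAccess:
    user: str
    title: str
    roles: set


# Constructed access list, as IT might export it for the review (assumed format).
ACCESS_LIST = [
    UserAccess("alice", "AP Clerk", {"ap_entry"}),
    UserAccess("bob", "AP Clerk", {"ap_entry", "ap_approve"}),         # enters and approves
    UserAccess("carol", "Developer", {"dev_change", "prod_promote"}),  # changes and promotes
    UserAccess("dave", "Release Manager", {"prod_promote"}),
    UserAccess("erin", "Intern", {"user_admin"}),                       # unexpected for title
]

# Roles management says each title legitimately needs (business need by title; assumed).
ALLOWED_BY_TITLE = {
    "AP Clerk": {"ap_entry"},
    "AP Manager": {"ap_approve"},
    "Developer": {"dev_change"},
    "Release Manager": {"prod_promote"},
    "Intern": set(),
}

# Role combinations one person should not hold at the same time (constructed).
TOXIC_PAIRS = [
    ({"ap_entry", "ap_approve"}, "enter and approve own invoices"),
    ({"dev_change", "prod_promote"}, "make and promote system changes"),
]

# Constructed user access review records, one per review cycle.
REVIEWS = [
    {"period": "FY2023", "signed_off_by": "J. Smith", "signed_off_on": date(2023, 3, 31)},
    {"period": "FY2024", "signed_off_by": "", "signed_off_on": None},
]
REVIEW_AS_OF = date(2024, 3, 15)  # fieldwork date for the sign-off age check


def unexpected_roles(access_list, allowed_by_title):
    """Users holding roles outside the set expected for their title.
    These are the ones to take back to the department manager to validate business need."""
    findings = {}
    for u in access_list:
        extra = u.roles - allowed_by_title.get(u.title, set())
        if extra:
            findings[u.user] = sorted(extra)
    return findings


def sod_conflicts(access_list, toxic_pairs):
    """Users who hold every role in a toxic pair, as (user, description) tuples."""
    findings = []
    for u in access_list:
        for pair, description in toxic_pairs:
            if pair <= u.roles:
                findings.append((u.user, description))
    return findings


def review_evidence_ok(review, as_of, period_days=365):
    """Evidence test: the review carries a reviewer sign-off, and the sign-off is no
    older than the expected frequency (at least annually by default)."""
    if not review.get("signed_off_by") or review.get("signed_off_on") is None:
        return False
    age_days = (as_of - review["signed_off_on"]).days
    return 0 <= age_days <= period_days


if __name__ == "__main__":
    print("roles outside title:", unexpected_roles(ACCESS_LIST, ALLOWED_BY_TITLE))
    print("SoD conflicts:", sod_conflicts(ACCESS_LIST, TOXIC_PAIRS))
    for r in REVIEWS:
        print(r["period"], "sign-off evidence ok:", review_evidence_ok(r, REVIEW_AS_OF))
```

The script only flags exceptions; each flagged user still needs the follow-up the work program describes (manager confirmation of business need, or a walk-through of the conflicting rights), and the printed output is retained as the working-paper support.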

5. Issue/Risk: Backup procedures for process-specific critical applications and electronically stored documents may not be adequate.
   Testing: Ask management whether the application and Excel files are backed up, how often and on which server.
   Test: Ask the business owner which server the relevant information is on and request the most recent backup log for that server from IT. Perform a walk-through of the selected backup log. Review the backup log to confirm that the application was backed up successfully. If the backup was not successful, review evidence that a successful backup was performed within a reasonable amount of time. ("Reasonable" can vary depending on the criticality of the application.)
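The backup-log walk-through has a failure mode the text calls out: the most recent run may have failed, in which case the question becomes how old the last successful backup is relative to a tolerance set by the application's criticality. The following is an added example, not part of the work program; the log line format, server and job names, timestamps and the per-criticality tolerances are all constructed assumptions, since real backup software writes its own format.

```python
"""Added example (not from the work program): reading a backup log to confirm the most
recent successful backup for a job falls within the tolerance set for its criticality.
Log format, entries and tolerances are constructed."""
from datetime import datetime, timedelta

# Constructed backup log: timestamp, server, job, status, optional detail.
BACKUP_LOG = """\
2024-05-01 23:05:12 SRV-FIN01 AP_APP_DB SUCCESS
2024-05-02 23:04:58 SRV-FIN01 AP_APP_DB FAILED error=media full
2024-05-02 23:10:03 SRV-FIN01 SHARED_XLS SUCCESS
2024-05-03 23:05:40 SRV-FIN01 AP_APP_DB SUCCESS
2024-05-04 23:06:01 SRV-FIN01 AP_APP_DB FAILED error=timeout
"""

# How long an application may go without a good backup, by criticality (assumed values).
MAX_AGE = {"high": timedelta(days=1), "medium": timedelta(days=3), "low": timedelta(days=7)}

AS_OF = datetime(2024, 5, 5, 8, 0)  # time of the walk-through


def parse_backup_log(text):
    """Parse the constructed log format into dicts; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 5:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        entries.append({
            "time": ts,
            "server": parts[2],
            "job": parts[3],
            "status": parts[4],
            "detail": parts[5] if len(parts) > 5 else "",
        })
    return entries


def last_successful(entries, server, job):
    """Most recent SUCCESS entry for the job on the server, or None."""
    good = [e for e in entries if e["server"] == server and e["job"] == job
            and e["status"] == "SUCCESS"]
    return max(good, key=lambda e: e["time"]) if good else None


def backup_assessment(entries, server, job, criticality, as_of):
    """Returns (latest_run_succeeded, last_good_within_tolerance, last_good_time).

    The second flag is what the work program asks for when the latest run failed:
    was a successful backup taken within a reasonable time for this criticality?"""
    runs = [e for e in entries if e["server"] == server and e["job"] == job]
    if not runs:
        return (False, False, None)
    latest = max(runs, key=lambda e: e["time"])
    good = last_successful(entries, server, job)
    within = good is not None and (as_of - good["time"]) <= MAX_AGE[criticality]
    return (latest["status"] == "SUCCESS", within, good["time"] if good else None)


if __name__ == "__main__":
    entries = parse_backup_log(BACKUP_LOG)
    for job, crit in (("AP_APP_DB", "high"), ("AP_APP_DB", "medium"), ("SHARED_XLS", "medium")):
        print(job, crit, backup_assessment(entries, "SRV-FIN01", job, crit, AS_OF))
```

For the constructed log, AP_APP_DB's latest run failed and its last good backup is a little over a day old, so it passes the "medium" tolerance but not "high"; the auditor records the last good time and the failure detail as the evidence the test asks for.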


6. Issue/Risk: Critical spreadsheets may not be accurately calculating as intended.
   Testing:
   Test: Obtain a list of specific critical spreadsheets from management. Complete the following for each critical spreadsheet:
   • Obtain the most recent version, and judgmentally select a sample of different calculations according to the internal auditor way sample.
   • Recalculate totals to determine that the formulas are accurately calculating as intended. Note: Make sure to keep support or documentation of recalculations.

7. Issue/Risk: Access or unintended formula changes to critical spreadsheets may not be appropriately controlled.
   Testing: Ask management about the following regarding all the critical spreadsheets identified in Section F6 above:
   • The spreadsheets are located on a secured shared drive. Identify and document the drive.
   • Identify and assess additional controls surrounding access and protecting change to formulas (e.g., manual review and approval).
   Test: Determine that the drive noted in the inquiry above is secured and that access is restricted. Obtain a print screen of the drive's current access list from IT. Determine that the list of users is appropriate according to their roles and responsibilities.

8. Issue/Risk: System reports used by management may not be complete or accurate.
   Testing: Ask management what reports are used to monitor the process and where the report information comes from.
   Test: Based on the discussion with management, judgmentally select a sample of management reports and determine that each was reviewed for accuracy and completeness before it was used by management. For any reports that involve an interface between systems, verify that the information interface was also reviewed for accuracy and completeness.

9. Issue/Risk: Personally identifiable information (PII) (e.g., social security numbers, home addresses, etc.) may not be properly safeguarded, and the systems on which the information is stored may not be adequately restricted.
   Testing: Ask management what PII is available in the information they are using and, if PII is accessible to employees, how it is being safeguarded and how access to the respective systems is restricted.
   Test 1: Based on the discussion with management, observe that PII is properly safeguarded.
   Test 2: Obtain a print screen of the system's current access list from IT. Determine that the list of users is appropriate according to their roles and responsibilities.
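The PII inquiry starts from "what PII is available", and management's answer is easier to corroborate with a quick inventory of which PII kinds appear in which files, without copying the values themselves into the working papers. The following is an added example, not part of the work program; the file contents are constructed, and the patterns are deliberately simple assumptions (US social security numbers, e-mail addresses and US phone numbers) that a real data-discovery tool would refine.

```python
"""Added example (not from the work program): inventory which kinds of PII appear in a
set of files and redact them for working papers. Files and patterns are constructed."""
import re

# Simple, assumed patterns; real tooling would use stricter validation.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
}

# Constructed export, as a department might keep it on a shared drive.
SAMPLE_EXPORT = {
    "vendors.csv": "id,name,tax_id,contact\n1,Acme,12-3456789,ap@acme.example\n",
    "payroll_extract.csv": (
        "emp,ssn,home_phone\n"
        "101,123-45-6789,(555) 123-4567\n"
        "102,987-65-4321,555-987-6543\n"
    ),
    "notes.txt": "Quarterly close meeting 10am. Call vendor.\n",
}


def inventory_pii(files, patterns=PII_PATTERNS):
    """Map each file name to the PII kinds found and how many matches of each.
    Files with no matches are omitted; matched values are never returned."""
    found = {}
    for name, text in files.items():
        hits = {kind: len(rx.findall(text)) for kind, rx in patterns.items()}
        hits = {kind: n for kind, n in hits.items() if n}
        if hits:
            found[name] = hits
    return found


def mask(text, patterns=PII_PATTERNS):
    """Redact matches so an excerpt can be filed as evidence without the PII."""
    for kind, rx in patterns.items():
        text = rx.sub(f"[{kind} redacted]", text)
    return text


if __name__ == "__main__":
    for name, hits in inventory_pii(SAMPLE_EXPORT).items():
        print(name, hits)
    print(mask(SAMPLE_EXPORT["payroll_extract.csv"]))
```

The inventory tells the auditor which files to focus Test 1 (observation of safeguards) and Test 2 (the access list) on; the masked excerpt is what goes into the working papers.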

10. Issue/Risk: The company may not be up to date with its license compliance requirements.
    Testing: Ask management how a product is licensed, including what the basis of the license is (e.g., it may be based on the number of employees or perhaps on concurrent use). Ask if they are up to date with their license compliance requirements. (Consider what we know about the client when framing the compliance inquiry [e.g., consider who will likely need to use the system; for instance, are there new locations that will need licensing to use the system?].)

*Risk ratings should be “High” or “Medium.” This risk rating can help guide staff on how much time/how much
effort to concentrate on a specific risk.

**Consider the following control categories (defined below) when documenting the controls.

EXISTENCE
Controls exist to ensure that only valid assets and liabilities are recorded, assets are appropriately safeguarded,
and periodic accountability is maintained.

COMPLETENESS
Controls exist to ensure that actual transactions are not omitted from the records, all transactions (not duplicate or
fictitious) are reflected in the proper accounting period, transactions are recorded in the correct amounts, and
supporting records and ledgers agree to the general ledger (GL).

APPROVAL
Approval points and levels are identified for procedures in each process. Are approval points communicated
properly? System access levels support approval points and levels based on business needs only.

SEGREGATION
Conflicting tasks are not assigned to the same person/job description. System access levels support appropriate
segregation.

RELIABILITY
Transaction inputs and outputs are accurate and have operating integrity. Documentation exists and is available
to support transactions. Are validity points built into each step?

TIMELINESS
Transactions are recorded in a timely manner. Information is made available on a timely basis. When bottlenecks
are identified, appropriate resources are acquired or shared to handle workload increases.

MONITORING
Transaction outputs are monitored regularly. Workflow is incorporated into processes, and the appropriate
resources review data. System reports are available to adequately display management information. Key
Performance Indicators are identified, implemented and reviewed.
