
GENERAL

Client: (Company)

Audit Time Frame: (Date)

Audit Team: (Company) Internal Audit Team

Performed By: (Insert Names)

People Interviewed | Job Title/Role for Treasury

PLANNING AND INITIATION


The review will be performed in the following risk areas:
• Segregation of Duties
• Application Security Analysis
• (Insert Company Name) User Access Analysis
• Granting/Revoking User Access
• Default PS User ID access
• UNIX Security
• Oracle Database Security

1. SEGREGATION OF DUTIES

Columns: Step No. | Audit Steps | Completed By | WP Ref | Client Contact | Results | Implications/Root Cause
(Completed By reads "(Insert Name)" for every step; the remaining columns are blank in the template and are filled in during fieldwork.)

1.1 Obtain the appropriate (Insert Company Name) data files to conduct the analysis. Load the tables into the internal auditor (Insert Company Name) analyzer tool and run the setup process. This process will allow access to some of the segregation of duties (SOD) and security reports, which need to be investigated and validated with the users for implications and/or business reasons.

1.2 Obtain and review any SOD documentation available for treasury.

1.3 Identify users with access to enter transactions and confirm transactions/generate bank files.

1.4 Identify users with access to edit configuration items and transactions.

1.5 Identify users with access to confirm transactions/generated bank files, edit information in the outgoing bank file and send the file to the bank.

1.6 Identify and review users who have access to define ChartFields. Provide the report to (Company)'s internal audit group. Verify if the access is appropriate.

1.7 Identify and review users who have access to treasury general options. Provide the report to (Company)'s internal audit group. Verify if the access is appropriate.

1.8 Identify and review users who have access to establish business units. Provide the report to (Company)'s internal audit group. Verify if the access is appropriate.

1.9 Identify the permissions that have more than the required access. Match these permissions to the operators. Review this finding with (Company)'s internal audit group.

Source: www.knowledgeleader.com
2. APPLICATION SECURITY ANALYSIS

Columns: Step No. | Audit Steps | Completed By | WP Ref | Client Contact | Results | Implications/Root Cause
(Completed By reads "(Insert Name)" for every step; the remaining columns are blank in the template and are filled in during fieldwork.)

2.1 Run a query using the internal auditor (Insert Company Name) analyzer tool to identify, review and validate duplicate passwords.

2.2 Run a query using the internal auditor (Insert Company Name) analyzer tool to identify, review and validate failed login attempts. Obtain a screenshot of the password control screen in (Insert Company Name) to review if the Failed Login Attempts setting is turned on. Obtain the password controls for all users accessing treasury and compare them to company standards:
• Age
• Minimum length
• Character requirements (combination of characters and numbers)
• Changing the assigned password when logging in for the first time

2.3 Run a query using the internal auditor (Insert Company Name) analyzer tool to identify, review and validate appropriateness. Determine if the user is part of the FSCC group.

2.4 Run a query using the internal auditor (Insert Company Name) analyzer tool to review and validate locked accounts.

2.5 Run a query using the internal auditor (Insert Company Name) analyzer to identify, review and validate access to administer security.

2.6 Run a query using the internal auditor (Insert Company Name) analyzer to identify, review and validate access to Application Designer.

2.7 Run a query using the internal auditor (Insert Company Name) analyzer to identify, review and validate access to Application Engine.

2.8 Run a query using the internal auditor (Insert Company Name) analyzer to identify, review and validate access to Data Mover.

2.9 Run a query using the internal auditor (Insert Company Name) analyzer to identify, review and validate access to maintain security.

2.10 Run a query using the internal auditor (Insert Company Name) analyzer to identify, review and validate access to Mass Change.

2.11 Run a query using the internal auditor (Insert Company Name) analyzer to identify, review and validate access to Query.

2.12 Run a query using the internal auditor (Insert Company Name) analyzer to identify, review and validate access to (System).

2.13 Run a query using the internal auditor (Insert Company Name) analyzer to identify, review and validate access to Workflow Administrator.
3. (INSERT COMPANY NAME) USER ACCESS ANALYSIS

Columns: Step No. | Audit Steps | Completed By | WP Ref | Client Contact | Results | Implications/Root Cause
(Completed By reads "(Insert Name)" for every step; the remaining columns are blank in the template and are filled in during fieldwork.)

3.1 Select a sample of users to identify and review for appropriateness of access.

3.2 Identify and review users with access to maintain security for appropriateness and accuracy.

3.3 Run a query using the internal auditor (Insert Date) analyzer tool to identify all users having access to Correction mode. Verify with the security administrator that the access is accurate. Provide the list to (Company)'s internal audit team for further analysis and mapping with business needs.

3.4 Run a query using the internal auditor (Insert Date) analyzer tool to identify all users having access to the Add and Update/Display feature, including all developers and administrators. Provide the list to (Company)'s internal audit team for further analysis and mapping with business needs.

3.5 Interview the admin group to determine if auditing is turned on. Obtain a dump of the audit data from the Oracle database to ensure that it is effective.

3.6 Determine if system reports are run periodically. Inquire from the (Insert Date) admin group and obtain a sample to ensure that they are run.
4. GRANTING/REVOKING USER ACCESS

Columns: Step No. | Audit Steps | Completed By | WP Ref | Client Contact | Results | Implications/Root Cause
(Completed By reads "(Insert Name)" for every step; the remaining columns are blank in the template and are filled in during fieldwork.)

4.1 Identify the methods in place to add users to treasury:
• Obtain policies and procedures to grant user access.
• Walk through this process with the administrators, from obtaining a request all the way to the grant-access notification.
• Determine the process to ensure that the access is in accordance with the job description.
• Obtain the approval forms for the initial request.

4.2 Identify the procedure to revoke access for terminated employees:
• Select a sample of 10 terminated employees and ensure that their access is revoked.

4.3 Identify the procedures to change access for existing employees:
• Walk through a scenario for modifying user access and ensure that it is in accordance with company policy.
5. DEFAULT PS USER ID ACCESS

Columns: Step No. | Audit Steps | Completed By | WP Ref | Client Contact | Results | Implications/Root Cause
(Completed By reads "(Insert Name)" for every step; the remaining columns are blank in the template and are filled in during fieldwork.)

5.1 Identify and review the access to (Insert Date) delivered superclasses. If these classes are enabled, review the need and verify it with the security administrator.

5.2 Identify and review access to master users. Review the need and verify it with the security administrator.
6. UNIX SECURITY OVER PS DIRECTORIES

Columns: Step No. | Audit Steps | Completed By | WP Ref | Client Contact | Results | Implications/Root Cause
(Completed By reads "(Insert Name)" for every step; the remaining columns are blank in the template and are filled in during fieldwork.)

6.1 Determine root access for the database server and batch server:
• Obtain the access list to the root user ID from the security administrator.
• Determine who has access to the root password.
• Ensure that root access corresponds to the business operation.
• Ensure that root logins are done via the "su" command so that there is an audit trail that can be associated with a user ID (default, login file, etc.).

6.2 Obtain the names of all production servers. Get a screenshot of the root directories of the batch server. Obtain the owner of the root directories for the server.

6.3 Obtain a list of users that are part of the group.

6.4 Obtain a list of users logging in as the owner of the root directories. This is done by reviewing the syslog file and grepping it for the root owner.

6.5 Determine the execution permissions of the production root directories on all servers. The production directories should be non-writable by the development staff.

6.6 Determine who has access to create the Process Scheduler file.

6.7 Obtain the network diagram and inventory of the development and production servers.

6.8 Verify access to production support in the development environment.
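The UNIX checks in steps 6.1, 6.4 and 6.5 as a worked example, added here and not part of the work program or of any (Company) tooling: it extracts the user IDs behind su-to-root entries from a constructed syslog sample, counts root sessions that bypassed "su" (no user-ID trail), and lists group- or world-writable directories in a constructed production tree. The syslog line format, the /tmp paths and the sample user and host names are assumptions.

```shell
#!/bin/sh
# Added example for steps 6.1, 6.4 and 6.5; not part of the audit program.
# It runs against constructed data (a sample syslog and a sample directory
# tree under /tmp) so it can be executed offline. The syslog line format is
# the common "su" / "sshd" format and is an assumption: adjust the patterns
# to the format your servers actually write.

SAMPLE_LOG="${SAMPLE_LOG:-/tmp/audit_syslog_sample.log}"
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 08:12:41 psbatch su[4123]: (to root) jsmith on pts/2
Mar  3 08:15:02 psbatch sshd[4201]: Accepted publickey for root from 10.0.0.5 port 51324 ssh2
Mar  3 09:40:19 psbatch su[4490]: (to psoft) mlee on pts/1
Mar  3 10:02:55 psbatch su[4602]: (to root) mlee on pts/3
EOF

# 6.1/6.4: user IDs that became root via "su" (the audit trail the step asks for).
su_to_root_users() {
    grep -E 'su\[[0-9]+\]: \(to root\) ' "$1" |
        sed -E 's/.*\(to root\) ([^ ]+) on .*/\1/' | sort -u
}

# Root sessions opened directly (no "su") leave no user-ID trail: each one is
# a finding against step 6.1. Prints the count.
direct_root_login_count() {
    grep -Ec 'sshd\[[0-9]+\]: Accepted [a-z]+ for root ' "$1" || true
}

# 6.5: constructed production tree; appserv is deliberately group/world
# writable so the check below has something to flag.
PROD_ROOT="${PROD_ROOT:-/tmp/audit_prod_sample}"
mkdir -p "$PROD_ROOT/psprod/bin" "$PROD_ROOT/psprod/appserv"
chmod 755 "$PROD_ROOT" "$PROD_ROOT/psprod" "$PROD_ROOT/psprod/bin"
chmod 777 "$PROD_ROOT/psprod/appserv"

# Directories under the production root that group or others can write.
# Assumption: development staff are never the owning user, so the group and
# world write bits are what would give them write access.
writable_prod_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \)
}
writable_prod_dir_count() {
    writable_prod_dirs "$1" | wc -l | tr -d ' '
}

echo "Users who su'd to root:"; su_to_root_users "$SAMPLE_LOG"
echo "Direct root logins (findings): $(direct_root_login_count "$SAMPLE_LOG")"
echo "Writable production directories (findings):"; writable_prod_dirs "$PROD_ROOT"
```

On a real server, point SAMPLE_LOG at the actual syslog (or auth log) and PROD_ROOT at the production root directory, and compare the su list against the root access list obtained in 6.1.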

7. ORACLE DATABASE SECURITY

Columns: Step No. | Audit Steps | Completed By | WP Ref | Client Contact | Results | Implications/Root Cause
(Completed By reads "(Insert Name)" for every step; the remaining columns are blank in the template and are filled in during fieldwork.)

7.1 Obtain the version of the Oracle database.

7.2 Obtain a list of all users that have privileges and verify appropriateness.

7.3 Obtain a list of all users that have access passwords and verify appropriateness.

7.4 Ensure that the password was modified from its original and verify appropriateness.

7.5 Ensure that users don't have direct access to the tables to update, insert and delete rows.