
QUESTIONS                                                                 YES OR NO

6.1 Does your agency have a security/protection scheme for your Information and
    Communication Technology resources?
6.2 If YES, what is/are the measure/s being used by your office? (Check all items
    that are applicable)

    ☐ Security Policy, Guideline, and Procedure
    ☐ Regular security training of employees
    ☐ Back-up power unit (e.g. UPS, Generator)
    ☐ Disaster Recovery Plan
    ☐ Encryption
    ☐ Digital Signatures
    ☐ Hardware Firewall
    ☐ Off-site back-up
    ☐ Software Firewall
    ☐ Storage of back-up media off-site
    ☐ Anti-virus Software
    ☐ Restricted Data Center or Computer Room
    ☐ Intrusion Detection System
    ☐ Intrusion Prevention System
    ☐ Others, please specify

QUESTIONS                                                                 YES OR NO

7.1 Does your agency have a data archiving system?
7.2 If YES, what type of system does your agency use?
    ☐ Manual
    ☐ Electronic
    ☐ Both/Combination
7.3 If ELECTRONIC data archiving is being utilized, what is the mode?
    ☐ Conventional
    ☐ Cloud
7.4 If CONVENTIONAL mode, what is the medium of storage of the archived data?
    ☐ Tape
    ☐ Hard Disk
    ☐ External Hard Drive
    ☐ Optical disks (e.g. CD-ROM, DVD)
    ☐ Others, please specify
7.5 What information is archived by your agency electronically? (Check all items
    that are applicable)

    ☐ Annual Reports
    ☐ Unprocessed/Raw data
    ☐ Public Forms
    ☐ Journal Entries
    ☐ Letters, Memo, Communications, etc.
    ☐ Others, please specify
    ☐ Business transactions
| Name of Third Party | Brief Description of Service |
|---------------------|------------------------------|
|                     |                              |

9.1 Number of computing devices and peripherals

Total Number of Functioning Units

| TYPES                                           | OWNED | LEASED | DONATION |
|-------------------------------------------------|-------|--------|----------|
| Servers                                         |       |        |          |
| Desktop PC                                      |       |        |          |
| Laptop/Notebook/Netbook PC                      |       |        |          |
| Mobile Phone (incl. smart phones)               |       |        |          |
| Tablet PC                                       |       |        |          |
| Multi-function printer (print, copy, scan, etc.) |       |        |          |
| Printer only                                    |       |        |          |
| Digital Camera (include DSLR, if any)           |       |        |          |
| Scanner                                         |       |        |          |
| Smart Card Reader                               |       |        |          |
| External Hard Drive                             |       |        |          |
| Generator Set                                   |       |        |          |
| Others, please specify                          |       |        |          |

Accomplished by: (Agency Authorized Officer)

_______________________________
Signature over Printed Name

_______________________________
Designation/Position

_______________________________
Date
| Operating System | Lifetime License? | If Not, Write The Year Of Expiration |
|------------------|-------------------|--------------------------------------|

2.2.2 OS for Workstation (indicate if desktops or laptops)

| Operating System | Lifetime License? | If Not, Write The Year Of Expiration |
|------------------|-------------------|--------------------------------------|
| Windows 10       | No                | 12/30/2020                           |

2.2.3 OS for Stand-alone (indicate if desktops and laptops)

| Operating System | Lifetime License? | If Not, Write The Year Of Expiration |
|------------------|-------------------|--------------------------------------|
| none             |                   |                                      |

2.3 Databases

| Name Of Database | Database Management Software Used⁴ | Own Intellectual Property, Yes Or No | Acquisition Cost | Maintenance Cost |
|------------------|------------------------------------|--------------------------------------|------------------|------------------|
| CMS              | MySQL                              | No                                   | None             | none             |

2.4 Office Automation Software

| Software/Application Package | Lifetime License? | If Not, Write The Year Of Expiration |
|------------------------------|-------------------|--------------------------------------|
| MS Office 2016               | No                | 12/30/2020                           |
| MS Office 2013               | No                | 12/30/2020                           |
| MS Office 2010               | No                | 12/30/2020                           |
| MS Office 2017               | No                | 12/30/2020                           |
| MS Office XP                 |                   |                                      |
| MS Office 2003               |                   |                                      |
| Older than MS Office 2003    |                   |                                      |
| Open Project                 |                   |                                      |
| Open Office                  |                   |                                      |
| Others, please specify       |                   |                                      |

| Special Solution Package      | Use Or Purpose | Date Of Acquisition/Implementation | Cost       | Maintenance Cost |
|-------------------------------|----------------|------------------------------------|------------|------------------|
| Biometric System              | DTR            | 10/10/2017                         | 100,000.00 | 20,000.00        |
| CCTV System                   |                |                                    |            |                  |
| Cloud Computing               |                |                                    |            |                  |
| Geographic Information System |                |                                    |            |                  |
| Others, please specify        |                |                                    |            |                  |

⁴ E.g. DBMS are MS Excel, MS Access, MS SQL Server, MySQL, Oracle, SAP, IBM DB2, etc.
QUESTIONS                                                                 YES OR NO

7.4 If CONVENTIONAL mode, what is the medium of storage of the archived data?
    ☐ Tape
    ☐ Hard Disk
    ☐ External Hard Drive
    ☐ Optical disks (e.g. CD-ROM, DVD)
    ☐ Others, please specify
7.5 What information is archived by your agency electronically? (Check all items
    that are applicable)

    ☐ Annual Reports
    ☐ Unprocessed/Raw data
    ☐ Public Forms
    ☐ Journal Entries
    ☐ Letters, Memo, Communications, etc.
    ☐ Others, please specify
    ☐ Business transactions
| Name of Third Party | Brief Description of Service |
|---------------------|------------------------------|
| PLDT                | Internet Service Provider    |

9.1 Number of computing devices and peripherals

Total Number of Functioning Units

| TYPES                                           | OWNED | LEASED | DONATION |
|-------------------------------------------------|-------|--------|----------|
| Servers                                         | 2     | 3      |          |
| Desktop PC                                      | 50    |        |          |
| Laptop/Notebook/Netbook PC                      | 50    |        |          |
| Mobile Phone (incl. smart phones)               |       |        |          |
| Tablet PC                                       |       |        |          |
| Multi-function printer (print, copy, scan, etc.) |       |        |          |
| Printer only                                    | 20    |        |          |
| Digital Camera (include DSLR, if any)           |       |        |          |
| Scanner                                         |       |        |          |
| Smart Card Reader                               |       |        |          |
| External Hard Drive                             |       |        |          |
| Generator Set                                   | 1     |        |          |
| Others, please specify                          |       |        |          |

Accomplished by: (Agency Authorized Officer)

_______________________________
Signature over Printed Name

_______________________________
Designation/Position

_______________________________
Date
Annex B

INFORMATION SYSTEMS REVIEW OBSERVATION MEMORANDUM TEMPLATE

IS/IT Audit of the (Name of System and Agency)

Reference No.: ISROM-201X-0X                                   Date: __________

For:        Head of the Agency
            Position
            Name of Agency

Attention:  Head of IT Department/Others
            Position
            Name of Office

Thru:       Name of Resident Auditor

From:       Name of Team Supervisor
            IS Audit Team Supervisor

            Name of Team Leader                 Name of Co-TL
            IS Audit Team Leader                Co-Team Leader

            Name of Team Member
            IS Audit Team Member

Subject:    Audit Area

In the course of our audit, the following are our observations relative to the above
subject, based on the applicable laws, rules, regulations, current industry standards, and
best practice:

1. TOPIC SENTENCE - It should indicate the highlights/summary of the audit
   observation. The topic sentence should be briefly discussed and be able to present
   information on the condition, criteria, risk statement, cause and effect.

2. BODY OF THE ISROM - This consists of the detailed discussion of the ISROM.
   It should discuss the following items in a comprehensive manner:

   • INTRODUCTION TO THE AUDIT SUBJECT - It may include a definition of the
     audit subject and the importance of implementing appropriate protection for
     this subject.

   • RISK STATEMENT - A fundamental task of an IS/IT auditor is to identify and
     analyze risk. Furthermore, risk factors need to be stated clearly and
     concisely to support effective management of risk. Thus, it is critical that
     IS audit and control professionals know how to write a good risk statement
     that is impactful and aligned to better practice. A marker of a good-quality
     risk statement is that it can answer the following questions:¹
       o What could happen?
       o Why could it happen?
       o Why do we care?

   • CONDITION - State the situation prevailing in the agency at the time of the
     audit, i.e. the actual practice which violated the prescribed standards, laws,
     rules, regulations, and/or policies.

   • CRITERIA - The appropriate standard/s used, which may be derived from
     standards, laws, rules, regulations, and/or policies.

   • CAUSE - This states the action, inaction or inadequacy of action of
     management or its employees, as measured against the applicable criteria.

   • EFFECT/S - This states the outcome of an event affecting the business
     objectives. This element of the risk statement is important because it
     highlights why one should care about the risk. It is crucial that this is
     relevant, plausible and, ideally, quantified, to give this element meaning in
     real terms.²

3. RECOMMENDATION/S - This discusses the course of action offered to correct or
   remedy the deficiencies observed. The recommendations should neither be specific
   to any brand of products nor be a detailed procedure of management actions.
   Management should use its own judgment on what is best suited for its agency
   while considering its risk exposure. Due care should be taken in issuing
   recommendations so that they do not appear as a step-by-step dictation of what
   should be done. The mandate of the agency to decide on its own should be
   preserved.

¹ Writing Good Risk Statements, ISACA, https://www.isaca.org/Journal/archives/2014/Volume-3/Documents/Writing-Good-Risk-Statementsjoa_Eng_0514.pdf (accessed on 12/10/2020).
² Ibid.
We shall be grateful to receive your comments on the foregoing information systems
review observations, duly signed and dated, within five (5) days from receipt hereof.

Proof of Receipt:

_______________________________
Name and Signature

Date: __________________________
Annex C

<Name of the Agency>
<Address>

AGENCY ACTION PLAN and STATUS OF IMPLEMENTATION (AAPSI)

Information Systems Review Observation and Recommendations
on <Agency's system/s (subject of audit)>
As of ________, 20__

Note: Status of Implementation may either be (a) Fully Implemented, (b) Ongoing, or (c) Not Implemented.
*To be filled out by the COA auditor

Agency sign-off:

_______________________________          __________
Name                                     Date
Position of Agency Officer