
For Internal Use Only

General IT Controls Audit Program Guide (APG)


Access to Programs and Data Audit Program Guide

Columns: RAFITs | Control # | Automated or Manual | Illustrative control description | Illustrative control attribute description | Illustrative D&I test procedure description | Illustrative TOE test procedure description

RAFITs: 1.1 APD - Identification and authentication mechanisms are not implemented to restrict logical access to IT systems and data.
Control #: 1.1 APD-1
Automated or Manual: Automated
Illustrative control description (Password Configurations): <<Insert name>> system is authenticated through the use of passwords as a mechanism for validating that users are authorized to gain access to the <<insert name>> system.
Illustrative control attribute description:
1. <<Insert name>> system passwords are set to enforce the following password configurations in accordance with documented <<Company Information Security policy/insert name>> or the password policy in practice:
<<a. Minimum password length: Password length has a minimum of <<xx>> characters;
b. Complexity requirement: Password complexity requires alphanumeric <<add special>> characters;
c. Maximum password age: Password age requires passwords to be replaced every <<xx>> days;
d. Password history: Password history prevents re-using the last <<xx>> previous passwords;
e. Account lockout threshold: Account lockout enforces account locking after <<xx>> incorrect password attempts; and
f. Account lockout duration: Lockout duration is set at <<xx>> minutes.>>
2. Initial passwords of vendor seeded user IDs are disabled/removed or changed in accordance with documented <<Company Information Security policy/insert name>> or the password policy in practice.
Illustrative D&I test procedure description:
1. Inspected the <<Company Information Security policy/insert name>> describing the Company's control to enforce passwords when authenticating to the system. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the password policies in practice to determine whether the passwords are appropriate for the size and complexity of the entity.
2. Inquired of the <<IT system manager/insert name>> to determine whether the entity's <<insert name>> system is configured to authenticate through <<insert authentication methods (e.g. local authentication, single-sign on, mobile, etc.)>>.
3. Inspected system evidence to determine whether local authentication is enforced. Where users are authenticated via single-sign on <<or insert additional authentication methods (e.g. mobile)>>, testing for passwords is covered in the layer that enforces single-sign on <<or insert additional authentication methods (e.g. mobile)>>.
4. Inspected the password configurations for <<insert name>> system to determine whether they are in accordance with the <<Company Information Security policy/insert name>> or the password policy in practice:
<<a. Minimum password length: Password length has a minimum of <<xx>> characters;
b. Complexity requirement: Password complexity requires alphanumeric <<add special>> characters;
c. Maximum password age: Password age requires passwords to be replaced every <<xx>> days;
d. Password history: Password history prevents re-using the last <<xx>> previous passwords;
e. Account lockout threshold: Account lockout enforces account locking after <<xx>> incorrect password attempts;
f. Account lockout duration: Lockout duration is set at <<xx>> minutes.>>
5. Inspected system evidence to determine whether the initial passwords for the <<insert name>> system vendor seeded user IDs, specifically <<insert vendor seeded IDs>>, have been <<disabled/removed/changed>> in accordance with the <<Company Information Security policy/insert name>> or the password policy in practice.
Illustrative TOE test procedure description: Covered in D&I procedures.

INTERNAL USE ONLY

© 2023 Copyright owned by one or more of the KPMG International entities.
KPMG International entities provide no services to clients. All rights reserved.
KPMG refers to the global organization or to one or more of the member firms of KPMG International Limited (“KPMG International”), each of which is a separate legal entity. KPMG International Limited is a private English company limited by guarantee and does not provide services to clients. For more detail about our structure please visit home.kpmg/governance.
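The following is an added example, not part of the audit program guide: it re-performs D&I steps 4 and 5 of control 1.1 APD-1 by comparing a system's observed password settings (attributes a-f) with the documented thresholds and checking vendor seeded IDs. The policy values, observed settings and account list are constructed; the reading of 0 as "disabled" for maximum age and lockout threshold is an assumption to confirm against the audited system's documentation.

```python
"""Compare a system's observed password settings and vendor seeded IDs with the
documented policy, as in control 1.1 APD-1 (attributes 1a-f and 2).

Added example, not part of the audit program guide. The policy thresholds,
observed settings and account list are constructed sample data; in practice
they come from the <<Company Information Security policy>> and the
<<insert name>> system's configuration and user exports.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordSettings:
    min_length: int            # a. minimum password length, in characters
    complexity_enforced: bool  # b. alphanumeric <<add special>> characters required
    max_age_days: int          # c. maximum password age, in days (0 read as "never expires")
    history_count: int         # d. number of previous passwords that cannot be reused
    lockout_threshold: int     # e. incorrect attempts before lockout (0 read as "no lockout")
    lockout_duration_min: int  # f. lockout duration, in minutes


def evaluate_password_config(policy: PasswordSettings,
                             observed: PasswordSettings) -> list:
    """Return one finding per attribute whose observed value is weaker than policy.

    Comparisons are direction-aware: a longer minimum length, shorter maximum
    age, deeper history, lower lockout threshold or longer lockout duration is
    at least as strong as the policy and is not a finding. Reading 0 as
    "disabled" for maximum age and lockout threshold is an assumption that
    matches common OS account policies; confirm it against the vendor
    documentation of the system under audit.
    """
    findings = []
    if observed.min_length < policy.min_length:
        findings.append(f"a. minimum length {observed.min_length} is below policy ({policy.min_length})")
    if policy.complexity_enforced and not observed.complexity_enforced:
        findings.append("b. complexity requirement is not enforced")
    if observed.max_age_days == 0 or observed.max_age_days > policy.max_age_days:
        shown = observed.max_age_days or "never"
        findings.append(f"c. maximum age {shown} exceeds policy ({policy.max_age_days} days)")
    if observed.history_count < policy.history_count:
        findings.append(f"d. history {observed.history_count} is below policy ({policy.history_count})")
    if observed.lockout_threshold == 0 or observed.lockout_threshold > policy.lockout_threshold:
        shown = observed.lockout_threshold or "disabled"
        findings.append(f"e. lockout threshold {shown} exceeds policy ({policy.lockout_threshold} attempts)")
    if observed.lockout_duration_min < policy.lockout_duration_min:
        findings.append(f"f. lockout duration {observed.lockout_duration_min} is below policy ({policy.lockout_duration_min} minutes)")
    return findings


@dataclass(frozen=True)
class Account:
    enabled: bool
    initial_password_changed: bool  # vendor-supplied password has been replaced


def check_vendor_seeded_ids(seeded_ids: list, accounts: dict) -> list:
    """Attribute 2: each vendor seeded ID must be removed, disabled or have its initial password changed.

    `accounts` maps user ID to its current state; an ID absent from the map is
    treated as removed from the system, which satisfies the control.
    """
    findings = []
    for user_id in seeded_ids:
        account = accounts.get(user_id)
        if account is None or not account.enabled or account.initial_password_changed:
            continue
        findings.append(f"{user_id}: enabled and still using the vendor-supplied initial password")
    return findings


if __name__ == "__main__":
    # Constructed policy (fill from <<Company Information Security policy>>)
    policy = PasswordSettings(min_length=12, complexity_enforced=True, max_age_days=90,
                              history_count=10, lockout_threshold=5, lockout_duration_min=30)
    # Constructed observed settings of the <<insert name>> system
    observed = PasswordSettings(min_length=8, complexity_enforced=True, max_age_days=0,
                                history_count=24, lockout_threshold=10, lockout_duration_min=15)
    for line in evaluate_password_config(policy, observed):
        print("Exception:", line)
    # Constructed vendor seeded IDs and their account states
    seeded = ["vendor_admin", "vendor_batch", "vendor_support"]
    accounts = {"vendor_admin": Account(enabled=True, initial_password_changed=False),
                "vendor_batch": Account(enabled=False, initial_password_changed=False)}
    for line in check_vendor_seeded_ids(seeded, accounts):
        print("Exception:", line)
```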
RAFITs: 1.1 APD - Identification and authentication mechanisms are not implemented to restrict logical access to IT systems and data.
Control #: 1.1 APD-2
Automated or Manual: Manual
Illustrative control description (Approval of Exceptions to Password Configurations): Exceptions to the password policy are documented and approved by authorized personnel.
Illustrative control attribute description:
1. System owners document the rationale for exceptions to the password policy.
2. The exceptions are approved by an authorized user commensurate with the entity's IT delegation of authority.
Illustrative D&I test procedure description:
1. Inquired of the Company's <<IT management team/insert name>> regarding the control for exceptions to password policies as documented in the <<Company Information Security policy/insert name>> or based on the policy in practice, to determine whether the entity allows the businesses to formally accept the incremental risk this presents to the business.
2. Inspected the exception approval documentation to determine whether the <<Company Information Security policy/insert name>> or password policy in practice allows the business to formally accept the incremental risk.
Illustrative TOE test procedure description:
1. Inspected the <<password exception acceptance form>> to determine whether the business user, commensurate with the entity's IT delegation of authority, has approved the exception.

RAFITs: 1.2 APD - Logical access permissions are granted (new or modified) to users and accounts (including shared or generic accounts) that are inappropriate (i.e., unauthorized or not commensurate with job responsibilities).
Control #: 1.2 APD-1
Automated or Manual: Automated
Illustrative control description (Access Provisioning – Temporary Privileged Access): The <<insert name>> system is configured to automatically route requests for temporary privileged access to the appropriate approver.
Illustrative control attribute description:
1. <<Insert name>> system is configured to automatically route temporary privileged access requests for approval to an authorized user commensurate with the entity's IT delegation of authority.
Illustrative D&I test procedure description:
1. Inspected the Company's <<Company Information Security policies and procedures/insert name>> describing the Company's control to automatically route temporary privileged access requests for approval to an authorized user commensurate with the entity's IT delegation of authority. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inspected the <<insert name>> system configuration to determine whether temporary privileged access requests are automatically routed to the <<insert name of group, function, role, etc.>> in accordance with <<Company Information Security policies and procedures/insert name>> or the policy in practice.
3. Inspected system evidence within <<insert name>> system and other supporting documentation to determine whether access to approve requests is limited to the <<insert name of group, person, function>> commensurate with job responsibilities and the entity's IT delegation of authority.
4. Inspected a temporary privileged access request for <<insert name>> system to determine whether the request was routed for approval based on the <<insert name>> system configuration inspected above.
Illustrative TOE test procedure description: Covered in D&I procedures.

RAFITs: 1.2 APD - Logical access permissions are granted (new or modified) to users and accounts (including shared or generic accounts) that are inappropriate (i.e., unauthorized or not commensurate with job responsibilities).
Control #: 1.2 APD-2
Automated or Manual: Automated
Illustrative control description (Access Provisioning – All Users): The <<insert name>> system is configured to automatically route requests for new or modified access to the appropriate approver based on the type of access being requested.
Illustrative control attribute description:
1. <<Insert name>> system is configured to automatically route new hire access requests for approval to an authorized user commensurate with the entity's IT delegation of authority.
2. <<Insert name>> system is configured to automatically route requests for changes to existing access for approval to an authorized user commensurate with the entity's IT delegation of authority.
Illustrative D&I test procedure description:
1. Inspected the Company's <<Company Information Security policies and procedures/insert name>> describing the Company's control to automatically route new hire access requests and requests for changes to existing access for approval to an authorized user commensurate with the entity's IT delegation of authority. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inspected the <<insert name>> system configuration to determine whether new hire access requests are automatically routed to the <<insert name of group, function, role, etc.>> in accordance with <<Company Information Security policies and procedures/insert name>> or the policy in practice.
3. Inspected system evidence within <<insert name>> system and other supporting documentation to determine whether access to approve new hire access requests is limited to the <<insert name of group, person, function>> commensurate with job responsibilities and the entity's IT delegation of authority.
4. Inspected the <<insert name>> system configuration to determine whether requests for changes to existing access are automatically routed to the <<insert name of group, function, role, etc.>> in accordance with <<Company Information Security policies and procedures/insert name>> or the policy in practice.
5. Inspected system evidence within <<insert name>> system and other supporting documentation to determine whether access to approve requests for changes to existing access is limited to the <<insert name of group, person, function>> commensurate with job responsibilities and the entity's IT delegation of authority.
6. Inspected one user request for each approval type (where approval type may be dependent on "new hire" or "modification to existing access", and/or on the level of user access), to determine whether the request was routed for approval based on the <<insert name>> system configuration inspected above.
Illustrative TOE test procedure description: Covered in D&I procedures.

RAFITs: 1.2 APD - Logical access permissions are granted (new or modified) to users and accounts (including shared or generic accounts) that are inappropriate (i.e., unauthorized or not commensurate with job responsibilities).
Control #: 1.2 APD-3
Automated or Manual: Manual
Illustrative control description (Access Provisioning – All Users): Management approves the nature and extent of user access permissions for new and modified user access in <<insert name>> system.
Illustrative control attribute description:
1. Control operator determines that requests for new <<insert name>> system access or modification to existing <<insert name>> system access are approved by an authorized user commensurate with the entity's IT delegation of authority.
2. Control operator compares the permissions requested in the <<form/ticket>> to the <<approved security profiles or roles by job function>>.
3. Control operator determines that the access provisioned is consistent with access requested and approved.
Illustrative D&I test procedure description:
1. Inspected the Company's <<Company Information Security policies and procedures/insert name>> describing the control for provisioning IT system access for new users, and the control for making changes to existing user access, including the level/s of management authorized to approve new or changes to existing <<insert name>> system access. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inspected <<user access ticket/supporting evidence>> relevant to <<insert name>> system access provisioned for a new user during the period to determine whether new user access was approved by management based on job responsibilities and in accordance with <<Company Information Security policies and procedures/insert name>> or the policy in practice.
3. Inspected the <<provisioned system access/supporting evidence>> to determine whether <<insert name>> system access for the new user was provisioned as requested. Where relevant, inspected the <<provisioned system access/supporting evidence>> to determine whether the user was assigned to the appropriate group for the user in accordance with the request.
4. Inspected <<user access ticket/supporting evidence>> relevant to <<insert name>> system access modifications for an existing user during the period, to determine whether a modification in user access is approved by management based on job responsibilities. Inspected the <<provisioned system access/supporting evidence>> to determine whether <<insert name>> system access for the existing user was provisioned as requested. Where relevant, inspected the <<provisioned system access/supporting evidence>> to determine whether the user was assigned to the appropriate group for the user in accordance with the requested modification.
Illustrative TOE test procedure description:
1. For a selection of <<# of samples>> new and modified <<insert name>> system access granted during the period, inspected the <<user access ticket/supporting evidence>> to determine whether new or modified user access in <<insert name>> system was approved by an authorized user commensurate with the entity's IT delegation of authority.
2. For a selection of <<# of samples>> new and modified <<insert name>> system access granted during the period, inspected the permissions requested in the <<form/ticket>> against the <<approved security profiles or roles for the job function>> to determine whether they align.
3. For a selection of <<# of samples>> new and modified <<insert name>> system access granted during the period, inspected the relevant <<provisioned system access/supporting evidence>> for the selected users from the <<insert name>> system to determine whether new or modified user access was granted/modified based on the requested system access approved.
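The following is an added example, not part of the audit program guide: it re-performs the three TOE tests of control 1.2 APD-3 over a sample of access tickets (authorized approver, requested permissions within the role profile for the job function, and provisioned access consistent with what was approved), treating pre-existing access on a modification ticket as legitimate rather than as surplus. The role profiles, approver list, tickets and provisioned-access snapshot are constructed.

```python
"""Re-perform the comparison steps of control 1.2 APD-3 over a sample of
access tickets: approval by an authorized user, requested permissions within
the <<approved security profiles or roles for the job function>>, and
provisioned access consistent with what was requested and approved.

Added example, not part of the audit program guide. The role profiles,
authorized approvers, tickets and provisioned-access snapshot are
constructed sample data; real inputs come from the ticketing system and the
<<insert name>> system's user/role export.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AccessTicket:
    ticket_id: str
    user_id: str
    job_function: str
    requested: frozenset                   # permissions requested on the <<form/ticket>>
    approved: frozenset                    # permissions the approver signed off
    approver: Optional[str]                # None when no approval is recorded
    prior_access: frozenset = frozenset()  # access held before a modification (empty for a new user)


# <<approved security profiles or roles by job function>> (constructed)
ROLE_PROFILES = {
    "accounts_payable_clerk": frozenset({"AP_VIEW", "AP_ENTER_INVOICE"}),
    "accounts_payable_manager": frozenset({"AP_VIEW", "AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT"}),
}
# Personnel entitled to approve access per the entity's IT delegation of authority (constructed)
AUTHORIZED_APPROVERS = frozenset({"fin_director", "it_access_manager"})


def check_access_ticket(ticket: AccessTicket, provisioned: Dict[str, set]) -> List[str]:
    """Return the findings for one sampled ticket, numbered as in the TOE test procedure.

    `provisioned` maps user ID to the set of permissions currently held in the
    <<insert name>> system.
    """
    findings = []
    # 1. Approved by an authorized user commensurate with the delegation of authority
    if ticket.approver is None:
        findings.append("1. no approval recorded on the ticket")
    elif ticket.approver not in AUTHORIZED_APPROVERS:
        findings.append(f"1. approver '{ticket.approver}' is not an authorized approver")
    # 2. Requested permissions align with the approved profile for the job function
    profile = ROLE_PROFILES.get(ticket.job_function)
    if profile is None:
        findings.append(f"2. no approved profile exists for job function '{ticket.job_function}'")
    else:
        outside = sorted(ticket.requested - profile)
        if outside:
            findings.append(f"2. requested permissions outside the role profile: {outside}")
    # 3. Provisioned access matches the approved request; on a modification,
    #    access the user already held before the ticket is not counted as surplus
    actual = set(provisioned.get(ticket.user_id, ()))
    missing = sorted(ticket.approved - actual)
    surplus = sorted(actual - ticket.approved - ticket.prior_access)
    if missing:
        findings.append(f"3. approved permissions not provisioned: {missing}")
    if surplus:
        findings.append(f"3. provisioned permissions neither approved nor pre-existing: {surplus}")
    return findings


def check_sample(tickets: List[AccessTicket], provisioned: Dict[str, set]) -> Dict[str, List[str]]:
    """Run every sampled ticket; return {ticket_id: findings} for tickets with exceptions only."""
    results = {}
    for ticket in tickets:
        findings = check_access_ticket(ticket, provisioned)
        if findings:
            results[ticket.ticket_id] = findings
    return results


if __name__ == "__main__":
    # Constructed snapshot of access currently held in the <<insert name>> system
    provisioned = {"u100": {"AP_VIEW", "AP_ENTER_INVOICE"},
                   "u200": {"AP_VIEW", "AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT", "GL_POST"}}
    sample = [
        AccessTicket("T-1", "u100", "accounts_payable_clerk",
                     frozenset({"AP_VIEW", "AP_ENTER_INVOICE"}),
                     frozenset({"AP_VIEW", "AP_ENTER_INVOICE"}), "fin_director"),
        AccessTicket("T-2", "u200", "accounts_payable_clerk",
                     frozenset({"AP_VIEW", "AP_APPROVE_PAYMENT"}),
                     frozenset({"AP_VIEW", "AP_APPROVE_PAYMENT"}), "team_lead",
                     prior_access=frozenset({"AP_ENTER_INVOICE"})),
    ]
    for ticket_id, findings in check_sample(sample, provisioned).items():
        for line in findings:
            print(f"{ticket_id}: {line}")
```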
RAFITs: 1.2 APD - Logical access permissions are granted (new or modified) to users and accounts (including shared or generic accounts) that are inappropriate (i.e., unauthorized or not commensurate with job responsibilities).
Control #: 1.2 APD-3
Automated or Manual: Manual
Illustrative control description (Access Provisioning – Temporary Privileged Access): Management approves the nature and extent of temporary privileged access permissions in <<insert name>> system.
Illustrative control attribute description:
1. Control operator determines that requests for temporary privileged access in <<insert name>> system are approved by an authorized user commensurate with the entity's IT delegation of authority.
2. Control operator compares the permissions requested in the <<form/ticket>> to the <<approved security profiles or roles by job function>>.
3. Control operator determines that the access provisioned is consistent with access requested and approved.
Illustrative D&I test procedure description:
1. Inspected the Company's <<Company Information Security policies and procedures/insert name>> describing the control for provisioning IT system access for temporary privileged access, including the level/s of management authorized to approve temporary privileged <<insert name>> system access. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inspected <<user access ticket/supporting evidence>> relevant to <<insert name>> system temporary privileged access provisioned during the period to determine whether access was approved by management based on job responsibilities and in accordance with <<Company Information Security policies and procedures/insert name>> or the policy in practice.
3. Inspected the <<provisioned system access/supporting evidence>> to determine whether <<insert name>> system temporary privileged access was provisioned as requested.
Illustrative TOE test procedure description:
1. For a selection of <<# of samples>> <<insert name>> system temporary privileged accesses granted during the period, inspected the <<user access ticket/supporting evidence>> to determine whether temporary privileged access in <<insert name>> system was approved by an authorized user commensurate with the entity's IT delegation of authority.
2. For a selection of <<# of samples>> <<insert name>> system temporary privileged accesses granted during the period, re-performed the operation of the control and inspected the permissions requested in the <<form/ticket>> against the <<approved security profiles or roles for the job function>> to determine whether they align.
3. For a selection of <<# of samples>> <<insert name>> system temporary privileged accesses granted during the period, inspected the relevant <<provisioned system access/supporting evidence>> for the selected users from the <<insert name>> system to determine whether temporary privileged access was granted/modified based on the requested system access approved.

RAFITs: 1.3 APD - Logical access permissions are not revoked in a timely manner.
Control #: 1.3 APD-1
Automated or Manual: Automated
Illustrative control description (Access De-provisioning - Temporary Privileged Access): Temporary privileged access is revoked automatically within <<insert frequency>>.
Illustrative control attribute description:
1. The <<insert name>> system is configured to automatically revoke temporary privileged access within <<insert frequency>> of <<check-out, initial log-in, etc.>> in accordance with <<Company Information Security policy>> or the policy in practice.
Illustrative D&I test procedure description:
1. Inspected the Company's <<Company Information Security policies and procedures/insert name>> describing the control for revoking temporary privileged access. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inspected the system configuration to revoke temporary privileged access to <<insert name>> system to determine whether access was revoked within <<insert frequency>> of <<check-out, initial log-in, etc.>> in accordance with <<Company Information Security policies and procedures/insert name>> or the policy in practice.
3. Inspected one temporary privileged access request, to determine whether the access was revoked based on the <<insert name>> system configuration inspected above.
Illustrative TOE test procedure description: Covered in D&I procedures.

RAFITs: 1.3 APD - Logical access permissions are not revoked in a timely manner.
Control #: 1.3 APD-2
Automated or Manual: Automated
Illustrative control description (Access De-provisioning – All Users): Access for terminated/resigned users is removed every <<insert frequency>>, via an automated process, based on system updates from the <<relevant HR system/Identity Access Management Solution (IAM)>>.
Illustrative control attribute description:
1. The <<insert name>> system is configured to revoke terminated/resigned users' access every <<insert frequency>> based on <<terminated, resigned, etc.>> status provided by the <<relevant HR system/Identity Access Management Solution (IAM)>>.
Illustrative D&I test procedure description:
1. Inspected the Company's <<Company Information Security policies and procedures/insert name>> describing the control for de-provisioning <<insert name>> system access for users upon termination/resignation from the entity within <<insert frequency>>. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. For each status type (terminated/resigned) access request, inspected the system configuration for <<insert name>> system to revoke access every <<insert frequency>> in accordance with <<Company Information Security policies and procedures/insert name>> or the policy in practice.
3. Inspected one access request for each status type (terminated/resigned), to determine whether the access was revoked based on the <<insert name>> system configuration inspected above.
Illustrative TOE test procedure description: Covered in D&I procedures.

RAFITs: 1.3 APD - Logical access permissions are not revoked in a timely manner.
Control #: 1.3 APD-3
Automated or Manual: Manual
Illustrative control description (Access De-provisioning – All Users): Access for terminated/resigned users is removed within <<xx days - the specified period>> from <<insert name>> system.
Illustrative control attribute description:
1. Control operator revokes <<insert name>> system access of the terminated/resigned user within <<xx days - the specified period>> of the user's termination/resignation date, in accordance with the <<Company Information Security policy>> or the policy in practice.
Illustrative D&I test procedure description:
1. Inspected the Company's <<Company Information Security policies and procedures/insert name>> describing the control for revoking <<insert name>> system access within <<xx days - the specified period>> of termination/resignation. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inspected <<revoked system access/supporting evidence>> within the <<insert name>> system to determine whether <<insert name>> system access was revoked within <<xx days - the specified period>> of the user's termination/resignation date, in accordance with the <<Company Information Security policy>> or the policy in practice.
Illustrative TOE test procedure description:
1. For a selection of <<# of samples>> terminated/resigned users in the period that had access to the <<insert name>> system, inspected the <<revoked system access/supporting evidence>> to determine whether access was revoked within <<xx days - the specified period>> after the user's termination/resignation date, in accordance with the <<Company Information Security policy>> or the policy in practice.
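The following is an added example, not part of the audit program guide: it carries out the TOE test of control 1.3 APD-3 over a constructed termination list and a constructed account-status log, flagging users whose access was revoked later than <<xx days - the specified period>> or not at all, while treating access removed before the termination date as compliant and a still-open window as not yet an exception. The log line format, the user IDs and the threshold are assumptions.

```python
"""Test the timeliness of access revocation for terminated/resigned users, as
in control 1.3 APD-3: access must be revoked within <<xx days - the specified
period>> of the user's termination/resignation date.

Added example, not part of the audit program guide. The termination list,
revocation log lines and threshold are constructed sample data; real inputs
come from the <<relevant HR system>> and the <<insert name>> system's
account-status history.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Termination:
    user_id: str
    termination_date: date


def parse_revocation_log(lines: List[str]) -> Dict[str, date]:
    """Parse constructed 'YYYY-MM-DD user=<id> action=<disable|delete>' lines.

    Returns the earliest disable/delete date per user; other actions and
    malformed lines are ignored. The line format is an assumption of this
    example, not a format of any particular system.
    """
    revoked: Dict[str, date] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if fields.get("action") not in ("disable", "delete") or "user" not in fields:
            continue
        when = date.fromisoformat(parts[0])
        user = fields["user"]
        if user not in revoked or when < revoked[user]:
            revoked[user] = when
    return revoked


def evaluate_deprovisioning(terminations: List[Termination], revocations: Dict[str, date],
                            threshold_days: int, period_end: date) -> List[str]:
    """Return one finding per terminated user whose access was not revoked within threshold_days.

    A revocation dated on or before the termination date (access removed in
    advance) is compliant. A user with no revocation is a finding only once
    the deadline has passed by period_end; otherwise the window is still open.
    """
    findings = []
    for t in terminations:
        deadline = t.termination_date + timedelta(days=threshold_days)
        revoked_on = revocations.get(t.user_id)
        if revoked_on is None:
            if period_end > deadline:
                findings.append(f"{t.user_id}: access not revoked as of {period_end} "
                                f"(terminated {t.termination_date})")
        elif revoked_on > deadline:
            elapsed = (revoked_on - t.termination_date).days
            findings.append(f"{t.user_id}: revoked {elapsed} days after termination "
                            f"(limit {threshold_days})")
    return findings


if __name__ == "__main__":
    # Constructed HR terminations for the period
    terminations = [Termination("u1", date(2023, 3, 1)), Termination("u2", date(2023, 3, 1)),
                    Termination("u3", date(2023, 6, 20)), Termination("u4", date(2023, 2, 10))]
    # Constructed account-status log of the <<insert name>> system
    log_lines = ["2023-03-03 user=u1 action=disable",
                 "2023-03-15 user=u2 action=disable",
                 "2023-02-09 user=u4 action=disable",
                 "2023-03-10 user=u5 action=login"]
    for line in evaluate_deprovisioning(terminations, parse_revocation_log(log_lines),
                                        threshold_days=5, period_end=date(2023, 6, 30)):
        print("Exception:", line)
```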

RAFITs: 1.3 APD - Logical access permissions are not revoked in a timely manner.
Control #: 1.3 APD-4
Automated or Manual: Manual
Illustrative control description (Access De-provisioning - Temporary Privileged Access): Temporary privileged access is revoked within <<insert frequency>>.
Illustrative control attribute description:
1. Control operator revokes temporary privileged <<insert name>> system access within <<insert frequency>> of <<check-out, initial log-in, etc.>>, in accordance with <<Company Information Security policy>> or the policy in practice.
Illustrative D&I test procedure description:
1. Inspected the Company's <<Company Information Security policies and procedures/insert name>> describing the control for revoking temporary privileged access. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inspected <<revoked system access/supporting evidence>> to determine whether temporary privileged access to the <<insert name>> system is revoked within <<insert frequency>> of <<check-out, initial log-in, etc.>>, in accordance with <<Company Information Security policy>> or the policy in practice.
Illustrative TOE test procedure description:
1. For a selection of <<# of samples>> temporary privileged accesses in the period to the <<insert name>> system, inspected the <<revoked system access/supporting evidence>> to determine whether access was revoked within <<insert frequency>>, in accordance with company policies and procedures.

RAFITs:
1.3 APD - Logical access permissions are not revoked in a timely manner.
1.2 APD - Logical access permissions are granted (new or modified) to users and accounts (including shared or generic accounts) that are inappropriate (i.e., unauthorized or not commensurate with job responsibilities).
1.4 APD - Logical access to users and accounts (including shared or generic accounts) that can perform privileged tasks and functions within IT systems is inappropriate (i.e., unauthorized or not commensurate
Control #: 1.3 APD-5
Automated or Manual: Manual
Illustrative control description (User Access Review): Every <<insert frequency>>, business/functional managers review user access to determine whether user access is authorized and commensurate with job responsibilities.
Illustrative control attribute description:
1. User access reviews of <<insert name>> system are conducted <<insert frequency>> in accordance with <<Company Information Security policy>> or the policy in practice.
2. Business/functional managers commensurate with the entity's IT delegation of authority perform user access reviews.
3. Inappropriate access identified as a result of the user access review is investigated to determine if unauthorized tasks or functions were performed.
4. Control operators modify user access in accordance with the instruction from the business/functional managers as a result of the user access review.
Illustrative D&I test procedure description:
1. Inspected the Company's <<Company Information Security policies and procedures/insert name>> describing the process for reviewing user access to the <<insert name>> systems on a <<insert frequency>> basis and investigating unauthorized access. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inspected <<supporting evidence>> relevant to a user access review performed during the period, to determine whether user access was reviewed by a business/functional manager commensurate with the entity's IT delegation of authority, every <<insert frequency>>, in accordance with <<Company Information Security policy>> or the policy in practice.
3. For a requested access modification that resulted from the user access review, inspected <<supporting evidence>> to determine whether inappropriate access identified was investigated and the access modification was processed as requested.
Illustrative TOE test procedure description:
1. For a selection of <<# of samples>>, inspected the <<supporting evidence>> from the user access review to determine whether user access was reviewed by a business/functional manager commensurate with the entity's IT delegation of authority, every <<insert frequency>>, in accordance with documented <<Company Information Security policy>> or the policy in practice.
2. For a selection of <<# of samples>> requested modifications to <<insert name>> system access as a result of user access reviews during the period, inspected the <<supporting evidence>> to determine whether:
a. Unauthorized tasks or functions were performed, as a result of the inappropriate access; and
b. User access is modified based on the instruction.

Page 13

INTERNAL USE ONLY

© 2023 Copyright owned by one or more of the KPMG International entities.


KPMG International entities provide no services to clients.  All rights reserved.

KPMG refers to the global organization or to one or more of the member firms of KPMG International Limited (“KPMG International”), each of which is a separate legal entity. KPMG International Limited is a private English company limited by guarantee
and does not provide services to clients. For more detail about our structure please visit home.kpmg/governance.
Automated or Illustrative control Illustrative control attribute Illustrative D&I test procedure Illustrative TOE test
RAFITs Control #
Manual description description description procedure description
with job
responsibilities).
Control #: 1.4 APD-1
Automated or Manual: Automated

RAFITs:
1.2 APD - Logical access permissions are granted (new or modified) to users and accounts (including shared or generic accounts) that are inappropriate (i.e., unauthorized or not commensurate with job responsibilities).
1.3 APD - Logical access permissions are not revoked in a timely manner.
1.4 APD - Logical access to users and accounts (including shared or generic accounts) that can perform privileged tasks and functions within IT systems is inappropriate (i.e., unauthorized or not commensurate with job responsibilities).
2.3 PC - Logical access to implement changes to IT system program or configurations into the production environment is inappropriate (i.e., unauthorized or not commensurate with job responsibilities).

Illustrative control description: Privileged Access
Privileged access (i.e., configuration, data and security administrators) in <<insert name>> system is configured to restrict access to <<insert name of group, person, function, etc>> commensurate with job responsibilities.

Illustrative control attribute description:
1. <<Insert name>> system is configured with <<roles, groups, users, permissions, privileges, etc. (including shared or generic accounts)>> to restrict privileged access.
2. Privileged access in <<insert name>> system is restricted to <<insert name of group, person, function>>, commensurate with job responsibilities, specifically <<roles, groups, users, permissions, privileges, etc. (including shared or generic accounts)>>.

Illustrative D&I test procedure description:
1. Inspected the <<Company Information Security policies/insert name>> describing the control for restriction of privileged access within <<insert name>> system. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inquired of the Company's <<IT management team/insert name>> regarding the configured <<roles, groups, users, permissions, privileges, etc. (including shared or generic accounts)>> to restrict privileged access within <<insert name>> system.
3. Inspected system evidence to determine whether <<insert name>> system <<roles, groups, users, permissions, privileges, etc. (including shared or generic accounts)>> restricted privileged access based on the <<insert name>> system configuration inspected above.
4. Inspected system evidence within <<insert name>> system and other supporting documentation to determine whether privileged access is limited to the <<insert name of group, person, function>> commensurate with job responsibilities, specifically <<roles, groups, users, permissions, privileges etc. (including shared or generic accounts)>>.

Illustrative TOE test procedure description:
Covered in D&I procedures

Control #: 1.4 APD-2
Automated or Manual: Automated

RAFITs:
1.4 APD - Logical access to users and accounts (including shared or generic accounts) that can perform privileged tasks and functions within IT systems is inappropriate (i.e., unauthorized or not commensurate with job responsibilities).

Illustrative control description: Temporary Privileged Access
Temporary privileged access (i.e., configuration, data and security administrators) in <<insert name>> system is configured to restrict access to <<insert name of group, person, function, etc>>, commensurate with job responsibilities.

Illustrative control attribute description:
1. <<Insert name>> system is configured with <<roles, groups, users, permissions, privileges, etc.>> (including shared or generic accounts) to restrict temporary privileged access.
2. Temporary privileged access in <<insert name>> system is restricted to <<insert name of group, person, function>>, commensurate with job responsibilities, specifically <<roles, groups, users, permissions, privileges, etc.>> (including shared or generic accounts).

Illustrative D&I test procedure description:
1. Inspected the <<Company Information Security policies/insert name>> describing the control for restriction of temporary privileged access within <<insert name>> system. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inquired of the Company's <<IT management team/insert name>> regarding the configured <<roles, groups, users, permissions, privileges, etc.>> to restrict temporary privileged access within <<insert name>> system.
3. Inspected system evidence to determine whether <<insert name>> system <<roles, groups, users, permissions, privileges, etc.>> restricted temporary privileged access based on the <<insert name>> system configuration inspected above.
4. Inspected system evidence within <<insert name>> system and other supporting documentation to determine whether temporary privileged access is limited to the <<insert name of group, person, function>> commensurate with job responsibilities, specifically <<roles, groups, users, permissions, privileges etc.>>.

Illustrative TOE test procedure description:
Covered in D&I procedures
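Illustrative reconciliation for 1.4 APD-1 and 1.4 APD-2 (an added example, not part of this guide or of any client system): it compares a constructed export of role assignments against a constructed approved list of privileged-access holders and approved temporary grants, and returns the exceptions that D&I steps 3 and 4 look for, including shared or generic accounts holding privileged roles and temporary grants still assigned after their approved end date. Account names, role names and dates are assumptions.

```python
"""Privileged-access reconciliation for the attributes in 1.4 APD-1 and 1.4 APD-2.

Added example, not part of the audit program guide. The role names, account
names and the approved-access lists below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Constructed system export of <<insert name>> system: one tuple per role
# assignment (account, role, account type, grant expiry; None = permanent).
ROLE_ASSIGNMENTS = [
    ("alice",   "SECURITY_ADMIN", "named",   None),
    ("bob",     "DB_ADMIN",       "named",   None),
    ("carol",   "CONFIG_ADMIN",   "named",   date(2023, 3, 31)),  # temporary grant
    ("svc_etl", "DB_ADMIN",       "service", None),
    ("shared1", "SECURITY_ADMIN", "shared",  None),               # shared/generic account
    ("dave",    "REPORT_VIEWER",  "named",   None),               # not a privileged role
]

# Roles that count as privileged (configuration, data and security administrators).
PRIVILEGED_ROLES = {"SECURITY_ADMIN", "DB_ADMIN", "CONFIG_ADMIN"}

# Constructed approved list: the <<insert name of group, person, function>>
# management has documented for each privileged role (1.4 APD-1, attribute 2).
APPROVED_PRIVILEGED = {
    "SECURITY_ADMIN": {"alice"},
    "DB_ADMIN": {"bob", "svc_etl"},
    "CONFIG_ADMIN": set(),  # granted only through the temporary-access process
}

# Constructed approved temporary grants (1.4 APD-2): (account, role) -> approved end date.
APPROVED_TEMPORARY = {("carol", "CONFIG_ADMIN"): date(2023, 3, 31)}


@dataclass(frozen=True)
class Finding:
    account: str
    role: str
    reason: str


def _as_date(value):
    """Accept ISO strings as well as date objects for the as-of date."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def reconcile_privileged_access(assignments, as_of):
    """Return the exceptions an auditor would raise when comparing the system
    configuration (what is assigned) with the approved list (what should be)."""
    as_of = _as_date(as_of)
    findings = []
    for account, role, account_type, expiry in assignments:
        if role not in PRIVILEGED_ROLES:
            continue
        if account_type == "shared":
            # A shared or generic account with a privileged role removes accountability.
            findings.append(Finding(account, role, "shared or generic account holds privileged role"))
            continue
        if (account, role) in APPROVED_TEMPORARY:
            approved_until = APPROVED_TEMPORARY[(account, role)]
            if expiry is None or expiry > approved_until:
                findings.append(Finding(account, role, "temporary grant not bounded to approved period"))
            elif as_of > expiry:
                findings.append(Finding(account, role, "temporary grant expired but still assigned"))
            continue
        if account not in APPROVED_PRIVILEGED.get(role, set()):
            findings.append(Finding(account, role, "privileged role not on approved list"))
    return findings


def holders_by_role(assignments):
    """Who holds each privileged role: the evidence D&I step 4 compares with the approved group."""
    holders = {role: set() for role in PRIVILEGED_ROLES}
    for account, role, _account_type, _expiry in assignments:
        if role in PRIVILEGED_ROLES:
            holders[role].add(account)
    return holders


if __name__ == "__main__":
    for f in reconcile_privileged_access(ROLE_ASSIGNMENTS, as_of="2023-04-15"):
        print(f"{f.account:8} {f.role:15} {f.reason}")
```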

Control #: 1.5 APD-1
Automated or Manual: Automated

RAFITs:
1.5 APD - Physical access to facilities housing IT systems and/or electronic media is unauthorized or not commensurate with job responsibilities.

Illustrative control description: Physical Access Approval
The <<insert name>> system is configured to automatically route requests for IT facility access to the appropriate approver based on the type of access being requested.

Illustrative control attribute description:
1. <<Insert name>> system is configured to automatically route requests for IT facility access for approval to an authorized user commensurate with the entity's IT delegation of authority.

Illustrative D&I test procedure description:
1. Inspected the Company's <<Company Information Security policies and procedures/insert name>> describing the Company's control to automatically route requests for IT facility access for approval to an authorized user commensurate with the entity's IT delegation of authority. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inspected the <<insert name>> system configuration to determine whether new IT facility access requests are automatically routed for approval to an authorized user commensurate with the entity's IT delegation of authority.
3. Inspected one user request for each IT facility location, to determine whether the request was routed for approval based on the <<insert name>> system configuration inspected above.

Illustrative TOE test procedure description:
Covered in D&I procedures

Control #: 1.5 APD-2
Automated or Manual: Automated

RAFITs:
1.5 APD - Physical access to facilities housing IT systems and/or electronic media is unauthorized or not commensurate with job responsibilities.

Illustrative control description: Physical Access Removal
Access for terminated/resigned users is removed every <<insert frequency>>, via an automated process, based on system updates from the <<relevant HR system/Identity Access Management Solution (IAM)>>.

Illustrative control attribute description:
1. The <<insert name>> system is configured to revoke terminated/resigned users' access every <<insert frequency>> based on <<terminated, resigned, etc.>> status provided by the <<relevant HR system/Identity Access Management Solution (IAM)>>.

Illustrative D&I test procedure description:
1. Inspected the Company's <<Company Information Security policies and procedures/insert name>> describing the control for de-provisioning <<insert name>> system access upon termination/resignation from the entity within <<insert frequency>>. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. For each status type (terminated/resigned) of access removal request, inspected the system configuration to revoke access every <<insert frequency>>.
3. Inspected one access removal for each status type (terminated/resigned) and IT facility location, to determine whether the access was revoked based on the <<insert name>> system configuration inspected above.

Illustrative TOE test procedure description:
Covered in D&I procedures

Control #: 1.5 APD-3
Automated or Manual: Manual

RAFITs:
1.5 APD - Physical access to facilities housing IT systems and/or electronic media is unauthorized or not commensurate with job responsibilities.

Illustrative control description: Physical Access Approval
IT facility access is approved by management based on job responsibilities.

Illustrative control attribute description:
1. Control operator determines that requests for new IT facility access, or modifications to existing access levels, are approved by an authorized user commensurate with the entity's IT delegation of authority.
2. Control operator compares the IT facility access permissions requested in the <<form/ticket>> to the approved <<roles by job function>>.
3. Control operator determines that the IT facility access provisioned is consistent with the access requested and approved.

Illustrative D&I test procedure description:
1. Inspected the Company's <<Company Information Security policies and procedures/insert name>> describing the control for provisioning IT facility access for new users, and the control for making changes to existing user access, including the level/s of management authorized to approve new, or changes to existing, facility access. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inspected <<facility access ticket/supporting evidence>> relevant to IT facility access provisioned for a new user during the period, to determine whether new user access is approved by management based on job responsibilities. Inspected <<provisioned facility access/supporting evidence>> to determine whether IT facility access for the new user was processed as requested.
3. Inspected <<facility access ticket/supporting evidence>> relevant to IT facility access changed for an existing user during the period, to determine whether a change in user access is approved by management based on job responsibilities. Inspected <<provisioned facility access/supporting evidence>> to determine whether IT facility access for the existing user was processed as requested.

Illustrative TOE test procedure description:
1. For a selection of <<# of samples>> new and modified IT facility access granted during the period, inspected the <<facility access ticket/supporting evidence>>, to determine whether new or modified IT facility access is approved by an authorized user commensurate with the entity's IT delegation of authority.
2. For a selection of <<# of samples>> new and modified IT facility access granted during the period, inspected the permissions requested in the <<form/ticket>>, to determine whether they align with the approved <<roles by job function>>.
3. For a selection of <<# of samples>> new and modified IT facility access granted during the period, inspected the <<provisioned facility access/supporting evidence>>, to determine whether new or modified IT facility access is granted/modified based on the requested access approved.
Control #: 1.5 APD-4
Automated or Manual: Manual

RAFITs:
1.5 APD - Physical access to facilities housing IT systems and/or electronic media is unauthorized or not commensurate with job responsibilities.

Illustrative control description: Physical Access Removal
IT facility access for terminated users is removed within <<insert frequency, e.g. xx days – the specified period>>.

Illustrative control attribute description:
1. Control operator revokes IT facility access of the terminated/resigned user within <<xx days – the specified period>> of the user's termination/resignation date, in accordance with company policies and procedures.

Illustrative D&I test procedure description:
1. Inspected the Company's <<Company Information Security policies and procedures/insert name>> describing the control for de-provisioning IT facility access upon termination/resignation from the entity. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inspected <<revoked facility access/supporting evidence>> relevant to revoked IT facility access for a user during the period, to determine whether the corresponding access was deactivated in a timely manner.

Illustrative TOE test procedure description:
1. For a selection of <<# of samples>> IT facility access revoked during the period due to termination/resignation, inspected the <<revoked facility access/supporting evidence>>, to determine whether IT facility access was revoked within <<xx days – specified period>> after the user's termination/resignation date, in accordance with company policies and procedures.
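Illustrative timeliness check for 1.5 APD-2 and 1.5 APD-4 (an added example, not part of this guide or of any client system): it joins a constructed HR status feed to constructed IT facility access records and reports every access that was not revoked within <<xx days>> of the termination/resignation date, which is the comparison the TOE step performs on each sample. User ids, facility names, dates and the 3-day SLA are assumptions; a leaver whose access is still active but still inside the window is deliberately not reported yet.

```python
"""Leaver de-provisioning timeliness check for 1.5 APD-2 and 1.5 APD-4.

Added example, not part of the audit program guide. The HR feed, the access
records, the facility names and the SLA value are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Statuses from the <<relevant HR system/IAM>> that must trigger revocation.
LEAVER_STATUSES = {"terminated", "resigned"}

# Constructed HR status feed: (user id, status, effective date).
HR_STATUS = [
    ("u1001", "terminated", date(2023, 5, 2)),
    ("u1002", "resigned",   date(2023, 5, 5)),
    ("u1003", "terminated", date(2023, 5, 9)),
    ("u1004", "active",     date(2022, 1, 10)),
    ("u1005", "resigned",   date(2023, 5, 20)),
]

# Constructed IT facility access records: (user id, facility, revoked on; None = still active).
ACCESS_RECORDS = [
    ("u1001", "DC-EAST",        date(2023, 5, 3)),
    ("u1001", "HQ-SERVER-ROOM", date(2023, 5, 3)),
    ("u1002", "DC-EAST",        date(2023, 5, 15)),  # revoked, but after the deadline
    ("u1003", "DC-EAST",        None),               # never revoked
    ("u1004", "DC-EAST",        None),               # active employee, nothing to revoke
    ("u1005", "HQ-SERVER-ROOM", date(2023, 5, 21)),
]


@dataclass(frozen=True)
class Finding:
    user: str
    facility: str
    status: str
    days_open: int   # days from the leaver date to revocation, or to as_of if still active
    reason: str


def _as_date(value):
    """Accept ISO strings as well as date objects."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def check_revocations(hr_feed, access_records, sla_days, as_of):
    """Return one Finding per access not revoked within sla_days of the user's
    termination/resignation date, the comparison in the TOE step of 1.5 APD-4."""
    as_of = _as_date(as_of)
    leavers = {user: (status, left_on) for user, status, left_on in hr_feed
               if status in LEAVER_STATUSES}
    findings = []
    for user, facility, revoked_on in access_records:
        if user not in leavers:
            continue                      # active staff are out of scope for this control
        status, left_on = leavers[user]
        deadline = left_on + timedelta(days=sla_days)
        if revoked_on is None:
            if as_of > deadline:          # still active and the window has closed
                findings.append(Finding(user, facility, status, (as_of - left_on).days,
                                        "access still active after deadline"))
            continue                      # still inside the window: not an exception yet
        if revoked_on > deadline:
            findings.append(Finding(user, facility, status, (revoked_on - left_on).days,
                                    "revoked after deadline"))
    return findings


def coverage_by_status(hr_feed, access_records, sla_days, as_of):
    """Leavers and exceptions per status type, mirroring D&I step 2 of 1.5 APD-2,
    which inspects the revocation configuration for each status type separately."""
    summary = {}
    for _user, status, _effective in hr_feed:
        if status in LEAVER_STATUSES:
            summary.setdefault(status, {"leavers": 0, "exceptions": 0})["leavers"] += 1
    for finding in check_revocations(hr_feed, access_records, sla_days, as_of):
        summary[finding.status]["exceptions"] += 1
    return summary


if __name__ == "__main__":
    for f in check_revocations(HR_STATUS, ACCESS_RECORDS, sla_days=3, as_of="2023-06-01"):
        print(f"{f.user} {f.facility:15} {f.status:10} {f.days_open:3}d  {f.reason}")
    print(coverage_by_status(HR_STATUS, ACCESS_RECORDS, sla_days=3, as_of="2023-06-01"))
```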

Control #: 1.5 APD-5
Automated or Manual: Manual

RAFITs:
1.5 APD - Physical access to facilities housing IT systems and/or electronic media is unauthorized or not commensurate with job responsibilities.

Illustrative control description: Physical Access Review
Every <<insert frequency>>, business/functional managers review IT facility access to determine whether physical access is authorized and commensurate with job responsibilities.

Illustrative control attribute description:
1. IT facility access reviews of <<insert name>> system are conducted <<insert frequency>> in accordance with <<Company Information Security policy>> or the policy in practice.
2. Business/functional managers commensurate with the entity's IT delegation of authority perform physical access reviews.
3. Inappropriate physical access identified as a result of the physical access review is investigated to determine if unauthorized users accessed the IT facilities.
4. Control operators modify physical access in accordance with the instruction from the business/functional managers as a result of the physical access review.

Illustrative D&I test procedure description:
1. Inspected the Company's <<Company Information Security policies and procedures/insert name>> describing the process for reviewing physical access to the IT facilities on a <<insert frequency>> basis and investigating unauthorized physical access. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inspected <<supporting evidence>> relevant to a physical access review performed during the period, to determine whether physical access was reviewed by a business/functional manager commensurate with the entity's IT delegation of authority, every <<insert frequency>>, in accordance with <<Company Information Security policy>> or the policy in practice.
3. For a requested physical access modification that resulted from the physical access review, inspected <<supporting evidence>> to determine whether inappropriate access was investigated and the physical access modification was processed as requested.

Illustrative TOE test procedure description:
1. For a selection of <<# of samples>>, inspected the <<supporting evidence>> from the physical access review to determine whether physical access was reviewed by a business/functional manager commensurate with the entity's IT delegation of authority, every <<insert frequency>> in accordance with documented <<Company Information Security policy>> or the policy in practice.
2. For a selection of <<# of samples>> requested physical access modifications to IT facilities, as a result of physical access reviews during the period, inspected the <<supporting evidence>>, to determine whether:
   a. Unauthorized users accessed IT facilities; and
   b. Physical access was modified based on the instruction.
Program Change Audit Program Guide

Control #: 2.1 PC-1
Automated or Manual: Automated

RAFITs:
2.1 PC - Changes to IT programs were inappropriate (i.e., unapproved or do not function as intended).

Illustrative control description: IT Program Change Approval
The <<insert name>> system is configured to automatically route program change requests to the appropriate <<insert name of group (i.e., system business owner and/or IT owner)>> for approval to implement the IT program change into the production environment.

Illustrative control attribute description:
1. <<Insert name>> system is configured to automatically route IT program change requests for approval to an authorized user commensurate with the entity's IT delegation of authority.

Illustrative D&I test procedure description:
1. Inspected the Company's <<Company Change Management policies and procedures/insert name>> describing the Company's control to automatically route IT program change requests for approval to an authorized user commensurate with the entity's IT delegation of authority. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inspected the <<insert name>> system configuration to determine whether IT program change requests are automatically routed to the <<insert name of group, function, role, etc.>> in accordance with <<Company Change Management policies and procedures/insert name>> or policy in practice.
3. Inspected system evidence within <<insert name>> system and other supporting documentation to determine whether access to approve requests is limited to the <<insert name of group, person, function>> commensurate with job responsibilities and the entity's IT delegation of authority.
4. Inspected one IT program change request for each approval type (where approval may be dependent on the type of change) to determine whether the request was routed for approval based on the <<insert name>> system configuration inspected above.

Illustrative TOE test procedure description:
Covered in D&I procedures

Control #: 2.1 PC-2
Automated or Manual: Manual

RAFITs:
2.1 PC - Changes to IT programs were inappropriate (i.e., unapproved or do not function as intended).

Illustrative control description: IT Program Change Approval
Changes to IT system programs are approved by the business/IT prior to implementation into the production environment.

Illustrative control attribute description:
1. The business/IT authorized user, commensurate with the entity's IT delegation of authority, provides the final approval to implement the change to the IT system program in the <<insert name>> system production environment.
2. Control operator implements/migrates the change to the IT system program into the <<insert name>> production environment after final approval was provided by the business/IT.

Illustrative D&I test procedure description:
1. Inspected the <<Company Change Management policy/insert name>> describing the control for the final approval requirements before changes to the IT system program are implemented into the production environment. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. For each type of IT system program change within <<insert name>> system, inspected <<change ticket/evidence>> to determine whether final approval for implementation into the production environment was obtained prior to implementation, in accordance with the <<Company Change Management policy/insert name>> or policy in practice.
3. Where management asserts that there have been no IT program changes to the <<insert name>> system, inspected system evidence to determine whether there have been no changes during the period.

Illustrative TOE test procedure description:
1. For a selection of <<# of samples>> changes to the IT system program, inspected the approval from the business/IT within the <<change ticket/evidence>>, to determine whether the changes to the IT system program have been approved by an authorized user commensurate with the entity's IT delegation of authority.
2. For a selection of <<# of samples>> changes to the IT system program, inspected the date of final approval from the business/IT, to determine whether the changes to the IT system program have been approved before changes were implemented into the production environment.

Control #: 2.1 PC-3
Automated or Manual: Manual

RAFITs:
2.1 PC - Changes to IT programs were inappropriate (i.e., unapproved or do not function as intended).

Illustrative control description: IT Program Change Testing
Changes to IT system programs are tested and approved prior to implementation into the production environment.

Illustrative control attribute description:
1. Control operator executes and completes <<insert type of test, i.e., system, user acceptance, and/or regression>> testing, and documented test results have met the criteria set for "success".
2. Authorized stakeholder, commensurate with the entity's IT delegation of authority, approves the test results prior to implementation to the production environment.

Illustrative D&I test procedure description:
1. Inspected <<Company Change Management policy/insert name>> describing the control for testing IT system program changes and the required approvals to indicate that testing was successful. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. For each type of IT system program change to <<insert name>> system, inspected:
   a) <<insert type of test, e.g. system, user acceptance, regression>> test plans/scripts based on the testing requirements for the type of change;
   b) evidence of successful results based on each <<insert type of test, i.e., system, user acceptance, and/or regression>> test plan/script; and
   c) evidence of approvals from <<insert business and/or IT individuals/groups>> to determine the change was approved prior to the change implementation date.

Illustrative TOE test procedure description:
1. For the sample chosen related to 2.1 PC-1 or 2.1 PC-2, inspected the supporting test results:
   • to determine whether they are documented; and
   • to determine whether the results indicate "success", as per the established test plan.
2. For the sample chosen related to 2.1 PC-1 or 2.1 PC-2, inspected system evidence to determine whether authorized stakeholders commensurate with the entity's IT delegation of authority provided approval after the test plan had been executed and prior to implementation of the change to the production environment.
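Illustrative change-ticket check for 2.1 PC-2 and 2.1 PC-3 (an added example, not part of this guide or of any client system): for each constructed change ticket it tests the attributes in order, documented test results marked "success" and signed off before go-live, final approval by a user on the delegation-of-authority list, and final approval dated before implementation, and it also handles the case in D&I step 3 of 2.1 PC-2 where management asserts that no changes occurred. Ticket ids, approver names, change types and dates are assumptions.

```python
"""Change approval and testing evidence check for 2.1 PC-2 and 2.1 PC-3.

Added example, not part of the audit program guide. Ticket ids, approver names,
the delegation-of-authority table and all dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed delegation of authority: who may give final approval per change type.
FINAL_APPROVERS = {
    "program": {"jsmith", "mlee"},
    "configuration": {"mlee"},
}


@dataclass(frozen=True)
class Change:
    ticket: str
    change_type: str                  # "program" or "configuration"
    test_result: Optional[str]        # documented outcome, e.g. "success"
    test_approved_on: Optional[date]  # stakeholder sign-off on the test results
    final_approver: Optional[str]
    final_approval_on: Optional[date]
    implemented_on: date              # migration into the production environment


# Constructed change tickets exported from the <<insert name>> change-management tool.
CHANGES = [
    Change("CHG-1001", "program", "success", date(2023, 2, 6), "jsmith", date(2023, 2, 7), date(2023, 2, 8)),
    Change("CHG-1002", "program", "success", date(2023, 3, 2), "jsmith", date(2023, 3, 5), date(2023, 3, 3)),
    Change("CHG-1003", "program", None, None, "mlee", date(2023, 4, 1), date(2023, 4, 2)),
    Change("CHG-1004", "configuration", "success", date(2023, 4, 9), "jsmith", date(2023, 4, 10), date(2023, 4, 11)),
    Change("CHG-1005", "program", "failed", date(2023, 5, 1), "mlee", date(2023, 5, 2), date(2023, 5, 3)),
]


def _as_date(value):
    """Accept ISO strings as well as date objects."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def review_change(chg):
    """Exceptions for one ticket, in the order the guide's attributes list them."""
    issues = []
    # 2.1 PC-3: testing executed, results documented as "success", signed off before go-live.
    if chg.test_result is None:
        issues.append("no documented test results")
    elif chg.test_result != "success":
        issues.append("test results do not indicate success")
    if chg.test_approved_on is None or chg.test_approved_on > chg.implemented_on:
        issues.append("test results not approved before implementation")
    # 2.1 PC-2: final approval by an authorized user, obtained before implementation.
    if chg.final_approver not in FINAL_APPROVERS.get(chg.change_type, set()):
        issues.append("final approver not authorized for this change type")
    if chg.final_approval_on is None or chg.final_approval_on > chg.implemented_on:
        issues.append("implemented before final approval")
    return issues


def review_period(changes, start, end, management_asserts_no_changes=False):
    """Exceptions per ticket implemented within [start, end]. When management asserts
    there were no changes (D&I step 3 of 2.1 PC-2), every ticket implemented in the
    period contradicts that assertion and is returned instead."""
    start, end = _as_date(start), _as_date(end)
    in_period = [c for c in changes if start <= c.implemented_on <= end]
    if management_asserts_no_changes:
        return {"assertion_contradicted_by": [c.ticket for c in in_period]}
    exceptions = {}
    for chg in in_period:
        issues = review_change(chg)
        if issues:
            exceptions[chg.ticket] = issues
    return exceptions


if __name__ == "__main__":
    for ticket, issues in review_period(CHANGES, "2023-01-01", "2023-06-30").items():
        print(ticket, "; ".join(issues))
```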

Control 2.2 PC-1 (Automated): IT Configuration Change Approval
RAFIT 2.2 PC: Changes to IT configurations were inappropriate (i.e., unapproved or do not function as intended).

Illustrative control description:
The <<insert name>> system is configured to automatically route IT configuration change requests to the appropriate <<insert name of group (i.e., system business owner and/or IT owner)>> for approval.

Illustrative control attribute description:
1. <<Insert name>> system is configured to automatically route IT configuration change requests for approval to an authorized user commensurate with the entity’s IT delegation of authority.

Illustrative D&I test procedure description:
1. Inspected the Company’s <<Company Change Management policies and procedures/insert name>> describing the Company's control to automatically route IT configuration change requests for approval to an authorized user commensurate with the entity’s IT delegation of authority. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inspected the <<insert name>> system configuration to determine whether IT configuration change requests are automatically routed to the <<insert name of group, function, role, etc.>> in accordance with <<Company Change Management policies and procedures/insert name>> or policy in practice.
3. Inspected system evidence within <<insert name>> system and other supporting documentation to determine whether access to approve requests is limited to the <<insert name of group, person, function>> commensurate with job responsibilities and the entity’s IT delegation of authority.
4. Inspected one IT configuration change request for each approval type (where approval may be dependent on the type of change) to determine whether the request was routed for approval based on the <<insert name>> system configuration inspected above.

Illustrative TOE test procedure description:
Covered in D&I procedures

Page 24

INTERNAL USE ONLY

© 2023 Copyright owned by one or more of the KPMG International entities.

KPMG International entities provide no services to clients. All rights reserved.

KPMG refers to the global organization or to one or more of the member firms of KPMG International Limited (“KPMG International”), each of which is a separate legal entity. KPMG International Limited is a private English company limited by guarantee and does not provide services to clients. For more detail about our structure please visit home.kpmg/governance.

Control 2.2 PC-2 (Manual): IT Configuration Change Approval
RAFIT 2.2 PC: Changes to IT configurations were inappropriate (i.e., unapproved or do not function as intended).

Illustrative control description:
Changes to <<insert name>> system configurations are approved by the business/IT prior to implementation into the production environment.

Illustrative control attribute description:
1. The business/IT authorized user commensurate with the entity’s IT delegation of authority, provides the final approval to implement the IT configuration change in the <<insert name>> system production environment.
2. Control operator implements the <<insert name>> system configuration change into the production environment after approval was provided by the business/IT.

Illustrative D&I test procedure description:
1. Inspected the <<Company Change Management policy/insert name>> describing the control for the final approval requirements before configuration changes are made to the production environment of the <<insert name>> system. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. For each type of IT configuration change within the <<insert name>> system, inspected <<change ticket/evidence>> to determine whether final approval for implementation into the production environment was obtained prior to implementation, in accordance with the <<Company Change Management policy/insert name>> or the policy in practice.

Illustrative TOE test procedure description:
1. For a selection of <<# of samples>> <<insert name>> system configuration changes, inspected the documentation of approval from the business/IT user within the <<configuration change ticket/evidence>>, to determine whether the changes to the system configuration have been approved by an authorized user commensurate with the entity’s IT delegation of authority.
2. For a selection of <<# of samples>> <<insert name>> system configuration changes, inspected the date of approval from the business/IT within the <<configuration change ticket/evidence>>, to determine whether the changes to the system configuration have been approved before configuration changes were implemented into the production environment.

Control 2.2 PC-3 (Manual): IT Configuration Change Testing
RAFIT 2.2 PC: Changes to IT configurations were inappropriate (i.e., unapproved or do not function as intended).

Illustrative control description:
Changes to <<insert name>> system configurations are tested and approved prior to implementation into the production environment.

Illustrative control attribute description:
1. Control operator executes and completes <<insert type of test, e.g. system, user acceptance, regression>> testing, and documented test results have met the criteria set for "success".
2. Authorized stakeholder, commensurate with the entity’s IT delegation of authority, approves the test results prior to implementation to the production environment.

Illustrative D&I test procedure description:
1. Inspected <<Company Change Management policy/insert name>> describing the control for testing IT system configurations and the required approvals to indicate that testing was successful. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. For each type of IT configuration change implemented during the period, inspected:
a) <<insert type of test, e.g. system, user acceptance, regression>> test plans/scripts based on the testing requirements for the type of change;
b) evidence of successful results based on each <<insert type of test, e.g. system, user acceptance, regression>> test plan/script; and
c) evidence of approvals from <<insert business and/or IT individuals/groups>> to determine they were documented and approved prior to the change implementation date.

Illustrative TOE test procedure description:
1. For the sample chosen related to 2.2 PC-1 or 2.2 PC-2, inspected the supporting test results:
• to determine whether testing performed is documented, and
• to determine whether the results indicate "success", as per the established test plan.
2. For the sample chosen related to 2.2 PC-1 or 2.2 PC-2, inspected the <<configuration change ticket/evidence>>, to determine whether authorized stakeholders commensurate with the entity’s IT delegation of authority provided approval after the test plan has been executed and prior to implementation of the change to the production environment.

Control 2.2 PC-4 (Manual): Emergency Change Approval
RAFITs 2.1 PC: Changes to IT programs were inappropriate (i.e., unapproved or do not function as intended); 2.2 PC: Changes to IT configurations were inappropriate (i.e., unapproved or do not function as intended).

Illustrative control description:
Emergency changes are tested and approved in accordance with the <<Company Change Management policy/insert name>>.

Illustrative control attribute description:
1. Control operator appropriately categorizes a change as an emergency change as per the <<Company Change Management policy/insert name>>.
2. The business/IT authorized user commensurate with the entity’s IT delegation of authority, approves the emergency change post-implementation.
3. Control owner performs testing <<and/or>> post-implementation review for the emergency change.

Illustrative D&I test procedure description:
1. Inspected the <<Company Change Management policy/insert name>> describing the control for emergency change and the supporting documentation required for this type of change. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. For an emergency change within <<insert name>> system, inspected <<emergency change ticket/evidence>> to determine whether the emergency change:
a) was appropriately categorized as an emergency change as per the <<Company Change Management policy/insert name>> or policy in practice;
b) was authorized by the business/IT authorized user commensurate with the entity’s IT delegation of authority and subsequently approved after implementation into the production environment; and
c) was successfully reviewed after the change implementation date, to determine if the changes implemented are functioning as intended.

Illustrative TOE test procedure description:
1. For a selection of <<# of samples>> emergency changes, inspected <<emergency change ticket/evidence>> to determine whether the change was appropriately classified as an emergency change.
2. For a selection of <<# of samples>> emergency changes, inspected the approval/authorization from the business/IT within the <<emergency change ticket/evidence>>, to determine whether the emergency changes have been approved by a business/IT authorized user commensurate with the entity’s IT delegation of authority.
3. For a selection of <<# of samples>> emergency changes, inspected the <<emergency change ticket/evidence>> to determine whether testing <<and/or>> a post-implementation review was performed after the emergency change was implemented.
Control 2.3 PC-1 (Automated): Segregation of Duties – IT Program Change Implementation
RAFIT 2.3 PC: Logical access to implement changes to IT system program or configurations into the production environment is inappropriate (i.e., unauthorized or not commensurate with job responsibilities).

Illustrative control description:
Access to implement changes to IT programs into the production environment for the <<insert name>> system is configured to restrict access to <<insert name of group, person, function, etc.>>, and segregated from the development function.

Illustrative control attribute description:
1. <<Insert name>> system is configured with <<roles, groups, users, permissions, privileges, etc.>> to restrict privileged access to implement IT program changes into the production environment.
2. Permissions to make changes to IT programs to <<insert name>> system are restricted to authorized users commensurate with job responsibilities, specifically: <<roles, groups, users, permissions, privileges, etc.>>.
3. Permissions to make changes to IT programs to <<insert name>> system are not assigned to users who have access to develop IT program codes.

Illustrative D&I test procedure description:
1. Inspected the <<Company Information Security and/or Change Management policies/insert name>> describing the control to restrict privileged access to make changes to IT programs to the <<insert name>> system and segregate them from the development function. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inquired of the Company's <<IT management team/insert name>> regarding the configured permissions that grant users privileged access to make IT program changes to the <<insert name>> system.
3. Inspected system configuration within <<insert name>> system to determine whether <<roles, groups, users, permissions, privileges, etc.>> grant the access to make changes to the IT programs based on the system configurations inspected above.
4. Inspected system evidence within <<insert name>> system and other supporting documentation to determine whether privileged access to make changes to the IT programs is limited to the <<insert name of group, person, function>> commensurate with job responsibilities based on the system configuration inspected above.
5. Inspected system evidence within <<insert name>> system and other supporting documentation to determine whether developers have access to the <<roles, groups, users, permissions, privileges, etc.>> which grant the access to make changes to the IT programs based on the system configurations inspected above.

Illustrative TOE test procedure description:
Covered in D&I procedures

Control 2.3 PC-2 (Automated): Segregation of Duties – IT Configuration Change Implementation
RAFIT 2.3 PC: Logical access to implement changes to IT system program or configurations into the production environment is inappropriate (i.e., unauthorized or not commensurate with job responsibilities).

Illustrative control description:
Access to implement IT configuration changes into the production environment for the <<insert name>> system is configured to restrict access to <<insert name of group, person, function, etc.>>, and segregated from the development function.

Illustrative control attribute description:
1. <<Insert name>> system is configured with <<roles, groups, users, permissions, privileges, etc.>> to restrict privileged access to implement IT configuration changes into the production environment.
2. Permissions to make IT configuration changes to <<insert name>> system are restricted to authorized users commensurate with job responsibilities, specifically: <<roles, groups, users, permissions, privileges, etc.>>.
3. Permissions to make IT configuration changes to <<insert name>> system are not assigned to users who have access to develop IT program codes.

Illustrative D&I test procedure description:
1. Inspected the <<Company Information Security and/or Change Management policies/insert name>> describing the control to restrict privileged access to make IT configuration changes to the <<insert name>> system and segregate them from the development function. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inquired of the Company's <<IT management team/insert name>> regarding the configured permissions that grant users privileged access to make IT configuration changes to the <<insert name>> system.
3. Inspected system configuration within <<insert name>> system to determine whether <<roles, groups, users, permissions, privileges, etc.>> grant the access to make IT configuration changes.
4. Inspected system evidence within <<insert name>> system and other supporting documentation to determine whether privileged access to make IT configuration changes is limited to the <<insert name of group, person, function>> commensurate with job responsibilities based on the system configurations inspected above.
5. Inspected system evidence within <<insert name>> system and other supporting documentation to determine whether developers have access to the <<roles, groups, users, permissions, privileges, etc.>> which grant the access to make changes to the IT configuration based on the system configurations inspected above.

Illustrative TOE test procedure description:
Covered in D&I procedures
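
The following is an added example and not the guide's own code: a segregation-of-duties review covering both 2.3 PC-1 (program changes) and 2.3 PC-2 (configuration changes). It takes a constructed extract of user-to-role assignments and a constructed mapping from each role to the capability it grants, then reports who can implement changes in production (for comparison with the <<insert name of group, person, function>> authorized list), who combines that with development access, and which roles could not be mapped at all. The role names, capability names, users and the authorized list are all illustrative assumptions.

```python
"""Added example, not the guide's own code: a segregation-of-duties test for
2.3 PC-1 and 2.3 PC-2 over a constructed role-assignment extract."""

# Constructed: capability granted by each role (role names are illustrative).
ROLE_CAPABILITIES = {
    "Z_DEVELOPER":       {"DEVELOP"},
    "Z_TRANSPORT_ADMIN": {"DEPLOY_PROGRAM"},
    "Z_CONFIG_ADMIN":    {"CHANGE_CONFIG"},
    "Z_SUPPORT_RO":      {"READ_ONLY"},
    "Z_ALL_PRIV":        {"DEVELOP", "DEPLOY_PROGRAM", "CHANGE_CONFIG"},
}
# Capabilities that implement a change into the production environment.
PRODUCTION_IMPLEMENTATION = {"DEPLOY_PROGRAM", "CHANGE_CONFIG"}

# Constructed: the group authorized to implement changes in production.
AUTHORIZED_IMPLEMENTERS = {"bob", "carol"}

# Constructed: (user, role) pairs as exported from the system's user listing.
ROLE_ASSIGNMENTS = [
    ("alice", "Z_DEVELOPER"),
    ("bob",   "Z_TRANSPORT_ADMIN"),
    ("carol", "Z_CONFIG_ADMIN"),
    ("dave",  "Z_DEVELOPER"),
    ("dave",  "Z_CONFIG_ADMIN"),     # develops and changes production config
    ("erin",  "Z_ALL_PRIV"),         # one composite role grants everything
    ("frank", "Z_SUPPORT_RO"),
    ("grace", "Z_UNKNOWN_ROLE"),     # role absent from the capability map
]


def effective_capabilities(assignments, role_caps):
    """Union the capabilities of every role held by each user.

    Returns (caps, unmapped): caps maps user -> set of capabilities; unmapped
    maps user -> roles whose grants are unknown and therefore cannot be cleared.
    """
    caps, unmapped = {}, {}
    for user, role in assignments:
        user_caps = caps.setdefault(user, set())
        if role in role_caps:
            user_caps |= role_caps[role]          # in-place union on the stored set
        else:
            unmapped.setdefault(user, set()).add(role)
    return caps, unmapped


def sod_review(assignments, role_caps, authorized):
    """Apply attributes 2 and 3 of 2.3 PC-1 / 2.3 PC-2 to the extract."""
    caps, unmapped = effective_capabilities(assignments, role_caps)
    implementers = {u for u, c in caps.items() if c & PRODUCTION_IMPLEMENTATION}
    return {
        "implementers": sorted(implementers),
        # Attribute 2: implementation access held outside the authorized group.
        "unauthorized_implementers": sorted(implementers - authorized),
        # Attribute 3: implementation access combined with development access.
        "sod_conflicts": sorted(u for u in implementers if "DEVELOP" in caps[u]),
        # Roles the review cannot assess until their grants are inspected.
        "unmapped_roles": {u: sorted(r) for u, r in unmapped.items()},
    }


if __name__ == "__main__":
    review = sod_review(ROLE_ASSIGNMENTS, ROLE_CAPABILITIES, AUTHORIZED_IMPLEMENTERS)
    for heading, value in review.items():
        print(f"{heading}: {value}")
```

Two points the sample is built to show: a composite role ("Z_ALL_PRIV") creates a conflict inside a single assignment, so the review has to work at the capability level rather than by counting roles; and a role the reviewer cannot map ("Z_UNKNOWN_ROLE") is an open item, not a pass, until D&I step 3 has inspected what it grants.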

Program Developments Audit Program Guide

Columns: RAFITs | Control # | Automated or Manual | Illustrative control description | Illustrative control attribute description | Illustrative D&I test procedure description | Illustrative TOE test procedure description

Control 3.1 PD-1 (Automated): IT System Acquisition/Development Approval
RAFIT 3.1 PD: IT system developments (new components or significant changes) are unapproved or do not function as intended.

Illustrative control description:
The <<insert name>> system is configured to automatically route IT system acquisition/development requests to the appropriate <<insert name of group (i.e., system business owner and/or IT owner)>> for approval to implement the IT system acquisition/development into the production environment.

Illustrative control attribute description:
1. <<Insert name>> system is configured to automatically route IT system acquisition/development requests for approval to an authorized user commensurate with the entity’s IT delegation of authority.

Illustrative D&I test procedure description:
1. Inspected the Company’s <<IT System Acquisition and Development policies and procedures/insert name>> describing the Company's control to automatically route IT system acquisition/development requests for approval to an authorized user commensurate with the entity’s IT delegation of authority. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inspected the <<insert name>> system configuration to determine whether IT system acquisition/development requests are automatically routed to the <<insert name of group, function, role, etc.>> in accordance with <<Company Program Acquisition and Development policies and procedures/insert name>> or policy in practice.
3. Inspected system evidence within <<insert name>> system and other supporting documentation to determine whether access to approve requests is limited to the <<insert name of group, person, function>> commensurate with job responsibilities and the entity’s IT delegation of authority.
4. Inspected one IT system acquisition/development request for each approval type (where approval may be dependent on the type of IT system acquisition/development) to determine whether the request was routed for approval based on the <<insert name>> system configuration inspected above.

Illustrative TOE test procedure description:
Covered in D&I procedures

Control 3.1 PD-2 (Manual): IT System Acquisition/Development Approval
RAFIT 3.1 PD: IT system developments (new components or significant changes) are unapproved or do not function as intended.

Illustrative control description:
IT system acquisition/developments are approved by the business/IT prior to implementation into the production environment.

Illustrative control attribute description:
1. The business/IT authorized user commensurate with the entity’s IT delegation of authority, provides the final approval to implement the IT system acquisition/development in the <<insert name>> system production environment.
2. Control operator implements the IT system acquisition/development into the <<insert name>> production environment after final approval was provided by the business/IT.

Illustrative D&I test procedure description:
1. Inspected the <<Company IT System Acquisition and Development policy/insert name>> describing the control for the final approval requirements before IT system acquisition/development are implemented into the production environment. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. For each type of IT system acquisition/development within <<insert name>> system, inspected <<change ticket/evidence>> to determine whether final approval for implementation into the production environment was obtained prior to implementation, in accordance with the <<Company IT System Acquisition and Development policy/insert name>> or policy in practice.

Illustrative TOE test procedure description:
1. For a selection of <<# of samples>> IT system acquisition/development, inspected the documentation of approval from the business/IT user within the <<change ticket/evidence>>, to determine whether the IT system acquisition/development has been approved by an authorized user commensurate with the entity’s IT delegation of authority.
2. For a selection of <<# of samples>> IT system acquisition/development, inspected the date of final approval from the business/IT within the <<change ticket/evidence>>, to determine whether the IT system acquisition/development has been approved before the acquisition/developments were implemented into the production environment.
Control 3.1 PD-3 (Manual): IT System Acquisition/Development Testing
RAFIT 3.1 PD: IT system developments (new components or significant changes) are unapproved or do not function as intended.

Illustrative control description:
IT system acquisitions/developments to <<insert name>> system are tested and approved prior to implementation into the production environment.

Illustrative control attribute description:
1. Control operator executes and completes <<insert type of test, i.e., system, user acceptance, and/or regression>> testing, and documented test results have met the criteria set for "success".
2. Authorized stakeholder, commensurate with the entity’s IT delegation of authority, approves the test results prior to implementation to the production environment.

Illustrative D&I test procedure description:
1. Inspected <<Company IT System Acquisition/Development policy/insert name>> describing the control for testing IT system acquisition/development and the required approvals to indicate that testing was successful. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. For each type of IT system acquisition/development, inspected:
a) <<insert type of test, e.g. system, user acceptance, regression>> test plans/scripts based on the testing requirements for the type of acquisition/development;
b) evidence of successful results based on each <<insert type of test, i.e., system, user acceptance, and/or regression>> test plan/script; and
c) evidence of approvals from <<insert business and/or IT individuals/groups>> to determine the IT system acquisition/development was approved prior to the implementation date.

Illustrative TOE test procedure description:
1. For the sample chosen related to 3.1 PD-1 or 3.1 PD-2, inspected the supporting test results:
• to determine whether it is documented, and
• to determine whether the results indicate "success", as per the established test plan.
2. For the sample chosen related to 3.1 PD-1 or 3.1 PD-2, inspected system evidence to determine whether authorized stakeholders commensurate with the entity’s IT delegation of authority provided approval after the test plan had been executed and prior to implementation of the acquisition/development to the production environment.
Control 3.2 PD-1 (Manual): IT System Acquisition/Development Data Conversion/Migration Testing
RAFIT 3.2 PD: Incomplete, redundant, obsolete or inaccurate data is migrated to the production environment of acquired, newly developed or existing IT systems.

Illustrative control description:
<<Conversion or migration of data>> from the legacy IT system to the <<newly acquired or developed IT system>> are approved as complete and accurate in accordance with the relevant criteria set in accordance with documented <<Company SDLC policy/insert name>> or the policy in practice.

Illustrative control attribute description:
1. Control operator executes <<insert type of conversion/migration process, e.g., reconciliation activities>>, and documents <<insert type of conversion/migration process, e.g., balancing and reconciliation activities>> results that have met the criteria set for "complete" in accordance with documented <<Company SDLC policy/insert name>> or the policy in practice.
2. Control operator executes <<insert type of conversion/migration process, e.g., balancing and reconciliation activities>>, and documents <<insert type of conversion/migration process, e.g., reconciliation activities>> results that have met the criteria set for "accurate" in accordance with documented <<Company SDLC policy/insert name>> or the policy in practice.
3. Authorized stakeholder, commensurate with the entity’s IT delegation of authority, approves the <<conversion or migration of data>> results prior to implementation to the production environment.

Illustrative D&I test procedure description:
1. Inspected <<Company’s SDLC policy/insert name>> describing the control for testing data conversion/migration relevant to IT system acquisition/development. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. For each <<newly acquired or developed IT system>> selected a <<converted/migrated data>> element and inspected:
a) evidence of “complete” results of <<insert type of conversion/migration process, e.g., reconciliation activities>> in accordance with documented <<Company SDLC policy/insert name>> or the policy in practice;
b) evidence of “accurate” results of <<insert type of conversion/migration process, e.g., reconciliation activities>> in accordance with documented <<Company SDLC policy/insert name>> or the policy in practice; and
c) evidence of approval from <<insert business and/or IT individuals/groups>> to determine the <<data conversion/migration>> relevant to the <<IT system acquisition/development>> was approved prior to the implementation date.

Illustrative TOE test procedure description:
1. For a selection of <<# of samples>> data elements <<converted/migrated>> (e.g. balances, charts of accounts, etc.), inspected
a) evidence of “complete” results of <<insert type of conversion/migration process, e.g., reconciliation activities>> in accordance with documented <<Company SDLC policy/insert name>> or the policy in practice; and
b) evidence of “accurate” results of <<insert type of conversion/migration process, e.g., reconciliation activities>> in accordance with documented <<Company SDLC policy/insert name>> or the policy in practice.
2. For a selection of <<# of samples>> data elements <<converted/migrated>> (e.g. balances, charts of accounts, etc.), inspected system evidence to determine whether authorized stakeholders commensurate with the entity’s IT delegation of authority provided approval for data <<conversion/migration>> to the production environment prior to the implementation date.
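
The following is an added example and not the guide's own code: a balancing and reconciliation check of the kind 3.2 PD-1 asks the control operator to document, run between a legacy extract and the migrated data and judged on the two criteria the control names. "Complete" here means every legacy record arrived exactly once and nothing arrived that was not in the source; "accurate" means every migrated field equals its source value and the control total agrees. The record layout, the key field and the sample rows (a chart of accounts with balances, with two planted defects) are constructed assumptions.

```python
"""Added example, not the guide's own code: a completeness and accuracy
reconciliation for 3.2 PD-1 over constructed legacy and migrated extracts."""
from decimal import Decimal

# Constructed extracts. Planted defects: account 2000 is missing from the
# target, account 1100 arrived with transposed digits, and account 9999 is a
# target-only row that has no source record.
LEGACY = [
    {"account": "1000", "name": "Cash",        "balance": Decimal("1250.00")},
    {"account": "1100", "name": "Receivables", "balance": Decimal("8400.50")},
    {"account": "2000", "name": "Payables",    "balance": Decimal("-3100.25")},
    {"account": "3000", "name": "Equity",      "balance": Decimal("-6550.25")},
]
MIGRATED = [
    {"account": "1000", "name": "Cash",        "balance": Decimal("1250.00")},
    {"account": "1100", "name": "Receivables", "balance": Decimal("8400.05")},
    {"account": "3000", "name": "Equity",      "balance": Decimal("-6550.25")},
    {"account": "9999", "name": "Suspense",    "balance": Decimal("0.00")},
]


def reconcile(legacy, migrated, key="account", amount="balance"):
    """Return the "complete" and "accurate" verdicts with supporting exceptions."""
    src = {r[key]: r for r in legacy}
    dst = {r[key]: r for r in migrated}
    # A key collision inside either extract means a duplicate record.
    duplicate_keys = (len(legacy) - len(src)) + (len(migrated) - len(dst))
    missing = sorted(set(src) - set(dst))
    unexpected = sorted(set(dst) - set(src))

    # Field-level comparison for the records present on both sides.
    mismatches = []
    for k in sorted(set(src) & set(dst)):
        for field, value in src[k].items():
            if dst[k].get(field) != value:
                mismatches.append((k, field, value, dst[k].get(field)))

    # Control totals, kept in Decimal so cents are compared exactly.
    src_total = sum((r[amount] for r in legacy), Decimal("0"))
    dst_total = sum((r[amount] for r in migrated), Decimal("0"))

    return {
        "source_count": len(legacy),
        "target_count": len(migrated),
        "missing_in_target": missing,
        "unexpected_in_target": unexpected,
        "duplicate_keys": duplicate_keys,
        "field_mismatches": mismatches,
        "source_total": src_total,
        "target_total": dst_total,
        "complete": not missing and not unexpected and duplicate_keys == 0,
        "accurate": not mismatches and src_total == dst_total,
    }


if __name__ == "__main__":
    for heading, value in reconcile(LEGACY, MIGRATED).items():
        print(f"{heading}: {value}")
```

The sample is built so that the legacy control total is zero (a balanced ledger nets to zero by construction), which is why a total-only or count-only balancing check is weak evidence on its own: the record-level comparison is what localizes the missing account and the transposed digits, and the totals then corroborate it.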

Computer Operations Audit Program Guide

Columns: RAFITs | Control # | Automated or Manual | Illustrative control description | Illustrative control attribute description | Illustrative D&I test procedure description | Illustrative TOE test procedure description
4.1 CO - System 4.1 CO-1 Automated Job/Process/Program Execution 1. Jobs, processes, and 1. Inspected the <<Company's IT Covered in D&I procedures
jobs, processes, programs are automatically Operations Policy/insert name>>
and/or <<Insert name>> systems jobs, executed based on an describing the control related to
programs do processes, and programs (e.g. established schedule and how system jobs, processes, and
not function as backup jobs) are executed frequency. programs are executed according to
intended, according to an established an established schedule and
resulting in schedule and frequency. 2. Alerts are configured to frequency and how the system is
incomplete, identify unsuccessful jobs, configured to send automated alerts
inaccurate, processes and programs when processing errors or
untimely or (including backup failures). unsuccessful scheduled jobs occur.
unauthorized Where policies are not documented,
processing of inquired of the Company's <<IT
data. management team/insert name>>
regarding the policies in practice.

2. For one of each type of <<insert


name>> system job, process, and
program, inspected system evidence
to determine whether the system is
configured to execute in accordance
with an established schedule and
frequency in accordance with the
<<Company's IT Operations
Policy/insert name>> or policies in
practice.

3. For one of each type of <<insert


name>> system job, process,
and program, inspected the
configurations to determine
whether the alerts are generated to
identify unsuccessful processing
(including backup failures) in
accordance with the <<Company's IT
Operations Policy/insert name>> or
policies in practice.
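The two attributes of CO-1 above (jobs run on an established schedule, and alerts identify unsuccessful runs) are the kind of evidence an auditor inspects in a scheduler's run history. The following script is an added example, not part of this guide or any scheduler product: it evaluates constructed scheduler log lines against a constructed schedule and produces alerts for failed runs, for jobs whose last successful run is older than the allowed gap, and for jobs that ran without being on the approved schedule (the "unauthorized processing" the RAFIT names). Job names, the log format, the schedule and the evaluation time are all hypothetical.

```python
"""Added example: evaluate scheduled-job execution against an expected
schedule and raise alerts for failed, missed or unscheduled runs.
All job names, log lines and schedule values are constructed (hypothetical)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed schedule: job name -> maximum allowed gap between successful runs.
SCHEDULE = {
    "nightly-db-backup": timedelta(days=1),
    "gl-interface-load": timedelta(hours=6),
    "weekly-archive": timedelta(days=7),
}

# Constructed scheduler log, one run per line: "<ISO timestamp> <job> <STATUS> rc=<code>".
SAMPLE_LOG = """\
2024-03-01T01:00:05 nightly-db-backup SUCCESS rc=0
2024-03-01T03:15:00 adhoc-export SUCCESS rc=0
2024-03-01T06:00:02 gl-interface-load SUCCESS rc=0
2024-03-01T12:00:01 gl-interface-load SUCCESS rc=0
2024-03-01T18:00:03 gl-interface-load FAILED rc=2
2024-03-02T00:00:09 gl-interface-load SUCCESS rc=0
2024-03-02T01:00:07 nightly-db-backup FAILED rc=1
"""

# Constructed point in time at which the evaluation is run.
AS_OF = datetime(2024, 3, 2, 5, 0, 0)


@dataclass(frozen=True)
class Run:
    ts: datetime
    job: str
    status: str
    rc: int


@dataclass(frozen=True)
class Alert:
    job: str
    kind: str  # "FAILED", "MISSED" or "UNSCHEDULED"
    detail: str


def parse_log(text: str) -> list[Run]:
    """Parse the constructed log format into Run records (blank lines ignored)."""
    runs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, job, status, rc = line.split()
        runs.append(Run(datetime.fromisoformat(ts), job, status, int(rc.split("=", 1)[1])))
    return runs


def evaluate_jobs(schedule: dict[str, timedelta], runs: list[Run], as_of: datetime) -> list[Alert]:
    """Return one alert per failed run, per job with no recent successful run,
    and per job that ran but is not on the approved schedule."""
    alerts: list[Alert] = []

    # Attribute 2: every non-successful run is alerted.
    for r in runs:
        if r.status != "SUCCESS":
            alerts.append(Alert(r.job, "FAILED", f"{r.ts.isoformat()} status={r.status} rc={r.rc}"))

    # Attribute 1: each scheduled job must have succeeded within its allowed gap.
    for job, max_gap in schedule.items():
        successes = [r.ts for r in runs if r.job == job and r.status == "SUCCESS"]
        last = max(successes) if successes else None
        if last is None or as_of - last > max_gap:
            seen = last.isoformat() if last else "never"
            alerts.append(Alert(job, "MISSED", f"last success {seen}; allowed gap {max_gap}"))

    # Jobs present in the log but absent from the schedule point at unauthorized processing.
    for job in sorted({r.job for r in runs} - set(schedule)):
        alerts.append(Alert(job, "UNSCHEDULED", "ran but is not on the approved schedule"))

    return alerts


if __name__ == "__main__":
    for a in evaluate_jobs(SCHEDULE, parse_log(SAMPLE_LOG), AS_OF):
        print(f"{a.kind:12} {a.job:20} {a.detail}")
```

Run as-is, the sample data produces two FAILED alerts, MISSED alerts for `nightly-db-backup` (its last run failed, so the last success is older than one day) and `weekly-archive` (never ran), and an UNSCHEDULED alert for `adhoc-export`; `gl-interface-load` is not reported as missed because it succeeded five hours before the evaluation time.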

RAFIT 4.1 CO - System jobs, processes, and/or programs do not function as intended, resulting in incomplete, inaccurate, untimely or unauthorized processing of data.

Control #: 4.1 CO-2 (Manual)

Illustrative control description: Processing Error Monitoring. Every <<insert frequency>> <<functional managers>> monitor processing errors to determine whether failures in system jobs, processes, and programs (e.g. backup jobs) are resolved.

Illustrative control attribute description:
1. Monitoring of processing failures <<insert frequency>> is in accordance with the documented <<Company Information Security policy>> or the policy in practice.
2. Processing failures are documented, assigned a severity category, and resolved in accordance with the <<Company's incident management policy/insert name>> or the policy in practice.

Illustrative D&I test procedure description:
1. Inspected the <<Company's IT Operations Policy/insert name>> describing the control for monitoring processing failures and timelines for resolving processing failures. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policies in practice.
2. Observed the <<functional manager>> monitor for processing failures.
3. For one of each type of <<insert name>> system job, process, and program with a failure, inspected the <<incident ticket>> to determine whether the incident was documented, categorized, and resolved in accordance with the <<Company's incident management policy/insert name>> or policy in practice.

Illustrative TOE test procedure description:
1. For a selection of <<# of samples>> processing failures during the period, inspected the <<incident tickets>> to determine whether the processing failure was documented, assigned a severity category, and resolved in accordance with the <<Company's incident management policy/insert name>> or the policy in practice.

RAFIT 4.2 CO - Logical access to make changes to system jobs, processes, and/or programs is unauthorized or not commensurate with job responsibilities.

Control #: 4.2 CO-1 (Automated)

Illustrative control description: Privileged Access – Job, Process, and Program Modification. Access to update system jobs, processes, and programs (e.g. backup jobs) in <<insert name>> system is configured to restrict access to <<insert name of group, person, function, etc.>> commensurate with job responsibilities.

Illustrative control attribute description:
1. <<insert name>> system is configured with <<roles, groups, users, permissions, privileges, etc.>> to restrict privileged access to update system jobs, processes, and programs (e.g. backup jobs).
2. Privileged access to update system jobs, processes, and programs (e.g. backup jobs) in <<insert name>> system is restricted to <<insert name of group, person, function>>, commensurate with job responsibilities, specifically <<roles, groups, users, permissions, privileges, etc.>>.

Illustrative D&I test procedure description:
1. Inspected the <<Company Information Security policy and/or the IT Operations Policy/insert name>> describing the control for restriction of privileged access to update system jobs, processes, and programs (e.g. backup jobs). Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. Inquired of the Company's <<IT management team/insert name>> regarding the configured <<roles, groups, users, permissions, privileges, etc.>> to restrict privileged access to update system jobs, processes, and programs (e.g. backup jobs) within <<insert name>> system.
3. Inspected system evidence to determine whether <<roles, groups, users, permissions, privileges, etc.>> restricted privileged access to update system jobs, processes, and programs (e.g. backup jobs) based on the system configuration inspected above.
4. Inspected system evidence within <<insert name>> system and other supporting documentation to determine whether privileged access to update system jobs, processes, and programs (e.g. backup jobs) is limited to the <<insert name of group, person, function>> commensurate with job responsibilities, specifically: <<roles, groups, users, permissions, privileges, etc.>>.

Illustrative TOE test procedure description: Covered in D&I procedures.

RAFIT 4.3 CO - Financial data backups are not able to be recovered in a timely manner.

Control #: 4.3 CO-1 (Manual)

Illustrative control description: Back-up Recovery Testing. Back-ups of programs and data are tested for recovery and restoration every <<insert frequency>>.

Illustrative control attribute description:
1. Control operators test the ability to recover and restore from backups <<insert frequency>> and that recovery was successful.

Illustrative D&I test procedure description:
1. Inspected the <<Company's IT Operations Policy/insert name>> describing the control to determine the backup and recovery testing frequency. Where policies are not documented, inquired of the Company's <<IT management team/insert name>> regarding the policy in practice.
2. For one completed backup recovery and restoration test, inspected evidence of the completed test to determine whether the recovery was successful.

Illustrative TOE test procedure description:
1. For a selection of <<# of samples>>, inspected system evidence of a backup recovery and restoration test completed to determine if the testing frequency was in accordance with the <<Company's IT Operations Policy/insert name>> or policies in practice and that recovery was successful.
