Professional Documents
Culture Documents
Business processes are often facilitated by computer information systems. Obtain an understanding
of the:
Level of dependence the client has on computer information systems (include a list of the
client’s computer information systems);
Computer information systems’ personnel structure and skills
Security of computer information systems; Access Controls, Backups, Disaster Recovery.
Reliability of computer information systems; Data Integrity, Processing, and Reporting
Controls.
Degree and rate of change in computer information systems;
Dependence on external computer processing; Use of Service, Organization understanding
and evaluation thereof.
The entity totally depends on CIS, Sidat Hyder Financials is the main software used by the entity
for recording and processing its day to day transactions. The entity has placed very strict controls
over its CIS which include passwords, access to authorized personnel only etc. The company also
has an effective data backup plan. According to our assessment no issues were identified regarding
data integrity, processing and reporting controls. The entity does not depend on external computer
processing.
Yes No
IT Strategy
1.1 Is there a formal documented plan for IT
covering systems to be developed or
enhanced over the next 1 - 3 years?
1.2 Is there an IT Steering Committee?
Consider
Other, less formal, means of
establishing and communicating IT strategy
User management representation
IT Policies and Procedures
1.3 Are there formal and comprehensive IT
Policies and Procedures relating to Information
Security, User Access Management, Program
Change Management, Backup Management,
Password Management etc?
Consider
Approval at board level
Objectives
Scope and coverage
Responsibility for monitoring or update
Distribution to staff
5.2 Packages
Is the business dependent on externally
supplied and maintained application
Systems?
Consider:
Maintenance agreement with the supplier
Changes and upgrades checked and
tested before installation
Source code provided
Measures to prevent unauthorised access to the
software
If the software is owned by the supplier, is
there an escrow agreement?
5.3 Are users appropriately involved in the
systems development process?
Consider
Specification of requirements
Contribution to priority setting
User sign offs
User acceptance testing
Training
Formal approval before implementation
Development of user manuals etc.
5.4 Are development staff restricted from
implementing new program versions into the
production environment?
5.5 Is comprehensive systems and program
documentation produced?
Consider
Compliance with standards
System documentation
Operating instructions
User documentation
5.6 Are there program change control
procedures?
Consider
Yes No
Comments / WP Ref.
Back Up Procedures
6.1 Are back up copies of data files and
programs taken regularly? (Note the back up
cycle)
Consider
Data at end of day, week, month, year
Whether back up taken after changes in the
application
6.2 Are back up copies held in a secure
location remote from the computer site?
Consider
Data files
Programs
Systems software
Systems documentation
Operating procedures
User procedures
Disaster Recovery Plan
6.3 Are back up versions taken offsite regularly?
6.4 Have the back up and restoration procedures
been tested?
Consider
Time taken to restore
Completeness and accuracy of data restored
Disaster Recovery Planning
6.5 Have the business's critical systems, without
which the entity’s operations and business could
be affected, have been identified?
Consider
How long could the business operate
effectively without their critical computer
systems?
eg. hours, < 7 days, etc.
6.6 Has a disaster recovery plan been developed,
documented and tested?
Consider
Regular review and update of the
plan (Note when it was last updated)
Periodic testing
OVERALL CONCLUSION
Summarize the internal control weaknesses identified during our review which have an impact on the
control objectives, for consideration when planning reliance on CIS controls.
The company is currently using ready-made software (SidatHyder Financials). It is reliable software and
according to our enquiries and procedures performed, there were no major weaknesses identified in
company’s IT controls. Hence we can rely on entity’s IT controls in performing our audit.