
Objective: General IT audit program that can be executed by financial auditors or an IT auditor working an integrated Operations/Systems audit.

IT: General Controls Review

Audit areas, phases (A. Audit Prep Work, B. Internal Control Review, C. Detail Testing) and step numbers:

IT: Access Control
  B. Internal Control Review: Centralized Location 10; Site Location 10
  C. Detail Testing: Centralized Location 10, 20, 30; Site Location 10, 20, 30
IT: Backup/Recovery
  B. Internal Control Review: Centralized Location 10, 20; Site Location 10, 20, 30, 40, 810, 820, 830, 840
  C. Detail Testing: Centralized Location 10, 20; Site Location 10, 20, 30, 810, 820
IT: Documentation
  A. Audit Prep Work: Centralized Location 10; Site Location 10
IT: Environmental Controls
  B. Internal Control Review: Site Location 810, 820, 830
  C. Detail Testing: Site Location 10, 20
IT: Equipment Maintenance
  B. Internal Control Review: Centralized Location 10, 20, 30; Site Location 10, 20, 30, 40, 810
  C. Detail Testing: Site Location 810
IT: Inventory
  B. Internal Control Review: Centralized Location 10, 20; Site Location 10, 20, 30, 810, 820
  C. Detail Testing: Site Location 810
IT: Network and IT Management
  B. Internal Control Review: Centralized Location 10, 20, 30; Site Location 10, 20, 30, 810, 820
  C. Detail Testing: Site Location 810, 820, 840, 850
IT: Operations
  B. Internal Control Review: Centralized Location 10, 20, 30, 40; Site Location 10, 20, 30, 40
  C. Detail Testing: Site Location 810, 820
IT: Physical Security
  B. Internal Control Review: Centralized Location 10; Site Location 10, 20, 810, 820, 830, 840, 850, 860, 870, 880, 890, 900, 910
  C. Detail Testing: Site Location 810, 820, 830, 840
IT: Service Agreements
  B. Internal Control Review: Site Location 810, 820, 830
  C. Detail Testing: Site Location 810, 820, 830, 840
IT: Telecommunications
  A. Audit Prep Work: Site Location 810
  B. Internal Control Review: Centralized Location 10; Site Location 10, 20, 810, 820, 830, 840, 850
  C. Detail Testing: Site Location 810, 820
IT: Virus Protection
  B. Internal Control Review: Centralized Location 10; Site Location 10


IT: Access Control

Internal Control Review
Centralized Location
- Verify that IT and facility personnel are aware of the applicable policies.
Site Location
- Verify that IT and facility personnel are aware of the applicable policies.

Detail Testing
Centralized Location
- Ensure that terminated users are promptly removed. Obtain a current user account list for all systems and cross-reference it with current payroll or human resource data. Note any users not found in the payroll or human resource files.
- Detail test the site's compliance with appropriate IT security policies.
- Cross-reference the authorized dial-in user list with payroll.
Site Location
- Ensure that terminated users are promptly removed. Obtain a current user account list for all systems and cross-reference it with current payroll or human resource data. Note any users not found in the payroll or human resource files.
- Detail test the site's compliance with appropriate IT security policies.
- Cross-reference the authorized dial-in user list with payroll.

IT: Backup/Recovery

Internal Control Review
Centralized Location
- Determine: a) whether the network has adequately documented backup and recovery procedures/plans/schedules for critical sites; b) if procedures exist, whether they have been tested and what the results of those tests were.
- Obtain an understanding of the network incident response plan. This plan should include procedures for documenting the seriousness of the incident as well as escalation procedures based upon the time or resources required to fix it.
Site Location
- Determine: a) whether the network has adequately documented backup and recovery procedures/plans/schedules for critical sites; b) if procedures exist, whether they have been tested and what the results of those tests were.
- Obtain an understanding of the network incident response plan (not disaster recovery; see the ADDITIONAL INFORMATION section of this step for clarification). This plan should include procedures for documenting the seriousness of the incident as well as escalation procedures based upon the time or resources required to fix it.
- Verify that the LAN is supported by an uninterruptible power supply (UPS).
- Verify that the UPS has been tested in the last year (to test the batteries).
- Verify that sites where communications disruptions are unacceptable have multiple communication lines that are physically separated and ideally connect through separate switches.
- Obtain the LAN inventory listing of all files. Does the list agree with the information obtained when conducting an inventory of LAN software during the data integrity portion of the audit?
- For disaster-recovery purposes, have LAN applications been prioritized and scheduled for recovery based on importance to the operation? You should also determine whether the recovery sequence is proper, so that key applications can be restored first.
- Are LAN files backed up at appropriate intervals to ensure the need to re-enter data is minimized?
Detail Testing
Centralized Location
- Verify that LAN applications have been properly prioritized and scheduled for recovery according to their sensitivity and importance for disaster recovery purposes.
- To ensure that the backups are good and can be used to recover the system, have the System Administrator: a) restore a file or files from the backup media (restore a file to a different location and then check the file).
Site Location
- Verify: a) backup tapes are properly labeled and organized; b) backup tapes are stored securely in a fireproof safe and not left in the open; c) backup tapes are secured off-site.
- To ensure that the backups are good and can be used to recover the system, have the System Administrator: a) restore a file or files from the backup media (restore a file to a different location and then check the file, OR create a file on M ...).
- Verify that LAN applications have been properly prioritized and scheduled for recovery according to their sensitivity and importance for disaster recovery purposes.
- Select another sample of LAN application software: verify that the applications are supported by a written and authorized plan; verify that the applications are prioritized by their level of sensitivity and importance.
- Obtain a copy of the insurance policy that applies to the LAN facility. With the assistance of computer insurance specialists, determine the adequacy of the LAN facility insurance coverage.
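The Access Control detail-testing steps above (cross-reference the system user account list and the authorized dial-in user list with payroll/HR data, and confirm terminated users were promptly removed) are usually done by hand with two spreadsheets. The script below is an added example, not part of the original audit program; the HR extract, account listings, dial-in list, system names (MFGPRO, NT_DOMAIN) and the username convention are all constructed for illustration. It produces one exception per account with a reason code, and also catches the case the manual comparison tends to miss: an account that was eventually disabled but was still logging on after the termination date.

```python
"""Cross-reference user accounts and the dial-in user list against HR/payroll
data (Access Control detail testing). All sample data below is constructed."""
import csv
import io
from datetime import date

# Constructed HR/payroll extract. term_date is blank unless status is terminated.
# Assumption: HR and the systems share the same username convention; in practice
# the mapping comes from the HR system or the identity directory.
HR_CSV = """username,employee_id,status,term_date
jsmith,1001,active,
mjones,1002,active,
rlee,1003,terminated,2024-03-15
kpatel,1004,leave,
"""

# Constructed user account listing, one row per account per system.
ACCOUNTS_CSV = """system,username,enabled,last_logon
MFGPRO,jsmith,yes,2024-05-02
MFGPRO,rlee,yes,2024-04-20
MFGPRO,backup_svc,yes,2024-05-01
NT_DOMAIN,mjones,yes,2024-05-03
NT_DOMAIN,rlee,no,2024-03-10
NT_DOMAIN,tmp_contractor,yes,2024-05-01
"""

# Constructed authorized dial-in user list.
DIALIN_CSV = """username
jsmith
rlee
vendor1
"""

# Accounts that legitimately have no HR record (service accounts). The auditor
# should still confirm each has a documented owner; they are just not "unknown".
KNOWN_SERVICE_ACCOUNTS = {"backup_svc"}


def load(csv_text):
    """Parse a CSV extract into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile_accounts(accounts, hr):
    """Return (system, username, reason) for every account that does not tie to
    a current employee.
      NO_HR_RECORD     - username not found in payroll/HR data
      TERMINATED       - HR shows the person terminated but the account is enabled
      LOGON_AFTER_TERM - last logon is later than the termination date
    """
    hr_by_user = {row["username"]: row for row in hr}
    exceptions = []
    for acct in accounts:
        user = acct["username"]
        enabled = acct["enabled"].strip().lower() == "yes"
        person = hr_by_user.get(user)
        if person is None:
            if user not in KNOWN_SERVICE_ACCOUNTS:
                exceptions.append((acct["system"], user, "NO_HR_RECORD"))
            continue
        if person["status"] == "terminated":
            term = date.fromisoformat(person["term_date"])
            if enabled:
                exceptions.append((acct["system"], user, "TERMINATED"))
            if date.fromisoformat(acct["last_logon"]) > term:
                exceptions.append((acct["system"], user, "LOGON_AFTER_TERM"))
    return exceptions


def reconcile_dialin(dialin, hr):
    """Dial-in users must be current employees: flag anyone missing from HR or
    terminated. Returns (username, reason) tuples."""
    hr_by_user = {row["username"]: row for row in hr}
    exceptions = []
    for row in dialin:
        person = hr_by_user.get(row["username"])
        if person is None:
            exceptions.append((row["username"], "NO_HR_RECORD"))
        elif person["status"] == "terminated":
            exceptions.append((row["username"], "TERMINATED"))
    return exceptions


def run():
    """Run both reconciliations over the constructed extracts."""
    hr = load(HR_CSV)
    return reconcile_accounts(load(ACCOUNTS_CSV), hr), reconcile_dialin(load(DIALIN_CSV), hr)


if __name__ == "__main__":
    account_exceptions, dialin_exceptions = run()
    for system, user, reason in account_exceptions:
        print(f"ACCOUNT {system:10} {user:16} {reason}")
    for user, reason in dialin_exceptions:
        print(f"DIALIN  {'':10} {user:16} {reason}")
```

Replace the three CSV strings with the real extracts (HR, per-system account listing, dial-in list) and keep the service-account allow list under change control; every entry in it is itself an audit question.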

IT: Documentation

Audit Prep Work
Centralized Location
- Obtain the following documents:
  * Backup and Recovery: Backup Schedule; Rotation; Backup/Restore Log; Backup/Restore Policies and Procedures; Network Incident Response Plan
  * Equipment Maintenance: Equipment Downtime Log (at least 6 months' worth)
Site Location
- Obtain the following documents:
  * Backup and Recovery: Backup Schedule; Rotation; Backup/Restore Log; Backup/Restore Policies and Procedures; Network Incident Response Plan
  * Equipment Maintenance: Equipment Downtime Log (at least 6 months' worth)

IT: Environmental Controls

Internal Control Review
Site Location

- Is the power supply to the LAN properly controlled to ensure that it remains within the manufacturer's specifications?
- Review placement of water and drainage pipes to ensure they are routed away from operations areas. Assess the potential for storage tanks to flood electronic equipment and the susceptibility to external flooding.
- Review smoke detection and automatic fire extinguishing equipment to ensure that it is functional and that it provides adequate protection (i.e. ensure that the fire extinguishing equipment is not a sprinkler placed over each server).

Detail Testing
Site Location
- Examine the LAN server facility, noting the following: a) the facility is kept free of dust, smoke, beverages, food, etc.; b) examine the trash for any evidence as well; c) note the humidity, air conditioning, and fire suppression systems.
- Examine the LAN server facility room and note any equipment that is less than 1.5-3 feet off the floor. If the server facility room is on a computer floor, note the height of the floor.

IT: Equipment Maintenance

Internal Control Review
Centralized Location
- Is there a policy regarding updating and maintenance of the LAN facility? a) Is there scheduled preventative maintenance on the components, either by the LAN administrator or by the vendor under a maintenance contract? b) Do these procedures meet the manufacturer's recommendations?
- Interview the LAN administrator to ensure that he/she is knowledgeable about the manufacturer's requirements and LAN computer equipment in general.
Site Location
- Interview users of the LAN and ask: a) if they know how to report LAN problems; b) how often the LAN has been down in the last six months; c) does the LAN downtime log and procedures adequately reflect the information provided by the users?
- Is there a policy regarding updating and maintenance of the LAN facility? a) Is there scheduled preventative maintenance on the components, either by the LAN administrator or by the vendor under a maintenance contract? b) Do these procedures meet the manufacturer's recommendations?
- Interview the LAN administrator to ensure that he/she is knowledgeable about the manufacturer's requirements and LAN computer equipment in general.
- If a maintenance contract exists for routine cleaning, verify that the vendor has honored the contract.

Detail Testing
Site Location
- Verify: a) LAN file server equipment is protected from the effects of static electricity (e.g. antistatic rug, antistatic spray, and/or antistatic wrist bands).

IT: Inventory

Internal Control Review
Centralized Location
- Determine: is there a complete inventory of the following? Hardware: computers, file servers, printers, modems, switches, routers, hubs, etc. Software: all software for each PC is logged with licenses and serial numbers.
- Verify: a) written procedures for keeping the LAN inventory; b) do the inventory procedures identify who (title) is responsible for maintaining the inventory report? c) do the inventory procedures require regular updating of the inventory report?
Site Location
- Is unused equipment properly and securely stored?
- Determine: is there a complete inventory of the following? Hardware: computers, file servers, printers, modems, switches, routers, hubs, etc. Software: all software for each PC is logged with licenses and serial numbers.
- Verify: a) written procedures for keeping the LAN inventory; b) do the inventory procedures identify who (title) is responsible for maintaining the inventory report? c) do the inventory procedures require regular updating of the inventory report?
- a) Is there a policy regarding disposal of obsolete or badly damaged LAN equipment? b) Does the policy require management approval of disposal of the equipment? c) Obtain a copy and determine if it has been reviewed and approved by management.
- Are copies of the LAN software and hardware inventory reports stored at another secure location?

Detail Testing
Site Location
- a) On a sample basis, match the inventory report to actual LAN hardware devices. b) Is all of the LAN hardware present, properly identified/tagged, and located in the proper place?

IT: Network and IT Management

Internal Control Review
Centralized Location
- Has management approved and documented policies and procedures for approval, purchase or development, and documentation of LAN applications and systems software?
- Has management approved and documented policies and procedures for approval and purchase of LAN hardware?
- Determine how management ensures change control for the network. Determine whether there is any monitoring for possible unauthorized connections.
Site Location
- Has management approved and documented policies and procedures for approval, purchase or development, and documentation of LAN applications and systems software?
- Has management approved and documented policies and procedures for approval and purchase of LAN hardware?
- Determine how management ensures change control for the network. Determine whether there is any monitoring for possible unauthorized connections.
- Determine whether network traffic is encrypted or, if not, whether encryption was considered.

Detail Testing
Site Location
- Obtain copies of the policies related to LAN development, maintenance and use. Do they include the items in the above control questions? Have they been reviewed in the last year and updated for changes in technology and business conditions?
- On a sample basis, select LAN application files and programs. Do they comply with written naming conventions?
- On a sample basis, review recent LAN software and hardware purchases. Does the documentation resulting from the purchases comply with written procedures and policies? Note: coordinate with the Financial Auditor who has been delegated to do the fixed assets review.
- Review the SNMP and Web access for CISCO products.
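The last detail-testing step above ("Review the SNMP and Web access for CISCO products") is where most of the real exposure sits: a default or read-write SNMP community string with no access list is a remote reconfiguration path for anyone who can reach the device, and "ip http server" is a cleartext management interface. The checker below is an added example, not part of the original audit program and not Cisco's tooling; the running-config text, hostname, ACL numbers, community strings and the list of default community names are constructed for illustration. It parses the "snmp-server community" and "ip http" lines the way IOS prints them in "show running-config" and returns one finding per weakness, with a hardened variant of the same config that produces none.

```python
"""Review SNMP and HTTP/HTTPS management access in a Cisco IOS running-config
(Network and IT Management detail testing). Config text is constructed."""
import re

# Constructed 'show running-config' excerpt with the weak settings an auditor
# typically finds: default community strings, RW access, no ACL, cleartext HTTP.
SAMPLE_CONFIG = """hostname plant-core-sw1
!
snmp-server community public RO
snmp-server community Pl4nt-R0-2024 RO 10
snmp-server community private RW
snmp-server community ops-rw RW 20
snmp-server group NMSv3 v3 priv read NMSVIEW
ip http server
ip http secure-server
!
access-list 10 permit 10.1.5.0 0.0.0.255
access-list 20 permit host 10.1.5.20
"""

# The same device hardened: one RO community bound to an ACL, SNMPv3 for
# anything that needs more, HTTPS only and restricted by access-class.
HARDENED_CONFIG = """hostname plant-core-sw1
!
snmp-server community Pl4nt-R0-2024 RO 10
snmp-server group NMSv3 v3 priv read NMSVIEW
no ip http server
ip http secure-server
ip http access-class 10
!
access-list 10 permit 10.1.5.0 0.0.0.255
"""

# Community names that ship as defaults or appear in every word list (assumed).
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "secret"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl-number-or-name>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$"
)
V3_GROUP_RE = re.compile(r"^snmp-server group \S+ v3 (auth|priv)\b")


def review_config(config_text):
    """Return a list of (config line, finding code) for SNMP and web access.
      DEFAULT_COMMUNITY      - well-known community string
      RW_COMMUNITY           - write access via SNMPv1/v2c (confirm business need)
      NO_ACL                 - community not bound to an access list
      HTTP_CLEARTEXT_ENABLED - 'ip http server' present
      HTTP_NO_ACCESS_CLASS   - web management reachable from any source
      NO_SNMPV3              - no v3 group with authentication/privacy
    """
    findings = []
    http_enabled = https_enabled = False
    http_access_class = None
    v3_groups = 0
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((line, "DEFAULT_COMMUNITY"))
            if mode == "RW":
                findings.append((line, "RW_COMMUNITY"))
            if acl is None:
                findings.append((line, "NO_ACL"))
        elif V3_GROUP_RE.match(line):
            v3_groups += 1
        elif line == "ip http server":
            http_enabled = True
        elif line == "ip http secure-server":
            https_enabled = True
        elif line.startswith("ip http access-class "):
            http_access_class = line.split()[-1]
    if http_enabled:
        findings.append(("ip http server", "HTTP_CLEARTEXT_ENABLED"))
    if (http_enabled or https_enabled) and http_access_class is None:
        findings.append(("ip http", "HTTP_NO_ACCESS_CLASS"))
    if v3_groups == 0:
        findings.append(("snmp-server", "NO_SNMPV3"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(review_config(cfg))} finding(s)")
        for line, code in review_config(cfg):
            print(f"  {code:24} {line}")
```

Feed it the saved output of "show running-config" from each sampled device. Two caveats when reading the results: an ACL on a community only limits which source addresses can use it, so a read-write community with an ACL is still a finding to discuss; and SNMPv3 users ("snmp-server user") are not shown in the running configuration on IOS, so confirm v3 accounts with "show snmp user" rather than from this file.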

IT: Operations

Internal Control Review
Centralized Location
- Does the LAN administrator have a backup person?
- Does the LAN administrator monitor the LAN response time, disk storage space, and LAN utilization?
- Is the LAN administrator assigned responsibility for troubleshooting LAN problems?
- Is the LAN administrator experienced in and familiar with operation of the LAN facility?
Site Location
- Does the LAN administrator have a backup person?
- Does the LAN administrator monitor the LAN response time, disk storage space, and LAN utilization?
- Is the LAN administrator assigned responsibility for troubleshooting LAN problems?
- Is the LAN administrator experienced in and familiar with operation of the LAN facility?

Detail Testing
Site Location
- If available, obtain the LAN application operating schedule. Are key LAN-based financial and operational applications adequately addressed with regard to frequency of processing?
- Interview the LAN administrator to determine if this person is knowledgeable and properly trained.

IT: Physical Security

Internal Control Review
Centralized Location
- Are the following access procedures in place: appropriate granting and discontinuance of authorizations? control over passkeys? post-emergency reentry procedures? controls over entry by time of day? Are there specific exclusions to policy?
Site Location
- Are the following access procedures in place: appropriate granting and discontinuance of authorizations? control over passkeys and keys? post-emergency reentry procedures? controls over entry by time of day? Are there specific exclusions to policy?
- Observe and inquire about the physical security of the Computer Systems room.
- Are alarm events logged and routinely reconciled to actual events?
- List any network monitoring packages used, along with the manufacturer and version. Obtain a list of the authorized users. Determine that any unauthorized network monitoring software is strictly prohibited and that access to authorized software is approved by IT management.
- Determine whether adequate segregation of duties exists between those responsible for the day-to-day network operations and those responsible for the network monitoring software and access controls.
- Assure that access authorization procedures are used for all persons (employees, contract workers, security staff and visitors) requiring access to sensitive areas. (Are photo ID cards or electronic key cards required for entry?)
- Analyze the potential threat posed by fires in adjacent buildings and areas.
- Are alarms installed at all potential entry and exit points of sensitive areas?
- Determine that the physical components of the network are properly secured. This includes wiring closets, demarcation blocks, patch panels, cabling, terminals and LAN stations, as well as the communications processors.
- Review access point control. Are entry/exit logs maintained? Does electronic and/or video surveillance equipment exist?
- Determine whether there are documented procedures to ensure that all changes made to the physical network are detected and authorized.
- Is the LAN file server housing locked or otherwise secured to prevent removal of boards, chips, and the computer system?
- Determine if the plant utilizes a "Certificate of Understanding" for all employees with access to Personal Computers, as required by Policy. This document should be distributed by the LAN Administrators at the plant to all personnel.

Detail Testing
Site Location
- Review the change management log and compare it to the current system to check for unauthorized changes.
- Obtain a wiring diagram of the physical network at the location. With the help of the local IS manager, tour the physical network and ensure that the wiring diagram is up to date.
- Observe the LAN wiring closet and transmission wiring and verify that they are physically secured.
- Obtain a copy of the key logs for the file server room and the wiring closet. Match the key logs to actual keys that have been issued. Are all keys held and assigned to the appropriate people (e.g., LAN administrator and support staff)?

IT: Service Agreements

Internal Control Review
Site Location
- Is vendor reliability considered before purchasing LAN hardware and software?
- Is a service log maintained to document vendor support servicing?
- Do LAN hardware and software purchase contracts include statements regarding vendor support and licensing?

Detail Testing
Site Location
- On a sample basis, select LAN hardware and software contracts. Are vendor support requirements clearly defined? Are product licensing restrictions clearly identified?
- Obtain the service log and look for software or hardware that has been subject to numerous problems and vendor-assisted support. Can management and the users support or justify the activity?
- From the sample of LAN hardware and software contracts, determine if the vendor is reliable. Such information can be obtained from trade periodicals, financial reporting services (e.g. Standard & Poor's), trade associations, and MIS management.
- Obtain a copy of the negotiated service level agreement from the IS department, noting specific performance requirements. Compare the agreement with the performance reports to ensure that IS is meeting the agreement.

IT: Telecommunications

Audit Prep Work
Site Location
- Determine whether Corporate IS is involved in any major telecommunications changes or planning.

Internal Control Review
Centralized Location
- Determine: a) the network topology provides at least 2 connections to the company network (required for MFG/Pro US plants); b) the network topology provides 2 connections to the CUSTOMER in a JIT environment.
Site Location
- Determine if the site has any direct internet connections. This may be done by asking the LAN Admin if they are running a firewall. Also ask if the plant is hosting any web applications or web servers, which may be an indication of an external connection.
- Determine: a) the network topology provides at least 2 connections to the company network (required for MFG/Pro US plants); b) the network topology provides 2 connections to the CUSTOMER in a JIT environment.
- Document the access control security features in place, including call-back and authentication. Determine whether the controls are adequate given the level of access granted.
- Verify that vendor connections from remote locations for diagnostics and maintenance are initiated by the site and not by the vendor. Ensure that vendor accounts are disabled when not in use and that the passwords are changed on a regular basis.
- Determine whether dial-in phone numbers are kept confidential and only distributed on a need-to-know basis. These numbers should not be published in newsletters or in internal or external directories.
- If toll-free numbers are used, determine whether the carrier is used to limit their use based upon the time of day and calling party location. Determine whether call activity reports are reviewed for potential unauthorized access.
- Obtain an understanding of the procedures for obtaining an analog telephone line. Ensure that the installers have written authorization and that any line to be connected to a modem has been authorized by IS.

Detail Testing
Site Location
- Obtain a list of all authorized dial-in ports and modems, as well as the phone numbers for these lines, and compare it to a list of the phone numbers of analog lines coming into the site.
- Test any unauthorized analog lines for unauthorized modems by dialing the number and waiting for the computer recognition tones.

IT: Virus Protection

Internal Control Review
Centralized Location
- a) Determine the level of virus protection established on servers and workstations, b) and the monitoring of infection being done by IS administration. c) The virus application should be updated on a monthly basis.
Site Location
- a) Determine the level of virus protection established on servers and workstations, b) and the monitoring of infection being done by IS administration. c) The virus application should be updated on a monthly basis.

Note: monthly is the floor this program sets. Current antivirus products fetch signature updates automatically, typically daily or more often, so the test is whether updates are actually arriving on every server and workstation (check the last-update date on a sample of machines), not just whether an update policy exists.
