IT GENERAL CONTROLS AUDIT WORK PROGRAM

Source: www.knowledgeleader.com

Table of Contents
IT GENERAL CONTROLS AUDIT WORK PROGRAM: DESIGN ASSESSMENT
IT GENERAL CONTROLS AUDIT WORK PROGRAM: COMPUTER OPERATIONS
IT GENERAL CONTROLS AUDIT WORK PROGRAM: PROGRAM DEVELOPMENT
IT GENERAL CONTROLS AUDIT WORK PROGRAM: SAMPLE 4

IT GENERAL CONTROLS AUDIT WORK PROGRAM: DESIGN ASSESSMENT

Key Contacts:

Fieldwork Dates:

Internal Audit Team:

OBJECTIVES
The purpose of this work program is to evaluate the design of the IT general controls (ITGC) environment that supports (Company), including the infrastructure, applications, policies and procedures. ITGCs will be identified through meetings with key IT personnel and reviews of supporting policies and procedures. The design of (Company)’s ITGCs will be evaluated by comparing current-state practices with leading IT practices (e.g., COBIT, ITGI, etc.). Additionally, a limited sample of transactions will be selected to test operating effectiveness where ITGCs appear to be designed effectively. Control gaps will be identified where current-state practices deviate from leading IT practices and/or associated (Company) policies and procedures, and recommendations will be provided for observations noted.

IN-SCOPE APPLICATIONS
Management identified the following applications as the most critical to business operations; they are therefore in scope for this assessment:
• TBD
• TBD
• TBD

CONTENTS
• Manage security.
− Ensure systems security.
− Manage the configuration.
• Manage change.
• Manage operations.
− Data
− Interfaces
− Incidents
− Business Continuity/Disaster Recovery
− Third-Party Service Providers

Control Activity | Work Steps | Test Results

Manage Security

Ensure Systems Security

Controls provide reasonable assurance that in-scope applications and subsystems are appropriately secured to prevent unauthorized use, disclosure, modification, damage or loss of data.

Control activity: An information security policy exists and has been approved by senior management.
Work steps:
• Obtain a copy of the information security policy.
• Confirm that the policy addresses user authentication, password complexity and system security.
• Confirm that the policy has been reviewed and approved by senior management.

Control activity: Access to in-scope applications requires a unique user ID and password assigned to each user.
Work steps:
• Confirm that access to the in-scope applications requires the use of a password.
• Confirm that desktops are required to use passwords.

Control activity: Default application accounts are secured/disabled, or their passwords are changed.
Work steps:
• Confirm that default accounts (if any) are not used for interactive login.
• Confirm that the usage of default accounts (if any) is limited to one individual.

Control activity: Users are authenticated to in-scope application(s) through passwords or other authentication mechanisms. Password controls are implemented following leading practices (e.g., password complexity, minimum length, password history, etc.).
Work steps:
• Obtain a screenshot of the password and authentication settings of the in-scope application(s).
• Confirm that password and authentication controls follow leading practices.

Control activity: IT operating procedures exist to govern the addition and modification of user access to in-scope application(s). Specifically, access is granted based on business needs and segregation of duties and requires appropriate management approval.
Work steps:
• Obtain the policies or procedures that govern the addition and modification of user accounts.
• Obtain a sample access request form (or similar) for a newly added or modified user.
• Confirm that the user access provisioning policies and/or procedures were followed for the sample user with new or modified access.
• Confirm that the sample access request form was appropriately approved, and access was granted based on business needs.

Control activity: Employee access to in-scope application(s) and supporting systems is revoked promptly upon the notification of employment termination.
Work steps:
• Obtain the policy or procedures that govern the termination of user accounts.
• Select a sample employee terminated during the fiscal year.
• Confirm that the user access termination policies and/or procedures were followed.
• Confirm that the sample terminated employee does not have access to any in-scope applications and supporting servers.

Control activity: A review of user access to in-scope application(s) is periodically conducted to confirm that access rights are appropriate based on job roles and responsibilities.
Work steps:
• Obtain a sample copy of a recent user access review.
• Confirm that the sample user access review includes all in-scope applications/systems.
• Confirm that the access review was reviewed and approved by an appropriate member of management.

Control activity: IT security administration monitors and logs security activity for in-scope application(s) and supporting systems, and identified security violations are reported to senior management.
Work steps:
• Confirm whether logging is in place for key servers.
• Confirm that a process is in place to regularly review logs of administrator activity.

Control activity: Administrative access to in-scope application(s) is strictly limited to the IT associates responsible for security administration.
Work steps:
• Obtain a system-generated list of all users with administrative access to the in-scope application(s).
• Confirm that administrative access to in-scope applications is based on business needs and that duties are appropriately segregated.

Control activity: Physical access to the servers and network infrastructure devices that support the in-scope application(s) is limited to authorized personnel and requires appropriate identification and authentication.
Work steps:
• Confirm that the physical location of the servers and network infrastructure devices that support the in-scope application(s) is secure and limited to authorized personnel.
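The termination, user access review and administrative access work steps above all reduce to reconciling a system-generated account list against HR data and a job-role list. As an added illustration (this script is not part of the work program and is not KnowledgeLeader's material), the following Python performs that reconciliation on constructed sample data. Every user ID, application, job title, date and the one-day revocation grace period are assumptions made for the example; in fieldwork the inputs would be the system-generated user list and the HR termination report the work steps ask for.

```python
"""Hypothetical access reconciliation for the 'Ensure Systems Security' work steps.
All sample data below is constructed for the example; nothing comes from a real system."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, List, Dict, Set, Tuple


@dataclass(frozen=True)
class Account:
    user_id: str
    application: str          # in-scope application the account belongs to
    enabled: bool
    is_admin: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Employee:
    user_id: str
    job_title: str
    termination_date: Optional[date]   # None = still employed


# Constructed sample inputs (assumed, not from (Company) or any real system).
IN_SCOPE_APPS: Set[str] = {"GL", "AP"}
EMPLOYEES: List[Employee] = [
    Employee("alice", "Security administrator", None),
    Employee("bob", "AP clerk", date(2024, 3, 15)),
    Employee("carol", "Controller", None),
    Employee("dave", "Developer", date(2024, 6, 1)),
]
ACCOUNTS: List[Account] = [
    Account("alice", "GL", True, True, date(2024, 9, 1)),
    Account("bob", "AP", True, False, date(2024, 4, 2)),    # still enabled after termination
    Account("carol", "GL", True, False, date(2024, 9, 3)),
    Account("carol", "AP", True, True, date(2024, 9, 3)),   # admin rights outside security administration
    Account("dave", "GL", False, False, date(2024, 6, 5)),  # disabled now, but used after termination
    Account("svc_batch", "AP", True, False, None),         # no HR record at all
]
REVIEWED_APPS: Set[str] = {"GL"}            # applications the last access review covered (constructed)
REVOCATION_GRACE = timedelta(days=1)        # assumed reading of 'promptly' for this example


def _terminations(employees: List[Employee]) -> Dict[str, date]:
    return {e.user_id: e.termination_date for e in employees if e.termination_date}


def terminated_with_access(employees, accounts) -> List[Tuple[str, str]]:
    """Enabled accounts that belong to terminated employees (termination step, exception if non-empty)."""
    term = _terminations(employees)
    return sorted((a.user_id, a.application) for a in accounts if a.enabled and a.user_id in term)


def late_revocations(employees, accounts) -> List[Tuple[str, str]]:
    """Accounts used after termination date plus grace period, i.e. revocation was not prompt,
    even if the account has since been disabled."""
    term = _terminations(employees)
    return sorted((a.user_id, a.application) for a in accounts
                  if a.user_id in term and a.last_login is not None
                  and a.last_login > term[a.user_id] + REVOCATION_GRACE)


def orphan_accounts(employees, accounts) -> List[str]:
    """Enabled accounts with no matching HR record; these need an owner in the access review."""
    known = {e.user_id for e in employees}
    return sorted(a.user_id for a in accounts if a.enabled and a.user_id not in known)


def review_coverage_gap(in_scope: Set[str], reviewed: Set[str]) -> List[str]:
    """In-scope applications the sampled user access review did not cover."""
    return sorted(in_scope - reviewed)


def admins_outside_security_admin(employees, accounts) -> List[Tuple[str, str]]:
    """Enabled admin accounts held by people whose job is not security administration
    (administrative access / segregation-of-duties step)."""
    title = {e.user_id: e.job_title.lower() for e in employees}
    return sorted((a.user_id, a.application) for a in accounts
                  if a.is_admin and a.enabled and "security administrator" not in title.get(a.user_id, ""))


def run_all() -> Dict[str, list]:
    """Collect every check into one findings dictionary for the working papers."""
    return {
        "terminated_with_access": terminated_with_access(EMPLOYEES, ACCOUNTS),
        "late_revocations": late_revocations(EMPLOYEES, ACCOUNTS),
        "orphan_accounts": orphan_accounts(EMPLOYEES, ACCOUNTS),
        "review_coverage_gap": review_coverage_gap(IN_SCOPE_APPS, REVIEWED_APPS),
        "admins_outside_security_admin": admins_outside_security_admin(EMPLOYEES, ACCOUNTS),
    }


if __name__ == "__main__":
    for check, findings in run_all().items():
        print(f"{check}: {findings or 'no exceptions'}")
```

Each function returns the exceptions for one work step, so an empty list is a clean result and anything else is an item to document in the Test Results column. The last-login check is worth keeping separate from the enabled-account check: an account that was disabled eventually but used for weeks after termination is a timeliness exception even though it passes the point-in-time test.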

Manage the Configuration


Controls provide reasonable assurance that IT components, as they relate to security and processing, are well
protected, prevent any unauthorized changes, and assist in the verification and recording of the current
configuration.

Control activity: In-scope application(s) and supporting systems are properly configured to provision access based on the individual's demonstrated need to view, add, change or delete data.
Work steps:
• Determine if servers have been configured to prevent unauthorized access (e.g., users cannot access the database directly and users cannot access system files/folders).

Control activity: In-scope application(s) and supporting systems are regularly updated with approved software patches.
Work steps:
• Obtain any relevant patch management policy and review it.
• Confirm that policies are regularly followed and reviewed.

Control activity: Procedures across the organization exist to protect information systems and technology from computer viruses.
Work steps:
• Confirm that anti-virus software has been installed on all in-scope application servers (if Windows servers are used).

Manage Change

Manage Changes
Controls provide reasonable assurance that system changes of in-scope applications are authorized and
appropriately tested before being moved to production.

Control activity: Systems development lifecycle (SDLC)/change management policies and procedures are in place and consider the development and acquisition of new applications and changes to existing applications.
Work steps:
• Obtain a copy of the SDLC methodology and/or change management procedures.
• Verify whether SDLC/change management policies and procedures have been published and are available for review by relevant stakeholders.

Control activity: Requests for changes to in-scope application(s), including data changes, are standardized, logged, approved, documented and subject to formal change management procedures.
Work steps:
• Select a sample of changes and confirm that the sample change followed the change management procedures and processes. Specifically, verify that each sample change was documented, approved and tested before the promotion into production.

Control activity: Access to migrate program changes into production for in-scope application(s) is restricted to authorized individuals.
Work steps:
• Confirm that access is restricted to authorized individuals and based on business needs.

Manage Operations

Manage Data
Controls provide reasonable assurance that data recorded, processed and reported remains complete,
accurate and valid throughout the update and storage process.

Control activity: Management has implemented a strategy for cyclical backup of in-scope application(s) and data.
Work steps:
• Obtain a copy of the backup policy.
• Select a sample of backup schedules and confirm that they are configured to comply with the policy.
• Confirm that failed backups are investigated, escalated and resolved.

Control activity: Backup media is stored in a secure location (e.g., fireproof safe and off-site location).
Work steps:
• Confirm that backup tapes are stored in a secure location.
• Confirm that the retention period for backup tapes is sufficient to allow for recovery in the event of a disaster.

Control activity: Backup media of in-scope application(s) is tested periodically for successful recovery.
Work steps:
• Obtain supporting evidence that backup media of in-scope application(s) is tested for successful recovery.
• Confirm that failed backup restores are investigated, escalated and resolved.

Manage Interfaces
Controls provide reasonable assurance that data in transmission to and from applications and databases
remains complete, accurate and valid.

Control activity: An interface map or other document contains a library of all interfaces. Periodic reconciliations of in-scope application interfaces are in place.
Work steps:
• Obtain an interface map or other system documentation showing the interfaces that exist within the environment.
• Confirm that the map accurately shows all interfaces and was recently updated.

Control activity: Interfaces are monitored to confirm that all data is accepted and processed and that expected results are received.
Work steps:
• Determine the mechanism for monitoring in-scope application interfaces and confirm that interface errors and issues are appropriately detected, communicated, corrected and resolved.

Control activity: Contingency plans are in place for situations of interface inoperability.
Work steps:
• Confirm that contingency plans are in place for situations of interface inoperability for all in-scope application interfaces.

Manage Incidents
Incidents are recorded on time to enable tracking and root cause analysis.

Control activity: Incidents are tracked and recorded in a problem management system. The status of incidents is regularly updated and reviewed.
Work steps:
• Obtain a copy of the incident management policies and/or procedures.
• Confirm that incidents are recorded in a problem management system.
• Confirm that incidents are prioritized based on severity.

Control activity: An escalation procedure exists, allowing for alerting higher levels of service management when critical or unresolved incidents occur.
Work steps:
• Obtain a copy of the incident management policies and/or procedures.
• Confirm that an escalation procedure exists, allowing for routing incidents to appropriate individuals based on needs.

Business Continuity/Disaster Recovery


A business continuity/disaster recovery program is in place and is aligned with the business needs.

Control activity: Formal business continuity/disaster recovery procedures exist and consider all in-scope application(s).
Work steps:
• Obtain a copy of the business continuity/disaster recovery procedures and confirm that the procedures consider all in-scope applications and supporting systems.

Third-Party Service Providers


Controls provide reasonable assurance that third-party services are secure, accurate and available; support
processing integrity; and are defined appropriately in performance contracts.

Control activity: Third-party service provider performance is periodically evaluated (could be through a review of a SAS 70 report or equivalent), and any issues are escalated and addressed as necessary.
Work steps:
• Identify any third-party providers of key IT services.
• Determine what mechanisms are in place to confirm that third-party services are secure, accurate and available; support processing integrity; and are defined appropriately in performance contracts.

IT GENERAL CONTROLS AUDIT WORK PROGRAM: COMPUTER OPERATIONS

PROJECT TEAM (LIST MEMBERS)

Project Timing Date Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

AUDIT OBJECTIVES
The purpose of this work program is to outline the IT general controls that should be tested, review the results of
management’s testing and document the procedures to test each control. This specific review focuses on
computer operations.

Document what procedures to perform to conclude the operating effectiveness of the controls identified, including
a specific description of the nature, timing and extent of procedures to perform. For all controls that are tested at
an interim date, list the procedures performed to roll forward the interim testing to period-end.

Time Project Work Steps Initial Index

Audit Procedures

Determine if management has implemented appropriate backup and recovery procedures so that necessary data, transactions and programs for financial reporting can be recovered.

Determine if effective procedures exist and are followed to periodically test the effectiveness of the restoration process and the quality of backup media relevant to systems and applications used during financial reporting processes.

Determine if appropriate controls are in place over the backup media for systems and applications used during financial reporting processes. This should include a review to determine if only authorized people have access to the tapes and tape storage.

Determine that management has defined and implemented problem management procedures to record, analyze and resolve incidents, problems and errors on time for systems and applications used during financial reporting processes.

Determine that management has implemented procedures to ensure accuracy, completeness and timely processing of system jobs, including batch jobs and interfaces, for relevant financial reporting applications or data.

Document the results of management’s testing and describe any deficiencies noted by management.

Management’s Assessment

The purpose is to support our overall assessment of management’s evaluation process and document internal audit’s evaluation of management’s tests of operating effectiveness for the related audit objective. Specifically, address the following key considerations:
• Were procedures sufficient to assess design and operating effectiveness?
− Consider the nature, timing and extent of management's procedures.
• Were findings supported based on the testing performed?
• Were exceptions/deficiencies adequately documented and followed up?

Conclude on the operating effectiveness of the controls over this audit objective and document any deficiencies noted. Weaknesses in pervasive controls cause the auditor to alter the nature, timing or extent of tests of operating effectiveness that would otherwise have been performed.

Document the impact of any deficiencies on the planned testing of other controls.

IT GENERAL CONTROLS AUDIT WORK PROGRAM: PROGRAM DEVELOPMENT

PROJECT TEAM (LIST MEMBERS)

Project Timing Date Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

AUDIT OBJECTIVES
The purpose of this work program is to outline the IT general controls organizations must test, review the results
of management’s testing and document the procedures to test each control. This specific review focuses on
program development.

Document what procedures to perform to conclude the operating effectiveness of the controls identified, including
a specific description of the nature, timing and extent of procedures to perform. For all controls that are tested at
an interim date, list the procedures performed to roll forward the interim testing to period-end.

Time Project Work Steps Initial Index

Audit Procedures

Determine that management has controls in place to ensure that new program and
infrastructure developments and acquisitions have been approved by an
appropriate level of both IT and business management.

Determine that management has controls in place to ensure that an adequate program development methodology is in place and is followed for the development or acquisition of systems/applications used during financial reporting processes. When new systems are implemented or modified, controls are added, modified or redesigned so that applicable control objectives are achieved.

Determine that controls exist to ensure that there is adequate testing for the
development or acquisition of systems/applications used during financial reporting
processes and that testing is signed off by both users at an appropriate level of IT
and business management.

Determine that management has controls in place to ensure that appropriate system, user and control documentation is developed for new systems and applications used during financial reporting processes.

Determine that there are controls in place to ensure that data migrated to the new
application or system used during financial reporting processes retains its integrity.


Determine that management has controls in place to ensure that users are trained
on new systems/applications used during financial reporting processes under an
appropriately defined training plan.

Determine that a post-implementation review is performed to ensure that new financial reporting systems/applications are operating properly.

Document the results of management’s testing and a description of any deficiency noted by management.

Conclusion on Operating Effectiveness of Internal Controls

To support our overall assessment of management’s evaluation process, document internal audit’s evaluation of management’s tests of operating effectiveness for the related audit objective. Specifically, address the following key considerations:
• Were procedures sufficient to assess design and operating effectiveness?
− Consider the nature, timing and extent of management’s procedures.
• Were findings supported based on the testing performed?
• Were exceptions/deficiencies adequately documented and followed up?

Conclude on the operating effectiveness of the controls over this audit objective and document any deficiencies noted. Weaknesses in pervasive controls cause the auditor to alter the nature, timing or extent of tests of operating effectiveness that would otherwise have been performed.

Document the impact of any deficiencies on the planned testing of operating effectiveness of other controls.

IT GENERAL CONTROLS AUDIT WORK PROGRAM: SAMPLE 4

PROJECT TEAM (LIST MEMBERS)

Project Timing Date Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

AUDIT OBJECTIVES
The purpose of this work program – focused on access to programs and data – is to outline the IT general
controls to be tested, review the results of management’s testing and document the procedures to test each
control.

Document the procedures to be performed to conclude the operating effectiveness of the controls identified,
including a specific description of the nature, timing and extent of procedures to be performed. For all controls that
are tested at an interim date, list the procedures performed to roll forward the interim testing to period-end.

Time Project Work Step Initial Index

Audit Procedures

Determine that information security is managed to guide consistent implementation of security practices and that users are aware of the organization's position with regard to information security, as it pertains to financial reporting data.

Determine that logical and physical access to IT computing resources is appropriately restricted by the implementation of identification, authentication and authorization mechanisms to reduce the risk of unauthorized/inappropriate access to the organization’s relevant financial reporting applications or data.

Determine that procedures have been established so that user accounts are
added, modified and deleted in a timely manner to reduce the risk of
unauthorized/inappropriate access to the organization's relevant financial
reporting applications or data.

Determine that an effective control process is in place to periodically review the appropriateness of access rights in order to reduce the risk of unauthorized/inappropriate access to the organization’s relevant financial reporting applications or data.

Determine that controls used to provide appropriate segregation of duties within key processes exist and are followed.

Document the procedures to be performed to conclude the operating effectiveness of the controls identified, including a specific description of the nature, timing and extent of procedures to be performed. Consider the application of relevant PCAOB auditing standards and AICPA audit and accounting guides.

Conclusion on Operating Effectiveness of Internal Controls

Support the overall assessment of management’s evaluation process and document internal audit’s evaluation of management’s tests of operating effectiveness for the related audit objective. Specifically, address the following key considerations:
• Were procedures sufficient to assess design and operating effectiveness?
− Consider the nature, timing and extent of management’s procedures.
• Were findings supported based on the testing performed?
• Were exceptions/deficiencies adequately documented and followed up?

Conclude on the operating effectiveness of the controls over this audit objective
and document any deficiencies noted. Weaknesses in pervasive controls should
cause the internal auditor to alter the nature, timing or extent of tests of operating
effectiveness that otherwise would have been performed.

Document the impact of any deficiencies on the planned testing of operating effectiveness of other controls.
