Wednesday, November 14, 2012


Topic: IT Controls Audit Program


Here is an audit program you may use if you want to manage and improve your IT operations.

The objective of the checklists contained in this audit program is to support, enable and facilitate IT managers in establishing better the IT function and its components and auditors in evaluating the organizational, security and performance aspects of the IT function of the organization.

T Terms of Reference Checklist

1. Is the CIO/IT Manager reporting to the official / organizational responsibility centre of the IT unit?
2. Are the Terms of Reference detailed enough and tailored to the specific activities of each IT function/department and responsibility centre?
3. Are the Board members and/or executive management of the Company/Organization familiar with these terms of reference and have they been ratified at the appropriate executive / board level?
4. Are the IT department managers familiar with these terms of reference?
5. Are the IT department personnel familiar with these terms of reference?
6. Are the IT user managers familiar with these terms of reference?
7. Are the IT users familiar with these terms of reference?
8. Are these terms of reference aiding the IT managers and staff in discharging their duties?
9. Are these terms of reference known to the external stakeholders of IT (maintenance vendors, society interest groups, community groups, regulatory agencies, etc.)?
10. Is the IT function structured effectively to serve the Organization and its divisions / functions: as a separate division, or as a part of another division, or interfacing with an outsource entity, or shared service among several departments, or a combination of above, or a separate company with its own Board of Directors, and at the right organizational and responsibility level?

IT Performance Assessment Checklist

1. IT Performance Policy: Obtain a copy of the IT performance policy and review with IT management.
2. Assess validity of this policy and usage and up to what level (criteria, user satisfaction etc. ).
3. Operational Statistics: Obtain machine statistics for systems running in the data centre
4. Performance Reporting: Assess how IT management records operational statistics on equipment and systems availability and down -time and how these processing problems (and their resolution) are communicated to end-user and Top Management.
5. Carry out, if possible, a comparison cost analysis of this IT Dept. with other IT units of the Group.
6. Hardware Capacity Planning: Assess computer performance and capacity planning process, especially for computer hardware upgrades.
7. Review the IT Governance Framework.
Consider the following issues: The IT Governance framework should be established and communicated to all. Examine if the IT Governance framework is aligned with a standard model such as COBIT/ISACA, or the ITIL model.
8. Review Key Performance Indicators and their effectiveness for the particular IT function audited.
Consider the following IT performance measures:
Development / maintenance activity (Functions developed worth to users, No. of lines coded / tested / changed, Hours spent on maintenance (person, program)
Operational performance (Timely delivery of reports to users, Average response time, Average availability time, Volume of data stored, Mean time between failures, No. of lines printed, Volume of data maintained, No. of on-line transactions processed)
Financial performance (Adherence to budget, Expenditures on maintenance vs. new development, Expenditures on preventative maintenance, Ratio of administrative (staff)) costs to production (line) costs
Human resource management (Turn over ratios, Training per employee (amounts, hours), Average tenure within the company).

IT Security Assessment Checklist

Basic Management Issues

1. Determine who has responsibility for IT Security for the organization and assess whether it is the right level of management.
2. Ensure that procedures for the preparation, approval, and monitoring of IT strategic plans are implemented and these plans are in alignment with the strategic plan of the organization.
3. Examine the organizational security policy and compare it to the IT security policy to ensure that both of these serve the same purpose and needs.
4. Ensure that the IT security policy contains at least data classification and security penetration testing for all critical IT systems and services.
5. Assess the IT management reporting method to ensure that all IT issues are reported and monitored.
6. Assess the operation of the IT review mechanisms between end-users and IT, such as: Ι.Τ. Steering Committee, User Liaison Group, και Project Steering Committee, etc.
7. Review the resolution procedures for security problems and ensure that these resolve all reported security incidents satisfactorily.
8. Ensure that all security issues are made known via written reports and discussions to higher levels of management, including the board members.
9. Ensure that the evaluation of information security status is executed on the basis of: self-assessments, onsite audit reviews, penetration testing, onsite technical evaluations, ethics assessments, data quality testing, and best practice benchmarking.

Human Resource Management

1. Review the organizational charts and job descriptions to ensure that there is adequate segregation of duties in terms of security issues.
2. Review the training and education programs and budget to ensure that all personnel have been given the approved training on security related matters.
3. Assess the effectiveness of support provided by IT and other security mechanisms to the end-users on IT security issues.

IT Procurement Procedure

1. Review the IT procurement policy and procedures to ensure that all IT purchases are examined from the security perspective.
2. Review a good sample of IT purchase documentation to ensure that the formal IT policy and procedures are been implemented properly.
3. Review the major IT hardware and software contracts to ensure that the formal IT policy and procedures are been implemented properly.
4. Review the Computer Insurance policy of the organization to ensure that major risks of IT hardware and software systems are covered adequately.

Contingency Planning

1. Review the IT contingency plan and ensure that all critical IT systems are covered.
2. Ensure that this plan is reviewed and tested on a periodic basis.
3. Review the backup policy and procedures to ensure that these are adequately implemented and monitored by IT management.
4. Review the backup register to ensure that this is kept up to date.
5. Review both the onsite and offsite vault procedures.
I.T. Legislation Compliance
1. Determine which national and international laws and regulations pertaining to IT issues are relevant to the organization.
2. Ensure that proper licenses exist for all IT software and hardware purchased.
3. Test compliance with IT legislation, including data privacy and copyright issues.

Physical and Environmental Controls

1. Ensure that physical access controls are enforced in accordance with the corporate security policy and professional practices for the following: Wholly owned buildings, Shared buildings, Central computer room and server rooms, Personal computers and work stations, Peripheral equipment, such as: modems, routers, printers, etc., Magnetic and other digital media, and Technical manuals and documentation.
2. Ensure that management controls are enforced to protect buildings, personnel, equipment and media in accordance with the corporate security policy, vendor guidelines, and professional health and safety practices against the following: Fire, Flood, Power fluctuations, Static electricity, Storms, and Food and beverage accidents, etc..

System Development and Maintenance

1. Assess the system development and maintenance procedures to ensure that they are adequate in terms of security in all phases, such as: Analysis, design, construction, testing, implementation, and support.
2. Review the system development and maintenance procedures to ensure that all phases are signed off by the key end-users.
3. Review the programming standards to ensure that they handle the security issues related to interfacing with other operating system software and application systems.
4. Review the program library maintenance procedures to ensure that all programs are fully tested and their movement to production status approved before they are transferred to the production library.

Data Center Operations

1. Assess the adequacy of controls to ensure that the correct production files are used in all application systems running in the data center.
2. Review all logs to ensure that all events are recorded and monitored.
3. Assess the adequacy of backup and recovery procedures.
4. Assess the adequacy of external party maintenance and support procedures.

Software and data security

1. Ensure that general procedures and specific measures are implemented to protect against illegal access to the system, its utilities, the program libraries, the system and application software, the data files, etc.
2. Assess the adequacy of the general procedures and specific measures implemented to protect against illegal access to the system, its utilities, the program libraries, the application software, the data files, etc.
3. Ensure that passwords are used for each set of users and corresponding applications and for each class of actions (update, delete, read, remote access, etc.) and that these passwords are changed according to the corporate password policy.
4. Ensure that users cannot run their own programs to access production libraries and production data.
5. Ensure that IT personnel cannot access production data without specific authorization.

For more on IT controls, see my books:
IT Strategic & Operastional Controls,
available at Amazon and IT Governance



  1. Thanks for profitable information you write it very spotless. I am glad to hear from you.

    benchmarking process improvement

  2. Thank you for sharing. The goal of Maintenance Management Software is to stop the insanity that frustrates and bring detailed, useful information to those who must make a decision in a quick, intuitive manner.