IT audit server Security Checklist

Audit Checklist Management Information Systems ( IT Audit Checklist)

Complete IT Audit checklist for any types of organization.

When you will go for Information System audit means IT audit then you have to perform different tasks. Based on your skill you may perform a lot of taks, but you must have to keep track what tasks you have completed and which tasks are still left. Fot this reason you must have a checklist as a security professional. I have made a complete list here for the IT audit based on my skill and with the help if many professionals. So i hope this will help for the IT audit professionals while they will be in field of security and infrastructure check.

Download IT Audit Checklist word file for print


Audit Objective

Does the organization of data processing provide for adequate segregation of duties?


Audit Procedures

Review the company organization chart, and the data processing department organization chart.

1Is there a separate EDP department within the company?   
2Is there a steering committee where the duties and responsibilities for managing MIS are clearly defined?   
3Has the company developed an IT strategy linked with the long and medium term plans?   
4Is the EDP Department independent of the user department and in particular the accounting department?   
5Are there written job descriptions for all jobs within EDP department and these job descriptions are communicated to designated employees?   
6Are EDP personnel prohibited from having incompatible responsibilities or duties in user departments and vice versa?   
7Are there written specifications for all jobs in the EDP Department?   
8Are the following functions within the EDP Department performed by separate sections:   
 §    System design?   
 §    Application programming?   
 §    Computer operations?   
 §    Database administration?   
 §    Systems programming?   
 §    Data entry and control?   
9Are the data processing personnel prohibited from duties relating to:   
 §    Initiating transactions?   
 §    Recording of transactions?   
 §    Master file changes?   
 §    Correction of errors?   
10Are all processing pre-scheduled and authorized by appropriate personnel?   
11Are there procedures to evaluate and establish who has access to the data in the database?   
12Are the EDP personnel adequately trained?   
13Are systems analysts programmers denied access to the computer room and limited in their operation of the computer?   
14Are operators barred from making changes to programs and from creating or amending data before, during, or after processing?   
15Is the custody of assets restricted to personnel outside the EDP department?   
16Is strategic data processing plan developed by the company for the achievement of long-term business plan?   
17Are there any key personnel within IT department whose absence can leave the company within limited expertise?   
18Are there any key personnel who are being over-relied?   
19Is EDP audit being carried by internal audit or an external consultant to ensure compliance of policies and controls established by management?   


Audit Objective

Development and changes to programs are authorized, tested, and approved, prior to being placed in production.

 Program Maintenance Audit  – Procedures    
Review details of the program library structure, and note controls which allow only authorized individuals to access each library.   
Note the procedures used to amend programs.   
Obtain an understanding of any program library management software used.   
1Are there written standards for program maintenance?   
2Are these standards adhered to and enforced?   
3Are these standards reviewed regularly and approved?   
4Are there procedures to ensure that all programs required for maintenance are kept in a separate program test library?   
5Are programmers denied access to all libraries other than the test library?   
6Are changes to programs initiated by written request from user department and approved?   
7Are changes initiated by Data Processing Department communicated to users and approved by them?   
8Are there adequate controls over the transfer of programs from production into the programmer’s test library?   
9Are all systems developed or changes to existing system tested according to user approved test plans and standards?   
10Are tests performed for system acceptance and test data documented?   
11Are transfers from the development library to the production library carried out by persons independent of the programmers?   
12Do procedures ensure that no such transfer can take place without the change having been properly tested and approved?   
13Is a report of program transfers into production reviewed on a daily basis by a senior official to ensure only authorized transfers have been made?   
14Are all program changes properly documented?   
15Are all changed programs immediately backed up?   
16Is a copy of the previous version of the program retained (for use in the event of problems arising with the amended version)?   
17Are there standards for emergency changes to be made to application programs?   
18Are there adequate controls over program recompilation?   
19Are all major amendments notified to Internal audit for comment?   
20Are there adequate controls over authorization, implementation, approval and documentation of changes to operating systems?   
1Are there formalized standards for system development life cycle procedure?   
2Do they require authorization at the various stages of development – feasibility study, system specification, testing, parallel running, post implementation review, etc.?   
3Do the standards provide a framework for the
development of controlled applications?
4Are standards regularly reviewed and updated?   
5Do the adequate system documentation exist for:   
 §    Programmers to maintain and modify programs?   
 §    Users to satisfactorily operate the system?   
6Have the internal audit department been involved in the design stage to ensure adequate controls exist?   
7Testing of programs – see Program Maintenance.   
8Procedures for authorizing new applications to production – see Program Maintenance.   
9Are user and data processing personnel adequately trained to use the new applications?   
10Is system implementation properly planned and implemented by either parallel run or pilot run?   
11Are any differences and deficiencies during the implementation phase noted and properly resolved?   
12Are there adequate controls over the setting up of the standing data and opening balances?   
13Is a post implementation review carried out?   
14Are user manuals prepared for all new systems developed and revised for subsequent changes?   
15Is there a Quality Assurance Function to verify the integrity and acceptance of applications developed?   
1Are there procedures addressing controls over selection, testing and acceptance of packaged softwares?   
2Is adequate documentation maintained for all softwares purchased?   
3Are vendor warranties (if any) still in force?   
4Is the software purchased, held in escrow?   
5Are backup copies of user/operations manual kept off-site?   
Audit Objective

Is access to data files restricted to authorized users and programs?

Access to Data   
1Is there any formal written data security policy? Consider whether the policy addresses data ownership, confidentiality of information, and use of password.   
2Is the security policy communicated to individuals in the organization?   
3Is physical access to off-line data files controlled in:   
 §    Computer room?   
 §    On-site library?   
 §    Off-site library?   
4Does the company employ a full-time librarian who is independent of the operators and programmers?   
5Are libraries locked during the absence of the librarian?   
6Are requests for on-line access to off line files approved?   
7Are requests checked with the actual files issued and initialed by the librarian?   
8Are sensitive applications e.g. payroll, maintained on machines in physically restricted areas?   
9Are encryption techniques used to protect against unauthorized disclosure or undetected modification of sensitive data?   
10Are returns followed up and non returns investigated and adequately documented?   
1Does a scheduled system exist for the execution of programs?   
2Are non-scheduled jobs approved prior to being run?   
3Is the use of utility programs controlled (in particular those that can change executable code or data)?   
4Are program tests restricted to copies of live files?   
5Is access to computer room restricted to only authorized personnel?   
6Are internal and external labels used on files?   
7Are overrides of system checks by operators controlled?   
8Are exception reports for such overrides pointed and reviewed by appropriate personnel?   
9Are sufficient operating instructions exist covering procedures to be followed at operation?   
10If so, are these independently reviewed?   
11Is integrity checking programs run periodically for checking the accuracy and correctness of linkages between records?   
1Is there any proper password syntax in-force ie minimum 5 and maximum 8 characters and include alphanumeric characters?   
2Are there satisfactory procedures for reissuing passwords to users who have forgotten theirs?   
3Are procedures in place to ensure the compliance of removal of terminated employee passwords?   
4Are system access compatibilities properly changed with regard to personnel status change?   
5Are individual job responsibilities considered when granting users access privileges?   
6Is each user allocated a unique password and user account?   
7Are there procedures in place to ensure forced change of password after every 30 days?   
8Is application level security violations logged?   
9Do standards and procedures exist for follow up of security violations?   
10Do formal and documented procedures exist for use and monitoring of dial up access facility?   
11Is use made of passwords to restrict access to specific files?   
12Do terminals automatically log off after a set period of time?   
13Is there a limit of the number of invalid passwords before the terminal closes down?   
14Are there any administrative regulations limiting physical access to terminals?   
15Are invalid password attempts reported to user department managers?   
16Are restrictions placed on which applications terminals can access?   
17Are keys, locks, cards or other physical devises used to restrict access to only authorized user?   
Audit Objective

Do controls provide reasonable assurance that for each transaction type, input is authorized, complete and accurate, and that errors are promptly corrected?

1Are all transactions properly authorized before being processed by computers?   
2Are all batches of transactions authorized?   
3Do controls ensure unauthorized batches or transactions are prevented from being accepted ie they are detected?   
4Is significant standing data input verified against the master file?   
5Is maximum use made of edit checking e.g. check digits, range and feasibility checks, limit tests, etc.?   
6Are there procedures to ensure all vouchers have been processed e.g. batch totals, document counts, sequence reports, etc.?   
7Are there procedures established to ensure that transactions or batches are not lost, duplicated or improperly changed?   
8Are all errors reported for checking and correction?   
9Are errors returned to the user department for correction?   
10Do procedures ensure these are resubmitted for processing?   
11Is an error log maintained and reviewed to identify recurring errors?   
12Are persons responsible for data preparation and data entry independent of the output checking and balancing process?   
13Are persons responsible for data entry prevented from amending master file data?   

Audit Objective

The controls provide reasonable assurance that transactions are properly processed by the computer and output (hard copy or other) is complete and accurate, and that calculated items have been accurately computed:

1Where output from one system is input to another, are run to run totals, or similar checks, used to ensure no data is lost or corrupted?   
2Are there adequate controls over forms that have monetary value?   
3Is maximum use made of programmed checks on limits, ranges reasonableness, etc. and items that are detected reported for investigation?   
4Where calculations can be ‘forced’ i.e. bypass a programmed check, are such items reported for investigation?   
5Where errors in processing are detected, is there a formal procedure for reporting and investigation?   
6Is reconciliation between input, output and brought forward figures carried out and differences investigated?   
7Are suspense accounts checked and cleared on a timely basis?   
8Are key exception reports reviewed and acted upon on a timely basis?   
1Is there any formal written anti-virus policy?   
2Is the policy effectively communicated to individuals in the organization?   
3Is there a list of approved software and suppliers?   
4Is only authorized software installed on microcomputers?   
5Is there a master library of such software?   
6Are directories periodically reviewed for suspicious files?   
7Are files on the system regularly checked for size changes?   
8Is anti-virus software installed on all microcomputers/laptops?   
9Is anti-virus software regularly updated for new virus definitions?   
10Are suspicious files quarantined and deleted from the terminal’s hard drive and network drive on regular basis?   
11Are diskettes formatted before re-use?   
12Have procedures been developed to restrict or oversee the transfer of data between machines?   
13Is staff prohibited from sharing machines (laptops/desktops)?   
14Is software reloaded from the master diskettes after machine maintenance?   
15Has all staff been advised of the virus prevention procedures?   
16Are downloads from internet controlled by locking the hard-drive and routing it through network drive to prevent the virus (if any) from spreading?   
1Is there any proper policy regarding the use of internet by the employees?   
2Does the policy identify the specific assets that the firewall is intended to protect and the objectives of that protection?   
3Does the policy support the legitimate use and flow of data and information?   
4Is information passing through firewall is properly monitored?   
5Determine whether management approval of the policy has been sought and granted and the date of the most recent review of the policy by the management?   
6Is the policy properly communicated to the users and awareness is maintained?   
7Have the company employed a Firewall Administrator?   
8Is firewall configured as per security policy?   
9Is URL screening being performed by Firewall?   
10Is anti-virus inspection enabled?   
11Are packets screened for the presence of prohibited words? If so, determine how the list of words is administered and maintained.   
12Are access logs regularly reviewed and any action is taken on questionable entries?   
 Physical Protection   
L.IFire Hazard   
1Check the safety against fire in the following ways:   
 §   Building materials fire resistant?   
 §   Wall and floor coverings non-combustible?   
 §   Separation from hazardous areas (e.g. fire doors)?   
 §   Separation from combustible materials (e.g. paper, fuel)?   
 §   Smoking restriction?   
 §   Fire resistant safes (for tapes, disks and documentation)?   
2Check the appropriate arrangements of fire detection devices:   
 §   Smoke/ Heat-rise detectors?   
 §   Detectors located on ceiling and under floor?   
 §   Detectors located in all key EDP areas?   
 §   Linked to fire alarm system?   
3Check the appropriate arrangements for fire fighting:   
 §   Halon gas system (for key EDP areas)   
 §   Automatic sprinkler system   
 §   Portable CO2, extinguishers (electrical fires)   
 §   Ease of access for fire services   
4Check appropriate arrangements in case of fire emergency:   
 §   Fire instructions clearly posted   
 §   Fire alarm buttons clearly visible   
 §   Emergency power-off procedures posted   
 §   Evacuation plan, with assignment of roles and responsibilities   
5Check if there is training to avoid fire emergecny:   
 §   Regular fire drill and training   
 §   Regular inspection/testing of all computing equipment   
 Monitoring of temperature and humidity in EDP area   
 §   Heat, fire and access protection of sensitive air-conditioning parts (eg. cooling tower)   
 §   Air intakes located to avoid undesirable pollution   
 §   Back-up air conditioning equipment   
L.IIIPower Supply   
 §   Reliable local power supply   
 §   Separate computer power supply   
 §   Line voltage monitored   
 §   Power supply regulated (For voltage fluctuation)   
 §   Uninterrupted power supply (eg. Battery system) available   
 §   Alternative power supply (eg. Generator) Emergency lighting system   
L.IVCommunications Network   
 §   Physical protection of communications lines modems, multiplexors and processors   
 §   Location of communication equipment separate from main EDP equipment   
 §   Back-up and dial-up lines for direct lines   
L.VMachine (Servers) Room Layout   
 §   Printers, plotters located in separate area   
 §   Printout preparation (eg. bursting) located in separate area   
 §   Tape/Disk library in separate area Machine room kept tidy   
 §   Practical location of security devices   
 §   Emergency power off switches   
 §   Alarms   
 §   Extinguishers   
 §   Environment monitoring equipment   
L.VIAccess Control   
 Entrance Routes (EDP areas):   
 §   No unnecessary entrances to the computer room   
 §   Non-essential doors always shut and locked to the outside (eg, Fire exits)   
 §   Air vent and daylight access location   
 §   Protected and controlled use of all open doors   
1Access restricted to selected employees   
2Prior approval required for all other employees   
3Entrance door controlled by:   
 §   Screening by a guard   
 §   Locks/combinations   
 §   Electronic badge/key   
 §   Other – biological identification devices   
4Positive identification of all employees (eg. identification card)   
5Verification of all items taken into and out of the computer room   
6Access controlled on 24 hours basis including weekends (eg, automatic control mechanism)   
7Locks, combinations, badge codes changed periodically   
M.IVisitor Control   
1Positive identification always required   
2Badges issued, controlled and returned on departure   
3All visits logged in and out   
4Visitors accompanied and observed at all times   
M.IITerminal Security   
1All terminals located in secure areas   
2Alarm system used to control microcomputers from being disconnected or moved from its location.   
3Sensitive applications eg payroll, maintained on machines in physically restricted area.   
4Terminal keys/locks used   
5Passwords changed regularly   
6Identification labels been placed on each terminal.   
M.IIIGeneral Security   
1Waste regularly removed from EDP area and sensitive data shredded.   
2Window and door alarm system.   
3Closed circuit television monitoring ie CCTV cameras.   
1New employees recruited according to job description and job specification.   
2Employee identity cards issued.   
3Performance evaluation and regular counseling.   
4Continuing education program.   
5Training in security, privacy and recovery procedures.   
6All functions covered by cross training.   
7Critical jobs rotated periodically (e.g. operators, program maintenance).   
8Clean desk policy enforced.   
9Fidelity insurance for key personnel.   
10Contract service personnel vetted (e.g. cleaners)   
1Does adequate insurance exist to cover:   
 §   Equipment?   
 §   Software and documentation?   
 §   Storage media?   
 §   Replacement/ re-creation cost?   
 §   Loss of data/assets (eg. Accounts receivable)?   
 §   Business loss or interruption (business critical systems)?   
2Is adequate consideration given to cover additional cost of working and consequential losses?   
P.IEquipment (computer and ancillary)   
1Regular preventive maintenance   
2Reliable manufacturer service Arrangements for back-up installation Formal written agreement   
3Compatibility regularly checked   
4Sufficient computer time available at back-up   
5Testing at back-up regularly performed   
P.IIOutside Suppliers (non continuance/ disaster)   
(eg, suppliers of equipment, computer time, software)   
1Alternative sources of supply/ maintenance/ service available   
2Adequate and secure documentation/ back-up of data and programs   
3Are backup copies of system documentation kept in a secure location?   
P.IIIOff-site Storage:   
1Secure separate location   
2Adequate physical protection. Log maintained of off-site materials   
3Off- site Inventory regularly reviewed   
4File transportation under adequate physical protection   
5Back-up files periodically tested   
P.IVData Files   
1File criticality and retention procedure regularly reviewed   
1At least three generations of important tape files retained   
2Copies of all updating transactions for above retained   
3At least one generation and all necessary updating transactions in off-site storage   
1Checkpoint/restart procedures provided for   
2Audit trail (log file) of transactions updating on-line files (data base) maintained   
3Regular tape dumps of all disc files stored off-site   
4Audit trail (log file) regularly dumped and stored off-site   
1Copies of following maintained at off-site storage: Production application programs   
 §    Major programs under development   
 §    System and program documentation   
 §    Operating procedures   
 §    Operation and system software   
 §    All copies regularly updated   
 §    Back-up copies regularly tested   
1Back-up procedure manual   
2Priority assignments for all applications   
3Procedures for restoring data files and software Procedures for back-up installation   
1Is a comprehensive contingency plan developed, documented and periodically tested to ensure continuity in data processing services?   
2Does the contingency plan provide for recovery and extended processing of critical applications in the event of catastrophic disaster?   
3Has any Business Impact Analysis carried out by the company?   
4Are all recovery plans approved and tested to ensure their adequacy in the event of disaster?   
5Communicated to all management and personnel concerned   
6Critical processing priorities identified (eg. Significant accounting applications)   
7Are disaster recovery teams established to support disaster recovery plan?   
8Are responsibilities of individuals within disaster recovery team defined and time allocated for completion of their task?   
9Operations procedures for use of equipment and software back-up   
10Has the company developed and implemented
adequate plan maintenance procedures?
11Are priorities set for the development of critical systems?   
12Does a hardware maintenance contract exist with a reputable supplier?   
13Does the recovery plan ensure, in the event of failure:   
 §    No loss of data received but not processed   
 §    No reprocessing of data already processed   
 §    Files not corrupted by partially completed processing   
14Are recovery plans regularly tested?