
IT Internal Control Checklist

The document is an IT internal control checklist designed to assess the effectiveness of IT governance, security management, program change management, physical access controls, environmental controls, IT service continuity, and logical access control within an organization. It includes a series of questions to evaluate compliance and identify potential risks, along with sections for documenting evidence and comments. The conclusion indicates that the internal control over IT in the authority is adequate.

Uploaded by Mohamed Juma

IT INTERNAL CONTROL CHECKLIST

Auditee:                  Reviewed by:    Name    Rank    Date
Period end:               Level 1
Prepared by:              Level 2
Rank:                     Level 3
Date:                     Date:

The following table can be used to document the application systems of the auditee. Its columns are:

 Application name
 Description and purpose of the application
 Modules / subsystems of application used
 Does the system interface with the financial system? Give a brief description of the nature and frequency of the interface.

For identified application systems, complete the following questions. Each question is recorded against the following columns:

 Focus area
 Answer (Yes / No)
 Examples of evidence to be obtained / verified
 What could go wrong if the control has not been implemented?
 Reference to evidence obtained
 Comments

Information Technology governance
1. Does the organization have an IT strategic committee?
2. Does the organization have an IT strategic plan that supports business requirements and ensures that IT spending remains within the approved IT strategic plan?
3. Does the organization have an active IT steering committee?
4. Are there defined roles and responsibilities for each IT function / role-player?
5. Is a training program to build IT capacity in place?
6. Does the entity make use of service providers? If so, are there service level agreements in place with all vendors to whom IT services have been outsourced?

Security management
7. Is there a formally approved IT security policy to ensure data confidentiality, integrity and availability?
8. Does the organization have anti-virus programs installed on all computers, and are they updated regularly?
9. Is there a process in place to ensure up-to-date security on all systems software (patch management process)?

Program change management
10. Are there formally documented and approved processes to manage upgrades made to all financial / performance information systems?
11. When an upgrade is made to the systems, is formal change request documentation completed indicating the change to be made and the reasons for all changes to the financial systems?
12. Do programmers have access to the test and live environments? For packaged systems, does the vendor have access to the production environment?

Physical access controls
13. Are there policies in place which cover physical access to IT environments?
14. Is physical access to sensitive areas (such as the computer room, operations, storage rooms, network rooms etc.) controlled?
15. Is physical access properly controlled after hours?

Environmental controls
16. Are there policies and procedures in place to cover environmental controls?
17. Are the following environmental controls in place:
 Fire suppression systems
 Fire extinguishers
 UPS, generators
 Air conditioning systems (especially in the computer room)
 Humidity and temperature control systems
18. Is there a formal, documented and tested emergency procedure in place?

IT service continuity
19. Does the entity have a disaster recovery plan?
20. Are copies of the IT continuity plan and disaster recovery plan kept off-site?
21. Has a backup and retention strategy been implemented?
22. Are backups performed, verified and checked for successful completion?
23. Are backups stored in a secure offsite storage facility?

Logical Access control
24. Are there formally documented and approved user management standards and procedures in the organization?
25. Are processes in place to review user access rights on the system and whether the rights are in line with users' responsibilities?
26. Does every user have a unique user name?
27.

Conclusion

The following problems / risk areas have been identified in this working paper:
The internal control over IT in the authority is adequate.
