IT AUDIT Questionnaire (IT Audit)

7/27/2019 IT AUDIT Questionnaire (IT Audit)

1/10

.

Page 1 of 10

IT Audit in IAAD some suggestions

Most IT audits in the IAAD revolve around data analysis using IDEA (or whatever

software) and tend to end with it. Thus, rather then following the process of first

carrying out a compliance test and then proceeding with substantive tests to confirm

the results of compliance testing, out IT audits end with substantive procedures. There

is no effort to identify and evaluate the effectiveness of controls. There is no

compliance audit at all. IT audit is a system based audit and must result in an

assurance on the system.

Data analysis throws up many data inconsistencies and/or abnormalities. These are

put as audit findings without any investigations. These need to be investigated. It

could be a wrong audit observation (many cases) or an input mistake or a case of data

overwriting without authority (a security lapse) or wrong programme logic. If it is a

wrong logic, then there must be an identifiable pattern of these observations. That is

backward linkage to a finding of data analysis. Impact of these observations must alsobe evaluated.

The IT security needs to be looked into with more seriousness. Apart from access

controls, we must look for logs, authorizations, trails, back-end security etc. A good

and secure system must have means to identify each date entry/ modification to the

individual who made it.

In most cases, guidelines are prepared on bookish pattern of an IT audit. As these

guidelines bear no relation to the audittee being audited, the final result lacks quality.

Guidelines must be based on a careful study of the system being audited.

We must also bear in mind that the term, IT Audit is a misnomer. We do not audit

technology at all. Information Systems Audit (IS Audit) is a better term. The system

includes manual procedures and controls as well and as such these should also be

addressed through the guidelines.

Mapping of business rules, change management, the re-engineering aspect etc. are

other areas which can be looked into.

The present paper is an effort to put through a few points which will help in preparing

guidelines for an IT audit. These are, by no means, exhaustive. In some cases, none of

them may apply. These points are not supposed to take away the innovativeapproaches, which could be special to an auditor. Hopefully over a period of time,

more points will be added.

An IT Auditor must give an assurance on the reliability of the system. If the controls

are weak or non-existent and our audit results show that the data is unreliable or is not

safe and secure, this must be brought out clearly in the report. In such a scenario,

where the system is not reliable, we must not make any efforts to conclude any money

value loss etc. based on analysis of such unreliable data. Such audit efforts can be

reported as either the VFM aspect (if the investment is large or/and the time taken is

also large) or in terms of the adverse impact which such unreliable system will have

on the organization.

Questionnaire


2/10

.

Page 2 of 10

The System and its usefulness

Before a system is developed, attempt is to be made to get the user requirements. If

these requirements are not captured properly, the resultant system can never provide

enough user satisfaction. Also, a documented system is easy to understand and follow.Audit should aim at assessing users involvement in system development, availability

and usability of the system related documentation and the extent of user satisfaction.

1. Documentation

a. Does a proper and effective documentation exist?

The System Design Document (SDD), User Requirement Survey (URS) and

System requirement Survey (SRS) and the User Manual documents

b. Were these prepared (or got prepared)

c. Are these available?

d. Are there items (functions/processes), which had been provided for in thesedocuments (SDD, SRS and the URS), yet have not been implemented.

e. Prepare a list of all documentation available, studying the extent of reliance of

the auditee on the available documentation

f. Does the system documentation include a data flow diagram or/and flow

chart?

If yes, does the flow chart /data flow diagram represent the system correctly?

g. Are there unfulfilled user requirements?

h. What is the extent of customer satisfaction?

2. About completeness of the system

a. List all outputs (reports, etc.) which the system is capable of producing. This

can be compared with a list of outputs which are actually being produced.

b. Does the system produce all its output without any manual intervention?

c. How many of these outputs are actually being used? Are these reliable, or the

audittee depends on manually prepared reports.

d. If there are reports that have never been printed even once, may examine

further?

e. Are there any reports/output, which are needed but the system is unable to

produce them? If there are reports, which are not being produced, Audit must

distinguish between whether the system is not capable of producing the

desired report, or the system is capable, but the report is not being produced.

In determining the capability of the system in producing such reports, it should

be seen that the data required for producing such report is being captured/

available in the system.

f. How many reports are still being prepared manually? If so, is it when the

system has the capability to produce the reports? If yes, then why are the

reports still being generated manually?

g. Is the parallel system still functioning? If so, compare the manually prepared

reports and computer generated reports.

3. The Hardware


3/10

.

Page 3 of 10

Auditing the Hardware would include the normal expenditure audit and can be

extended to proper inventory control as well as upkeep of the h/w. Improper

maintenance of h/w can result in lack of availability of data/information,

which is one of the seven attributes of data.

a. Look for inventory of assets and examine at the usage, availability, costs,

maintenance practices, AMC costs etc

b. Any approximation to the entire cost of Hardware! How have the h/w

specifications been determined?

c. Is a system of formal reporting of hardware malfunctioning in place?

d. How many instances (say, in last 12 months) of hardware malfunctioning

resulting in temporary disruption to process?

e. What is the frequency of systems slowing down due to hardware mal

functioning? How is the reason for the malfunction attributed to h/w

malfunction?

f. Are such malfunctions documented and reported to the vendor in time?g. Indicate the average (also the longest) duration that the system was down?

h. Any comments on AMC

4. The Software

Auditing the software may involve the following

a. How was it got developed (in-house, outsourced, mixed)? Any comments vis a

vis these choices?

b. Is there a prescribed procedure to document system related deficiencies for

future updates?c. Are logs kept of any software malfunctions? Are such details available?

d. Cost of development

e. What about maintenance of software?

5. The Human ware

a. Has any work study and time and motion study been carried out determining

the time required for particular quantity of work relating to data entry?

b. Has the implementation of system resulted in saving of manpower?

c. Has there been proper and effective training? May examine if training is being

organized separately for the system managers, the Data Entry Operators, and

for the IS Security team

d. On an average how frequently each staff member of the office is provided

training

e. Is there a procedure to document difficulties being faced by individuals while

working on the system so that these can be addressed later?

6. Data - reliability

Data must be reliable, authentic, correct and complete. It must have proper

authorization. IT auditor must observe the process of data input. Input startswith the preparation of an input document, which may take place anywhere.


4/10

.

Page 4 of 10

E.g., in the process of preparing computerized electoral roles the input

document is the enumeration sheet prepared at the home of an individual.

Observing and understanding the entire process may also reveal control

weakness, if any. Supervision as a control to ensure data correctness is an

ineffective control in most cases. However, we never had any comment onsuch issues.

An input control is to be differentiated from a Validation check. A validation

check, at best, can assist an input control; by itself, it cannot guarantee

correctness of input. Validation is part of system design. It has to be conceived

and implemented in the system. Input control can be a part of the

computerized system or it can be a manual procedure etc.

It will be a good idea to list all inputs that go in the system and examine each

of these from compliance audit view point. See, whether adequate input

controls have been provided for and are being enforced properly.

The issue is if correctness of input cannot be guaranteed, the entire system is

useless.

A. The Master data

The master data is of permanent nature as against a transaction data. It should

not require frequent updating. In case, the master data is on more then one

server, it must be consistent.

1. How frequently the master data is examined for its accuracy?2. Is the master data accurate and authentic?3. How often the master data is modified?4. While modifying the master data, is a log kept of the reasons for change,

who authorized the changes, who made the changes etc.?

5. Are all changes documented with dates etc.?6. On modification, is the original data still available in any archive or is it

deleted?

7. Are there blank fields in the Master data base as it exists today?8. In case there are more then one server, does the same master data exist on

all servers?

9. Any comments on input of master data! Was it one time input?10.In cases, where a system has been up dated, the legacy data creates

problems. See, how the data was transported for comments, if any and all

the input controls for the new system has been applied on the data and the

data is cleaned of the unwanted/irrelevant data.

B. The Input Process

Start with listing all input sources for the system.

For each input, try getting the following information


5/10

.

Page 5 of 10

1. Who prepares the input document? Can the accuracy of this inputdocument be certified/ assured?

2. Is there duplicity of input?3. Is the accuracy certified before the input is made?4.

Is documentation available to verify at a later date that the input documentwas prepared accurately? Are there instances when an input document has

undergone changes after it has been input in the system?

5. Is there a prescribed procedure to modify input, if required?6. Are there some relevant and available input documents/ sources or

information which are not being captured?

7. Are the input documents in tune with the system (or vice versa) that hasbeen developed from the point of view of capturing all details of

events/transactions and also from the point of view of ease of use?

C. Validation Checks

Properly designed validation checks (VC) assists input controls in ensuring

accuracy of data. IT auditor may make an attempt to list fields available in the

input document and indicate whether a validation check was provided for in

the SDD and/or it exists in the system for this field or not. The effectiveness of

a validation check may have to be assessed.

D. Input Controls

1. Start with listing Input Controls as provided for in the SDD2. Identify and list input controls, which exist in the system3. Check if supervision as an input control is being carried out and is

effective.

4. Is there any prescribed percentage of input documents to be supervised bya senior officer?

5. Is there a procedure to document and ensure at a later stage that suchsupervisory checks were carried out?

6. Is there a prescribed procedure to ensure that error correction proceduresbased on the result of supervisory checks are carried out?

7. Are the results of supervision and the resultant corrections documented sothat these can be verified at a later date?

8. Is there an attempt to carry out an analysis of input mistakes available,which can act as a management tool?

E. Double Check

1. Is a double check of data being input is carried out to ensure itscorrectness?

2. If yes, to what extent and whether this is being complied with in actualpractice? Also are the results documented?

F. Control Totals as an input control

1. What all control totals exist in the system, if any?


6/10

.

Page 6 of 10

2. For each of the control totals, try to investigate the nature of this controltotal

3. Did this control total exist in the manual system as well?4. Who posts the control total, at what time (before the data entry or after) or

is it system generated?5. Are there occasions when the control total differs from the total of amountposted?

6. How, in such cases, is the total reconciled?G. Any other form of input control and ensuring accountability?

1. Look for macro level indicators for data accuracy or lack of it, e.g. un-reliable reports.

2. How are the data entry mistakes rectified? Is another input sheet prepared?3. Are such modifications documented?4. When previously recorded input is corrected, does the system retainprevious values (for archiving purposes) as well as the current value?5. Does a log exist indicating who had input the data and who made

corrections?

6. Are the input corrections documented and properly authorized?H. General

1. Are common input mistakes kept note of and circulated to all staff?2. If someone intentionally wants to feed incorrect input, can it be prevented/

detected?

3. Does someone certify that all input has been fed completely and correctly?4. Authorization of Input and completeness of input5. Is the procedure for authorizing input and input corrections fully

documented?

6. What are the controls to ensure completeness of input?7. Data Safety and Reliability

Data must be safe and secure at all times, all changes / modifications to data

(including master data) must be documented and properly authorized. In a

good system, it should be possible to link a particular entry (initial or

modification) to the person who made that entry. This requires keeping of

proper logs and existence of a system of review of these logs. These provide a

good and effective audit trail.

The physical access and logical access controls, authorizations to use the

system (complete or partial) or lack of it, hardware security (ports, access to

ports to outsiders etc.), net security, LAN security etc. could be the concern

areas.

Security becomes more important in a client-server environment and for

distributed systems. Many times, back-end security is compromised, thusmaking the system totally unreliable.


7/10

.

Page 7 of 10

A. IS Security

1. Has an officer been given overall responsibility of the IS security?2. Are the users made aware of the IS Security requirements on a frequent

basis?3. Is there a system of recording and reporting security incidents?4. What all audit trails are available in the system?5. If it is a client-server environment, are back-end adjustments possible?6. How many persons are authorized to carry out back-end adjustments?7. Is the process of back-end adjustments fully documented and are logs

available?

8. Has the office classified data based on its criticality?9. Is there a data custodian, who ensures data integrity at all times?10.Are audit trails available along each path to ensure location of deviant

activity?

11.Is the system susceptible to backend adjustments i.e., accessing databaseor programme not through the application?12.Is yes, does adequate supervisory control exist over backend adjustments?13.List transactions that are done backend14.Are logs maintained of individual activities?15.Can the system uniquely identify each event, transaction or activity on the

system to a particular individual?

16.Are passwords periodically changed?17.Does the IS security manager or similar appropriate officer periodically

issue circulars, guidance etc for good IS practices?

18.Are the users also using internet through the same system?19.Are the network security controls e.g. routers, firewalls etc in place?20.Does review of exceptions take place periodically? Is there a formal

process available to follow up the exceptions?

21.Are only needed drives active? Is there a control on the use of the diskdrives and copying of the contents from the computer?

B. Change Control Procedures

1. Is there adequate change control procedure in place to ensure that thesoftware is not modified unauthorisedly?

2. In case of modifications, are these recorded and properly approved?3. How is the need for such modifications assessed?4. In distributed systems, is the same version running on all machines?

C. Virus Protection

1. Is a security drill prescribed and is in use to ensure that the system isprotected from virus etc. from the net?

2. Is there a formal and documented method for reporting security incidentsand their escalation?

D. Storage Controls


8/10

.

Page 8 of 10

Integrity of data stored

1. How many persons are authorized to modify the stored data at a later date?2. Is there a log kept and is available to assess the extent and frequency of

changes/modification carried out in the recorded data?3. Is an input sheet or any document prepared and authorized by someonebefore any modification is carried out?

4. Is there a prescribed procedure for such modifications?5. Has someone been appointed as the custodian of data and has been given

the overall responsibility of ensuring integrity of stored data?

6. Has the data and the resulting information been classified as sensitive,confidential, important etc. with a view to determine the security levels

required by each group of data?

7. Was an IS security audit ever carried out?8. Is a hot copy of the database taken daily and the transaction files

maintained to rebuilt the database up to the current point in case of loss ofdata

9. Is the back up kept in a location outside the office?10.Are backups periodically tested?11.Is the database tested periodically for consistency?12.Is record of testing database and backups maintained?13.Is a master copy of the software maintained securely with designated

official?

14.Is the compiled version of software compared with that of master copy sothat the same version is running?

15.Is the access control matrix periodically reviewed to keep it up to date?16.Is the storage medium used to maintain live data and backup periodically

tested for defects?

17.Are access rights to system based on formally approved Access Controlmatrix?

18.Are damaged storage devices (medium), e.g. hard disk destroyedappropriately?

19.Are backups sent for safe custody?E. Logs

1. Please list all logs which are being kept by the system?2. Are all these logs printed and reviewed by any authorized person and

necessary action initiated?

3. Is this process properly documented?F. Transmission controls

1. Is there a network administrator, authorized to give away rights to varioususers?

2. Are different users classified and given usage rights accordingly?3. Is there a document available indicating such classification?


9/10

.

Page 9 of 10

G. Processing Controls

Auditing process control may require use of test data or the parallel simulation

techniques. However, the following may be looked into even if these

techniques are not used.

1. Is there some process controls built in system enabling exception reporting(e.g. any abnormal transaction, any inconsistent entry, any repeated

irregularity etc?)

2. Are various rules etc. correctly mapped in the system?3. While processing the data, does the system compare results with some

benchmarking (some sort of validation of results), like budget papers etc.?

4. Concurrency controls: Are proper controls in place to ensure that only oneuser at a time can modify the database?

5. In case of abrupt disruption while processing data, does the system goesback to the State it was before the processing of current transaction wastaken up to ensure atomicity of the transaction?

6. Are run to run control totals maintained to ensure completeness ofprocessing?

7. Do designated supervisory controls exist to verify and confirm that theprocessing is complete?

8. Was specifically generated test data ever run on the system to cover eachof the processing logic paths?

9. If yes, has the testing through test data resulted in adverse observations?10.Has the processing been tested through parallel run?11.If yes, have the results of the parallel run at the final round of testing gave

completely satisfactory results?12.Are the normal processing time metrics (parameters) defined or usually

understood?

13.If yes, is the actual performance over the period of time matching with thenormal targeted performance as regards systems response time etc?

14.Is audit trail built in to ensure that processing and the changes to varioustables can be traced with certainty?

15.Is there a record (manual or electronic) indicating the processing errorsthat would have cropped in while live processing?

16.If yes, are such exceptions appropriately handled?17.Is manual reconciliation of the results of the processing done occasionally

to ensure that the system is functioning as envisaged?

18.Have the integrity constraints like relational integrity and referentialintegrity in the database appropriately tested and found satisfactory? This

will be enabled by data inconsistencies through data analysis.

8. Output controls

1. Are procedures in place to ensure that only authorized persons cangenerate the reports from system

2. Is the system capable of generating output that can be emailed ortransferred otherwise through the internet?3. Is the output distributed only to authorized persons?


10/10

.

Page 10 of 10

9. Feedback

1. Is there a mechanism to elicit formal feedback from users making dataentry and also from other users and customers?2. Look for major achievements as well as major weaknesses or limitations

3. Pl indicate any unique practices/work methods that have been generated4. Is there any need for up gradation of software?5. Are there any limitations of hardware, personnel or processes in system?6. Is the training provided and competence levels of system officials are

commensurate with the work they perform?

7. Identify and investigate serious risks to security of data, hardware andsoftware of system package?

8. Look at the grievance/ complaint registers to ascertain the effectiveness ofthe grievance/ complaint redressal mechanism. This should be looked at

from the point of view of the users(DEO/ Manager etc in the organisation)and the ultimate beneficiaries (customer/citizen) of the system.

10. Other parameters

Obtain and study the data structure for possible comments issues like

normalization etc.

System design can also be studied

Can the system be replicated on a stand alone computer enabling running of

test-data etc.?

Documents

IT AUDIT Questionnaire (IT Audit)