IT General Control Checklist V1.1

The document outlines an audit checklist for assessing IT general controls across various domains, including access management, computer operations, change management, and system development. The audit aims to evaluate the effectiveness of these controls and identify any weaknesses through discussions with IT personnel and review of policies. The checklist includes detailed questions to ensure compliance and effectiveness of IT processes during the audit period from January to December XXXX.

Uploaded by bfaginc
Copyright © All Rights Reserved

General department of internal audit

Audit checklist for IT general controls

Audit scope:
The review aims to assess the general IT controls to ensure that their design is in place and operating effectively. The audit scope will cover the following domains:

A. Logical/physical access management
B. Computer operation
C. Change management
D. System development

Objectives:
To understand the IT general controls and assess their effectiveness while identifying any weaknesses, the IT auditor will conclude the evaluation through meetings with key IT personnel and a review of supporting policies and procedures.

The audit period is 01 January to December XXXX.

Audit checklist

No. | Audit question | Yes | No | N/A | Audit comments


A. Logical/Physical Access Management
1. Is there an IT policy or procedure in place?
2. Is there an access control policy?
3. Do controls exist for the user creation, modification, and termination process?
4. Is there a user naming convention in place for the system?
5. Is the user creation/modification request submitted through a paper form, the system, or email?
6. Does the user creation/modification request form require approval from the user's manager/supervisor, the system owner, or the IT manager?
7. Are user access rights in the system assigned based on the approved access rights or the role matrix?
8. Who is responsible for user creation or modification in the system?
9. Does every individual have their own user ID and password?
10. Are proxy user requests used within the organization?
11. If applicable, is there a procedure for user proxy requests?
12. Does the system automatically revert the proxy permission?
13. Is a user termination request required to include detailed user information and be sent to IT personnel through a paper form, the system, or email?
14. Do IT personnel notify management or the requestor that access has been removed from the system as requested?
15. Does the system allow checking the time of each user's last login?
16. Is there an approved access rights matrix document in place?
17. Does the access rights matrix require approval by the system owner/IT management?
18. Is the access rights matrix periodically reviewed? If yes, how often (monthly/quarterly/annually)?
19. In the case of an access rights matrix modification after review, is a request approval form required before changes are made in the system?
20. Does the manager of each department that uses the system periodically review current user access rights (including superuser, administrative access, and/or generic IDs) to ensure that access remains appropriate to job responsibilities?
21. If IT personnel perform the user access review, how do they confirm the appropriateness of access rights? Is the review based on the approved access rights matrix?
22. Do IT personnel provide the user access rights report, generated from the system or manually, to the relevant management for review?
23. If there is any modification of a user's access within the system, is a request approval form required before the change is made?
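
The periodic access review asked about in questions 7, 13, 15 and 20 to 23 can be evidenced with a reconciliation of the system's user export against the approved access rights matrix. The PowerShell below is an added example, not part of the checklist; it assumes a Windows workstation, uses constructed sample data in place of real exports, and the stale-login threshold and generic-ID pattern are placeholders for the organisation's own policy.

```powershell
# Added example, not part of the checklist: reconciles a user access export
# against the approved access rights matrix (questions 7, 13, 15 and 20-23).
# Both inputs below are constructed sample data; a real review would load the
# exports with Import-Csv. The stale-login threshold and generic-ID pattern are
# placeholders the auditor replaces with the organisation's own policy.
$StaleDays        = 90
$GenericIdPattern = '^(generic|shared|svc)'

# Approved access rights matrix: the permissions each role may hold.
$matrix = @'
Role,Permission
Teller,Customer.Read
Teller,Transaction.Post
Supervisor,Customer.Read
Supervisor,Transaction.Approve
'@ | ConvertFrom-Csv

# System user access export joined with HR status and last login (constructed sample).
$users = @'
UserId,Role,Permission,HrStatus,LastLogon
jdoe,Teller,Customer.Read,Active,2024-05-02
jdoe,Teller,Transaction.Approve,Active,2024-05-02
asmith,Supervisor,Transaction.Approve,Terminated,2024-01-15
generic01,Teller,Transaction.Post,Active,2023-11-30
'@ | ConvertFrom-Csv

function Find-AccessException {
    param($Users, $Matrix, [int]$StaleDays, [string]$GenericIdPattern, [datetime]$AsOf)
    # Lookup of approved "Role|Permission" pairs from the matrix.
    $allowed = @{}
    foreach ($row in $Matrix) { $allowed["$($row.Role)|$($row.Permission)"] = $true }
    foreach ($u in $Users) {
        $findings = @()
        if (-not $allowed.ContainsKey("$($u.Role)|$($u.Permission)")) {
            $findings += 'permission not in approved matrix for role'                    # Q7, Q21
        }
        if ($u.HrStatus -eq 'Terminated') { $findings += 'account of terminated employee still present' }  # Q13
        if (($AsOf - [datetime]$u.LastLogon).Days -gt $StaleDays) { $findings += "no login in the last $StaleDays days" }  # Q15
        if ($u.UserId -match $GenericIdPattern) { $findings += 'generic/shared ID requires owner review' }  # Q20
        foreach ($f in $findings) {
            [pscustomobject]@{ UserId = $u.UserId; Role = $u.Role; Permission = $u.Permission; Finding = $f }
        }
    }
}

# Run the review as of the end of the audit period and print the exception report.
Find-AccessException -Users $users -Matrix $matrix -StaleDays $StaleDays `
    -GenericIdPattern $GenericIdPattern -AsOf (Get-Date '2024-06-30') | Format-Table -AutoSize
```

With the sample data the report flags jdoe's Transaction.Approve as outside the Teller role, asmith as a terminated but still present account with a stale login, and generic01 as a generic ID with a stale login; each line is a question for the reviewing manager, not a conclusion.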

Super user/Administrator
24. What controls are in place for high-privilege users (super-users/admins)? Are the user ID and password sealed, under dual control, or held only by IT personnel?
25. If the user IDs and passwords of high-privilege users are kept in a sealed envelope, is access to the envelope restricted to authorized personnel?
26. If high-privilege user IDs and passwords are under dual password control, who handles those passwords? Are they authorized personnel?
27. Does the procedure for requesting high-privilege user IDs and passwords ensure that only authorized officers are able to log in to the system?
28. Is the system able to record an audit trail or activity log of high-privilege users' activity?
29. Is an audit trail or activity log enabled in the system for high-privilege users?
30. Does an authorised independent person periodically review the high-privilege users' activity log?
31. Does the review cover all high-privilege users (super-user/admin users)?
32. Is all significant activity, such as system security and financial-related transactions, defined to facilitate the review?
33. Is there a procedure for the identification, investigation and resolution of exceptions or variances from expectations for high-privilege user activity?
Password security
34. Is there an approved policy for password configuration?
35. Is the password configuration set as individual passwords or centralized password settings?
36. If centralized password settings are used, can individual settings override the central configuration?
37. Have the following password settings been configured?
   - Enforce password history (describe)
   - Maximum password age (describe)
   - Minimum password length (describe)
   - Password must meet complexity requirements (describe)
   - Account lockout duration (describe)
   - Failed login attempts (describe)
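
The six settings under question 37 match the Windows local security policy names, so evidence for that question can be collected from the host itself. The PowerShell below is an added example, not part of the checklist; it assumes a Windows host and an elevated session (secedit needs administrator rights), and the required values in $Required are placeholders to be replaced with the organisation's approved policy.

```powershell
# Added example, not part of the checklist: gathers the six password settings
# listed under question 37 from a Windows host's local security policy and
# marks each Yes/No/N/A, mirroring the checklist columns.
# Assumptions: Windows, an elevated PowerShell session (secedit needs admin rights);
# the required values are placeholders the auditor replaces with the approved policy.
$Required = [ordered]@{
    PasswordHistorySize   = 24   # enforce password history: passwords remembered
    MaximumPasswordAge    = 90   # days
    MinimumPasswordLength = 12   # characters
    PasswordComplexity    = 1    # 1 = password must meet complexity requirements
    LockoutDuration       = 15   # minutes
    LockoutBadCount       = 5    # failed login attempts before lockout
}

function Get-LocalPasswordPolicy {
    # secedit exports the local policy as an INI file; the [System Access]
    # section holds the keys named above as "Key = value".
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') { $policy[$Matches[1]] = [int]$Matches[2] }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $policy
}

function Test-PasswordSetting {
    param([string]$Key, [int]$Actual, [int]$Required)
    switch ($Key) {
        # 0 or -1 here means "never expires" / "no lockout", which fails the control
        'MaximumPasswordAge' { return ($Actual -gt 0 -and $Actual -le $Required) }
        'LockoutBadCount'    { return ($Actual -gt 0 -and $Actual -le $Required) }
        # -1 means the account stays locked until an administrator unlocks it
        'LockoutDuration'    { return ($Actual -eq -1 -or $Actual -ge $Required) }
        'PasswordComplexity' { return ($Actual -eq $Required) }
        default              { return ($Actual -ge $Required) }
    }
}

$policy = Get-LocalPasswordPolicy
$report = foreach ($key in $Required.Keys) {
    # LockoutDuration is absent from the export when no lockout threshold is set
    if ($policy.ContainsKey($key)) {
        $actual = $policy[$key]
        $status = if (Test-PasswordSetting $key $actual $Required[$key]) { 'Yes' } else { 'No' }
    } else {
        $actual = $null; $status = 'N/A'
    }
    [pscustomobject]@{ Setting = $key; Actual = $actual; Required = $Required[$key]; Compliant = $status }
}
$report | Format-Table -AutoSize
```

For domain-joined hosts the effective policy comes from the domain (or a fine-grained password policy) rather than the local export, so the same comparison should be run against the domain policy as well.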
B. Computer Operation
Back up/Restoration
38. Is there an approved procedure for batch/backup monitoring and restoration testing in place?
39. Is all critical or important data required to support the business being backed up? If so, how often?
40. If backups of critical systems, applications, and data are being performed, are they stored in a protected location offsite, or onsite (if applicable)? Please provide details.
41. Is there a fireproof cabinet to store the data backups (onsite and offsite) (if applicable)?
42. Is there a tape inventory? If so, are all tapes labelled as per the defined policy and procedures (if applicable)?
43. Is the data backup process configured as an automated schedule run by the system, or is the data backed up manually?
44. What backup software do you run? Does the software support full, incremental, and differential backups?
45. Is an encryption method used for the data backup?
46. How long is the backup retained before deletion? Is this period compliant with the approved policy?
47. Is there a backup monitoring process in place to ensure that backups complete successfully?
48. Are backup status checklists or automated email notifications in place as backup monitoring evidence?
49. In case of an error during data backup, is there a procedure in place to resolve the issue?
50. Is there a process in place to verify the success of data restoration and the usability of the restored data?
51. If any, what is the frequency of restoration testing? Is it compliant with the approved policy?
52. Who is responsible for verifying the restoration testing data? Are they appropriately authorized persons who can ensure the availability of the data?
Batch processing monitoring
53. Is any job scheduling software being used?
54. If job scheduling software is used, are its files protected from unauthorised changes?
55. What is the batch job schedule frequency/time? Are those jobs properly monitored to ensure completeness/accuracy?
56. Is there a procedure for resolving the issue if a batch job fails, and for ensuring accuracy and completeness after the failure is resolved?
Real-time monitoring
57. Are real-time tasks or interfaces properly monitored to ensure the completeness and accuracy of data transfer?
58. If there are errors in real-time processing, is there a procedure in place to track and resolve them, and is there a process to ensure accuracy and completeness after resolution?
Data centre/server room environment
Server room access (if applicable)
59. Who is permitted access to the server room? Is access to the server room restricted to authorized personnel only?
60. Under what circumstances may others be permitted access?
   - Is the access approved by authorized individual(s)?
   - Is an audit trail of all access to the server room maintained?
61. Is a card-key system in place? If so, how is it maintained?
62. Are periodic reviews conducted to ensure that access to the data centre is restricted to authorized individuals only? If yes, what is the frequency of these reviews?
63. Is the access of terminated/transferred employees revoked?
64. Is it mandatory for employees, vendors, contractors, visitors, and service providers to display their ID cards at all times?
65. Are there key locks on all server racks within the server room?
66. If any, who is responsible for holding the key? Are they authorised responsible staff?
Server room environment
67. Do all perimeter entry points (including emergency exits) have CCTV coverage? If yes, are the CCTV cameras equipped with a night vision feature?
68. Are administrative offices physically separated from other areas of the data centre?
69. Is a very early warning smoke detection system installed in all critical areas of the server room?
70. Are emergency numbers displayed on each floor and in all working areas?
71. Are user instructions for usage clearly marked on each fire extinguisher (check on a sample basis)?
72. Are fire extinguishers hung on the wall with proper signage? Are fire extinguishers easily approachable?
73. Is the fire suppression system installed in automatic mode? If not, are all criteria mentioned in the control description available?
74. Are temperature measurements taken at several locations inside the server room? If yes, what is the frequency (review the temperature measurement records for a sample period)?
75. Are an uninterruptible power supply (UPS) and cooling systems installed in the server room?
Disaster recovery plan
76. Is a current Business Impact Assessment (BIA) in place? If so, when was it last updated?
77. Do you have a Disaster Recovery Plan (DRP)?
78. Is a communication plan included?
79. Are incident and recovery procedures and policies (both automated and manual) properly documented?
80. Does the DRP require an alternate site for recovery?
81. Does the DRP specify the level of service (which the business owner has agreed to be acceptable) to be provided while in recovery mode?
82. Does the DRP identify the hardware and software that are critical to recovering the essential business functions?
83. Does the DRP identify the necessary support equipment (forms, spare parts, office equipment, etc.) required to recover critical business functions?
84. Do they have an uninterruptible power supply (UPS) for critical systems and/or business area workstations?
85. Do they have a backup generator? If so, how long can it run while supporting critical systems, technical staff, and business area workstations?
86. Do they have a hot/cold/warm site vendor on contract? If so, does the vendor have UPS and generator backup?
87. Is a current copy of the DRP maintained off-site?
88. Is there an audit trail of the changes made to the Disaster Recovery Plan?
89. Do all users of the DRP always have ready access to a current copy and/or copies?
90. Do all employees responsible for the execution of the DRP receive training?
91. Is all critical or important data required to support the business being backed up? If so, how often? If not, please list the business areas/applications that are covered and those that are not covered.
92. Is a training, testing and exercise (TT&E) plan included?
93. Does the TT&E plan list the exercise type, sequence, and frequency of occurrence?
94. How often is the DRP exercise conducted?
95. Has the team determined that the Disaster Recovery Plan and exercises meet all requirements to provide reasonable assurance that the plan will work in the event of a disaster?
96. Has the corrective action plan been completed and closed?
97. Are DRP maintenance procedures and schedules in place? How often are they performed?
98. Has the summary of changes made to the plan since the last submission been documented?
C. Change Management
99. Are approved policies or procedures in place for all change management?
100. Is there a procedure to handle emergency change requests?
101. Are the policies and procedures properly communicated to relevant staff?
102. Is there a periodic review of the change management policy or procedure to ensure that the procedures are aligned and up to date with the current business?
103. Is the change request process appropriately in place?
   - Paper-based request form or system request?
   - Requested and approved by an authorised person?
104. Do controls exist over the testing performed (e.g., unit, integration, regression, and user acceptance testing) based on the nature of the change?
   - Does an appropriate person perform system testing and sign off the results?
   - Does an appropriate person perform user acceptance testing (UAT) and sign off the UAT results?
105. Do controls exist over the migration to production process?
   - Is authorised person approval for migration to production in place?
   - Are the testing and production environments segregated?
   - Is there segregation of duties, so that the developer and the migrator are not the same person?
106. Is version control management in place?
107. Is the most recent version that has been tested and approved applied to production?
108. How are exceptions during testing or change promotion managed, and what criteria approve go-live? Is there control over problem management to resolve exceptions?
D. System Development (new implementation/enhancement)
109. Is there a Software Development Life Cycle (SDLC) policies and procedures document in place to define the SDLC process?
110. Are the business requirements and system specifications properly defined and documented?
111. Who has the authority to approve system specifications for proposed new applications in the following?
   - Business/user department(s)?
   - System development function?
   - Quality assurance function?
112. Is the approval above properly documented?
113. Does the project team have the requisite business and technology skills, including knowledge of internal controls, to ensure proper controls have been defined?
114. Is business approval obtained before moving to the construction phase of the project?
115. Is the system an in-house development, or has it been purchased from a vendor?
116. Are system diagrams, designs, and interfaces/integrations properly developed and documented?
117. Is testing of the developed system properly performed and signed off by an authorised responsible person?
   - Unit testing: the testing of an individual program or module?
   - Interface or integration testing: the testing of the connection of two or more components that pass information from one area to another?
118. Has the below system testing been performed and documented?
   - Recovery testing: checking the system's ability to recover after a failure?
   - Security testing: ensuring that the modified or new system does not introduce any security vulnerabilities that might compromise other systems?
   - Load testing: testing with large quantities of data to evaluate its performance during peak hours?
   - Volume testing: testing with an incremental volume of records to determine the maximum number of records (data) the application can process?
   - Stress testing: testing with an incremental number of concurrent users/services to determine the maximum number of concurrent users/services the application can handle?
119. Has the below final acceptance testing been performed?
   - Quality assurance testing (QAT): focusing on technical testing?
   - User acceptance testing (UAT): to ensure the system is production-ready and satisfies all documented requirements?
120. Are the above testing results properly documented and signed off by authorised persons?
121. Are defects or issues encountered during development and testing properly logged and followed up for resolution?
122. Is there a sign-off document from authorized management for system go-live approval?
123. Is the data conversion/migration methodology plan properly documented and approved by authorised personnel?
124. Are there any procedures to ensure the completeness and accuracy of data from the legacy system to the new system?
125. Is there any data integrity check between the legacy and new system?
126. Is there a final sign-off document to confirm the results of data conversion/migration to the new system?
127. Is there a fallback (rollback) plan in place if the conversion is not successful?
128. Is a post-implementation review in place to ensure that there are no issues after the system goes live?

129. Have the training programs for the various affected parties been performed?
130. Are the training materials (e.g., user manuals, procedure manuals, online help, help desk written procedures, etc.) in place?
131. Have the attendance records been signed and documented to confirm that all relevant users have been trained?

Prepared by:            Reviewed by:            Approved by:
Date:                   Date:                   Date:
