Updated ITGC Audit Checklist

The document outlines a comprehensive assessment of various IT controls across multiple areas including logical access controls, backup and disaster recovery, change management, data integrity, physical security, IT governance, cybersecurity, monitoring, and IT risks. Each section contains specific questions regarding policies, procedures, and practices, with responses indicating compliance or need for improvement. The document serves as a framework for evaluating the effectiveness of IT controls within an organization.

Uploaded by: bfaginc
© All Rights Reserved

| SNo | Control Area | Question/Control Description | Response (Yes/No/Not Applicable) | Comments/Details (for elaboration or notes) |
|---|---|---|---|---|
| 1 | Logical Access Controls | Is there an IT access control policy in place? | | |
| 2 | Logical Access Controls | How are user accounts created, modified, and terminated? | | |
| 3 | Logical Access Controls | Is the process of creating, modifying, and terminating user accounts based on an approval process? | | |
| 4 | Logical Access Controls | Are access rights assigned based on a role or responsibility matrix? | | |
| 5 | Logical Access Controls | Is there a periodic user access review for critical systems? | | |
| 6 | Logical Access Controls | Are high-privilege accounts (e.g., admin accounts) monitored and reviewed regularly? | | |
| 7 | Logical Access Controls | Does each user have a unique user ID and password? | | |
| 8 | Logical Access Controls | What is your password policy? | | |
| 9 | Logical Access Controls | Are password complexity settings enforced (e.g., length, special characters)? | | |
| 10 | Logical Access Controls | Is there an account lockout policy for failed login attempts? | | |
| 11 | Logical Access Controls | Are inactive user accounts deactivated or deleted promptly? | | |
| 12 | Backup and Disaster Recovery | Are critical systems and data regularly backed up? | | |
| 13 | Backup and Disaster Recovery | Are backups stored offsite/onsite or in a protected location? | | |
| 14 | Backup and Disaster Recovery | Is there a documented disaster recovery plan (DRP)? | | |
| 15 | Backup and Disaster Recovery | Are restoration tests conducted periodically to verify data usability? | | |
| 16 | Backup and Disaster Recovery | Are backup failures monitored and resolved promptly? | | |
| 17 | Backup and Disaster Recovery | Are backup tapes or drives labeled and tracked according to policy? | | |
| 18 | Change Management | Is there a formal change management policy in place? | | |
| 19 | Change Management | Are all system changes reviewed and approved before implementation? | | |
| 20 | Change Management | Are changes tested in a separate environment before being applied to production? | | |
| 21 | Change Management | Is there a process for emergency change requests? | | |
| 22 | Change Management | Are updates and patches managed and tested before implementation? | | |
| 23 | Change Management | Is there documentation of testing and approval for system updates and patches? | | |
| 24 | Data Integrity and System Integration | Are there controls to ensure accurate data transfer between systems? | | |
| 25 | Data Integrity and System Integration | Are financial reports generated from systems reviewed for accuracy? | | |
| 26 | Data Integrity and System Integration | Which systems generate financial data used in reports? | | |
| 27 | Data Integrity and System Integration | Are manual adjustments to financial data documented and approved? | | |
| 28 | Data Integrity and System Integration | How is the integrity of financial data ensured? | | |
| 29 | Data Integrity and System Integration | Is there an audit trail in QuickBooks, Procore, etc. for critical transactions? | | |
| 30 | Physical and Environmental Security | Is server room access restricted to authorized personnel only? | | |
| 31 | Physical and Environmental Security | Is there CCTV monitoring for server room entry points? | | |
| 32 | Physical and Environmental Security | Are fire suppression systems installed in critical areas? | | |
| 33 | Physical and Environmental Security | Are environmental controls (e.g., temperature, humidity) monitored in server rooms? | | |
| 34 | Physical and Environmental Security | Are periodic reviews of physical access conducted? | | |
| 35 | IT Governance and Policies | Is there an IT governance framework in place (e.g., COBIT, COSO, ISO 27001, SOC 2)? | | |
| 36 | IT Governance and Policies | Who is responsible for approving IT investments and policies? | | |
| 37 | IT Governance and Policies | Are IT policies and procedures documented and communicated to staff? | | |
| 38 | IT Governance and Policies | Are IT policies reviewed and updated regularly? | | |
| 39 | Cybersecurity | Is antivirus software installed and updated on all critical systems? | | |
| 40 | Cybersecurity | Are intrusion detection or prevention systems (IDS/IPS) in place? | | |
| 41 | Cybersecurity | Are employees trained on cybersecurity risks and phishing attempts? | | |
| 42 | Cybersecurity | How does the company approach cybersecurity and data protection? | | |
| 43 | Cybersecurity | Is there a documented incident response plan for security breaches? | | |
| 44 | Monitoring and Audits | Are system logs reviewed for unusual or unauthorized activities? | | |
| 45 | Monitoring and Audits | Is there a regular review of exception reports or logs for financial data? | | |
| 46 | Monitoring and Audits | Are SOC reports obtained and reviewed for cloud-based services? | | |
| 47 | IT Systems Overview | Is IT managed internally, outsourced, or in a hybrid model? | | |
| 48 | IT Systems Overview | Who are the key IT personnel and what are their roles? | | |
| 49 | IT Systems Overview | How is IT support structured (e.g., helpdesk, system administrators)? | | |
| 50 | IT Systems Overview | Which systems integrate with each other? | | |
| 51 | IT Systems Overview | How is financial data transferred between systems? | | |
| 52 | IT Systems Overview | Are there any manual processes in data transfer? | | |
| 53 | IT Systems Overview | Are there any known issues or limitations with these systems? | | |
| 54 | IT Systems Overview | Who makes decisions about IT investments and changes? | | |
| 55 | IT Risks and Controls | What are the primary IT risks identified by management? | | |
| 56 | IT Risks and Controls | Which systems directly impact financial reporting? | | |
| 57 | IT Risks and Controls | Is there any vendor management? | | |
| 58 | IT Risks and Controls | Which systems directly impact financial reporting, with a focus on QuickBooks and any integrated systems? | | |
| 59 | IT Risks and Controls | What key controls are in place to mitigate these risks? | | |
| 60 | Asset Register | Software Inventory | | |
| 61 | Asset Register | Hardware Inventory | | |
| 62 | Access Management | Are user access rights for QuickBooks and other financial systems reviewed regularly to ensure proper segregation of duties? | | |
| 63 | Backup and Disaster Recovery | Are data backup and recovery procedures documented and tested regularly? | | |
| 64 | Backup and Disaster Recovery | Are data backup and recovery procedures documented and tested regularly? | | |
| 65 | Change Management | Are updates and patches managed and tested before implementation? | | |
| 66 | Change Management | Is documentation of testing and approval for system updates and patches necessary? | | |

Prepared by: ____________  Date: ____________
Reviewed by: ____________  Date: ____________
Approved by: ____________  Date: ____________
