As mentioned throughout this chapter, the specifics of entity-level controls will vary from company to company. However, the best general sources of information on IT-specific entity-level controls can be found on the Information Systems Audit and Control Association (ISACA) website (http://www.isaca.org), where details on the control objectives for information and
Checklist for Auditing Entity-Level Controls
- Review the overall IT organization structure to ensure that it provides for clear assignment of authority and responsibility over IT operations and that it provides for adequate
- Review the IT strategic planning process to ensure that it aligns with business strategies. Evaluate the IT organization's processes for monitoring progress against the strategic plan.
- Determine whether technology and application strategies and
- Review performance indicators and measurements for IT. Ensure that processes and metrics are in place (and approved by key stakeholders) for measuring performance of day-to-day activities and for tracking performance against SLAs,
- Review the IT organization's process for approving and prioritizing new projects. Determine whether this process is adequate for ensuring that system acquisition and development projects cannot commence without approval. Ensure that management and key stakeholders review project status, schedule, and budget periodically throughout the life of significant projects.
- Evaluate standards for
- Ensure that IT security policies exist and provide adequate requirements for the security of the environment. Determine how those policies are communicated and how compliance is
- Review and evaluate risk-assessment processes in place for the IT organization.
- Review and evaluate processes for ensuring that IT
- Review and evaluate policies and processes for assigning ownership of company data, classifying the data, protecting the data in accordance with their classification, and defining the data's life cycle.
- Ensure that effective processes exist for
- Review and evaluate processes for ensuring that end users of the IT environment have the ability to report problems, have appropriate involvement in IT decisions, and are satisfied with the services provided by IT.
- Review and evaluate processes for managing third-party services, ensuring that their roles and responsibilities are clearly defined and monitoring their performance.
- Review and evaluate processes for controlling nonemployee logical access.
- Review and evaluate processes for ensuring that the company is in compliance with applicable software licenses.
- Review and evaluate controls over remote access into the company's network (e.g., dial-up, VPN, dedicated external connections).
- Ensure that hiring and termination procedures are clear and comprehensive.
- Review and evaluate policies and procedures for controlling the procurement and movement of hardware.
- Ensure that system configurations are controlled with change management to avoid unnecessary system outages.
- Ensure that media transportation, storage, reuse, and disposal are addressed adequately by company-wide policies and procedures.
- Verify that capacity monitoring and planning are addressed adequately by company policies and procedures.
- Based on the structure of your company's IT organization and processes, identify and audit other entity-level IT processes.