Knowledge Base

As mentioned throughout this chapter, the specifics of entity-level controls will vary from company to company. However, the best general sources of information on IT-specific entity-level controls can be found on the Information Systems Audit and Control Association (ISACA) website (http://www.isaca.org), where details on the Control Objectives for Information and Related Technology (COBIT) framework and guidelines for Sarbanes-Oxley IT compliance testing are available. In addition, general guidelines on entity-level controls (not specific to IT) and links to resources related to the popular Committee of Sponsoring Organizations (COSO) model of internal controls can be found on the website of the Institute of Internal Auditors (IIA) at http://www.theiia.org. Finally, your external auditors will likely have published guidelines on this topic that they can share with you.



Master Checklist

Auditing Entity-Level Controls

Checklist for Auditing Entity-Level Controls

  1. ☐ Review the overall IT organization structure to ensure that it provides for clear assignment of authority and responsibility over IT operations and that it provides for adequate segregation of duties.

  2. ☐ Review the IT strategic planning process to ensure that it aligns with business strategies. Evaluate the IT organization's processes for monitoring progress against the strategic plan.

  3. ☐ Determine whether technology and application strategies and roadmaps exist, and evaluate processes for long-range technical planning.

  4. ☐ Review performance indicators and measurements for IT. Ensure that processes and metrics are in place (and approved by key stakeholders) for measuring performance of day-to-day activities and for tracking performance against SLAs, budgets, and other operational requirements.

  5. ☐ Review the IT organization's process for approving and prioritizing new projects. Determine whether this process is adequate for ensuring that system acquisition and development projects cannot commence without approval. Ensure that management and key stakeholders review project status, schedule, and budget periodically throughout the life of significant projects.

  6. ☐ Evaluate standards for governing the execution of IT projects and for ensuring the quality of products developed or acquired by the IT organization. Determine how these standards are communicated and enforced.

  7. ☐ Ensure that IT security policies exist and provide adequate requirements for the security of the environment. Determine how those policies are communicated and how compliance is monitored and enforced.

  8. ☐ Review and evaluate risk-assessment processes in place for the IT organization.

  9. ☐ Review and evaluate processes for ensuring that IT employees at the company have the skills and knowledge necessary for performing their jobs.

  10. ☐ Review and evaluate policies and processes for assigning ownership of company data, classifying the data, protecting the data in accordance with their classification, and defining the data's life cycle.

  11. ☐ Ensure that effective processes exist for complying with applicable laws and regulations that affect IT (e.g., HIPAA, Sarbanes-Oxley) and for maintaining awareness of changes in the regulatory environment.

  12. ☐ Review and evaluate processes for ensuring that end users of the IT environment have the ability to report problems, have appropriate involvement in IT decisions, and are satisfied with the services provided by IT.

  13. ☐ Review and evaluate processes for managing third-party services, ensuring that their roles and responsibilities are clearly defined and that their performance is monitored.

  14. ☐ Review and evaluate processes for controlling nonemployee logical access.

  15. ☐ Review and evaluate processes for ensuring that the company is in compliance with applicable software licenses.

  16. ☐ Review and evaluate controls over remote access into the company's network (e.g., dial-up, VPN, dedicated external connections).

  17. ☐ Ensure that hiring and termination procedures are clear and comprehensive.

  18. ☐ Review and evaluate policies and procedures for controlling the procurement and movement of hardware.

  19. ☐ Ensure that system configurations are controlled with change management to avoid unnecessary system outages.

  20. ☐ Ensure that media transportation, storage, reuse, and disposal are addressed adequately by company-wide policies and procedures.

  21. ☐ Verify that capacity monitoring and planning are addressed adequately by company policies and procedures.

  22. ☐ Based on the structure of your company's IT organization and processes, identify and audit other entity-level IT processes.