Checklist for Auditing Entity-Level Controls
☐ Review the overall IT organization structure to ensure that it provides for clear assignment of authority and responsibility over IT operations and for adequate segregation of duties.
☐ Review the IT strategic planning process to ensure that it aligns with business strategies. Evaluate the IT organization's processes for monitoring progress against the strategic plan.
☐ Determine whether technology and application strategies and roadmaps exist, and evaluate processes for long-range technical planning.
☐ Review performance indicators and measurements for IT. Ensure that processes and metrics are in place (and approved by key stakeholders) for measuring performance of day-to-day activities and for tracking performance against SLAs, budgets, and other operational requirements.
☐ Review the IT organization's process for approving and prioritizing new projects. Determine whether this process is adequate for ensuring that system acquisition and development projects cannot commence without approval. Ensure that management and key stakeholders review project status, schedule, and budget periodically throughout the life of significant projects.
☐ Evaluate standards for governing the execution of IT projects and for ensuring the quality of products developed or acquired by the IT organization. Determine how these standards are communicated and enforced.
☐ Ensure that IT security policies exist and provide adequate requirements for the security of the environment. Determine how those policies are communicated and how compliance is monitored and enforced.
☐ Review and evaluate risk-assessment processes in place for the IT organization.
☐ Review and evaluate processes for ensuring that IT employees at the company have the skills and knowledge necessary for performing their jobs.
☐ Review and evaluate policies and processes for assigning ownership of company data, classifying the data, protecting the data in accordance with its classification, and defining the data's life cycle.
☐ Ensure that effective processes exist for complying with applicable laws and regulations that affect IT (e.g., HIPAA, Sarbanes-Oxley) and for maintaining awareness of changes in the regulatory environment.
☐ Review and evaluate processes for ensuring that end users of the IT environment have the ability to report problems, have appropriate involvement in IT decisions, and are satisfied with the services provided by IT.
☐ Review and evaluate processes for managing third-party services, ensuring that their roles and responsibilities are clearly defined and that their performance is monitored.
☐ Review and evaluate processes for controlling logical access by nonemployees (contractors, vendors, temporary staff), including how such access is sponsored, time-limited, periodically recertified, and removed when no longer needed.
☐ Review and evaluate processes for ensuring that the company is in compliance with applicable software licenses.
☐ Review and evaluate controls over remote access into the company's network (e.g., VPN, dial-up, dedicated external connections).
☐ Ensure that hiring and termination procedures are clear and comprehensive, including background screening before access is granted and timely revocation of physical and logical access on termination.
☐ Review and evaluate policies and procedures for controlling the procurement and movement of hardware.
☐ Ensure that system configurations are controlled through change management so that changes are authorized, tested, and traceable and unnecessary system outages are avoided.
☐ Ensure that media transportation, storage, reuse, and disposal are addressed adequately by company-wide policies and procedures.
☐ Verify that capacity monitoring and planning are addressed adequately by company policies and procedures.
☐ Based on the structure of your company's IT organization and processes, identify and audit other entity-level IT processes.
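One substantive test an auditor runs for the nonemployee-access and termination items above is to reconcile the HR roster against the list of enabled accounts and look for terminated employees still enabled, contractors past their end date, accounts with no HR owner, and dormant accounts. The script below is an added example, not part of the original checklist; the `Person` and `Account` records, the field names, the grace and dormancy thresholds, and the embedded roster and account data are all constructed for illustration and would be replaced by an HR export and a directory dump in a real engagement.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Person:
    """One row of the HR roster (hypothetical schema)."""
    person_id: str
    kind: str                 # "employee" or "contractor"
    status: str               # "active" or "terminated"
    end_date: Optional[date]  # termination date, or contract end date


@dataclass
class Account:
    """One row of the directory/account export (hypothetical schema)."""
    username: str
    person_id: Optional[str]  # None when no HR record is linked
    enabled: bool
    last_login: Optional[date]


# Constructed sample data (not real people or systems).
HR_ROSTER = [
    Person("p1", "employee", "active", None),
    Person("p2", "employee", "terminated", date(2024, 1, 15)),
    Person("p3", "contractor", "active", date(2024, 2, 1)),
    Person("p4", "employee", "active", None),
    Person("p5", "employee", "terminated", date(2024, 2, 29)),
    Person("p6", "employee", "terminated", date(2023, 12, 1)),
]

ACCOUNTS = [
    Account("alice", "p1", True, date(2024, 2, 28)),
    Account("bob", "p2", True, date(2024, 1, 14)),
    Account("carol", "p3", True, date(2024, 2, 27)),
    Account("dave", "p4", True, date(2023, 10, 1)),
    Account("erin", "p5", True, date(2024, 2, 27)),
    Account("frank", "p6", False, date(2023, 11, 30)),
    Account("svc_backup", None, True, None),
]


def reconcile(roster: List[Person], accounts: List[Account], as_of: date,
              grace_days: int = 1, dormant_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (username, category, detail) findings for enabled accounts.

    grace_days: how long after termination an enabled account is tolerated
                (the deprovisioning SLA the policy being audited should state).
    dormant_days: inactivity threshold for flagging an account as unused.
    """
    people = {p.person_id: p for p in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are not an access exposure
        person = people.get(acct.person_id) if acct.person_id else None
        if person is None:
            findings.append((acct.username, "orphan",
                             "enabled account has no HR owner; verify sponsor and purpose"))
            continue
        if (person.status == "terminated" and person.end_date is not None
                and person.end_date + timedelta(days=grace_days) < as_of):
            findings.append((acct.username, "terminated",
                             f"still enabled {(as_of - person.end_date).days} days after termination"))
        elif person.kind == "contractor" and person.end_date is not None and person.end_date < as_of:
            findings.append((acct.username, "contract_expired",
                             f"contract ended {person.end_date.isoformat()}; access not removed"))
        elif acct.last_login is None or (as_of - acct.last_login).days > dormant_days:
            findings.append((acct.username, "dormant",
                             "no login within dormancy threshold; recertify or disable"))
    return findings


if __name__ == "__main__":
    for username, category, detail in reconcile(HR_ROSTER, ACCOUNTS, date(2024, 3, 1)):
        print(f"{category:17} {username:12} {detail}")
```

The grace window matters: `erin` was terminated the day before the as-of date and is not flagged, because the test should measure against the revocation SLA the policy commits to rather than flag every account disabled a few hours late; tightening `grace_days` to 0 is how you test a "same-day" policy. Orphan accounts such as `svc_backup` are reported separately because they usually turn out to be service accounts or nonemployee access that was never tied to a sponsor, which is exactly the gap the nonemployee-access item asks you to look for.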