
Internal Audit: IT Audit Checklist for Risk Assessment

First revision: Oct.9, 2024
Last change: Oct.9, 2024
Searched, Gathered, Rearranged, Translated, and Compiled by Apirak Kanchanakongkha.

IT Audit Checklist for Risk Assessment

This checklist gives a descriptive list of questions regarding various aspects of IT systems to form a view of the risk levels. The Auditor may revise these checklists based on an understanding of the organization and the application to be audited.
 
No.  Description of IT System Risk Assessment                                                     Response (Yes / No)

A    Management and Organization
1    Is there a risk-based IT audit plan based on the business needs of the organization?
2    Are there well-defined roles and responsibilities for the steering committee?
3    Does the organization (IT department) have clear-cut and well-defined goals and aims?
4    Is there a procedure for reporting to top management, and is review in place?
5    Are there well-defined job descriptions in the IT department and separation of duties?
6    Are there appropriate policies and procedures concerning the retention of electronic records?
7    Where the organization uses third parties to process data, does it have appropriate procedures to address the associated risks?
8    Are there procedures to update strategic IT plans?

B    Personnel Policy
1    Are there criteria used for recruiting and selecting personnel?
2    Is a training needs analysis conducted at periodic intervals?
3    Are training programmes periodically held to update knowledge?
4    Is the organization's security clearance process adequate?
5    Are employees evaluated based on a standard set of competency profiles for the position, and are evaluations held periodically?
6    Are responsibilities and duties clearly identified?
7    Are backup staff available in case of absenteeism?
8    Is there a staff rotation policy in critical areas where uninterrupted functioning is essential?

C    Security
1    Is there a strategic security plan that provides centralized direction and control over information system security?
2    Is there a centralized security organization responsible for ensuring only appropriate access to system resources?
3    Is there a data classification scheme in place?
4    Is there a user security profile system in place to determine access on a need-to-know basis?
5    Is there an employee indoctrination/training system that includes security awareness, ownership responsibility, and virus protection requirements?
6    Are cryptographic modules and essential maintenance procedures administered centrally and used for all external access and transmission activity?
7    Have preventive and detective control measures been established by management concerning computer viruses?
8    Is change control over security software formal and consistent with normal system development and maintenance standards?
9    What password policy exists?
10   Is access to the voice mail service and the PBX system controlled with the same physical and logical controls as computer systems?
11   Is access to security data such as security management data, sensitive transaction data, passwords, and cryptographic keys limited to a need-to-know basis?

D    Physical & Logical Access
1    Is facility access limited to the least number of people?
2    Are the "key" and "ongoing card reader" management procedures and practices adequate, up to date, and reviewed on a least-access-needed basis?
3    Are the access and authorization policies on entering/leaving, escort, registration, temporary passes, and surveillance cameras appropriate and adequate for all sensitive areas?
4    Is there a timely and continuous review of access profiles, including managerial review?
5
6
7
8
9
10
11
12
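Several of the questions above (A5 separation of duties, C4 need-to-know access, D4 timely review of access profiles) are usually answered by testing an access-profile export rather than by interview. The script below is an added example, not part of the checklist or its author's material; it runs over a small constructed export, assumes a 180-day review interval as a hypothetical policy, and returns the findings an auditor would record against those three items.

```python
from datetime import date

# Constructed sample of an access-profile export (not from the checklist):
# each record is (user, role, last_review as ISO date, account_active).
ACCESS_PROFILES = [
    ("alice", "ap_invoice_entry",   "2024-09-01", True),
    ("alice", "ap_payment_release", "2024-09-01", True),   # holds both sides of a payment
    ("bob",   "dba",                "2023-11-15", True),   # review long overdue
    ("carol", "helpdesk",           "2024-08-20", False),  # left, role never removed
    ("dave",  "readonly_reports",   "2024-09-30", True),
]

# Role pairs one person must not hold together (checklist item A5). Assumed example pairs.
SOD_CONFLICTS = {frozenset({"ap_invoice_entry", "ap_payment_release"})}

REVIEW_INTERVAL_DAYS = 180  # assumed policy: every profile reviewed at least twice a year


def assess_access(profiles, today_iso, sod=SOD_CONFLICTS, interval=REVIEW_INTERVAL_DAYS):
    """Return (user, finding) tuples for items A5 (SoD), C4 (need-to-know) and D4 (review)."""
    today = date.fromisoformat(today_iso)
    findings = []
    roles_by_user = {}
    for user, role, last_review, active in profiles:
        roles_by_user.setdefault(user, set()).add(role)
        if not active:
            # C4: an inactive account has no need to know anything
            findings.append((user, f"inactive user still holds role {role}"))
        age = (today - date.fromisoformat(last_review)).days
        if age > interval:
            # D4: profile has not been reviewed within the policy interval
            findings.append((user, f"role {role} not reviewed for {age} days"))
    for user, roles in roles_by_user.items():
        for pair in sod:
            if pair <= roles:
                # A5: conflicting duties concentrated in one person
                findings.append((user, "SoD conflict: " + " + ".join(sorted(pair))))
    return findings


if __name__ == "__main__":
    for user, finding in assess_access(ACCESS_PROFILES, "2024-10-09"):
        print(f"{user}: {finding}")
```

A clean run (no findings) supports a "Yes" answer for those items; each finding is evidence for a "No" and can be attached to the working papers as it stands.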