Upload: sunshine9016, posted 08-Nov-2015

Description: Useful in assessing IT risks
IT ENVIRONMENT DOCUMENT

ENTITY NAME GOES HERE
March 31, 20XX

Purpose of Document

This is a PLANNING document that is intended to provide a high level overview of the general IT environment. It is important to note that the work documented is NOT sufficient, by itself, to conclude that IT controls are operating effectively.

Client liaison contact:

OAG entity PX contact:

OAG entity Team lead contact:

OAG IT Audit Specialist:

1. Information Resource Strategy and Planning

Client Contact(s):

# | Points of Focus | Documentation | Observations and References

1.1 List the significant financial system(s) being used.

Application Name | Date Installed / Upgraded | Version | Operating System Name & Version | Database Name & Version

1.2 How is the IT budget determined and controlled?

1.3 Have any reports been issued by internal audit or other parties on the IT environment or on specific financial applications (e.g., MITS)? If so, what were the main findings?

Future Direction and Initiatives:

1.4 Are there significant IT activities outside the IT function?

1.5 What is the future direction of IT within the organization (i.e., the IT strategy)? Is there a documented and up-to-date IT strategic plan?

1.6 What major IT initiatives are planned, within the next 12 months and in the long term?

Business/Client Needs:

1.7 How does non-IT management assess whether the IT systems meet their information needs?

1.8 What service level agreements (SLAs) does IT have in place with non-IT management?

1.9 What process does the IT function have in place to measure user satisfaction? What were the results of the latest survey?

1.10 How does the IT function benchmark its operations against other organizations?

Organization Structure:

1.11 What is the IT organization structure? Who does the Head of IT report to?

1.12 How does management ensure the appropriate segregation of duties within the IT function (for example, between the database administrator, network administrator, application programmer and system administrator roles)?

1.13 Is there an IT Steering Committee? If not, how are priorities determined?

1.14 Are roles and responsibilities for the IT functions clearly defined? If so, how?

1.15 How does the organization ensure that IT staff maintain their skills?

2. Implementation and Maintenance: Application Systems / Software Systems / Database

Client Contact(s):

# | Points of Focus | Documentation | Observations and References

Change Management and Maintenance:

2.1 How does management ensure that changes to the IT environment (e.g., database, network, operating system, hardware or applications) are managed appropriately?

2.2 Is a formal systems development methodology used?

2.3 What new financial systems have been implemented?

3. Business Continuity

Client Contact(s):

# | Points of Focus | Documentation | Observations and References

3.1 Has the organization addressed business continuity planning and disaster recovery planning issues?

3.2 Has management put in place a system to test these plans on a periodic basis? When were they last tested?

3.3 Does management have a formal process regarding the backup of financial information (i.e., backup frequency, backup testing, retention period and storage location)?

4. Information Security

Client Contact(s):

# | Points of Focus | Documentation | Observations and References

4.1 How does management ensure that access to the IT environment (e.g., database, network, operating system, hardware or applications) is managed appropriately?

4.2 Does the organization have a security policy?

4.3 Who is responsible for administering the security policy?

4.4 How is the policy communicated to employees and contractors, and how is it enforced?

4.5 How does management ensure that users receive appropriate education and training on information security?

4.6 When was the most recent Threat and Risk Assessment (TRA) done?

5. Information Systems Operation

Client Contact(s):

# | Points of Focus | Documentation | Observations and References

5.1 How is information regarding any problems with systems communicated to non-IT management?

5.2 Have there been any significant operational failures, security incidents or data corruption problems? Please describe.

5.3 What are the key IT operational indicators reported to non-IT management (e.g., accessibility, reliability, performance, capacity)?

6. Relationship with Outsourced Vendors

Client Contact(s):

# | Points of Focus | Documentation | Observations and References

6.1 Is use made of outsourced service providers? If so, identify which key components have been outsourced and provide the Service Level Agreements.

6.2 Who is responsible for monitoring service delivery by the outsourced service provider?

6.3 Are Third Party Assurance reports provided by a vendor or host (e.g., CICA Section 5970 or SAS 70 reports)?

7. Network Support

Client Contact(s):

# | Points of Focus | Documentation | Observations and References

7.1 Does the organization have a network diagram? When was it last updated?

7.2 What process is in place to maintain the network diagram (e.g., owner, update frequency)?

Template 1.3 4 of 9