it organization audit checklists and guidelines
TRANSCRIPT
IT Organization Audit Checklists and Guidelines[Information Technology Company Group]Last Revision Date
Prepared by : [Name]Title : [Title]
Audit Guidelines:IT Auditor should review the following function within organization
Policy statements and communications from senior management ensure the independence and authority of the IT function
Membership and functions of the IT planning/steering committee have been defined and responsibilities identified
IT planning/steering committee charter aligns the committee's goals with the organization’s objectives and long- and short-range plans, and the IT objectives and long- and short-range plans
Processes are in place to increase awareness, understanding and skill in identifying and resolving information management issues
Policies address the need for evaluation and modification of organizational structure to meet changing objectives and circumstances
Processes and performance indicators exist to determine the effectiveness and acceptance of the IT function
Senior management ensures roles and responsibilities are carried out Policies exist outlining roles and responsibilities for all personnel within the organization
with respect to information systems, internal control and security Regular campaigns exist to increase internal control and security awareness and
discipline Quality assurance function and policies exist Quality assurance function has sufficient independence from system development
personnel, and adequate staffing and expertise to perform its responsibilities Processes are in place within quality assurance to schedule resources and ensure
completion of quality assurance testing and sign-off before systems or system changes are implemented
Management has formally assigned to a security officer organization wide responsibility for formulation of internal control and security (both logical and physical) policies and procedures
Security officer's understanding of the office's roles and responsibilities is adequate and demonstrated as consistent with the organization’s information security policy
Organization’s security policy clearly defines responsibilities for information security that each information asset owner (e.g., users, management, and security administrators) is required to perform
Policies and procedures exist that cover data and system ownership for all major data sources and systems
Procedures exist to review and maintain changes in data and system ownership on a regular basis
Policies and procedures exist that describe supervisory practices to ensure that roles and responsibilities are properly exercised, and all personnel have sufficient authority and resources to perform their roles and responsibilities
Segregation of duties exists between the following pairs of units:
Systems development and maintenance Systems development and operations Systems development/maintenance and information security Operations and data control Operations and users Operations and information security
IT staffing and competence are maintained to ensure the ability to provide effective technology solutions
Policies and procedures exist for the evaluation and reevaluation of IT position (job) descriptions
Appropriate roles and responsibilities exist for key processes, including system development life cycle activities (requirements, design, development, testing), information security, acquisition and capacity planning
Appropriate and effective key performance indicators and/or critical success factors are used to measure results of the IT function in achieving organizational objectives
IT policies and procedures exist to control the activities of consultants and other contract personnel, and thereby ensure the protection of the organization’s assets
Procedures applicable to contracted IT services are adequate and consistent with organization acquisition policies
Processes exist to coordinate, communicate and document interests both inside and outside the IT function directorate
IT Asset Management Checklist for Security Assessment Audit Program
Audit Report
Checklist
Document
Download
IT Security
Below list of the information asset that should be acquired before performing security assessment:
DNS/NetBIOS name of the asset
This is the name of the system; typically the domain name system (DNS) name and the NetBIOS
name will be the same. This is one more way to map the system to the IP address and the Media
Access Control (MAC) address.
Operating system of the asset
Although obvious, this is important to the patch management process. If you don’t know what your
systems are running, it is difficult if not impossible to know what vulnerabilities to monitor for, and to
plan the patching stages.
Listening services on the asset
One of the oldest concepts in information security is the one of least privilege. Systems should not
have services listening on them that are not being used. Documenting what is listening on each
system and what is needed on each system is a critical step.
Physical location of the asset
This is the physical location and department of the asset. This is an obvious thing to document,
because from time to time, IT resources may have to physically access the system.
Owner of the asset
There are two data points for this category. You should know both who the typical user of the system
is, as well as whom in the organization is ultimately responsible for that asset on both an IT and a
management level.
Classification of the asset
This is the classification of the asset and the data contained on that asset. As we discussed, this is an
important step in the entire vulnerability management process.
Audit ProgramsSubscribers LoginAuditNet LinksAuditNet LibrarySarbanes-Oxley PageAuditNet NewsletterAsk the AuditorAuditNet Career CenterPartner DiscountsSearch the SiteOur SponsorsAdvertiseRegister!AuditNet Home
what
job title, keywords
where
city, state, zip
Audit Report Writing Guide
Essential Communication Books for Auditors
From the External Audit Directorate of the Audit and
Review Branch, Canadian PSC
This guide establishes some guidelines for the design, style
and content of the reports published by the External
Audit Directorate of the Audit and Review Branch, PSC, in
order to make them useful and easy to read.
Table of ContentsIntroduction
Audit Report Users Audit Purposes Communication Channels Readership
Motivation Outline
Design Background Visual Appeal Reading Efficiency Design Techniques Format Specifications Summary
Writing Style Definition Terminology Sentence Length Passive Voice Intensifiers Bullets Summary
Report Content Outline Structure Model Level of Detail Commentary
Wrap-up and Conclusion Wrap-up Conclusion
Bibliography Appendices
A - Quotations and Bibliography - A Practical Guide B - Elimination of Stereotypes
IntroductionThis guide establishes some guidelines for the design, style and content of the reports published by the External Audit Directorate of the Audit and Review Branch, PSC, in order to make them useful and easy to read.
Audit Report UsersAudit reports must meet the varying information needs of users: the clients, the auditee and their representatives. The clients are: the President of the Public Service Commission and the Secretary of the Treasury Board. The auditee is the Deputy Head of the department being audited.
The representatives are: managers and specialists responsible for personnel functions in the client organizations and departments.
Audit PurposesThe primary purpose of a personnel audit is to inform clients whether the department adheres to the conditions for exercising the authorities delegated under the Financial Administration Act, the Public Service Employment Act and personnel policies and procedures flowing from those acts.
Personnel audits also identify for clients the need to create or change policies and procedures, advise departmental representatives on better ways to administer the personnel functions and recognize and reinforce activities that correct shortfalls, exceed client standards and suggest and recommend corrective actions when personnel functions do not meet clients' standards.
In addition, audits have the ultimate goal of improving personnel management in the Public Service.
Communication ChannelsAudit teams use a number of channels to influence the quality of personnel management: informal suggestions to client representatives during the planning phase and to departmental staff during on-site reviews; formal briefings and discussions with responsible officers on the findings; briefing notes and operational unit reports to managers and specialists; a formal report to the clients, the auditee and their officers; a letter to the deputy head, summarizing the main topics of the report. This guide covers the formal audit report only.
ReadershipTo be effective, administrative documents should focus on the needs of a defined readership. In the case of audit reports, there are a variety of readers with quite different needs: executives with a general knowledge of personnel systems and terminology who are mainly interested in results in their areas of accountability the auditee's senior personnel officer who must respond to audit recommendations specialists concerned mostly with findings in their area of expertise. Audit report writers must therefore take into account the needs of these various readers and the information already provided through briefings and operational unit reports.
Note: Audit reports are not written for professional auditors.
MotivationWith the exception of consummate bureaucrats, most readers are going to read as little as possible. They are desensitized to printed material due to the sheer volume that crosses their desks each day. There is competition for their attention and time. In addition, there is evidence that the level of literacy is not all it could be, even in university graduates. Recognizing these barriers is the first step in developing effective audit reports.
This guide describes an approach that will encourage the target audience to read audit reports and take action to improve personnel management and resource use in the Public Service.
OutlineTo help make audit reports attention-getting, readable and credible, the following sections cover: report design, writing style, report content (title page, table of contents, summary, introduction, findings, appendices), wrap-up and bibliography.
Return to Table of Contents
DesignBackgroundIn the Introduction, we mentioned the intense competition for reader attention and time. Report writers can control three factors critical to gaining and keeping attention: design, writing style and content.
Design may be the key to attracting readers - particularly the reader who is not motivated. Once attention is captured, writing style and content should be able to maintain this attention.
Effective design increases visual appeal and reading efficiency.
Visual AppealAn audit report has visual appeal when it looks professional and easy to read. That means the reader should develop positive feelings about the report at first glance.
The talent and effort that have obviously gone into the report's appearance send strong signals to readers. It tells them the subject is important. It also tells them the readership is important enough to warrant a quality product. There is a big difference between a memo and the annual report of the Commission. Audit reports should be closer in appearance to the annual report.
Reading EfficiencyAn audit report should not appear long, dull or tedious. The proposed design is interesting, featuring plenty of white space and easy-on-the-eyes lettering. The design encourages the potential audience to read.
Efficient reports use design techniques to make it easy to find a particular piece of information and increase reading speed, comprehension and retention.
Design TechniquesThe following techniques have been selected to enhance the visual appeal and reading efficiency of audit reports:
type size and style are easy to read line length is limited to 4.5 inches for eye travel that is not tiring blocks of text are limited to 8 lines or so to prevent skipping and to provide frequent rest points the amount of white space is not only more comforting to the eyes but also provides the reader with room for notes the location of page numbers, headings and subheadings helps readers to search for specific information; the standard format quickly becomes familiar and is easy to scan in addition to providing information, the header and footer lines "frame" the text complete topics are placed on one page wherever possible the text is laser-printed off desktop publishing software capital letters are not used for emphasis or to highlight key words and phrases because they slow up the reader the text is unjustified with flush left and ragged right margins, to encourage smooth eye flow there are no broken words at the end of lines there are no broken sentences at the end of pages there are no single lines on the top or the bottom of a page.
Format SpecificationsFormat is the shape, size and arrangement of text on the page. For ease of use, the format described here is available through the Directorate computer system.
This guide identifies the following elements of format:
Fonts: body: Times Roman 12.5pt (serif); recommendations and compliments: bold; headers and footers: not bold - headers: Helvetica 14pt (sans serif) - footers: Helvetica 9pt (sans serif). "Styles" exist for headers and footers.
Margins: top and bottom margins: 0.5" and 0.4"; left and right margins: 1.25" with the binding set at 0.25". This results in an inside margin of 1.5" and an outside margin of 1.0".
Spacing: single space between lines; 2 space ahead of bullets; double spacing between topics.
Tabs: Tabs are set at: 2.8", 3.0" and 3.2".
Printing: The Branch will produce a camera-ready copy of the audit report. The report will then be printed back-to-back, and bound.
Summary - DesignThis section describes design techniques that will help audit teams produce efficient audit reports. The following two sections deal with writing style and content - the keys to effective reports.
"Have something to say, and say it as clearly as you can. That is the only secret of style." (Matthew Arnold)
"To me, style is the outside of content, and content is the inside of style, like the outside and the inside of the human body: both go together, they can't be separated." (Jean-Luc Godard)
"Too much of a good thing is worse than none at all." (English Proverb)
Return to Table of Contents
Writing StyleDefinitionFor audit report purposes, style is defined as the way content is written. Generally, style consists of tone, vocabulary, syntax and grammar.
Good style presupposes a writer who knows the subject well, and also: who the readers will be, what is important to the readers and what the readers need to do after reading the material.
PurposeThis guide is not intended to train auditors in the basics of style. That can be accomplished through courses and on-the-job coaching. What this guide can do is provide auditors with a standard for editing their own reports, sort of an audit guide to writing style.
GuidelinesThe following guidelines are not presented in order of importance. For those readers interested in pursuing the subject in greater depth, the bibliography lists a number of excellent references.
TerminologyAudit reports must transmit information with precision - precision that starts with consistent terminology. When reviewing reports, look for inconsistencies such as the following examples of interchangeable terms: personnel administration, human resources management and personnel management; objective, purpose and goal; staffing and resourcing; personnel disciplines, functions, activities, areas, aspects and practices.
Inconsistent terminology demonstrates an unprofessional approach in business writing. It may cause readers to interrupt their reading rhythm to interpret the changed term and misunderstand the message.
The results are particularly noticeable in managers with only a general knowledge of personnel functions and terminology.
Sentence LengthAnother style element that can blur the precision and clarity of text is long sentences. Some grammarians recommend a limit of 15 to 18 words in business writing. In editing reports, one should look closely at sentences with more than 20 words. There may be room for
improvement. The following example from the second paragraph of a section on Sub-delegation of Staffing Authority demonstrates the clarity of shorter sentences.
One sentence: "The roles, responsibilities and accountability mechanisms of managers and staffing officers are clearly defined in the departmental training course on sub-delegation which was given to all managers about to receive sub-delegated staffing authority." (33 words)
Two sentences: "All managers who were to receive sub-delegated authority attended the departmental staffing course. The course defines the roles, responsibilities and accountability of managers and staffing officers." (13 words in each)
Literary writers can use longer sentences without worrying about clarity. But they do not have to write audit reports!
Passive VoiceNo shortfall in style produces dull, tiresome reading faster than the passive voice. The short example that follows demonstrates the difference between passive and active sentences.
Passive: "Based on the information available, no irregularity of operation was found."Active: "The audit team found no evidence of irregularity in the available information."Better Still: "The audit team found no irregularity."When reviewing reports, look for a subject - verb - object (agent - action - object) sequence. If it is not there, consider a rewrite.
IntensifiersIntensifiers are words like: clearly, special, key, well, reasonable, significant and very. Their use should be limited because they frequently lack precision, reflect personal values and fill space for no real purpose.
Intensifiers raise questions such as "significant compared to what?" and "clearly according to whose criteria?"
BulletsReport writers can use bullets as punctuation in front of points to break up dense text and shorten sentences, focus attention, save words and improve logic and flow.
The use of bullets is highly recommended when findings are lists of standards, samples, activities, facts and results.
ExampleWithout Bullets: "The Department possesses control mechanisms such as a clearly identified responsibility centre, consultative committees for target groups and an Affirmative Action Steering Committee. These mechanisms which include action plans and reporting systems adequately ensure the effectiveness of employment equity programs."
With bullets: "The Department has mechanisms to ensure effective employment equity programs, including: an identified responsibility centre action plans and reporting systems consultative committees for target groups an Affirmative Action Steering Committee."
This guide takes every opportunity to demonstrate the use of bullets. The nature of audit reports makes the technique particularly useful in enhancing clarity and readability.
Summary - Writing StyleWriting style has many other elements not included in this guide: tone, word economy, and rhythm are just a few. However, the elements covered here have one thing in common. They can be evaluated against readily observable criteria. Branch audit reports should be reviewed
for the use of consistent terminology, crisp sentences, the active voice, appropriate intensifiers and bullets.
Return to Table of Contents
Report ContentOutlineThe sections on Design and Writing Style described ways audit reports can gain and hold attention and promote efficient reading.
To a large degree, a report's content is responsible for its effectiveness. In addition to logic, two elements enhance effectiveness, consistent structure and level of detail.
StructurePersonnel audit reports include the following sections: title page, table of contents, summary (including the recommendations), introduction, findings and appendices.
Cover and Title PageAudit reports use a standard cover, with a window showing: the title: "Staffing Audit" or "Personnel Management Audit", the department's name and the report's date of issue (month and year). These items are repeated at the bottom of each page. The title page also indicates the names of the audit team members.
Table of ContentsThe table lists the sections and sub-sections with page numbers as follows: summary and recommendations, introduction, findings (by audit field) amd appendices (as required).
SummaryThe summary gives a quick overview of the state of the department at the time of the audit in light of the main issues covered by the report. It does not normally exceed three pages, including the recommendations.
Where a basic personnel function is not included in the audit, a note of explanation should be included.
Sub-headings should be limited to paragraphs of approximately eight lines.
Recommendations should be listed under a lead statement such as: (example) "We recommend that the Deputy Minister: amend...; establish...; implement..."
Recommendations should be stand-alone statements that can be read out of context and still make sense - particularly to a non-personnel executive or manager. Example: "We recommend that the Deputy Minister" put in place a mechanism for monitoring staffing activities and take appropriate corrective action.
IntroductionSince readers will read the summary, the introduction should not repeat details. It should include the following elements:
Context: This sub-section briefly describes conditions in the audit entity during the period under review; for instance: the entity's role, size and organization especially with regard to human resource management; significant pressures on personnel management during the
period under review - events such as the following should be noted: organizational changes - personnel disruptions - changes in roles and programs; results of internal audits or follow-up to our previous audits, if applicable.
Purpose: This sub-section is a short description of what functions and special programs were audited and the clients' authorities.
Scope: The scope lists the period under review, the issues covered in each function and program, the locations visited and the on-site dates.
Methodology: This section briefly describes sampling, data collection techniques and the basis for auditors' opinions. It also identifies any weaknesses in the methodology to allow the client and auditee to make informed decisions as a result of the report.
Findings: Findings constitute the main part of an audit report. They result from the examination of each audit issue in the context of established objectives and clients' expectations. The model illustrates how the various elements of findings are to be presented.
Appendices: Appendices can be used when they are essential for understanding the report. They usually include comprehensive statistics, quotes from publications, documents, etc. and references.
MODEL
Level of DetailThe depth of coverage for issues should normally reflect the significance of the findings.
Situations representing a high degree of risk or indicating shortcomings that are serious enough to justify a recommendation should be treated extensively.
Specific initiatives that the auditors wish to mention as examples should be described in detail, while issues where the department meets the expectations and there is nothing specific to mention should be dealt with briefly.
CommentaryWhere a recommendation and a compliment are made under the same issue, they should be in separate paragraphs. Otherwise, they may confuse the reader and reduce the impact of one or the other.
Statistics need to be used consistently throughout the report. Sample size and error rate mean more when they are given in context. The size of the population, the number of transactions and the period of time provide that context.
Percentages should not be used when referring to small samples (less than one hundred).
Graphics should be used when they add to the understanding of the text.
Return to Table of Contents
Wrap-up and ConclusionWrap-upThis guide supports the External Audit Directorate approach to developing consistent audit reports. It includes the following elements:
a definition of report users report purposes a discussion on the readership a design that attracts readers and increases their reading efficiency a writing style with: consistent terminology, crisp sentences, the active voice, few intensifiers and a point system using bullets as punctuation presenting essential content under standardized headings and sub-headings.
ConclusionThe Audit Report Writing Guide deals with the very basic aspects of report writing. It cannot replace the skill, experience and initiative of audit teams. However, it does provide the basis for consistent and professional reports that meet the needs of both clients and auditees. In addition, an effective audit report will encourage managers to improve the use of human resources in the Public Service.
Return to Table of Contents
Bibliography
Audit Branch, PSC. The Audit Branch Manual.
Secretary of State. The Canadian Style, Dundern Press.
Office of the Auditor General. A Writer's Handbook.Office of the Auditor General. An Approach to Comprehensive Audit.Canadian Comprehensive Auditing Foundation. Comprehensive Auditing - Concepts, Components and Characteristics. Canadian Comprehensive Auditing Foundation. Conducting Operational Reviews: A Generic Approach.Strunk, W. & White, E.B. The Elements of Style. The MacMillan Co.Williams, Joseph M. Ten Lessons in Style and Grace. Scott, Foresman and Company. Lanham, Richard A. Revising Business Prose, Charles Scribner's Sons. Freelance Editors' Association of Canada. Editing Canadian English, Douglas McIntyre. Jonassen, D.H. (Ed.). The Technology of Text - Volumes 1 & 2, Educational Technology Publications. Duffy, T.M. and Waller, R. (eds.). Designing Usable Texts, Academic Press. The Project Resource Group, Functional Writing is Writing that Works, PRG, 1992.
Note: The bibliography at the end of the French version lists a number of other valuable reference books.
Return to Table of Contents
APPENDIX A - Quotations and Bibliography - A Practical GuidePurposeThe purpose of this guide is to provide auditors with some useful information on how to present quotations and bibliographical references in reports.
QuotationsA quotation is a fragment of text, or "a word or a passage reproduced from a book, a
statement" (Webster's New World Dictionary), that is included in a new text and identified by quotation marks.
The source of the quotation can be provided briefly, in parentheses, as in the previous paragraph, or more completely, in a footnote.
Reference - FootnoteThe five main elements of a footnote are: Reference Number: an arabic numeral, placed immediately after the cited text, in superscript
Author's Name: first name and/or initial(s) and surname, followed by a comma
Document Title: written in full, and underlined or in bold
Facts of Publication: publisher, place and year of publication (in parentheses)
Text Location: specific location of the text source: usually the page, paragraph or section number.
BibliographyA bibliography is a list, usually in alphabetical order, of documents consulted or suggested for consultation, or of sources that have influenced or helped the author. It is usually placed in a separate section at the end of the document.
Basic ElementsA bibliographical reference contains four basic elements:
Author's Name: contrary to the reference footnote, the surname is written first, then the first name or initial; if there is more than one author, the additional names are written in the regular order, as in the second example below
Title: written in full, with no abbreviation; can be put in bold characters
Facts of Publication: publisher, place and year of publication, as in the footnote, but without parentheses
Collation: length of the work, expressed as the number of pages or volumes.
EXAMPLE
Bibliography
Mornissey, George L., Effective Business and Technical Presentations, Addison-Wesley Publishing Co., Reading, Massachussetts, 1968, 143 p. Rosenblatt, Bernard S., Richard T. Cheatham, James T. Watt, Communication in Business, Prentice-Hall Inc., Englewood Cliffs, N.J., 1977, 370 p. When a document is published on behalf of a government, the country (province or state) and the responsible entity are cited as author. It may also be useful to add some information such as the edition number, the name of the legal depositary or the standard book number.
EXAMPLE
Bibliography
Canada. Secretary of State. Translation Bureau. Public Administration and Management Vocabulary. Terminology Bulletin #194. Minister of Supply and Services of Canada 1990. 775 p. ISBN 0-660-55655-3. United Nations. Bibliographical Style Manual. New York: United Nations Publications, 1963. 58 p. Dag Hammarskjold Library.
Return to Table of Contents
APPENDIX B - Elimination of StereotypesGuidelinesGuidelines concerning the representative depiction of minority groups and the elimination of sexual stereotyping.
Reference: Corporate Management Manual (CMM), PSC, Chap. 4: Communications Management.
BackgroundIn August 1992, the PSC officially approved guidelines to ensure the equitable portrayal of women, men and minorities in communications.
This appendix concerns the application of these guidelines to our reports and other documents.
ObservationsNo problems were identified in audit reports regarding the equitable depiction of minority groups. In tables as well as in text, we should continue to avoid the use of terms that may be considered offensive or discriminatory, such as "Blacks", "handicapped", etc.
In French, the equitable depiction of women and men is a rather complex issue, mainly due to gender differentiation that applies to nouns, pronouns, adjectives, etc. The main challenge is finding the proper balance between the equitable representation of women and language clarity, conciseness and elegance. (See the French version of this appendix for more details.)
In English, it is usually easy to avoid sexist grammatical forms. In many cases, using the plural or passive form will be sufficient to avoid the difficulties of subjects (he, she) or possessives (his, her). The guidelines focus mainly on eliminating certain language forms that have a sexist connotation, such as "man-year, policewoman, Mr. and Mrs. Paul X..."
Following are a few basic rules and suggestions.
Basic Rules
The guidelines must not be seen as a cumbersome and unnecessary constraint, but as a guide.
Writing must remain clear and precise; with a little effort and attention, it is possible to create non-sexist documents that are neither too wordy nor too heavy.
When referring to men and women, the principles of equality apply.
Suggestions(See CMM Guidelines, pages 23-26 for details.)
Use gender-neutral occupation and position titles: "representative", "police officer" rather than "spokesman", "policewoman".
Avoid using the word "man" to refer to people in general ("the man in the street", "man-year") or the masculine form (he, his, him) to represent both women and men.
Treat persons of both sexes equally, by varying the position of references to males and
females, by using equal forms of salutation in correspondence, and by avoiding unnecessary distinctions between sexes.
AdviceRefer to this Appendix and to the Guidelines when you are about to start writing or reviewing a report or other important document.
Return to Table of Contents E
Copyright 2005 AuditNet. All rights reserved.
All materials contained on this site are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, broadcast, performed nor used to prepare derivative works, without the prior written permission of AuditNet. You may not alter or remove any trademark, copyright, logo or other notice from copies of the content.
For further information, see section 1 of the Terms and Conditions and section 2 of the Subscriber Access Agreement.
Contact Us