IT DUE DILIGENCE QUESTIONNAIRE
Description Yes No
IT Management
Is there an IT strategic plan?
Is there a mechanism by which the business community articulates expected events (transactions, new locations, etc.) to IT so that IT can adequately plan?
Are IT policies and procedures developed, approved and centrally posted for key IT processes?
Are the policies and procedures updated at least annually?
Are metrics used to monitor system performance and output?
Is there an acceptable use policy regarding company IT assets that all personnel are required to acknowledge?
Are external programs, such as PCI or regulatory requirements, appropriately understood and is compliance adequately monitored?
Personnel
Does the IT function appear to be adequately staffed?
Is there a mechanism to monitor the productivity of IT personnel?
Are personnel required to attend certain training or obtain certain qualifications?
What is the average length of service for IT personnel?
Are contractors used?
Are there policies that expressly prohibit the use of company programs or data for purposes other than work?
Contractors
Are contractors required to comply with the same policies and procedures as employees, such as the requirement to sign non-disclosure agreements?
Is the contractors’ length of stay monitored so that they comply with IRS regulations?
Is contractor access to company intellectual property, including in-house developed programs or company data, appropriately restricted?
Are roles and responsibilities of contractors appropriately defined and communicated?
Is any intellectual property developed by contractors, such as web or other applications, appropriately protected through legal means?
Network
Is there a topology of the network hardware?
How many points of external entry into the network exist?
Is each point of entry protected by a firewall?
Is firewall activity monitored?
Are there wireless devices on the network?
Is wireless traffic encrypted?
Is there a VPN or other remote access to the network?
Is remote access monitored?
Is a tool used that monitors for rogue devices that are attached to the network?
Operating Systems
How many operating systems are there?
Is each operating system currently supported by its manufacturer?
Is each operating system up to date with patches provided by the manufacturer?
Are there any users with unsupported operating systems on their laptops or workstations that transmit data into the network?
Is there a formal process, including documentation, by which users are provisioned with access to the operating system(s)?
Is there timely communication from human resources that results in the decommissioning of accounts upon termination?
Applications – Developed
Is a system development life cycle model (e.g., waterfall, rapid application development, spiral, Agile, etc.) utilized?
Is evidence, such as test results and approvals, maintained for future reference?
Is there a PMO or committee that monitors the progress of each project?
Is the source code protected by copyright?
Is the source code placed in escrow?
Has an inventory been performed of applications and databases that support business processes that are in scope for Sarbanes-Oxley?
Is there a formal process, including documentation, by which users are provisioned with access to the application?
Is there timely communication from human resources that results in the timely decommissioning of accounts upon termination?
Is security, including segregation of duties, considered during the development cycle?
Are interfaces between systems subjected to a system development life cycle (SDLC) process that includes retention of test results and approvals?
Are there separate development/quality assurance (QA) and production environments?
Do developers have any access to the production environment?
If so, is it only granted for emergency fixes and then removed?
Is there a mechanism to track the labor involved during the development cycle so that those costs can be capitalized?
Are the provisions of SOP 98-1, Accounting for the Costs of Computer Software Developed or Obtained for Internal Use, understood by the programmers so that non-qualifying costs are not capitalized?
Is there an ongoing process to manage segregation of duties conflicts?
Applications – Shrinkwrap
Are company-wide licenses utilized and monitored for shrinkwrap software programs?
Is the company up to date on all vendor released patches?
Is there a formal process, including documentation, by which users are provisioned with access to the application(s)?
Is there timely communication from human resources that results in the decommissioning of accounts upon termination?
Is there an ongoing process to manage segregation of duties conflicts?
Change Management
Are changes to programs or systems standardized, documented and subject to formal change management procedures?
Is there a formal process to handle emergency requests?
Are all changes, other than infrastructure changes, initiated by the business?
Data
Is there a data dictionary or an inventory of data identified as critical?
Is it clear who is responsible for data integrity?
Is access to databases restricted to 1-2 personnel?
Is database activity logged and monitored?
What types of databases are used?
Is sensitive data (e.g., credit card numbers, SSNs, etc.) encrypted or masked in the database(s)?
Is there a data warehouse?
Are ownership of, and access to, the data in the data warehouse appropriately defined and controlled?
Is all data removed from laptops or workstations prior to their disposal?
Has the flow of key financial reporting or other key data been mapped so that all programs are identified?
Disaster Recovery
Is there a formal disaster recovery plan (DRP)?
Where is the alternate site?
Has the DRP been tested?
Has a business impact assessment been performed that considers the impact of systems failure on the financial reporting process?
Are databases backed up nightly?
Are backup media stored off-site?
Are tests to restore data from backup media conducted periodically?
Are applications backed up after any change is introduced?
Do remote users back up their laptops at least weekly?
Is there an uninterrupted power supply for the data center?
Is there a non-liquid fire suppression system for the data center?
Operations
Does IT management monitor the performance and capacity levels of the systems and network?
Is there a formal problem management (help desk) process?
What is the average length of time to close a problem ticket?
How many problem tickets are there that have been open for more than 3 days?
Third-Party Services
Are third parties used for any IT services?
Are there contracts that clearly articulate the responsibilities of the third parties?
Are there performance metrics that third parties are required to adhere to?
Is there a mechanism to validate the effectiveness of key internal controls at third parties, such as a right to audit clause in the contract or an SAS 70 letter?
Are third parties properly qualified through an assessment of their capabilities to deliver required services, and is there a review of their financial viability?
Laptops/Workstations
Is there an inventory of laptops and workstations?
Is the inventory validated by means of a physical count periodically?
Is the physical count reconciled to the general ledger?
Does every laptop and workstation have anti-virus protection?
Does every laptop and workstation have a personal firewall?
Are the laptops/workstations leased or owned?
Is only authorized software permitted for use by employees on company IT assets?
Security
Are access rights at the application and operating system level periodically reviewed and confirmed?
Is there an intrusion detection system?
Are external vulnerability scans performed periodically?
Is access to IT assets (e.g., data center assets) appropriately restricted and controlled?
Spreadsheets
Is there an inventory of high-risk, high-importance processes (e.g., spreadsheets that are relevant to financial reporting)?
Has the logic in each spreadsheet been verified by somebody other than the creator of the spreadsheet?
Is access to key spreadsheets restricted via a shared drive or password?
Are all of these spreadsheets backed up periodically?