Audit Program-General
Process: ITGC
Process Note
Backup & Recovery
IT Asset and Inventory
Licenses Available & Required
Preventive Maintenance
User Creation & Access Controls
Network & Bandwidth Allocation
IT Management
Dewan P.N. Chopra and Co.
Chartered Accountants
Sub Process: User Creation & Access Controls

1. Control Risk: IT Department structure not defined.
   Activity: The department structure should be clearly defined. The role, authority and responsibility should be stated and known to the personnel. Only authorised individuals are to have administrator access.
   Audit Procedures: Check, review and evaluate the role and capabilities of the personnel in their positions.
   Documents Required / Template: Organisational Chart and Authority-Responsibility Matrix. If available, a copy of the IT organisation chart and/or HR reports (active employees, new hires, terminations from the beginning of the audit period to present).
   Nature of Control: Preventive
   Sample Size: -

2. Control Risk: User created without approval of the concerned Department Head.
   Activity: Approval of the Department Head in which the new user is appointed should be taken before new user creation. A standard password policy has been defined, and critical applications and supporting platforms are configured according to the corporate standard.
   Audit Procedures: Review of available documents w.r.t. approvals.
   Documents Required / Template: User access approval copies. Password policy documents.
   Nature of Control: Preventive

3. Control Risk: Unauthorised access to resources, data or programs may result in fraud, theft, loss of data and/or unauthorised transactions in financial systems.
   Activity: Management periodically reviews user access rights to critical systems, including administrator, super user and other privileged account access at all levels of the system (application, database and operating system).
   Audit Procedures: Ensure that all users have information access rights in accordance with their business requirements, and coordinate with business units that manage their own access rights within business processes.
   Documents Required / Template: Access level approval documents. Access to Programs and Data.
   Nature of Control: Detective

4. Control Risk: New user/hire ID, access level and details not properly set up.
   Activity: Approval of the Department Head in which the new user is appointed should be taken before new user creation. A Maker-Checker system should be in place.
   Audit Procedures: Ensure that all new users have information access rights in accordance with their business requirements, and coordinate with business units that manage their own access rights within business processes.
   Documents Required / Template: Approval documents and Authority-Responsibility Matrix.
   Nature of Control: Preventive

5. Control Risk: User not deleted for left employees.
   Activity: A left user should be required to complete Full & Final activities, including handover of User IDs & Mail IDs and their data.
   Audit Procedures: Review of left employee data and reconciliation with User/Mail IDs.
   Documents Required / Template: Left employee details. User ID & Mail ID details.
   Nature of Control: Preventive
* Documents Required / Template: includes reports, supporting documents etc.
# Sample Size: we have to identify on what basis we will/have selected the sample size for checking of any control.
## If any template is required then it has also to be included in the same.
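The reconciliation of left-employee data with User/Mail IDs (row 5) and the privileged-account review (row 3), as an added example that is not part of the audit program or the firm's own tooling. The HR report, account listing and audit date are constructed sample data; the field names are assumptions about how the two listings would be exported.

```python
"""Reconcile the HR left-employee report with the IT User ID / Mail ID listing.
Added example, not part of the audit program; all data below is constructed."""
from datetime import date

AUDIT_DATE = date(2024, 6, 30)  # constructed "present" date of the audit period

# Constructed HR report: employees who left during the audit period.
LEFT_EMPLOYEES = [
    {"emp_id": "E101", "name": "A. Sharma", "left_on": date(2024, 2, 15)},
    {"emp_id": "E117", "name": "R. Verma", "left_on": date(2024, 4, 30)},
    {"emp_id": "E130", "name": "S. Khan", "left_on": date(2024, 6, 1)},
]

# Constructed IT listing: one row per User ID with its Mail ID, account
# status and whether the account carries administrator rights.
ACCOUNTS = [
    {"emp_id": "E101", "user_id": "asharma", "mail_id": "asharma@example.com",
     "status": "active", "admin": False},
    {"emp_id": "E117", "user_id": "rverma", "mail_id": "rverma@example.com",
     "status": "disabled", "admin": False},
    {"emp_id": "E130", "user_id": "skhan", "mail_id": "skhan@example.com",
     "status": "active", "admin": True},
    {"emp_id": "E142", "user_id": "pjoshi", "mail_id": "pjoshi@example.com",
     "status": "active", "admin": False},
]


def orphaned_accounts(left, accounts, as_of=AUDIT_DATE):
    """One finding per account still active for a left employee.
    Privileged orphans come first, then the longest outstanding, so the
    auditor's sample starts with the highest-risk items."""
    by_emp = {}
    for acct in accounts:
        by_emp.setdefault(acct["emp_id"], []).append(acct)
    findings = []
    for emp in left:
        for acct in by_emp.get(emp["emp_id"], []):
            if acct["status"] != "active":
                continue  # already disabled: the control operated
            findings.append({
                "emp_id": emp["emp_id"],
                "user_id": acct["user_id"],
                "mail_id": acct["mail_id"],
                "days_since_left": (as_of - emp["left_on"]).days,
                "privileged": acct["admin"],
            })
    findings.sort(key=lambda f: (not f["privileged"], -f["days_since_left"]))
    return findings
```

A left employee with no row in the IT listing is not a finding here; it would be raised against the completeness of the IT listing itself.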
Sub Process: IT Asset Master

1. Control Risk: Non-maintenance of complete, exhaustive details in the IT Asset Master.
   Activity: The Asset Master should be comprehensively maintained to track items along with relevant specifications and locations.
   Audit Procedures: Checking w.r.t. availability of relevant information regarding IT parts and accessories available with users.
   Documents Required / Template: Asset Master. List of users.
   Nature of Control: Preventive

2. Control Risk: Non-availability of IT assets at the locations specified in the Asset Master.
   Activity: 6-monthly physical verification of assets available with users.
   Audit Procedures: Sample checking of assets w.r.t. their locations.
   Documents Required / Template: Asset Master. List of users.
   Nature of Control: Preventive

3. Control Risk: Duplicate service tag numbers for systems allocated to different users.
   Activity: Each system has a different service tag number. The service tag number is recorded against the name of the user to whom the system is allocated.
   Audit Procedures: Checking of the Asset Master w.r.t. availability of a service tag number against each user.
   Documents Required / Template: Asset Master. List of users.
   Nature of Control: Preventive

4. Control Risk: Non-maintenance of complete, exhaustive details of IT inventory.
   Activity: A control sheet should be maintained to track availability of items with the IT department along with relevant specifications.
   Audit Procedures: Checking of the IT inventory sheet available with the department for duplication and multiplication of inventory items.
   Documents Required / Template: Details of IT inventory.
   Nature of Control: Preventive

5. Control Risk: Non-reconciliation of physically available IT inventory with inventory details.
   Activity: Regular reconciliation of data with the physical inventory available with the department.
   Audit Procedures: Physical verification of IT inventory on a sample basis.
   Documents Required / Template: Details of IT inventory. Details of physically verified inventory.
   Nature of Control: Preventive

6. Control Risk: Non-availability of required IT inventory.
   Activity: Projections should be prepared based on the life of IT accessories, and appropriate backup inventory should be available.
   Audit Procedures: Checking of user requests for replacement of IT accessories. Checking of frequent complaints w.r.t. a specific component.
   Documents Required / Template: User requests data. User complaints data.
   Nature of Control: Detective

7. Control Risk: Inappropriate hardware issued to users; obsolete systems being issued.
   Activity: Level/capability of the desktop and/or laptop to be issued as per the post, level and requirements of the user. Useful life defined for each system and requirement.
   Audit Procedures: Check for complaints from users about receiving a computer system inadequate for their purposes.
   Documents Required / Template: Policy of grading and issue of desktops and laptops for users. Document regarding useful life of computers. List of discarded computers.
   Nature of Control: Preventive
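The duplicate service tag check (row 3) and the physical verification of assets against the Asset Master (rows 2 and 5), as an added example that is not part of the audit program. The Asset Master rows, the verification sheet and their column names are constructed; a duplicated tag is reported on its own because it cannot be resolved by sighting the hardware.

```python
"""Asset Master checks: duplicate service tags and physical-verification
mismatches. Added example, not part of the audit program; data is constructed."""
from collections import defaultdict

# Constructed Asset Master: one row per system issued to a user.
ASSET_MASTER = [
    {"asset_id": "LT-001", "service_tag": "SVC1001", "user": "asharma", "location": "HO-Floor2"},
    {"asset_id": "LT-002", "service_tag": "SVC1002", "user": "rverma", "location": "HO-Floor2"},
    {"asset_id": "LT-003", "service_tag": "SVC1002", "user": "skhan", "location": "Plant-A"},
    {"asset_id": "LT-004", "service_tag": "SVC1004", "user": "mrao", "location": "Plant-B"},
    {"asset_id": "DT-010", "service_tag": "SVC2010", "user": "pjoshi", "location": "HO-Floor1"},
]

# Constructed physical-verification sheet: tags actually sighted and where.
PHYSICAL_VERIFICATION = [
    {"service_tag": "SVC1001", "location": "HO-Floor2"},
    {"service_tag": "SVC1002", "location": "Plant-A"},
    {"service_tag": "SVC2010", "location": "HO-Floor3"},  # moved; master not updated
]


def duplicate_service_tags(master):
    """Service tags recorded against more than one asset, with the asset ids.
    A duplicated tag cannot be settled by sighting one machine, so these are
    reported here rather than as location mismatches."""
    seen = defaultdict(list)
    for row in master:
        seen[row["service_tag"]].append(row["asset_id"])
    return {tag: ids for tag, ids in seen.items() if len(ids) > 1}


def verify_locations(master, verified):
    """Compare the Asset Master with the verification sheet.
    Returns (not_found, moved): asset ids whose tag was not sighted at all, and
    (asset_id, recorded_location, actual_location) for assets sighted elsewhere."""
    dup = duplicate_service_tags(master)
    found_at = {v["service_tag"]: v["location"] for v in verified}
    not_found, moved = [], []
    for row in master:
        if row["service_tag"] in dup:
            continue  # ambiguous; already raised by duplicate_service_tags
        actual = found_at.get(row["service_tag"])
        if actual is None:
            not_found.append(row["asset_id"])
        elif actual != row["location"]:
            moved.append((row["asset_id"], row["location"], actual))
    return not_found, moved
```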
Sub Process: Backup & Recovery

1. Control Risk: Backup & Recovery policy not structured. No dedicated programme for archiving data to PDF/A standards.
   Activity: Backup and restore are carried out as per the Backup and Restore Policy. Important data should be archived to PDF/A standards.
   Audit Procedures: Obtain and inspect the "Backup and Recovery Policy" to determine if the policy clearly defines the procedures in place for restoring and testing backups for critical systems. Check whether an archiving programme is being used or not.
   Documents Required / Template: Backup and Recovery Policy/Documentation. Access to the archiving programme.
   Nature of Control: Preventive

2. Control Risk: User data backup not taken.
   Activity: Weekly backup of user data using automatic backup software on the backup drive (X: Drive). Regular checking and scrutiny of the data backup of all users on the X: Drive.
   Audit Procedures: Checking of availability w.r.t. access to the X: Drive. Checking of data backup of employees on a sample basis.
   Documents Required / Template: Screenshot showing the Last Modified date of the data found. Listing of employees whose backup is taken manually.
   Nature of Control: Preventive
   Sample Size: Files/folders whose Last Modified date is older than 1 month should be included in the sample.

3. Control Risk: Mail backup (.pst/.ost) not taken.
   Activity: Monthly backup of mail data by uploading the backup mail file to the X: Drive on the server for selected employees whose mail data is important. Regular checking and scrutiny of the mail backup of all specified users on the X: Drive.
   Audit Procedures: Checking of availability w.r.t. access to the X: Drive. Checking of mail backup of employees on a sample basis.
   Documents Required / Template: Screenshot showing the Last Modified date of the data found. Listing of employees whose mail backup is required.
   Nature of Control: Preventive
   Sample Size: Files/folders whose Last Modified date is older than 1 month should be included in the sample.

4. Control Risk: Backup of other plants not available.
   Activity: Monthly backup of user data on an encrypted external drive. Transfer of backup data to HO at predetermined intervals.
   Audit Procedures: Checking of backup data of other plants available at HO.
   Documents Required / Template: Screenshot showing the Last Modified date of the data found. Details of users working at other plants.
   Nature of Control: Preventive
   Sample Size: Files/folders whose Last Modified date is older than 1 month should be included in the sample.

5. Control Risk: Copy of previous backup not available.
   Activity: A copy of the last backup should be kept at a different location. In case of shortage of storage space, the concept of incremental backup should be applied to take backup of changed files only.
   Audit Procedures: Checking of last backup data and reconciliation of it with the dates available for backup.
   Documents Required / Template: Screenshot showing the Last Modified date of the data found. Details of previous backups taken by the department.
   Nature of Control: Preventive
   Sample Size: The previous 2 or 3 backups should be checked.

6. Control Risk: Non-accessibility of backup in case of loss of data.
   Activity: The backup drive should be accessible to all in case of loss of data. Users should have the right to create, modify, update and restore their own data backup.
   Audit Procedures: Checking of authentication provided to users.
   Documents Required / Template: Details of users who are provided access to the backup drive.
   Nature of Control: Preventive
   Sample Size: Random selection of users.

7. Control Risk: Non-availability of a disaster recovery site.
   Activity: Systems/communications backup and recovery procedures should be appropriately integrated in the Disaster Recovery Plan.
   Audit Procedures: Checking of defined procedures for recovery in case of disastrous situations.
   Documents Required / Template: Disaster recovery plan. Details of the disaster recovery site.
   Nature of Control: Preventive
   Sample Size: Complete checking of the defined procedure.
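Applying the sample-size rule of rows 2 to 4 (a Last Modified date older than 1 month puts the file or folder in the sample) together with the weekly user-data and monthly mail cycles, as an added example that is not part of the audit program. The listing of backup locations, the audit date and the 31-day reading of "1 month" are constructed assumptions; on a real engagement the listing would come from a directory walk of the X: Drive.

```python
"""Sample selection for the user-data and mail backup checks on the X: Drive.
Added example, not part of the audit program; the listing is constructed."""
from datetime import date

AUDIT_DATE = date(2024, 6, 30)  # constructed "present" date of the audit

# Expected backup cycle from the program: user data weekly, mail monthly.
SCHEDULE_DAYS = {"user_data": 7, "mail": 31}
SAMPLE_AGE_DAYS = 31  # sample-size rule: older than 1 month must be sampled

# Constructed listing: per employee, the backup location on the X: Drive and
# the Last Modified date of the newest file found there.
BACKUP_LISTING = [
    {"employee": "asharma", "kind": "user_data", "path": "X:/Backup/asharma",
     "last_modified": date(2024, 6, 28)},
    {"employee": "rverma", "kind": "user_data", "path": "X:/Backup/rverma",
     "last_modified": date(2024, 5, 10)},
    {"employee": "skhan", "kind": "user_data", "path": "X:/Backup/skhan",
     "last_modified": date(2024, 3, 2)},
    {"employee": "pjoshi", "kind": "mail", "path": "X:/Mail/pjoshi.pst",
     "last_modified": date(2024, 6, 1)},
]


def assess_backups(listing, as_of=AUDIT_DATE):
    """Age each backup; flag breaches of its cycle and mandatory sample items."""
    findings = []
    for entry in listing:
        age = (as_of - entry["last_modified"]).days
        findings.append({
            "employee": entry["employee"],
            "kind": entry["kind"],
            "path": entry["path"],
            "age_days": age,
            # newest file is older than the weekly/monthly cycle it should follow
            "overdue": age > SCHEDULE_DAYS[entry["kind"]],
            # must be included in the audit sample under the sample-size rule
            "in_sample": age > SAMPLE_AGE_DAYS,
        })
    return findings


def mandatory_sample(listing, as_of=AUDIT_DATE):
    """Employees whose backup must be in the sample, oldest backup first."""
    stale = [f for f in assess_backups(listing, as_of) if f["in_sample"]]
    stale.sort(key=lambda f: -f["age_days"])
    return [f["employee"] for f in stale]
```

The same assessment covers row 4 once the other plants' backups transferred to HO are added to the listing with their own cycle.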
Sub Process: Preventive Maintenance

1. Control Risk: Absence of a schedule for preventive maintenance.
   Activity: Preventive maintenance should be done at predetermined intervals to increase the efficiency and effectiveness of systems.
   Audit Procedures: Checking of availability w.r.t. the schedule for preventive maintenance. Review of deviations from the planned schedule.
   Documents Required / Template: Schedule of preventive maintenance. Preventive maintenance checklist.
   Nature of Control: Preventive

2. Control Risk: Absence of a checklist w.r.t. which PM is carried out.
   Activity: Conduct of preventive maintenance according to the checklist maintained.
   Audit Procedures: Review of the checklist w.r.t. all general maintenance practices. Review of the procedure for filling in the checklist.
   Documents Required / Template: Schedule of preventive maintenance. Preventive maintenance checklist.
   Nature of Control: Preventive

3. Control Risk: Software not being updated and upgraded, which might cause compatibility issues. No SMA.
   Activity: An SMA (Software Maintenance Agreement) should be in place for updating and/or upgrading as per the policy of the software vendor.
   Audit Procedures: Is the software being updated and upgraded as required? Are there roll-back features in case of incompatibilities with other programmes being used by the company?
   Documents Required / Template: Copy of SMA and schedule/dates of updation and upgradation.
   Nature of Control: Preventive
Sub Process: Licenses Available & Required

1. Control Risk: Absence of required licenses / required number of licenses.
   Activity: Licenses w.r.t. the following should be available: Operating Systems; Application Software; Server License; User Developed Software.
   Audit Procedures: Review of availability of required licenses. Review of licenses installed on every system. Review of future requirement w.r.t. current usage.
   Documents Required / Template: License list. List of licenses installed on every system.
   Nature of Control: Detective
   Sample Size: All users and systems. Full company.

2. Control Risk: Corporate/subscription licensing not being renewed, which may lead to collapse of the IT infrastructure.
   Activity: The licensing subscription should be renewed before the grace period. As per requirements, the number of users/seats may be reduced or increased.
   Audit Procedures: Check the renewal of the licensing/subscription as per the terms and conditions agreed upon.
   Documents Required / Template: Licensing agreement. List of users/seats.
   Nature of Control: Preventive
Sub Process: Network & Bandwidth Allocation

1. Control Risk: Non-availability of required bandwidth.
   Activity: A standard data usage limit should be defined for each employee, and bandwidth should be provided accordingly.
   Audit Procedures: Checking of historical data w.r.t. individual user usage and its comparison with the bandwidth currently allocated.
   Documents Required / Template: Bandwidth allocation data. User usage data.
   Nature of Control: Preventive

2. Control Risk: Non-availability of a structured network.
   Activity: A structured network should be in place to give the IT department control over the speed and bandwidth to be provided to each user.
   Audit Procedures: Review of the structured network applied all over the company.
   Documents Required / Template: Network structure data.
   Nature of Control: Preventive

3. Control Risk: Firewall not configured, allowing intrusion.
   Activity: Firewall configuration and rule set to be evaluated every 3 months and revised if required.
   Audit Procedures: Check the intrusion, hacking and virus reports and the steps taken to mitigate and eradicate. Take screenshots of the firewall and anti-virus configuration and settings.
   Documents Required / Template: Firewall configuration and rule set. Anti-virus update settings (latest and updated).
   Nature of Control: Detective
Sub Process: IT Management

1. Control Risk: Physical and environmental controls are weak (physical security).
   Activity: The computer room should have access control that records who entered, when, and whether they were authorised. There should be a UPS, fire extinguishers, smoke detectors, storage racks, and proper infrastructure for cabling and electricity points.
   Audit Procedures: Check that access to the computer room is restricted to authorised personnel. Check that all safety infrastructure, such as fire extinguishers, and other infrastructure are in place and being maintained. Make a spot check that food and drinks are not allowed in the computer room.
   Documents Required / Template: List of safety equipment and features. List of authorised personnel allowed entry into the computer room.
   Nature of Control: Preventive

2. Control Risk: Changes in hardware and/or software not documented.
   Activity: Procedures and policies should provide reasonable assurance that changes to IT systems are authorised and implemented only after following documented change management procedures.
   Audit Procedures: Verify that all changes were approved and made only after the documented procedures had been followed.
   Documents Required / Template: Change procedure documentation and Authority-Responsibility Matrix.
   Nature of Control: Preventive

3. Control Risk: Patches applied without authorisation or requirement.
   Activity: Policies and procedures should be in place to provide reasonable assurance that patch management procedures are documented, approved and adhered to.
   Audit Procedures: Check that all procedures regarding patch management have been adhered to, that all approvals were taken, and that post-patching all departments have given their approval in writing that their applications and systems are working properly. Check that proper restore points were created before patching and well documented.
   Documents Required / Template: Patch management documentation and Authority-Responsibility Matrix.
   Nature of Control: Preventive

4. Control Risk: Incidents and problems being reported incorrectly.
   Activity: Procedures and policies are documented so that reported IT incidents and related problems are analysed and resolved, and the RCA (Root Cause Analysis) is documented.
   Audit Procedures: Verify that all reported IT incidents and problems have their resolution documented, including the solution and the time taken to resolve them. Check the RCA documents and whether the Company has modified/improved its systems to resist such attacks/incidents.
   Documents Required / Template: IT incidents and problems documentation. Incidents and problems documentation and their resolution.
   Nature of Control: Preventive