IT Audit Program for General Controls
Areas of Risk Possible errors or Irregularities
 Improper or unauthorized use of system
utilities
 Lack of backups and contingency planning
1. Operating Systems increases the risk of being unable to
continue processing following a disaster
 Poor help desk functions
 Delays and disruptions in processing due to
wrong configuration parameters
 Corrupt file due to hardware failure
 Unauthorized access of database system
2. Databases / Files / Records  Files and records do not have backup
 Misappropriation of assets
 Copying or viewing of sensitive or
confidential information
3. IT Organizational Structure  Unauthorized access of IT services
Audit Objectives
 To determine that the audit team has a clear
understanding of network components and
interfaces that may impact the logical
security of specific servers and
workstations.
 To ensure that existing operating system
security parameters are configured to
secure settings and in relevant corporate
policies and standards.
 To determine whether security policies are
in place to ensure that only authorized
persons are granted access to operating
system.
 To identify and help fix potential problems
with an enterprise's backup systems
and procedures.
 To verify whether only authorized personnel
can manage the database system of the
company.
 To ensure that data backup and
restore procedures occur as intended.
 To ensure that roles and responsibilities for
security management have been clearly and
appropriately defined.
 To prevent unauthorized access and
interference to IT services.
 To ensure that the management supervise
the actions of its employees to determine
whether the assets of the company are
accounted in order.
Audit Procedures
 Develop a security policy manual to assist
management in their detection of
unauthorized activity.
 Make daily maintenance activities such as
computer start-up procedures and daily data
back-up procedures to ensure management
safety.
 Evaluate current operating system
configuration settings to ensure that the
settings are in compliance with relevant
corporate policies and standards and
conform to best practices.
 Ensure that only the database administrator
has the capability to change or modify any
transactions in the database system.
 Examine the entire backup process using
the backup audit to look for the inefficiencies
and reasons for failure.
 Identify and manage data update processes
 Use common physical controls to safeguard
assets such as locked doors, CCTVs,
intruder alarms, combination keypads, and
security guards.
 Obtain documentation listing all individuals
with access to certain room or information.
 Evaluate each employee to identify their
strengths and weaknesses and determine if
the skills of each employee has line up with
his or her current work responsibilities.
  Virus infestation
 System and hardware failure
4. Computer Center Security / Disaster  Loss of assets due to fortuitous events,
Recovery Plan such as fire, flood, or earthquake
 Human intervention (e.g. sabotage)
 Insufficient time period for one or more
phases
5. New System Development  Unwritten information
 Badly done cost-benefit analysis
 Incomplete or wrong information relating to
the schedule of carrying out and necessary
resources
 Unaware end-users may not use the system
properly
 Lack of capability to maintain the system
 Failure of machines and equipment to
6. System / Program Maintenance operate efficiently
 Potentially liability exposure of on-the-job
accidents due to defective equipment.
 Non-compliance with laws and regulations
 Not licensed software may cause an error to
the system
 To verify that effective management policies
and procedures are in place to prevent the
introduction and spread of destructive
objects.
 To ensure insurance coverage and
documentation are adequate in case of
failure.
 To ensure that existing policies and
standards are applicable throughout the
processing environment.
 To determine whether all systems are in
compliance with appropriate policies and
standards.
 To ensure that end-users are aware of
appropriate corporate security policies and
standards and are informed of their
individual responsibilities.
 To ensure that the cost does not exceed the
benefits to be derived from developing new
systems.
 To keep equipment, machines and the work
environment safe and reliable.
 To ensure that the management complies
with all the requirements necessary to
conduct an operation.
 To determine whether procurement
procedures are in place to carry out safe
maintenance.
 To verify the software used by the company
is licensed.
 Examine disks or CDs transferred between
workgroups to determine if that contain
viruses.
 Make a test of physical construction, fire
detection, access control, and back-up
power supply.
 Check resources of supplies and documents
to make sure these are stored off-site.
 Identify the procedures in place to ensure
compliance with relevant corporate security
policies and standards.
 Check if corporate security policies and
standards are applicable to the
environment.
 Tell the security administration personnel to
be aware of corporate security policies and
standards for the operating environment
under review.
 Assess the risk to predict all situations
which could exert bad influence on the
project carrying out.
 Implement a risk-based
maintenance process to make sure that the
total risk of failure is minimized across the
facility in the most economical way.
 Make different care strategies such as
corrective maintenance, preventive
maintenance, and condition-based
maintenance.
 Make a regular inspection of equipment and
machine before using it on operation.
 Review the software licensing maintenance
to make sure that it is compatible with the
system.
 Provide a written report, complete with
recommendations for improvement,
detailing the results of the maintenance
audit and review.
  Interception of network messages  To verify the security and integrity of
 Insider threat financial transactions by determining that
7. Networks and Data Communication  Distributed Denial of Service Attacks (DDoS network controls can prevent and detect
(Internet & Intranet) Attacks) illegal access both internally and from the
internet.
 To assess an intrusion prevention system
(IPS) with deep packet inspection (DPI) is in
place for organizations that are vulnerable
to DDoS Attacks.
 To prevent data loss and mitigate insider
threat.
 Security and confidentiality risks  To focus primarily on solving business-
8. Electronic Commerce (E-Commerce) /  Hacking related problems to achieve cost savings
Electronic Data Interchange (EDI)  Virus and worm attacks measure.
 Costly to implement  To ensure short-term data are deleted
immediately to avoid information theft.
 To ensure that only authorized employees
have the access to business computers.
 To keep systems secure with high security
and password protected.
 Security attack  To ensure that only the owner of the PC has
 Unauthorized access the access.
 Password cracking  To secure that the computer is password
9. Stand-Alone PCs  Malware and Spyware protected.
 To determine whether Windows Encrypting
File System is built-on the operating system
of the computer.
References:
http://www.sfisaca.org/download/gensecaudpgm.pdf?fbclid=IwAR0xmaXpMIsVV-kyp1Lji7_Td-TCRiR9W4u8_JmBNVFfHwNVnmRJg3VHBss
 Review security procedures governing the
administration of data encryption keys.
 Establish a firewall to assess that only
authorized traffic between organization and
outside are passing through the wall.
 Require a digital certificate to authenticate
the sender of the message.
 Use a request-response technique to control
a message from the sender and a response
from the receiver are sent at synchronized
intervals.
 Educate employees and establish
accountability with managers.
 Allocate data across a more extensive
variation of communicating protocols and
safety standards.
 Use strong passwords to protect the data.
 Plan thoroughly the implementation of EDI
and E-commerce to determine the amount
of cost.
 Authenticate third party security controls.
 Install anti-virus, firewall, and anti-spyware.
 Secure the computer on which data resides
in a locked room.
 Protect the computer with a password.
 Restrict access to data to project personnel
using the security features available via
operating systems.
 Install Windows Encrypting File System to
enable data encryption to secure the entire
system.
https://www.undp.org/content/dam/albania/docs/STAR/IT%20AUDIT%20MANUAL.pdf

https://onlinelibrary.wiley.com/doi/pdf/10.1002/9781119203728.app2?fbclid=IwAR3ZwMtT1qaw-zX5sxmC44HFJ7TuWO37RvVQ4qqBsbzbm3303SUmk8t6R3w&

https://lbj.utexas.edu/sites/default/files/file/profdev/candt/2013CAI/IIIB_RICE_Digital_AccessControls.pdf?fbclid=IwAR21Eb54FCC8TYRnqcReF3cYz3QVCcYBvOJ1gBQaWecQd_Noq-mDwWPlEOI

https://slideplayer.com/slide/6227430/

https://slideplayer.com/slide/7454974/

https://pdfs.semanticscholar.org/150a/6ad95543c8237cd65ec85ddbcc0eff5169fd.pdf

http://lifetime-reliability.com/consulting/maintenance-management/Sample_Maintenance_Audit_Report.pdf

https://www.oreilly.com/library/view/accounting-information-systems/9781118162309/c09-38.html

https://businesstown.com/business-security-risks-how-to-prevent-them/

https://www.slideshare.net/dadkhah077/security-attacks-in-standalone-computer-and-cloud-computing-an-analysis

http://www.ncb.mu/English/Documents/Downloads/Reports%20and%20Guidelines/Security%20Guideline%20for%20Standalone%20and%20Network%20Computers.pdf