IT internal control program
An IT audit is basically the process of collecting and evaluating evidence (paper and/or digital) of an organization’s information systems, practices, and operations. IT auditors look not only at physical controls, as a security auditor would, but also at business and financial internal controls within an organization.
The program will generally have the following sections.
- Application Security
- Physical Security
- IT Change Management (change request from cradle to grave)
- Backup and Recovery
- Systems Interfaces Controls
- Business Process Controls
- Obtain or prepare a diagram showing the current components that make up the architecture. Obtain or draw a flowchart including components such as development, testing, and production servers, application servers, database servers, and web servers, as well as the backbone routers, bridges, and gateways that connect the various components.
- Gather documents related to (1) Security policies and charter (2) Security administration (3) Request forms
- Request access to production
- Database access (Select Row only access to the DBMS tables)
- Display-only to panels
- Sit with functional experts and document the mission-critical business processes, then determine if they audit the critical tables