Information Technology General Controls Review (ITGC) Audit Program
Date Prepared: 2012 Internal Audit Work Plan

Objective: IT General Controls (ITGC) address the overall operation and activities of the IT function and its management and governance. The ITGC audit will identify and assess general controls throughout the organization's IT infrastructure. The auditor(s) will inquire, observe, and gather evidence to obtain an understanding of the IT control environment. COBIT provides the general framework for the assessment and is augmented as necessary with applicable regulations, legislation, standards, policies, agreements, and related guidance.

Each procedure is recorded against the worksheet columns: Reference, Procedures, Workpaper #, Date, Auditor and Comments.

Section A: General

A.1 Review prior assessments, audit reports, findings, and recommendations of IT activities for two years, to include:
    External audit reports
    Internal audit reports
    Regulatory agency reports
    Consulting reports
    Assess the appropriateness of the corrective actions taken. Document the action taken for each recommendation and determine whether any prior year's comments should be carried forward to the current year's comments.

A.2 Identify the technology platforms in use and the applications processed on each platform.
    Platform information includes: equipment manufacturer and model; quantity; software.
    Application information includes: application vendor and name; version / release.

A.3 Review Board of Directors and Committee agenda and minutes from the past year for content relevant to IT.

A.4 Review Business and IT Strategic Planning Initiatives.

A.5 Review the status of IT initiatives underway (changes in business operations or IT infrastructure, outsourcing initiatives, web strategies, etc.) and note those impacting risks and controls. Establish and document follow-up plans as appropriate.

A.6 Review the status of outsourced IT services and the respective vendor(s), and adjust audit procedures as appropriate to address issues affected by outsourcing.

A.7 Review the list of trading partners / business associates with whom the organization shares or exchanges electronic information, and assess arrangements for information security and compliance across organizational boundaries.

A.8 Review example business associate contracts / chain of trust agreements.

A.9 Assess the roles and related risks for key personnel responsible for the exchange of data / information with external entities.

A.10 Review the job descriptions for IT positions, including the Security and Privacy Officers. Assess their appropriateness for the roles identified, how well they address separation of duties, and other considerations.

A.11 Assess the general state of training provided to IT staff and the related policies, procedures, plans, schedules, and training records. (See also Security Training in the Security and Application Systems sections.)

A.12 Assess the management, maintenance, planning, and appropriateness of documented Policies, Procedures, Standards, and Guidelines, including but not limited to:
    General IT and IS Policies and Procedures
    All Security Policies, including HIPAA, HITECH, State and other Security Requirements, etc.
    All Privacy Policies, including HIPAA, HITECH, State and other Privacy Requirements, etc.
    Policies and Procedures for Release of Information
    Personnel Practices, e.g., clearance policies and procedures (background checks, etc.), visitor and maintenance personnel control, disciplinary policies
    Change management policies and procedures

Section B: IT Organization and Operations

B.1 Obtain the current IT Organization Chart(s) and assess segregation of duties for key functions (i.e.: system analysis, development, programming, testing, operations, quality).

B.2 Review the current IT organization chart(s) and assess segregation of duties for key functions (i.e.: system analysis, development, programming, testing, operations, quality).