Objectives
1. Provide management with an independent assessment of the progress, quality and attainment of project
objectives, at defined milestones within the project, based on company policies and procedures.
2. Provide management with an assessment of the adequacy of project management methodologies and that
the methodologies are applied consistently across all projects.
3. Provide management with an evaluation of the internal controls of proposed business processes at a point in
the development cycle where enhancements can be easily implemented and processes adapted.
4. Provide management with an assessment of the adequacy of security controls implemented.
5. Provide management with an evaluation of the project metrics / KPIs and expected benefits stated within the
project business case report.
Scope
The audit of the SDLC process will review each phase of a system implementation project. The audit will
address the following areas: governance and risk management, compliance with company procedures and
regulation, project management methodology, budget, internal controls, and business processes.
Audit Step
AA - Planning
1. Prepare the audit announcement / notification letter informing
applicable people of the estimated start date of the audit, the
objective and the scope. E-mail it to addressee(s). Maintain e-mail
in audit file.
2. Prepare a budget of estimated audit hours by audit category. See
Audit Time Budget tab. Identify audit staff that will be assigned to
the engagement.
3. Review prior SDLC audits and permanent files to ensure
understanding of SDLC process and previously identified audit
findings. Document any risks noted in the Risk Assessment tab.
Update information in the permanent files, if necessary.
4. Perform pre-audit risk assessment. Map risks identified with
audit procedures by updating the Benchmarking and Detail Audit
Testing tabs as necessary.
5. Obtain and review the most current SDLC Policies and
Procedures manual from auditee. Update the Benchmarking and
Detail Audit Testing tabs as necessary.
6. Research industry best practices (ISACA, IIA, NIST, ISO,
PMBOK) and compliance requirements (PCI DSS, Privacy, HIPAA,
etc.) that are applicable to the system being implemented. Update
the Benchmarking and Detail Audit Testing tabs as necessary.
W/P Ref
Preparer
Sign-off
Reviewer
Sign-off
7. Schedule pre-audit meeting with audit team and IT Project Team
to discuss the objectives, scope, timing, involvement and
requirements of the audit. Maintain meeting minutes.
(Note: Audit Team should communicate to the Project Team the
expectation that Audit Team will be invited to project meetings and
included in any project e-mail groups.)
8. Prepare a preliminary request list of documentation and discuss
it during the pre-audit meeting (e.g. flow charts, process narratives,
listing of project team members, business case, system product
information, etc).
Detailed Audit Testing
See separate tab for detailed audit program.
BB - Audit Conclusion and Reporting
1. Prepare Audit Memos for each major phase of the IT Project (see
below) and e-mail them to the Project Team and Project Sponsor. Request
from addressee(s) response(s) to all audit findings, along with an
implementation date.
a.
b.
c.
d.
f. Training phase.
2. Prepare draft Audit Report and e-mail it to direct addressee(s).
Request from addressee(s) response(s) to all audit findings, along
with an implementation date.
3. Schedule an audit completion meeting with the Project team and
Project Sponsor within 2 weeks of issuing the draft report. Review
draft audit report and discuss audit findings and recommendations.
Maintain meeting minutes.
4. Review management response (i.e. Action Plan) to audit findings.
Review completion date(s) of action items for reasonableness.
5. Prepare final version of Audit Report and include the responses
received from addressee(s) for all audit findings (if applicable). E-mail it to addressee(s) and management.
6. Prepare and e-mail Audit Survey to auditees. Request that
responses are returned to the Audit Manager. See Audit Survey
tab.
Audit Time Budget
Audit Charge Code:
Audit Manager: [Insert Auditor Name]
Audit Senior: [Insert Auditor Name]
Audit Staff: [Insert Auditor Name]

Audit Area                                              Hours: Manager / Senior / Staff    Notes
Planning
Reporting
Follow-up Audit Procedures
Audit Close-out
Detailed Audit Testing
  Project Governance
  Pre Implementation - Business Case & Project Planning
  Pre Implementation - System Development
  Pre Implementation - Testing
  Pre Implementation - Pre Go-Live & Conversion
  Pre Implementation - Training
  Post Implementation - Support & Maintenance
  Post Implementation - Project Assessment
  Post Implementation - Internal Controls Assessment
Total Hours
[Provide a high level overview of the area(s), function(s), business process(es), and current systems that will be affected by the system being
implemented.]
Risk Assessment
General listing of common risks that may occur during a system implementation project.
High Rating:
The potential for a material impact on the company's earnings, assets, reputation, customers, and operations. This risk
has a high likelihood of occurring.
Medium Rating:
The potential for a significant impact on the company's earnings, assets, reputation, customers, and operations. This
risk has a medium likelihood of occurring.
Low Rating:
The potential for a significant impact on the company's earnings, assets, reputation, customers, and operations. This
risk has a low likelihood of occurring.
Columns of the risk matrix: Audit Risk, Control, Audit Step (reference to the detailed audit procedures), Risk Rating, Audit Notes.

Section A - Governance
Audit Risk: Lack of procedures leads to a mismanaged project, a system not meeting business needs, and ineffective responsibilities and accountabilities.
Control: An organizational change communication plan is developed and implemented (typically for major systems).

Section B - Pre-Implementation: Business Case & Project Planning
Audit Risk: Lack of business justification results in the purchase of a system that does not meet business needs.
Control: Project documentation is in conformance with company procedures.

Section C - Pre-Implementation: System Development & Build
Audit Risk: Inadequate system design results in a system that does not meet user needs and increases the likelihood of non-acceptance.
Control: Project documentation is in conformance with company procedures.

Section D - Pre-Implementation: Test
Audit Risk: Lack of a test plan may lead to ineffective testing, resulting in acceptance of a system that does not meet business needs.
Control: A Test Plan is created to ensure testing is complete and the system meets stated requirements prior to implementation.
Control: Project documentation is in conformance with company procedures.
Audit Risk: Lack of test scripts may lead to ineffective testing, resulting in acceptance of a system that does not meet business needs.
Control: Test scripts are created and monitored for satisfactory results.
Audit Risk: Testing issues identified are not resolved prior to implementation.

Section E - Pre-Implementation: Pre Go-Live & Conversion
Audit Risk: Lack of an implementation plan results in go-live steps being missed, leading to a system that does not meet business needs or unavailability of the new system.
Control: Project documentation is in conformance with company procedures.
Audit Risk: Lack of access review may lead to unauthorized users having access to the system or authorized users set up in the wrong access group.
Control: The system owner reviews and approves user access rights prior to the system going live.
Audit Risk: Lack of a go-live checklist results in go-live steps being missed, leading to a system that does not meet business needs or unavailability of the new system.
Control: A go-live checklist is maintained to track all go-live tasks and ensure all have been completed.

Section F - Pre-Implementation: Training
Section G
Section H
Section I
- operations
- continuity
- business processes
Benchmarking
Each detailed audit procedure is mapped in this tab to COBIT 5 process practices (BAI and APO domains), COSO principles, the pre-audit risk number, the applicable company procedures and the 20 Critical Security Controls (CSC).
- Project team
- System implementors
- Subject matter experts
- Super users
- End users
- Network administrators
- System administrators
- Security administrators
Verify that a System Development Plan has been
created and includes:
- System documentation
- System specification
- User specification
- Functional requirements
- Reporting requirements
- Customization
- Security and internal controls requirements
- Interfaces with other systems (consider impact
on inter-operability)
- Process and data flowcharts
- Data storage
- Issue identification and resolution
- Constraints
- Backout / Contingency Plan
Verify that the Implementation Plan is in
compliance with company policy and procedures.
Audit Procedures
Section A - Governance
A1 Obtain and examine policy, procedures and
templates. Verify that they address the following:
- Business Case Analysis
- Project risk assessment
- Roles and responsibilities
- System documentation
- System specification
- User specification
- Security specification
- System development plan
- Change requests
- Developing internal controls
- Project issue procedures
- Data conversion plan
- Test plan
- Pre Go-live plan
- Training
- Organizational change management plan
- Project monitoring & status updates
- Post implementation project review
W/P Ref
Findings
Preparer
Sign-off
Reviewer Signoff
A6 Verify that the Project Team Lead is submitting
status reports on a periodic basis and any other
required documentation to the Project Steering
Committee throughout the lifecycle of the project.
Status reports should contain budget-to-actual
comparison & variation analysis, monitoring of
milestones & KPIs, description of achievements
and any issues affecting the progress of the
project.
A7 Verify that the Project Steering Committee has
reviewed the post implementation project results
report and develops an Action Plan to address
any actionable lessons learned.
A8 A member of the Audit Team should attend the
Project Team status meetings.
A9 Examine the Project Team's status meeting
minutes and verify that the team discusses tasks
completed / to be completed and issues identified
/ assigned / resolved.
A10 Verify that an organizational change
communication plan has been developed and that it
addresses:
- Assessing company's readiness to accept
change
- Educating end users on the reason and timing
behind the change
- Roles and responsibilities of organizational
change management team
- Vision and strategy for change
- Communication of vision and strategy to end
users
- Remove barriers / silos that inhibit end user
acceptance
- Short-term and long-term goals identified and
monitored
- Identify training needs
- Other communication activities (newsletter,
posters, intranet site, etc.)
- Continuous feedback
B3 Verify that a Request for Proposal was prepared
and sent to selected vendors.
B4 Verify that Vendor proposals were reviewed for:
- Reputation and experience of vendor
- Experience of vendor personnel
- Proposal content met scope of the project
- Rates for time and expense
- Ability to respond to system vulnerabilities and
provide patches to customers timely
B7 Verify that a Project Plan has been created and
includes:
- Project objectives
- Project scope
- Project risk assessment
- Identifies stakeholders
- Project Sponsor
- Team members
- Roles and responsibilities
- Budgets and timelines
- Project milestones and KPIs
- Communication plan
- Deliverables
- Change in scope procedures
B8 Verify that the Project Plan has been approved by
the Project Team Lead and Project Sponsor.
B9 Verify that a project kick-off meeting has been
held to review the Project Plan with team
members by obtaining the meeting minutes.
B10 Assess project timelines and determine if the timeline
is reasonably achievable.
B11 Assess project personnel resources for:
- Availability
- Cross functional representation of all
departments impacted by the system
- Experience
B12 Review prior project lessons learned and
determine if they have been properly incorporated
into the Project Plan.
B13 Verify that the Project Plan is in compliance with
company procedures.
B14 Verify that employees involved in the design and
build of the application system have been
properly trained to configure / customize the
system and are able to use the system when
performing tests.
C4 Verify that security and internal control
requirements consider the following:
- access rights based on least privilege
- segregation of duties
- system authorizations
- edit checks
- audit logs
- input checks
- matching checks
- sequence checks
- duplication checks
- output
- exception reporting
C5 Verify that the System Development Plan has
been approved by the Project Team Lead, Project
Sponsor, and System Implementor.
C6 Verify that a Data Conversion Plan has been
created and includes:
- Identification of data to be transferred /
converted
- Data cleansing procedures
- Error tolerances
- Data mapping
- Data extraction
- Data transfer
- Data validation test plans
- Issue identification and resolution
- Conversion timeline
- Conversion tasks included in go-live checklist
- Required approvals
C7 Verify that the Project Team has developed the
data map. Determine if data map is in sufficient
detail to assist IT in converting the data and for
testers in testing the system.
C12 Verify that any servers and operating systems
pertaining to the new system have been
configured according to the company's
configuration management procedures.
- default and unnecessary accounts / services are
disabled, if possible
- disable local admin account
- default passwords are changed and made
complex for admin accounts, application /
operating systems and any other new networked
device
- limiting admin privileges to those who have a
business need to modify configuration
- enable logging
C13 Verify that any servers and operating systems
pertaining to the new system have been secured
according to the company's security procedures.
Examples are:
- anti-virus / malware on server
- password management enabled (log-on
attempts, password change timeframe, password
history)
- admins have different passwords for admin
accounts and non-admin accounts
- disabling LM hashes
- encryption
- network segmentation
- enable firewall
- remote administration of servers over secure
channels
C14 Verify that changes made to current systems
(setting up interfaces, extracting data, importing
data) follow the company's change management
procedures.
- changes are documented
- changes are tested
- changes are approved by business and IT prior
to migration into production environment
- quality assurance review
C15 Verify that the data cleansing has been performed
by determining if the Project Team verified that:
- All mandatory fields are populated
- All records are present
- Default or dummy values cannot be inserted
where there is missing data
- Data is complete
- No duplication of data fields
C16 For data that has not been cleansed, determine
potential risks and impacts to the project.
Determine if error tolerances have been
evaluated against the approved thresholds stated
in the Data Conversion Plan.
C17 Verify that the Project Team has verified the
accuracy, integrity and completeness of data
conversion to the test system by reviewing test
documentation.
C18 Verify that data converted to the test system is
complete, accurate, and has integrity.
- batch and control totals
- check sums / digits
- range checks
- date and time stamps
- use a data analysis tool to compare a sample of
data from the old system and the new system
- verify a test sample of data to source
documentation
C19 Verify that the Project Team addresses any errors
or omissions identified as part of testing the data
conversion.
C20 Verify that appropriate controls are in place to
prevent or detect any data manipulation during
the conversion process and that they are
operating effectively.
C21 Verify that the Project Team has maintained
documentation of process design, configuration,
and customization.
- flow charts
- screenshots
- exhibits of code
- online and batch operating instructions
- system narratives
- configuration baselines
C22 At the end of the system build phase, verify that
the Project Team has created the User Manual.
The manual may include:
- description of the system
- use of the system
- input data and parameters
- output data
- operating procedures
- error identification and resolution
- user responsibilities related to security, privacy
and internal controls
C23 At the end of the system build phase, verify that
the Project Team has created the Operations and
Maintenance Manual. This manual may include:
- description of software
- instructions to operate software
- technical flow charts
- exhibits of code
- technical specifications
- security specifications
- description of internal controls
- description of non-routine procedures and
security requirements
- procedures for error resolution
- maintenance procedures
- configuration baselines
C24 Determine if any change orders have been
approved. If so, verify if the project budget cost,
labor hours and timeline have been updated.
Determine if there is any risk due to scope creep.
C25 Verify that any milestone(s) achieved during this
phase have been reviewed and approved by the
Project Sponsor.
C26 Verify that the Project Lead has reviewed the
Project Plan to ensure that the project is on target
with budgets, milestones and timeline. Verify that
Project Lead has reassessed the project risks for
the activities in this phase. Verify the Project
Lead has updated the Project Plan, if necessary.
C27 Review the project actual cost, labor hours and
timeline in comparison with the budget.
Determine if there are any risks that may impact
the project in the testing phase (e.g. going over
budget in the design and build phase may lead to
decreasing hours dedicated to testing system).
C28 Prepare an audit memorandum of the results of
this phase of testing and distribute to the Project
Team and Project Sponsor.
Section D - Pre-Implementation: Test
D1 Verify that a Test Plan has been created and
includes the following:
- testing methodology, including types of tests to
be performed (e.g. functional, unit, integration,
end-to-end, acceptance, performance, parallel /
pilot, volume / stress, regression, quality
assurance, penetration, scanning, fuzzing, testing
for failures, security)
- Testing procedures
- Testing templates / scripts (purpose, procedure,
conclusion, sign-off)
- Testing documentation to be maintained, along
with retention period
- Reporting, tracking and remediating issues
identified during testing
- Acceptance and approval of test results
- test location and preparation
D2 Verify that the Test Plan is in compliance with
company policy and procedures.
D3 Verify that the Test Plan has been reviewed and
approved by the Project Leader and Project
Sponsor.
D4 Verify that there is a separate test environment
from the development and production
environment.
D5 Verify that the test environment simulates the
production environment.
D6 Verify that the Project Team has identified all
employees to be used in the testing process.
Verify that these employees:
E1 Verify that an Implementation Plan has been
created and includes:
- implementation schedule
- development of production environment
- testing of production environment
- securing production environment
- data conversion
- data back-up
- contingency / fallback plan
- approvals to go live
- resolution of any issues identified prior to go-live
- acceptance of any unresolved issues identified
- tracking go-live tasks (e.g. checklist)
- go / no-go criteria
E6 Verify that data converted to the production
system is complete, accurate, and has integrity.
- batch and control totals
- check sums / digits
- range checks
- date and time stamps
- user reconciliations / data validation
- use a data analysis tool to compare a sample of
data from the old system and the new system
- verify a test sample of data to source
documentation
E14 Verify that the production environment has the
appropriate security controls to prevent access to
the system by administrators or the system
implementors once the system is live.
E15 Verify that the Security group has reviewed the
security specifications of the system and has
approved it to go-live.
E16 Verify that the system owner has reviewed and
approved the access rights of end users and
assignment of user groups.
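Steps E14 and E16 amount to reconciling the production access export against what the system owner approved. The following is an added example, not part of the audit program; the approved access matrix, the production export, the implementor account name and the segregation-of-duties pair (the C4 requirement) are constructed assumptions.

```python
"""Pre go-live access review for audit steps E14 and E16, with the C4 segregation-of-duties check."""
import csv
import io

# Constructed: access rights approved by the system owner (E16).
APPROVED_CSV = """user,group
alice,AP_CLERK
bob,AP_APPROVER
carol,READ_ONLY
dave,AP_CLERK
"""
# Constructed: export of accounts and group membership from the production system.
PRODUCTION_CSV = """user,group,enabled
alice,AP_CLERK,true
bob,AP_APPROVER,true
bob,AP_CLERK,true
carol,SYS_ADMIN,true
eve,READ_ONLY,true
dave,AP_CLERK,false
vendor_impl,SYS_ADMIN,true
"""
# Assumptions: accounts used by the system implementors during the build (E14)
# and group combinations that violate segregation of duties (C4).
IMPLEMENTOR_ACCOUNTS = {"vendor_impl"}
SOD_CONFLICTS = {frozenset({"AP_CLERK", "AP_APPROVER"})}


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def approved_matrix(rows):
    """user -> set of approved groups."""
    matrix = {}
    for r in rows:
        matrix.setdefault(r["user"], set()).add(r["group"])
    return matrix


def actual_matrix(rows):
    """user -> set of groups for enabled accounts only; a disabled account grants no access."""
    matrix = {}
    for r in rows:
        if r["enabled"].strip().lower() == "true":
            matrix.setdefault(r["user"], set()).add(r["group"])
    return matrix


def access_review(approved_rows, production_rows):
    """Findings the system owner must resolve before approving go-live."""
    approved = approved_matrix(approved_rows)
    actual = actual_matrix(production_rows)
    findings = []
    for user, groups in sorted(actual.items()):
        if user in IMPLEMENTOR_ACCOUNTS:  # E14: implementors locked out once live
            findings.append(f"{user}: implementor account still enabled in production")
            continue
        if user not in approved:  # E16: unauthorized user
            findings.append(f"{user}: not on approved access list (groups {sorted(groups)})")
            continue
        for g in sorted(groups - approved[user]):  # E16: wrong access group
            findings.append(f"{user}: in group {g} without approval")
        for g in sorted(approved[user] - groups):
            findings.append(f"{user}: approved for {g} but not assigned")
        for pair in SOD_CONFLICTS:  # C4: conflicting duties held by one user
            if pair <= groups:
                findings.append(f"{user}: segregation-of-duties conflict {sorted(pair)}")
    for user in sorted(set(approved) - set(actual)):
        findings.append(f"{user}: approved but has no enabled account")
    return findings
```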
E17 Verify that the Project Lead has communicated
the results of the system build and testing phases
to the Project Steering Committee, along with any
issues that are expected to be unresolved by the
go-live date.
E18 Verify that the Project Steering Committee has
approved the system to go live.
E19 Verify that all tasks on the go-live checklist have
been signed-off on prior to going live.
E20 Verify that any milestone(s) achieved during this
phase have been reviewed and approved by the
Project Sponsor.
E21 Verify that the Project Lead has reviewed the
Project Plan to ensure that the project is on target
with budgets, milestones and timeline. Verify that
Project Lead has reassessed the project risks for
the activities in this phase. Verify the Project
Lead has updated the Project Plan, if necessary.
E22 Review the project actual cost, labor hours and
timeline in comparison with the budget.
Determine if there are any risks that may impact
the project and consider discussing with the
Project Steering Committee.
E23 Prepare an audit memorandum of the results of
this phase of testing and distribute to the Project
Team and Project Sponsor.
Section F - Pre-Implementation: Training
Audit Survey
Rating scale: Excellent / Good / Fair / Poor / Not applicable - Don't Know
Trend scale: Improved significantly / Improved / Stayed the same / Declined / Declined significantly
Evaluation Criteria
Independence
Objectivity of auditor team
Professional Proficiency
Understanding the business & your department
Technical proficiency of audit team
Uses technology appropriately
Professionalism of audit team
Communication skills of audit team
Interpersonal skills of audit team
Works well with your team
Helps you manage and implement change
Scope of Work
Notification of the audit purpose and scope
Audit focused on key areas & risks
Department's concerns and perspective considered
Performance of Audit Work
Duration of the audit
Level of creativity
Usefulness of the audit
Disruption of activities was minimal
Sharing of best practices
Feedback of findings during the audit
Timeliness of the audit report
Clarity of the audit report
Accuracy of the audit findings
Value of the audit recommendations
Provides workable solutions for audit recommendations
Timely follow-up on corrective action
Are there any recommendations for improvement that you would like us to consider?
Additional Comments:
Name: _____________________________________
Date: ______________________________________
Please return survey to: ________________________