Access to Programs and Data

Audit Work Program

PROJECT TEAM (LIST MEMBERS)

Project Timing Date Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

AUDIT OBJECTIVES

The purpose of this work programfocused on access to programs and datais to outline the IT general
controls to be tested, review the results of managements testing, and document the procedures to test
each control.

Document the procedures to be performed to conclude on the operating effectiveness of the controls
identified, including a specific description of the nature, timing and extent of procedures to be performed.
For all controls that are tested at an interim date, list the procedures performed to roll-forward the interim
testing to period end.

Time Project Work Step Initial Index

Audit Procedures

Determine that information security is managed to guide consistent

implementation of security practices and that users are aware of the
organization's position with regard to information security, as it pertains to
financial reporting data.

Determine that logical and physical access to IT computing resources is

appropriately restricted by the implementation of identification, authentication
and authorization mechanisms to reduce the risk of
unauthorized/inappropriate access to the organizations relevant financial
reporting applications or data.

Determine that procedures have been established so that user accounts are
added, modified and deleted in a timely manner to reduce the risk of

Source: www.knowledgeleader.com 1
 Time Project Work Step Initial Index

unauthorized/inappropriate access to the organization's relevant financial

reporting applications or data.

Determine that an effective control process is in place to periodically review

the appropriateness of access rights in order to reduce the risk of
unauthorized/inappropriate access to the organizations relevant financial
reporting applications or data.

Determine that controls used to provide appropriate segregation of duties

within key processes exist and are followed.

Document the procedures to be performed to conclude on the operating

effectiveness of the controls identified, including a specific description of the
nature, timing and extent of procedures to be performed. Consider the
application of relevant PCAOB Auditing Standards and AICPA Audit and
Accounting Guides.

Conclusion on Operating Effectiveness of Internal Controls

To support the overall assessment of managements evaluation process,

document internal audits evaluation of managements tests of operating
effectiveness for the related audit objective. Specifically, address the
following key considerations:
Were procedures sufficient to assess design and operating effectiveness?
Consider the nature, timing and extent of managements procedures.
Were findings supported based on the testing performed?
Were exceptions/deficiencies adequately documented and followed up?

Conclude on the operating effectiveness of the controls over this audit

objective and document any deficiencies noted. Weaknesses in pervasive
controls should cause the internal auditor to alter the nature, timing or extent
of tests of operating effectiveness that otherwise would have been
performed.

Document the impact of any deficiencies on the planned testing of operating

effectiveness of other controls.

Source: www.knowledgeleader.com 2