Audit working papers

Jan 22, 2011

Access to Programs and Data Audit Work Program





Audit Objectives
The purpose of this work program – focused on access to programs and data – is to outline the IT general controls to be tested, review the results of management’s testing, and document the procedures to test each control.

Document the procedures to be performed to conclude on the operating effectiveness of the controls identified, including a specific description of the nature, timing and extent of procedures to be performed. For all controls that are tested at an interim date, list the procedures performed to roll forward the interim testing to period end.

Project Work Step
I. Audit Procedures
A. Determine that information security is managed to guide consistent implementation of security practices and that users are aware of the organization's position with regard to information security, as it pertains to financial reporting data.
B. Determine that logical and physical access to IT computing resources is appropriately restricted by the implementation of identification, authentication and authorization mechanisms to reduce the risk of unauthorized/inappropriate access to the organization’s relevant financial reporting applications or data.
C. Determine that procedures have been established so that user accounts are added, modified and deleted in a timely manner to reduce the risk of unauthorized/inappropriate access to the organization's relevant financial reporting applications or data.
D. Determine that an effective control process is in place to periodically review the appropriateness of access rights in order to reduce the risk of unauthorized/inappropriate access to the organization’s relevant financial reporting applications or data.
E. Determine that controls used to provide appropriate segregation of duties within key processes exist and are followed.
F. Document the procedures to be performed to conclude on the operating effectiveness of the controls identified, including a specific description of the nature, timing and extent of procedures to be performed. Consider the application of relevant PCAOB Auditing Standards and AICPA Audit and Accounting Guides.
II. Conclusion on Operating Effectiveness of Internal Controls
A. To support the overall assessment of management’s evaluation process, document internal audit’s evaluation of management’s tests of operating effectiveness for the related audit objective. Specifically, address the following key considerations:
1. Were procedures sufficient to assess design and operating effectiveness?
- Consider the nature, timing and extent of management’s procedures.
2. Were findings supported based on the testing performed?
3. Were exceptions/deficiencies adequately documented and followed up?
B. Conclude on the operating effectiveness of the controls over this audit objective and document any deficiencies noted. Weaknesses in pervasive controls should cause the internal auditor to alter the nature, timing, or extent of tests of operating effectiveness that otherwise would have been performed.
C. Document the impact of any deficiencies on the planned testing of operating effectiveness of other controls.
