141AuditingITProjectsAuditReportTemplateIsaca141审计.docx

141AuditingITProjectsAuditReportTemplateIsaca141审计.docx

《141AuditingITProjectsAuditReportTemplateIsaca141审计.docx》由会员分享，可在线阅读，更多相关《141AuditingITProjectsAuditReportTemplateIsaca141审计.docx（8页珍藏版）》请在冰豆网上搜索。

141AuditingITProjectsAuditReportTemplateIsaca141审计

[insertcompanylogo]

InternalAuditReport

[insertsystemname]Pre-&Post-SystemImplementationAudit

Report#[insert#]

[InsertCompanyaddress]

AuditType:

InformationTechnology

IssuanceDate:

[InsertDate]

[Updatetableofcontentslast]

IssuanceDate:

[InsertDate}

ReportDistribution

[InsertAddresses]

ActionItemOwners

[InsertActionItemOwners]

The[InsertSystemName]Pre-andPost-SystemImplementationAudit,number[InsertAuditNumber],isbeingreleasedforgeneraldistributionasofthisdate.Theobjective（s）andscopeofthisengagementisnotedintheAuditObjectiveandScopesectionofthisreport.AsummaryoftheauditproceduresperformedisnotedintheAuditDetailsandObservationssectionofthisreport.

Responseshavebeenobtainedfromtheapplicableownerforeachrecommendationdevelopedfromourexamination.Allfindings,recommendations,andmanagementresponses（intheirentirety）havebeenincorporatedintheFindingsandRecommendationssectionofthisreport.

Afollowupreviewofmanagement’simplementationofactionsinresponsetotherecommendationswillbeperformed[InsertDate].

InternalAuditnotesthatsufficientandappropriateauditprocedureshavebeenconductedandevidencegatheredtosupporttheaccuracyoftheconclusionsreachedandcontainedinthisreport.Theconclusionswerebasedonacomparisonofthesituations,astheyexistedatthetimeagainstauditcriteria.Theconclusionsareonlyapplicablefortheprocessexamined.Theevidencegatheredmeetsprofessionalauditstandardsandissufficienttoprovideseniormanagementwithproofoftheconclusionsderivedfromtheinternalaudit.

Auditor:

[InsertName]

ResponsibleManager:

[InsertName]

Thisreportprovidesmanagementwithinformationabouttheconditionofrisksandinternalcontrolsatonepointintime.Futurechangesinenvironmentalfactorsandactionsbypersonnelwillimpacttheserisksandinternalcontrolsinwaysthisreportcannotanticipate.ThisdocumentisCONFIDENTIALforinternalusebymanagementonlyandshouldnotbeused,reliedupon,ordistributedtoanythirdpartywithoutpriorwrittenapproval.

Provideahighlevel,1pagesummaryofwhatthesystemis,itsimpactonthebusiness,andasummaryofthefindingsnoted.

Ouroverallopiniononthe[InsertSystemName]Auditis:

óóóóóExcellent（nofindings）

óóóóGood（minorfindings）

óóóSatisfactory（moderatefindings）

óóNeedsImprovement（significantfindings）

óUnsatisfactory（materialfindings）

Objective

Theobjectiveofthepre-andpost-implementationreviewof[InsertSystemName]isasfollows:

1.Providemanagementwithanindependentassessmentoftheprogress,qualityandattainmentofprojectobjectives,atdefinedmilestoneswithintheproject,basedoffofcompanypoliciesandprocedures.

2.Providemanagementwithanassessmentoftheadequacyofprojectmanagementmethodologiesandthatthemethodologiesareappliedconsistentlyacrossallprojects.

3.Providemanagementwithanevaluationoftheinternalcontrolsofproposedbusinessprocessesatapointinthedevelopmentcyclewhereenhancementscanbeeasilyimplementedandprocessesadapted.

4.Providemanagementwithanassessmentoftheadequacyofsecuritycontrolsimplemented.

5.Providemanagementwithanevaluationoftheprojectmetrics/KPIsandexpectedbenefitsstatedwithintheprojectbusinesscasereport.

ScopeofAudit

Thescopeofthisauditis:

1.TheauditoftheSDLCprocesswillrevieweachphaseofasystemimplementationproject.Theauditwilladdressthefollowingareas:

governanceandriskmanagement,compliancewithcompanyproceduresandregulation,projectmanagementmethodology,budget,internalcontrols,andbusinessprocesses.

2.Toperformotherproceduresdeemednecessarytoachievetheauditobjectives.

ScopeChanges

Noteanyscopechanges.

Provideageneralbackground,assomeofthepeoplethereportisbeingdistributedtomaynothaveagoodunderstandingoftheoldprocessandthenewprocess.Thingsthatyoumaywishtoincludeare:

∙Briefdescriptionofsystemandwhyanewsystemwasneeded–discusspainpoints

∙Impactofthesystemontheoverallbusiness（e.g.thevendormanagementsystemprocesses1,000invoicesadayandissues1,000checksaday,totaling$1milliondaysintransactions）.

∙Discussprojectobjectives,budgettoactualresults（cost,timeline,laborhours）,andresultsofmetrics/KPIs.

∙Providedates:

startdateofproject,dateofimplementation.

∙Discussifsystemissubjecttoregulation（e.g.SOX,PCIDSS,HIPAA,Privacylaws,etc.）

Thekeyrisksrelatedtoimplementingasystemareasfollows:

∙Inadequateprojectmanagementprocedurescouldleadtoscopecreep,apoorlydesignedsystemthatdoesnotmeettheneedsofthebusinessorendusers,unclearresponsibilities,lackofcommunication,inadequatemonitoring,andundetecteddeviationsfromprojectscope.Allofthesehaveadirectimpactonthebudgeteddollarsandtimelinesoftheproject.Italsoindicatesalackofmanagementcontrolovercapitalizableprojects.

∙Inadequatesystemimplementationproceduresresultingfrompoorplanning,poororinsufficientusertesting,systemissuesnotbeingresolved,inadequatesecuritymeasuresforbothnetworkandapplication,lackofcommunication,inadequatelydesignedautomatedcontrolsoreditchecks.Thiswouldhaveadirectimpactonthesystem’sabilitytointegratewithintheexistinginfrastructure,thefunctionalityofthesystem,theproductivityandbuy-inofemployees,dataintegrity,completenessandaccuracy,thesystembeingvulnerabletoasecuritycompromise.Italsoindicatesalackofmanagementcontrolovertheproject.

∙Inadequatesecuritycontrolsresultinvulnerabilitiesthatmayexposedatatounauthorizedaccess,unauthorizeddisclosureortheft.

∙Returnoninvestmentfailstomeetmanagement’sexpectations;expectedbenefitsarenotrealizedornotrealizedtimely.

∙Alackofmanagementcontroloversystemscouldleadtonon-complianceofrequiredregulationsresultinginfinesand/orpenalties.

IAperformedanauditofthe[InsertSystemName]SystemImplementationProject（the“Project”）basedonthesystemdevelopmentlifecycle,whichconsistedofthefollowingphases:

1.ProjectGovernance

2.

BusinessCase&ProjectPlanning

3.SystemDevelopment–Design&Build

4.Testing

5.PreGo-Live&DataConversion

6.Training

7.Support&Maintenance

8.ProjectAssessment

9.InternalControlAssessment

IAnotestheresultsofeachphase,asfollows:

1.ProjectGovernance

[Insertabriefsummaryoftheresultsofeachphase.]

2.BusinessCase&ProjectPlanningPhase

[Insertabriefsummaryoftheresultsofeachphase–shouldsummarizeauditmemorandum.]

3.SystemDevelopment–Design&BuildPhase

[Insertabriefsummaryoftheresultsofeachphase–shouldsummarizeauditmemorandum.]

4.TestingPhase

[Insertabriefsummaryoftheresultsofeachphase–shouldsummarizeauditmemorandum.]

5.PreGo-Live&DataConversionPhase

[Insertabriefsummaryoftheresultsofeachphase–shouldsummarizeauditmemorandum.]

6.TrainingPhase

[Insertabriefsummaryoftheresultsofeachphase–shouldsummarizeauditmemorandum.]

7.Support&MaintenancePhase

[Insertabriefsummaryoftheresultsofeachphase.]

8.ProjectAssessmentPhase

[Insertabriefsummaryoftheresultsofeachphase–makesuretoincludetheProjectLead’sidentifiedlessonslearnedandInternalAudit’sassessmentofeachitemnoted.]

9.InternalControlsAssessment

[Insertabriefsummaryoftheresultsofeachphase–makesuretonoteanycontroldeficiencies.]

1

[InsertFinding]

ControlGap

[ReferenceCobit5managementpractice/activityorotherbestpractice/regulationrequirement]

[InsertRecommendation]

Owners

[InsertOwnerofFinding]

[InsertManagement’sResponse]

[Insertlow,medium,high]

AuditFollow-Up

[IfFindingwasaddressedduringtheaudit,notefollow-upproceduresperformedandwhetherornotfindinghasbeenclosed.Ifnotapplicable,deleterow.]

2

ControlGap

Owners

AuditFollow-Up

1

2

3

Afollowupreviewofmanagement’simplementationofactionsinresponsetotherecommendationswillbeperformed[InsertAuditFollow-Update/quarter].