[insert company logo]
Internal Audit Report
[insert system name] Pre- & Post-System Implementation Audit
Report # [insert #]
[Insert Company address]
Audit Type:
Information Technology
Issuance Date:
[Insert Date]
[Update table of contents last]
Issuance Date:
[Insert Date]
Report Distribution
[Insert Addresses]
Action Item Owners
[Insert Action Item Owners]
The [Insert System Name] Pre- and Post-System Implementation Audit, number [Insert Audit Number], is being released for general distribution as of this date. The objective(s) and scope of this engagement are noted in the Audit Objective and Scope section of this report. A summary of the audit procedures performed is noted in the Audit Details and Observations section of this report.
Responses have been obtained from the applicable owner for each recommendation developed from our examination. All findings, recommendations, and management responses (in their entirety) have been incorporated in the Findings and Recommendations section of this report.
A follow-up review of management’s implementation of actions in response to the recommendations will be performed [Insert Date].
Internal Audit notes that sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on a comparison of the situations, as they existed at the time, against audit criteria. The conclusions are only applicable for the process examined. The evidence gathered meets professional audit standards and is sufficient to provide senior management with proof of the conclusions derived from the internal audit.
Auditor:
[Insert Name]
Responsible Manager:
[Insert Name]
This report provides management with information about the condition of risks and internal controls at one point in time. Future changes in environmental factors and actions by personnel will impact these risks and internal controls in ways this report cannot anticipate. This document is CONFIDENTIAL for internal use by management only and should not be used, relied upon, or distributed to any third party without prior written approval.
Provide a high-level, 1-page summary of what the system is, its impact on the business, and a summary of the findings noted.
Our overall opinion on the [Insert System Name] Audit is:
óóóóó Excellent (no findings)
óóóó Good (minor findings)
óóó Satisfactory (moderate findings)
óó Needs Improvement (significant findings)
ó Unsatisfactory (material findings)
Objective
The objective of the pre- and post-implementation review of [Insert System Name] is as follows:
1. Provide management with an independent assessment of the progress, quality and attainment of project objectives, at defined milestones within the project, based on company policies and procedures.
2. Provide management with an assessment of the adequacy of project management methodologies and of whether the methodologies are applied consistently across all projects.
3. Provide management with an evaluation of the internal controls of proposed business processes at a point in the development cycle where enhancements can be easily implemented and processes adapted.
4. Provide management with an assessment of the adequacy of security controls implemented.
5. Provide management with an evaluation of the project metrics/KPIs and expected benefits stated within the project business case report.
Scope of Audit
The scope of this audit is:
1. The audit of the SDLC process will review each phase of a system implementation project. The audit will address the following areas: governance and risk management, compliance with company procedures and regulation, project management methodology, budget, internal controls, and business processes.
2. To perform other procedures deemed necessary to achieve the audit objectives.
Scope Changes
Note any scope changes.
Provide a general background, as some of the people the report is being distributed to may not have a good understanding of the old process and the new process. Things that you may wish to include are:
∙ Brief description of the system and why a new system was needed – discuss pain points
∙ Impact of the system on the overall business (e.g. the vendor management system processes 1,000 invoices a day and issues 1,000 checks a day, totaling $1 million a day in transactions).
∙ Discuss project objectives, budget to actual results (cost, timeline, labor hours), and results of metrics/KPIs.
∙ Provide dates: start date of project, date of implementation.
∙ Discuss if the system is subject to regulation (e.g. SOX, PCI DSS, HIPAA, privacy laws, etc.)
The key risks related to implementing a system are as follows:
∙ Inadequate project management procedures could lead to scope creep, a poorly designed system that does not meet the needs of the business or end users, unclear responsibilities, lack of communication, inadequate monitoring, and undetected deviations from project scope. All of these have a direct impact on the budgeted dollars and timelines of the project. They also indicate a lack of management control over capitalizable projects.
∙ Inadequate system implementation procedures resulting from poor planning, poor or insufficient user testing, system issues not being resolved, inadequate security measures for both network and application, lack of communication, or inadequately designed automated controls or edit checks. These would have a direct impact on the system’s ability to integrate within the existing infrastructure, the functionality of the system, the productivity and buy-in of employees, and data integrity, completeness and accuracy, and could leave the system vulnerable to a security compromise. They also indicate a lack of management control over the project.
∙ Inadequate security controls result in vulnerabilities that may expose data to unauthorized access, unauthorized disclosure or theft.
∙ Return on investment fails to meet management’s expectations; expected benefits are not realized or not realized in a timely manner.
∙ A lack of management control over systems could lead to non-compliance with required regulations, resulting in fines and/or penalties.
IA performed an audit of the [Insert System Name] System Implementation Project (the “Project”) based on the system development life cycle, which consisted of the following phases:
1. Project Governance
2. Business Case & Project Planning
3. System Development – Design & Build
4. Testing
5. Pre Go-Live & Data Conversion
6. Training
7. Support & Maintenance
8. Project Assessment
9. Internal Control Assessment
IA notes the results of each phase, as follows:
1. Project Governance
[Insert a brief summary of the results of each phase.]
2. Business Case & Project Planning Phase
[Insert a brief summary of the results of each phase – should summarize audit memorandum.]
3. System Development – Design & Build Phase
[Insert a brief summary of the results of each phase – should summarize audit memorandum.]
4. Testing Phase
[Insert a brief summary of the results of each phase – should summarize audit memorandum.]
5. Pre Go-Live & Data Conversion Phase
[Insert a brief summary of the results of each phase – should summarize audit memorandum.]
6. Training Phase
[Insert a brief summary of the results of each phase – should summarize audit memorandum.]
7. Support & Maintenance Phase
[Insert a brief summary of the results of each phase.]
8. Project Assessment Phase
[Insert a brief summary of the results of each phase – make sure to include the Project Lead’s identified lessons learned and Internal Audit’s assessment of each item noted.]
9. Internal Controls Assessment
[Insert a brief summary of the results of each phase – make sure to note any control deficiencies.]
1
[Insert Finding]
Control Gap
[Reference COBIT 5 management practice/activity or other best practice/regulation requirement]
[Insert Recommendation]
Owners
[Insert Owner of Finding]
[Insert Management’s Response]
[Insert low, medium, high]
Audit Follow-Up
[If Finding was addressed during the audit, note follow-up procedures performed and whether or not finding has been closed. If not applicable, delete row.]
2
Control Gap
Owners
Audit Follow-Up
1
2
3
A follow-up review of management’s implementation of actions in response to the recommendations will be performed [Insert Audit Follow-Up date/quarter].