ACCESS TO PROGRAMS AND DATA AUDIT WORK PROGRAM
PROJECT TEAM (LIST MEMBERS)
Project Timing Date Comments
Planning
Fieldwork
Report Issuance (Local)
Report Issuance (Worldwide)
AUDIT OBJECTIVES
The purpose of this work program – focused on access to programs and data – is to outline the IT general
controls to be tested, review the results of management’s testing, and document the procedures to test each
control.
Document the procedures to be performed to conclude on the operating effectiveness of the controls identified,
including a specific description of the nature, timing and extent of procedures to be performed. For all controls that
are tested at an interim date, list the procedures performed to roll-forward the interim testing to period end.
Time Project Work Step Initial Index
Audit Procedures
Determine that information security is managed to guide consistent
implementation of security practices and that users are aware of the
organization's position with regard to information security, as it pertains to
financial reporting data.

Determine that logical and physical access to IT computing resources is
appropriately restricted by the implementation of identification, authentication and
authorization mechanisms to reduce the risk of unauthorized/inappropriate
access to the organization’s relevant financial reporting applications or data.

Determine that procedures have been established so that user accounts are
added, modified and deleted in a timely manner to reduce the risk of
unauthorized/inappropriate access to the organization's relevant financial
reporting applications or data.

Determine that an effective control process is in place to periodically review the
appropriateness of access rights in order to reduce the risk of
unauthorized/inappropriate access to the organization’s relevant financial
reporting applications or data.

Determine that controls used to provide appropriate segregation of duties within
key processes exist and are followed.
1 Source: www.knowledgeleader.com
Document the procedures to be performed to conclude on the operating
effectiveness of the controls identified, including a specific description of the
nature, timing and extent of procedures to be performed. Consider the
application of relevant PCAOB Auditing Standards and AICPA Audit and
Accounting Guides.
Conclusion on Operating Effectiveness of Internal Controls
To support the overall assessment of management’s evaluation process,
document internal audit’s evaluation of management’s tests of operating
effectiveness for the related audit objective. Specifically, address the following
key considerations:
• Were procedures sufficient to assess design and operating effectiveness?
− Consider the nature, timing and extent of management’s procedures.
• Were findings supported based on the testing performed?
• Were exceptions/deficiencies adequately documented and followed up?
Conclude on the operating effectiveness of the controls over this audit objective
and document any deficiencies noted. Weaknesses in pervasive controls should
cause the internal auditor to alter the nature, timing or extent of tests of operating
effectiveness that otherwise would have been performed.
Document the impact of any deficiencies on the planned testing of operating
effectiveness of other controls.