SOX IT Audit - What are the documents normally requested by an auditor?

Posted on 2009-12-20
Last Modified: 2013-12-06
I'm pretty new to SOX IT audit. Can anyone give me pointers on what documents an auditor will normally request you to present? I just got the list below from my auditor, and some of the items seem a bit out of context. Any advice would be helpful, such as what software would help pull those reports or prepare the documents they want.

Entity-Level Controls Testing:
1. Details of MIS Committee meetings.
2. Approved MIS budget.
3. Approved IT manpower budget and training plan.
4. IT risk assessment for all locations.
5. Evidence of participation of MIS Committee members in the budget exercise (e-mails received from members giving their inputs).
6. Copy of some slides of the MIS Committee presentation in the Exempt Staff Meeting held in FY 10 - slides to be selected after reviewing the presentation.
7. Copy of MIS orientation for new staff.
8. Department orientation presentation/checklist for MIS staff.
9. Training records of MIS staff from July 09 till date.
10. Details of updates to MIS policies and standard operating procedures.
11. Evidence of sending out reminders to staff for reading IT policies.
12. Updated organization chart of the IT department.
13. Latest asset listing of all IT assets of the Group - all locations.
14. List of significant IT events or failures year to date, along with the action plan undertaken by the IT department.
15. Details of any special training conducted by the IT department for any user department from July 09 till date.
16. Print screen of the access list for all company applications running.
17. Print screen to evidence adoption of Microsoft Group Policy in locations wherever it is adopted.
18. Print screen of password settings for all IT systems - servers, operating systems, Lotus Notes and all applications.
19. Details of any IT review / licence audit conducted by any external party from July 09 till date.
20. Physical files for all applications hosted on the servers (filed with all documents relevant to the application).
IT General Controls Testing:
1. Details of any new applications implemented / initiated year to date in any of the locations in scope.
2. Details of any updates / enhancements to existing applications from July 09 till date in any of the locations in scope.
3. Print screen to evidence that all PCs are in restricted mode in locations wherever they are in restricted mode.
4. List of PCs which are not in restricted mode - MIS request forms will be verified if the list differs from the list obtained during the earlier audit.
5. Print screen to evidence automated patch implementation for general software updates in all locations where this is implemented.
6. Report from Safeend auditor - dated within one week of the actual audit date.
7. Print screen to evidence firewall installation.
8. Server room logs for all server rooms in all locations in scope.
9. MIS authorization forms prepared from July 09 till date - for enabling remote access and for third-party access to server rooms.
10. Print screen of backup settings in all locations.
11. Details of testing of backup restoration, if any, between July 09 and today.
12. Details of IT assets disposed of from July 09 till date, with all supporting documentation.
13. Details of any new IT vendors in all locations between July 09 and today.
14. All documentation relating to implementation of the monitoring tool - includes samples of reports generated from the tool for monitoring.
15. Print screen showing the list of users with internet access (in locations where internet access is restricted).
16. Print screen of audit policy.
17. Print screen of SQL Server properties.
18. Evidence of the following monitoring activities:
       - Failed logon attempts;
       - Granting/revoking of remote access;
       - Security logs, including server room logs;
       - Monitoring of actual security settings against security baselines;
       - Report from Safeend auditor;
       - Changes to backup schedule;
       - Review of performance and capacity issues;
       - Review of users having access to critical shared drives against the approved request forms.
19. Print screen of users of critical shared drives of the finance department - all locations in scope.
20. Print screen of scheduled tasks.
Question by: aneky
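One way to pull the Windows-specific items on this list (password settings, audit policy, Group Policy, scheduled tasks, failed logon attempts and shared-drive access) into dated evidence files, as an added example rather than anything from the original thread; it assumes PowerShell 4.0 or later in an elevated session on a Windows Server 2012 or later host in scope, and the evidence folder and finance share paths are placeholders to adjust per site.

```powershell
# Added evidence-collection helper (not from the original post or any vendor tool).
# Assumed: elevated PowerShell 4.0+ on a Windows Server 2012+ host in audit scope.
param(
    [string]$EvidenceRoot = "C:\SOX-Evidence",   # placeholder output folder
    [string[]]$SharePath  = @("D:\Finance"),     # placeholder critical finance shares
    [int]$LogonLookbackDays = 30
)
$stamp  = Get-Date -Format "yyyyMMdd-HHmm"
$outDir = Join-Path $EvidenceRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

function Save-Evidence {
    # Writes one artefact per auditor request; the header records host, time and collector
    param([string]$Name, [scriptblock]$Collector)
    $file = Join-Path $outDir "$Name.txt"
    "Host: $env:COMPUTERNAME  Collected: $(Get-Date -Format o)  By: $env:USERNAME" | Out-File $file
    & $Collector 2>&1 | Out-String -Width 300 | Out-File $file -Append
}

# Entity-level item 18: password settings of the local security policy
Save-Evidence "password-policy" { net accounts }
# ITGC item 16: effective audit policy
Save-Evidence "audit-policy" { auditpol /get /category:* }
# Entity-level item 17: Group Policy objects applied to this host
Save-Evidence "group-policy" { gpresult /r /scope:computer }
# ITGC item 20: scheduled tasks
Save-Evidence "scheduled-tasks" {
    Get-ScheduledTask | Select-Object TaskName, TaskPath, State | Format-Table -AutoSize
}
# ITGC item 18: failed logon attempts (Security event ID 4625) over the look-back window
Save-Evidence "failed-logons" {
    $since = (Get-Date).AddDays(-$LogonLookbackDays)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{n='Account'; e={$_.Properties[5].Value}},   # TargetUserName
            @{n='Source';  e={$_.Properties[19].Value}} | # IpAddress
        Format-Table -AutoSize
}
# ITGC item 19: users and groups with access to the critical shared drives
Save-Evidence "shared-drive-acl" {
    foreach ($p in $SharePath) {
        "== $p"
        (Get-Acl $p).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize
    }
}
# Hash every artefact so the auditor can tie each file to this collection run
Get-ChildItem $outDir -Filter *.txt | Get-FileHash -Algorithm SHA256 |
    Select-Object @{n='File'; e={Split-Path $_.Path -Leaf}}, Hash |
    Export-Csv (Join-Path $outDir "manifest.csv") -NoTypeInformation
```

Run it once per server in scope and keep the output folder with the hash manifest as the "print screen" evidence the auditor asks for.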
    Author Closing Comment

The information only gave me a better picture of the requirement.
