SOX IT Audit - What are the documents normally requested by the auditor?
Posted on 2009-12-20
I'm pretty new to SOX IT audit; can anyone give me pointers on what documents the auditor will normally request you to present to them? I just got the list given here from my auditor, and some of the items seem a bit out of context. Any advice will be helpful, like what software would help pull those reports or prepare the documents they want.
Entity-Level Controls Testing:
1 Details of MIS Committee Meetings.
2 Approved MIS Budget.
3 Approved IT Manpower budget and Training plan.
4 IT Risk Assessment for all locations.
5 Evidence of participation of MIS Committee members in the budget exercise (e-mails received from members giving their inputs).
6 Copy of some slides of MIS Committee presentation in Exempt Staff Meeting held in FY 10 - slides to be selected after reviewing the presentation.
7 Copy of MIS Orientation for new staff.
8 Department orientation presentation/checklist for MIS staff.
9 Training records of MIS staff from July 09 to date.
10 Details of updates to MIS Policies and Standard Operation Procedure.
11 Evidence of sending out reminders to staff for reading IT policies.
12 Updated Organization chart of IT Department.
13 Latest asset listing of all IT assets of the Group - all locations.
14 List of significant IT events or failures year to date, along with the action plan undertaken by the IT department.
15 Details of any special training conducted by the IT department for any user department from July 09 to date.
16 Print screen of access list for all company applications running.
17 Print screen to evidence adoption of Microsoft Group Policy in locations wherever it is adopted.
18 Print screen of password settings for all IT systems - Servers, Operating systems, Lotus Notes and all applications.
19 Details of any IT review / licence audit conducted by any external party from July 09 to date.
20 Physical files for all applications hosted on the servers (filed with all documents relevant to the application).
IT General Controls Testing:
1 Details of any new applications implemented / initiated year to date in any of the locations in scope.
2 Details of any updates / enhancements to existing applications from July 09 to date in any of the locations in scope.
3 Print screen to evidence that all PCs are on restricted mode in locations wherever they are on restricted mode.
4 List of PCs which are not on restricted mode - MIS request forms will be verified if the list is different from the list obtained during earlier audit.
5 Print screen to evidence automated patch implementation for general software updates in all locations where this is implemented.
6 Report from Safeend auditor - dated within one week of the actual audit date.
7 Print screen to evidence firewall installation.
8 Server Room logs for all server rooms in all locations in scope.
9 MIS authorization forms prepared from July 09 to date - for enabling remote access and for third-party access to server rooms.
10 Print screen of backup settings in all locations.
11 Details of backup restoration testing, if any, between July 09 and to date.
12 Details of IT assets disposed of from July 09 to date, with all supporting documentation.
13 Details of any new IT vendors in all locations between July 09 and to date.
14 All documentation relating to implementation of monitoring tool - includes samples of reports generated from the tool for monitoring.
15 Print screen showing list of users with internet access (in locations where internet access is restricted).
16 Print screen of audit policy.
17 Print screen of SQL Server properties.
18 Evidence of the following monitoring activities:
- Failed logon attempts
- Granting/revoking of remote access
- Security logs, including server room logs
- Monitoring of actual security settings against security baselines
- Report from Safeend auditor
- Changes to backup schedule
- Review of performance and capacity issues
- Review of users having access to critical shared drives against the approved request forms
19 Print screen of users of critical shared drives of finance department - all locations in scope.
20 Print screen of scheduled tasks.
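Several of the "print screen" items above (password settings, audit policy, scheduled tasks, users of the finance shares) can be pulled as text exports instead of screenshots, which is easier to repeat every quarter and easier for the auditor to tie to a collection date. The script below is an added example written for this reply; it is not from the original post or from the auditor, and it is not a specific product. It assumes Windows hosts with PowerShell 2.0 or later; `auditpol` exists on Vista / Server 2008 and later, `net accounts` and `schtasks` on older versions too. `$OutDir`, the share paths and the server names are placeholders to adjust. Check with your auditor first that dated text exports are acceptable in place of print screens; most are, but the list as written asks for screenshots.

```powershell
# Added example (not part of the original post): export the "print screen"
# evidence items from the auditor's list as text files, each stamped with the
# collection time and collector, plus a SHA-256 index so later edits are detectable.
# Assumptions (hypothetical, adjust for your environment):
#   $OutDir   - folder the evidence bundle is written to
#   $Shares   - UNC paths of the finance department's critical shared drives (ITGC item 19)
#   $Servers  - hosts whose Administrators group membership is collected
$OutDir  = "C:\Audit\SOX-Evidence"
$Shares  = @("\\FILESRV01\Finance", "\\FILESRV01\GL")
$Servers = @("FILESRV01", "SQLSRV01")
$Stamp   = Get-Date -Format "yyyy-MM-dd_HHmm"

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Write one evidence file with a provenance header; return "<sha256>  <filename>"
# for the index file handed over with the bundle.
function Save-Evidence {
    param([string]$Name, [string[]]$Lines)
    $path   = Join-Path $OutDir ("{0}_{1}.txt" -f $Stamp, $Name)
    $header = @(
        "Collected: $(Get-Date -Format o)",
        "By: $env:USERDOMAIN\$env:USERNAME",
        "From host: $env:COMPUTERNAME",
        ("-" * 60)
    )
    ($header + $Lines) | Set-Content -Path $path -Encoding UTF8
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($path)
    $hash  = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString("x2") }) -join ""
    return ("{0}  {1}" -f $hash, (Split-Path $path -Leaf))
}

$index = @()

# Entity-level item 18 (password settings) and ITGC item 16 (audit policy).
# Both commands report the host they run on; for the domain policy use
# 'net accounts /domain', and for remote servers run this block on each box
# (or via Invoke-Command where PowerShell remoting is enabled).
$index += Save-Evidence "password-policy" (net accounts 2>&1)
$index += Save-Evidence "audit-policy"    (auditpol /get /category:* 2>&1)

# ITGC item 20: scheduled tasks. Verbose CSV includes the run-as account and
# the command line, which is what the auditor wants to compare against change forms.
$index += Save-Evidence "scheduled-tasks" (schtasks /query /fo CSV /v 2>&1)

# ITGC item 19: NTFS ACL on each finance share root, one line per ACE, so it can
# be reconciled against the approved MIS request forms (ITGC item 18, last bullet).
foreach ($share in $Shares) {
    $acl   = Get-Acl -Path $share
    $lines = $acl.Access | ForEach-Object {
        "{0,-40} {1,-6} inherited={2,-5} {3}" -f $_.IdentityReference, $_.AccessControlType, $_.IsInherited, $_.FileSystemRights
    }
    $name  = "share-acl_" + ($share -replace '[\\:]', '_').Trim('_')
    $index += Save-Evidence $name (@("Path: $share", "Owner: $($acl.Owner)") + $lines)
}

# Not named on the list, but auditors normally ask who can change the settings
# above: members of the local Administrators group on each in-scope server.
foreach ($srv in $Servers) {
    $members = ([ADSI]"WinNT://$srv/Administrators,group").Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
    }
    $index += Save-Evidence "local-admins_$srv" $members
}

# Hash index: keep a copy yourself and give one to the auditor with the files.
$index | Set-Content -Path (Join-Path $OutDir "${Stamp}_SHA256SUMS.txt") -Encoding UTF8
```

Run it from an account that can read the share ACLs and query the servers, on each location's management host, and keep the dated bundles in the "physical file" for the application (entity-level item 20). The hash index is the part that makes this better than a screenshot: if a file in the bundle is changed after the fact, its hash no longer matches the index the auditor received.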