ENTITY NAME GOES HERE

March 31, 20XX

IT ENVIRONMENT DOCUMENT

Purpose of Document
This is a PLANNING document that is intended to provide a high level overview of the general IT environment. It is important to note that the work documented is NOT sufficient, by itself, to
conclude that IT controls are operating effectively.

Client liaison contact:

OAG entity PX contact:

OAG entity Team lead

contact:

OAG IT Audit Specialist:

Template 1.3

1 of 9

ENTITY NAME GOES HERE

March 31, 20XX

1. Information Resource Strategy and Planning

Client Contact(s):
#
Points of Focus
1.1
List the significant financial system(s) being used.

1.2
1.3

1.4
1.5
1.6

1.7
1.8
1.9
1.1
0
1.11
1.1
2

Documentation
Application Name:

Observations and References

Date Installed /
Operating System
Upgraded
Version
Name & Version

Database Name &

Version

How is the IT budget determined and controlled?

Have any reports been issued by internal audit or other
parties on the IT environment or on specific financial
applications (e.g., MITS?) If so, what were the main
findings?
Future Direction and Initiatives:
Are there significant IT activities outside the IT function?
What is the future direction of IT within the organization
(i.e. IT strategy)? Is there a documented and up to date
IT strategic plan?
What major IT initiatives are planned, within the next 12
months and in the long term?
Business/Client Needs:
How does non-IT management assess whether the IT
systems meet their information needs?
What service level agreements (SLAs) does IT have in
place with non-IT management?
What process does the IT function have in place to
measure users satisfaction? What are the results of
latest survey?
How does the IT function benchmark its operations with
other organizations?
Organization Structure:
What is the IT organization structure? Who does the
Head of IT report to?
How does management ensure the appropriate
segregation of duties within the IT function (for example,
database administrator, network administrator,

Template 1.3

2 of 9

ENTITY NAME GOES HERE

March 31, 20XX

1. Information Resource Strategy and Planning

Client Contact(s):
#
Points of Focus
application programmer, system administrator?)
1.1
Is there an IT Steering Committee? If not, then how are
3
priorities determined?
1.1
Are roles and responsibilities for the IT functions clearly
4
defined? If so, how?
1.1
How does the organization ensure that IT staff maintain
5
their skills?

Template 1.3

Documentation

Observations and References

3 of 9

ENTITY NAME GOES HERE

March 31, 20XX

2. Implementation and Maintenance: Application Systems / Software Systems / Database

Client Contact(s):
#
Points of Focus
Change Management and Maintenance:
2.1
How does management ensure that changes to the IT
environment (e.g., database, network, operating
system, hardware or applications) are managed
appropriately?

2.2
2.3

Documentation

Observations and References

Implementation and Maintenance: Application

Systems / Software Systems / Database
Is a formal systems development methodology used?
What new financial systems have been implemented?

Template 1.3

4 of 9

ENTITY NAME GOES HERE

March 31, 20XX

3. Business Continuity
Client Contact(s):
#
Points of Focus
3.1 Has the organization addressed business continuity
planning and disaster recovery planning issues?
3.2 Has management put in place a system to test these
plans on a periodic basis? When was it last tested?
3.3 Does management have a formal process regarding the
backup of financial information (i.e. backup frequency,
backup testing, retention period and storage location)?

Template 1.3

Documentation

Observations and References

5 of 9

ENTITY NAME GOES HERE

March 31, 20XX

4. Information Security
Client Contact(s):
#
Points of Focus
4.1
How does management ensure that Access to the IT
environment (e.g., database, network, operating
system, hardware or applications) are managed
appropriately?
4.2
Does the organization have a security policy?
4.3
Who is responsible for administering the security policy?
4.4
How is the policy communicated to employees and
contractors and enforced?
4.5
How does management ensure that users receive
appropriate education and training on information
security?
4.6
When was the most recent Threat and Risk Assessment
(TRA) done?

Template 1.3

Documentation

Observations and References

6 of 9

ENTITY NAME GOES HERE

March 31, 20XX

5. Information Systems Operation

Client Contact(s):
#
Points of Focus
5.1 How is information regarding any problems with
systems communicated to non-IT management?
5.2 Have there been any significant operational failures,
security incidents or data corruption problems? Please
describe.
5.3 What are the key IT operational indicators reported to
non-IT management (e.g., accessibility, reliability,
performance, capacity?)

Template 1.3

Documentation

Observations and References

7 of 9

ENTITY NAME GOES HERE

March 31, 20XX

6. Relationship with Outsourced Vendors

Client Contact(s):
#
Points of Focus
6.1 Is use made of outsourced service providers? If so,
identify what key components have been outsourced
and provide Service Level Agreements.
6.2 Who is responsible for monitoring service delivery of the
outsourced service provider?
6.3 Are there reports for Third Party Assurance provided by
a vendor or host? (CICA Section 5970 or SAS70)

Template 1.3

Documentation

Observations and References

8 of 9

ENTITY NAME GOES HERE

March 31, 20XX

7. Network Support
Client Contact(s):
#
Points of Focus
7.1 Does the organization have a network diagram? When
was it last updated?
7.2 What process is in place to maintain the network
diagram (e.g., owner, frequency?)

Template 1.3

Documentation

Observations and References

9 of 9