
General check list for IS audit of application

A. Detailed design document
B. Copy of Administrative manual
C. Copy of Architecture and Application Setup
D. System specification document
E. Copy of User manual
F. One-time parameter setting details
G. Details of accounting parameter setting
H. Data flow diagram
I. Interface with other applications
J. Whether remote access to vendor is given
K. Generic user IDs; details of hard-coded user IDs and passwords
L. Details of application dependency
M. Copy of sign-off document
N. Copy of UAT test cases with sign-off
O. What are the outstanding issues as on date
P. Whether a report on user activities (audit trail) can be generated from the application
Q. List of modules implemented; schedule for implementation of remaining modules, if any
R. Segregation of duties: list of DB/OS/Application administrators from Bob and from HP / vendor
S. Access Control - Logical

   Application
   - Application Group
   - Application Users
   - System / application administrator
   - Application Group - rights & privileges
   - Application Users - rights & privileges
   - Audit trail / logs
   - Report from application
   - Maker / Checker
   - Access to application key files & folders
   - Application password policy
   - Generic users
   - User IDs & passwords hard-coded in any scripts
   - Documentation
   - Super user passwords in sealed envelope
   - Application version
   - Application patches: testing and procedure followed
   - Input data validation for key fields
   - Sign-off document
   - Application exception reports

   Database
   - Database Group
   - Database Users
   - Database administrator
   - Database Group - rights & privileges
   - Database Users - rights & privileges
   - Audit logging
   - Auditing of database administrator
   - Log shipping
   - Access to log files
   - Access to archival log files
   - Access to DB home directory
   - Database password policy
   - Database hardening
   - Database version
   - Database patches
   - Database licenses
   - Generic users
   - User IDs & passwords hard-coded in any scripts
   - Documentation
   - Super user passwords in sealed envelope
   - Review of database user access rights - guidelines
   - Back-end access
   - Backup offsite storage
   - BCP & Disaster recovery setup
   - Testing of BCP & Disaster recovery setup
   - Monitoring of online replication from DC to DR
   - Log monitoring (DB, OS) - how, frequency

   Operating system (Application, Database, Web application servers)
   - Operating system Group
   - Operating system Users
   - Operating system administrator
   - Operating system Group - rights & privileges
   - Operating system Users - rights & privileges
   - Audit logging
   - Auditing of operating system administrator
   - Log shipping
   - Access to log files
   - Access to archival log files
   - Access to OS directory
   - Operating system password policy
   - Operating system hardening
   - Operating system version
   - Operating system service pack / hot fixes
   - Operating system licenses
   - Generic users
   - User IDs & passwords hard-coded in any scripts
   - Documentation
   - Super user passwords in sealed envelope
   - Review of OS user access rights - guidelines
   - Clock synchronisation
   - Application, DB, Web servers part of domain

   General
   - User Access Management - application
   - User Access Management - database
   - User Access Management - operating system
   - Interfaces between other applications - documentation
   - Data upload
   - Test environment
   - Segregation of duties - developer access to production setup
   - Documented operating critical procedures
   - Various processes
