What to review in the audit, security, and control of
the core modules?
1. Review or document the workflow of the application.
2. Identify key exposures within the workflow.
3. Determine if adequate controls exist to mitigate the
4. Access Control
Review all users who have access to the application and
ensure that they still require that level of access.
Menu Level Access
File Level Access
Review the user IDs associated with each data file to ensure that
only authorized users can access the data.
Test how the application handles invalid user ID and password attempts (for example, whether repeated failures lock the account).
Obtain a copy of the corporate security standards. Determine
whether a user can log on directly to NT, Unix, Oracle or DB2 without going
through the application's initial logon process, bypassing its access controls.
Review all default user accounts to ensure that proper security and
control are maintained (for example, default passwords changed or unused accounts disabled).
Review the security administration procedures for:
updating user information
Determine who the system administrator for the application is
and how many administrators are assigned to the application.
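The access-control steps above (users versus required access, menu- and file-level entitlements, default accounts, number of administrators, and handling of invalid logon attempts) can be worked as one review over exported data. The script below is an added example, not part of the original checklist; the user IDs, roles, menu names, file names, logon trail and the one-administrator threshold are all constructed for illustration.

```python
from collections import Counter

# Constructed inputs: what an auditor would pull from the application's
# user table and from HR. IDs, roles, menus and file names are hypothetical.
APP_USERS = [
    {"id": "jsmith", "role": "clerk",   "menus": {"AP_ENTRY"},                           "files": {"ap.dat"}},
    {"id": "mlee",   "role": "manager", "menus": {"AP_ENTRY", "AP_APPROVE"},             "files": {"ap.dat"}},
    {"id": "tadmin", "role": "admin",   "menus": {"AP_ENTRY", "AP_APPROVE", "SYSADMIN"}, "files": {"ap.dat", "users.dat"}},
    {"id": "badmin", "role": "admin",   "menus": {"SYSADMIN"},                           "files": {"users.dat"}},
    {"id": "guest",  "role": "clerk",   "menus": {"AP_ENTRY"},                           "files": {"ap.dat"}},
    {"id": "rgone",  "role": "clerk",   "menus": {"AP_ENTRY", "AP_APPROVE"},             "files": {"ap.dat"}},
]

# Menu-level and file-level access each role needs, per the documented workflow.
ROLE_ENTITLEMENTS = {
    "clerk":   {"menus": {"AP_ENTRY"},                           "files": {"ap.dat"}},
    "manager": {"menus": {"AP_ENTRY", "AP_APPROVE"},             "files": {"ap.dat"}},
    "admin":   {"menus": {"AP_ENTRY", "AP_APPROVE", "SYSADMIN"}, "files": {"ap.dat", "users.dat"}},
}

ACTIVE_STAFF = {"jsmith", "mlee", "tadmin", "badmin"}   # current employees per HR
DEFAULT_ACCOUNTS = {"guest", "admin", "test", "demo"}   # vendor-supplied IDs to look for
MAX_ADMINS = 1                                          # constructed threshold for this example

# Constructed logon audit trail, in order. A working lockout policy should
# record LOCKED once a user reaches the failure threshold.
AUTH_LOG = [
    ("jsmith", "FAIL"), ("jsmith", "FAIL"), ("jsmith", "FAIL"), ("jsmith", "LOCKED"),
    ("mlee", "FAIL"), ("mlee", "FAIL"), ("mlee", "FAIL"), ("mlee", "OK"),
]


def review_access(users, entitlements, active_staff, default_accounts, max_admins):
    """Return (user_id, finding) pairs for accounts that fail the access review."""
    findings = []
    for u in users:
        allowed = entitlements[u["role"]]
        if u["id"] not in active_staff:
            findings.append((u["id"], "not an active employee"))
        if u["id"] in default_accounts:
            findings.append((u["id"], "default account still enabled"))
        extra_menus = u["menus"] - allowed["menus"]
        if extra_menus:
            findings.append((u["id"], "menu access beyond role: " + ",".join(sorted(extra_menus))))
        extra_files = u["files"] - allowed["files"]
        if extra_files:
            findings.append((u["id"], "file access beyond role: " + ",".join(sorted(extra_files))))
    admins = sorted(u["id"] for u in users if u["role"] == "admin")
    if len(admins) > max_admins:
        findings.append(("*", f"{len(admins)} administrators assigned, max {max_admins}: " + ",".join(admins)))
    return findings


def lockout_gaps(log, threshold):
    """Return user IDs whose logon attempts were still accepted after
    `threshold` consecutive failures, i.e. no lockout took effect."""
    streak = Counter()
    gaps = set()
    for user, event in log:
        if event == "LOCKED":
            streak[user] = 0
            continue
        if streak[user] >= threshold:
            gaps.add(user)          # attempt processed past the threshold
        streak[user] = streak[user] + 1 if event == "FAIL" else 0
    return sorted(gaps)


if __name__ == "__main__":
    for who, what in review_access(APP_USERS, ROLE_ENTITLEMENTS, ACTIVE_STAFF, DEFAULT_ACCOUNTS, MAX_ADMINS):
        print(f"{who}: {what}")
    print("no lockout enforced for:", lockout_gaps(AUTH_LOG, 3))
```

On the constructed data the review flags the departed user who kept an approval menu, the enabled guest account, and two administrators against a threshold of one; the logon trail shows the lockout working for one user and silently absent for another.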
5. Integrity Checking
6. Evaluate any sensitive or critical derived data to ensure
that it is created according to the established integrity standards.
Evaluate sensitive or critical on-line transactions to ensure
that they perform according to the established integrity standards.
Evaluate sensitive or critical batch jobs to ensure that
they perform according to the established integrity standards.
7. Evaluate the outputs of the system to ensure that sensitive
or critical output is properly handled.
Review the final edit process to ensure the integrity of
Review all system interfaces to determine that data integrity
is properly maintained.
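A standard way to test that a batch job and the interface it feeds preserve data integrity is to compare control totals (record count, amount total and a hash total over the detail records) on both sides of the interface and against each file's own trailer. The script below is an added example, not part of the original checklist; the record layout (H header, D detail, T trailer), the vendor records and the altered amount are constructed.

```python
import hashlib
from decimal import Decimal

# Constructed batch as written by the sending system. Layout is hypothetical:
# H=header, D=detail doc|vendor|amount, T=trailer count|amount.
SENT = """H|AP|20240131
D|1001|VENDOR-A|1250.00
D|1002|VENDOR-B|80.50
D|1003|VENDOR-C|4300.25
T|3|5630.75
"""

# The same batch as loaded by the receiving system: one amount was altered
# in transit (80.50 became 805.00) while the trailer was copied unchanged.
RECEIVED = SENT.replace("D|1002|VENDOR-B|80.50", "D|1002|VENDOR-B|805.00")


def control_totals(batch_text):
    """Compute record count, amount total and an order-independent hash
    over the detail records, plus the totals claimed by the trailer."""
    details, trailer = [], None
    for line in batch_text.splitlines():
        if not line:
            continue
        kind, *fields = line.split("|")
        if kind == "D":
            details.append(fields)
        elif kind == "T":
            trailer = (int(fields[0]), Decimal(fields[1]))
    amount = sum((Decimal(f[2]) for f in details), Decimal("0"))
    canon = "\n".join(sorted("|".join(f) for f in details)).encode()
    return {
        "count": len(details),
        "amount": amount,
        "digest": hashlib.sha256(canon).hexdigest(),
        "trailer": trailer,
    }


def reconcile(sent_text, received_text):
    """Return a list of integrity issues; an empty list means both sides
    agree with their own trailers and with each other."""
    issues = []
    sides = {"sender": control_totals(sent_text), "receiver": control_totals(received_text)}
    for name, t in sides.items():
        if t["trailer"] is None:
            issues.append(f"{name}: no trailer record")
            continue
        claimed_count, claimed_amount = t["trailer"]
        if claimed_count != t["count"]:
            issues.append(f"{name}: {t['count']} detail records, trailer claims {claimed_count}")
        if claimed_amount != t["amount"]:
            issues.append(f"{name}: detail amount {t['amount']} != trailer {claimed_amount}")
    s, r = sides["sender"], sides["receiver"]
    if s["count"] != r["count"]:
        issues.append(f"record count differs: sent {s['count']}, received {r['count']}")
    if s["amount"] != r["amount"]:
        issues.append(f"amount total differs: sent {s['amount']}, received {r['amount']}")
    if s["digest"] != r["digest"]:
        issues.append("detail records differ (hash total mismatch)")
    return issues


if __name__ == "__main__":
    for issue in reconcile(SENT, RECEIVED):
        print(issue)
```

The amount total alone catches the altered value here; the hash total is what catches a change that leaves count and amount intact (for example a swapped vendor code), and the trailer comparison catches the receiving job accepting a file whose own totals no longer add up.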
8. Evaluate any recent application failures to ensure
that an adequate contingency plan exists.
9. Evaluate several recent application changes to ensure
that proper procedures were followed.
10. Evaluate the level of system documentation to ensure
that it is adequate.
11. Interview the users to ensure that they are satisfied
with the current system and that it meets the organization's business needs.
12. Review the management reports to see if additional
reports are needed.
13. Determine if any back doors (undocumented logon paths or accounts) exist in the system.