Information Technology Audit
Internal Control Questionnaire for Information Technology ("IT")

Company: _
Date: _
Completed by: _
Signature: _
(Name, title and department)

Please complete this questionnaire (in English or Chinese) according to the following instructions:
- Answer all the yes/no questions by marking an "x" in the "Yes", "No" or "N/A" column;
- Write the comments or additional information requested by the instruction (in italics) under each question in the "Comments" column; and
- Attach reference documents in soft or hard copy and write their names in the "Name of documents attached" column.

Columns: Questions | Yes | No | N/A | Comments | Name of documents attached

A. IT environment

1. Is access to system program libraries, application system documentation, test files, etc. restricted to authorized personnel?
   State the authorized personnel for system program libraries, application system documentation, test files, etc.
   State the major systems used in your company.
2. Are all programs and systems, and their changes, sufficiently documented for proper maintenance?
3. Are all changes to programs and system design properly approved?
   Describe the approval process for changes to programs and system design.
4. Are changes to programs and system design reviewed on a timely basis by a responsible individual for improper changes?
   State who is responsible for reviewing changes to programs and system design.
5. Are users consulted on all new system programming, or revisions to existing programming, regarding user needs, layout, test data, etc.?
   State the major channels of consultation and their effectiveness.
6. Are all new systems or system revisions run side-by-side with existing systems, or extensively tested with realistic test data, prior to their exclusive use for transaction processing?
7. Are current computer capacity and response time periodically reviewed for adequacy against present and expected future needs?
   State the frequency of review. Provide a report/record of the most recent review.
8. Is IT hardware physically secured (from fire, flood and other hazards), and is access restricted to authorized personnel via cards, keys, locked doors, etc.?
9. Are users' PCs protected from theft?
   State the internal controls for the physical security of PCs.
10. Are there adequate internal controls to prevent employees from using/copying illegal software?
   State the relevant internal controls.
11. Does the IT Department conduct periodic reviews of IT security and communicate the results to management?
   State the frequency of review and provide a copy of the most recent review report/record.
12. Are the roles and responsibilities of the IT organization defined, documented and understood?
13. Has IT management communicated the policies and procedures governing the IT organization's activities to all relevant parties?

B. Computer access security

1. Is access to computer terminals and equipment limited to authorized personnel?
2. Do procedures exist, and are they followed, to ensure that all users are authenticated to the system to support the validity of transactions?
   State the names and document numbers of the procedures.
3. Do procedures exist, and are they followed, to ensure timely action relating to requesting, establishing, issuing, suspending and closing user accounts?
   State the names and document numbers of the procedures.
4. Does a formal approval process exist for granting access to systems and data?
   Briefly describe the approval process.
5. Is there a process to periodically review access rights?
   Briefly describe the review process, including the frequency and scope of review.
6. Are processes in place to ensure that all devices, including servers, mainframe hardware, routers and switches, are properly configured to prevent unauthorized access?
7. Are security violations and other incidents (in all systems, including Oracle) automatically logged and reviewed?
8. Are the current computer access security controls adequate?
   If passwords for some systems (such as the Oracle system) are shared among users, state the compensating controls that minimize the risk of unauthorized access.

C. Network security

1. Is sensitive and confidential data on networks, personal computers and backup tapes/disks protected by restricted access or other controls?
   Briefly describe the controls.
2. Have procedures been established to check all disks, files attached to email, and downloaded software for computer viruses?
   Briefly describe the procedures.
3. Do appropriate controls, including firewalls, intrusion detection and vulnerability assessments, exist, and are they used to prevent unauthorized access?
   State the controls used.
4. Have all unnecessary services and ports been disabled on all devices connected to the network?

D. Backup and IT disaster recovery

1. Have the systems been prioritized for backup and recovery purposes? Are backup processes performed on a scheduled basis?
   Provide the backup schedule.
2. Are backup files of all operational/financial data, system programs and other irreplaceable files kept off-site or in an area secure from fire and other damage?
   State the location where the backup files are kept.
3. Does a business continuity plan exist which identifies critical activities, contains plans for continued operations during short- and long-term emergencies, and identifies backup files, programs, documentation and alternative processing sites?
   Provide a copy of the business continuity plan.
4. Is there an IT disaster recovery plan which aligns with the overall business continuity plan?
   Provide a copy of the IT disaster recovery plan.
5. Is the IT disaster recovery plan adequately tested, at least annually, and are any deficiencies corrected?
   State the frequency of testing of the IT disaster recovery plan.

E. Management of third-party services (complete this part if third-party IT services are used in the company)

1. Have service level agreements (SLAs) been created and agreed upon by the IT Department and users for the availability, performance and capacity of the application environment?
   Provide a list of all the service level agreements (including agreement dates, services provided, names of service providers, etc.).
2. Are service level agreements (SLAs) used for monitoring database performance?
3. Have network data transmission security standards been adhered to and approved by the IT security team?

F. Input/output controls

1. Are there adequate controls