Information Technology Audit
Internal Control Questionnaire For Information Technology (“IT”)

Company: ____________    Date: ____________
Completed by: ____________    Signature: ____________
(Name, title and department)

Please complete this questionnaire (in English or Chinese) according to the following instructions:
- Answer all the yes/no questions by marking an “x” in the column “Yes”, “No” or “N/A”;
- Write the comments or additional information according to the instruction (in italics) of each question in the column “Comments”; and
- Attach reference documents in soft or hard copies and write their names in the column “Names of documents attached”.

Columns: Questions | Yes | No | N/A | Comments | Name of documents attached

A. IT environment

1. Is access to system program libraries, application system documentation, test files, etc. restricted to authorized personnel?
   Comments: State the authorized personnel for system program libraries, application system documentation, test files, etc. State the major systems used in your company.
2. Are all programs and systems, and their changes, sufficiently documented for proper maintenance?
3. Are all changes to programs and system design properly approved?
   Comments: Describe the approval process for changes to programs and system design.
4. Are changes to programs and system design reviewed on a timely basis by a responsible individual for improper changes?
   Comments: State who is responsible for reviewing changes to programs and system design.
5. Are users consulted on all new system programming or revisions to existing programming regarding user needs, layout, test data, etc.?
   Comments: State the major channels of consultation and their effectiveness.
6. Are all new systems or system revisions run side-by-side with existing systems, or extensively tested with realistic test data, prior to their exclusive use for transaction processing?
7. Are current computer capacity and response time periodically reviewed for adequacy against present and expected future needs?
   Comments: State the frequency of review. Provide a report/record of the most recent review.
8. Is IT hardware physically secured (from fire, flood and other hazards), with access restricted to authorized personnel via cards, keys, locked doors, etc.?
9. Are users' PCs protected from unwarranted exposure to theft?
   Comments: State the internal controls for the physical security of PCs.
10. Are there adequate internal controls to prevent employees from using/copying illegal software?
   Comments: State the relevant internal controls.
11. Does the IT Department conduct periodic reviews of IT security and communicate the results to management?
   Comments: State the frequency of review and provide a copy of the most recent review report/record.
12. Are the roles and responsibilities of the IT organization defined, documented and understood?
13. Has IT management communicated the policies and procedures governing the IT organization's activities to all relevant parties?

B. Computer access security

1. Is access to computer terminals and equipment limited to authorized personnel?
2. Do procedures exist, and are they followed, to ensure that all users are authenticated to the system to support the validity of transactions?
   Comments: State the names and document numbers of the procedures.
3. Do procedures exist, and are they followed, to ensure timely action relating to requesting, establishing, issuing, suspending and closing user accounts?
   Comments: State the names and document numbers of the procedures.
4. Does a formal approval process exist for granting access to systems and data?
   Comments: Briefly describe the approval process.
5. Is there a process to periodically review access rights?
   Comments: Briefly describe the review process, including the frequency and scope of review.
6. Are processes in place to ensure that all devices, including servers, mainframe hardware, routers and switches, are properly configured to prevent unauthorized access?
7. Are security violations and other incidents (in all systems, including Oracle) automatically logged and reviewed?
8. Are the current computer access security controls adequate?
   Comments: If some system passwords (such as for the Oracle system) are shared by users, state the compensating controls to minimize the risk of unauthorized access.

C. Network security

1. Is sensitive and confidential data on networks, personal computers and backup tapes/disks protected by restricted access or other controls?
   Comments: Briefly describe the controls.
2. Have procedures been established to check all disks, files attached to email, and downloaded software for computer viruses?
   Comments: Briefly describe the procedures.
3. Do appropriate controls, including firewalls, intrusion detection and vulnerability assessments, exist, and are they used to prevent unauthorized access?
   Comments: State the controls used.
4. Have all unnecessary services and ports been disabled on all devices connected to the network?

D. Backup and IT disaster recovery

1. Have the systems been prioritized for backup and recovery purposes? Are backup processes performed on a scheduled basis?
   Comments: Provide the schedule for backup.
2. Are backup files of all operational/financial data, system programs, and other irreplaceable files kept off-site or in an area secure from fire and other damage?
   Comments: State the location where the backup files are kept.
3. Does a Business Continuation Plan exist which identifies critical activities, contains plans for continued operations during short- and long-term emergencies, and identifies backup files, programs, documentation and alternative processing sites?
   Comments: Provide a copy of the business continuation plan.
4. Is there an IT disaster recovery plan which aligns with the overall business continuity plan?
   Comments: Provide a copy of the IT disaster recovery plan.
5. Is it ensured that the IT disaster recovery plan is adequately tested, at least annually, and that any deficiencies are corrected?
   Comments: State the frequency of testing of the IT disaster recovery plan.

E. Management of third party services (please complete this part if third party IT services are used in the company)

1. Have service level agreements (SLAs) been created and agreed upon by the IT Department and users for the availability, performance, and capacity of the application environment?
   Comments: Provide a list of all the service level agreements, with information including agreement dates, services provided, names of service providers, etc.
2. Are service level agreements (SLAs) used for monitoring database performance?
3. Have network data transmission security standards been adhered to and approved by the IT security team?

F. Input/output controls

1. Are there adequat