Check Yes or No or N/A (where not applicable). Where a No is indicated, some action may be required to rectify the situation. Cross-references (e.g., See FN 1.01) point to the relevant policy in the First Reference Internal Control Library. FN = Finance & Accounting PolicyPro, Volume 1; GV = Finance & Accounting PolicyPro, Volume 2; OP = OMPP policies in FAPP electronic version; IT = Information Technology PolicyPro; NP = Not-for-Profit PolicyPro.

Identify automated solutions

AI1 Are identified application needs evaluated in the context of business and IT objectives and plans? See IT 3.01,
AI2 Do system or business process owners approve the initial definition of the application? See IT 3.01,
AI3 Have senior management and IT management approved the initial definition of the application and given approval to proceed to the next stage? See IT 3.01,
AI4 Are decisions to proceed to the next phase of development or acquisition taken at key, predetermined checkpoints? See IT 3.01, 3.02,
AI5 Have comprehensive requirements been established, including user-functionality and data requirements? See IT 3.01,
AI6 Has there been extensive user and owner involvement in the definition of requirements? See IT 3.01,
AI7 Have you ensured that data requirements and the impact on the current data architecture are taken into account in the definition of requirements? See IT 3.01,
AI8 Have you ensured that system integration and interface issues and the impact on users and other stakeholders have been considered in the definition of requirements? See IT 3.01, 3.02,
AI9 Have you identified the hardware and systems software requirements of the proposed system? See IT 3.01,
AI10 Have you estimated the staff required to support the proposed system? See IT 3.01, 3.02,
AI11 Have you estimated the benefits and savings of the proposed system, and done a cost/benefit analysis? See IT 3.01,
AI12 Have you assessed the business and technology risks of the proposed system? See IT 3.01,
AI13 Have you carefully considered and evaluated alternative solutions? See IT 3.01,
AI14 Have you obtained approval on the best solution from all key stakeholders? See IT 3.01,

Acquire and maintain application software

AI15 Have you defined procedures to ensure that detailed design specs refer back to the initial design, user requirements and risk analysis? See
AI16 Do you require sign-off on the detailed design from the computer operations and software support service providers, confirming that requirements and risks have been addressed? See
AI17 Do you establish standards for legal contracts associated with system acquisitions? See
AI18 Do you establish standards to ensure that application programming is efficient and effective, requiring that existing code be reused where possible and that appropriate programming tools and techniques are employed? See
AI19 Do you use RFPs to provide programming and systems standards to vendors? See IT 2.02, 3.02
AI20 Do you review code received from vendors for compliance with standards? See
AI21 Do you protect your intellectual property by requiring that outsourced contracts include penalty clauses covering proprietary systems logic, processes and data? See
AI22 Do you consider the ongoing maintenance of information systems by specifying user-maintainable tables, standard text formats, modularized code and high-quality documentation? See
AI23 Do you have a policy that mandates that application systems design includes an assessment of business risks and controls? See IT 1.03, 3.02
AI24 Do you have a policy requiring the application control design to be approved by the business system owner? See IT 1.03, 2.02, 3.02
AI25 Does application security and controls design comply with your organization's overall security architecture? See IT 1.03, 2.02, 3.02

Acquire and maintain technology infrastructure

AI26 Have measurable objectives and performance targets been established for systems development and acquisition? Have targets been communicated to those responsible for meeting them? See, 12.01
AI27 For developed and acquired systems, have you prepared an implementation plan that sets out resource needs and dependencies, as well as fallback, recovery, conversion and verification steps? See
AI28 Has the implementation plan been reviewed and signed off by implementing management and the system owner? See IT 1.03, 2.04, 3.01,
AI29 Are processes in place to maintain effective control over conversion data, including a data conversion plan, verification of conversion data, and detailed verification of the results? See IT 2.04, 3.01,

Enable operation and use

AI30 Have all personnel involved in systems acquisition and development activities received adequate training and supervision? See IT 2.02, 3.02, 12.01
AI31 Are implementation responsibilities assigned to appropriate personnel via position descriptions, mandates, and project roles and responsibilities documents? See IT 1.03, 2.04, 3.01, 12.01
AI32 Have you developed manual procedures for the operation and control of the system in conjunction with development of the application? See IT 2.04, 3.01,
AI33 Have you written adequate operating documentation for information systems processing? Has it been reviewed and approved? See IT 2.04, 3.01,

Procure IT resources

AI34 Are computer operations line management personnel required to sign off on all implementations? See
AI35 When designing, staffing and scheduling IT conversions, have implementation and business risks been identified and considered? See

Install and accredit solutions and changes

AI36 Have developed and acquired systems been adequately tested before implementation? Did you prepare and approve a test strategy and test plans? See
AI37 Have you completed a formal acceptance process with appropriate system owners to confirm that testing has been satisfactorily completed and user requirements have been met? See
AI38 Have you received final approval after implementation but before operation from appropriate user management, including sign-off that implementation has been successful? See
AI39 Have you conducted a post-implementation review to confirm that the objectives for implementing the system have been met? See

Manage changes

AI40 Have you assigned specific responsibilities and authorization requirements for change management? See IT 6.01, 1.03, 3.02
AI41 Do you ensure that all anticipated changes are in accordance with your IT strategic plan? See IT 1.01, 1.02, 1.03, 3.02, 6.01
AI42 Do you establish and enforce standards to ensure that there is appropriate segregation of duties between the different roles involved in changes to IT resources? See IT 1.03, 6.01, 1.03
AI43 Do you have independent quality assurance and/or audit processes to review change management activities, and to assess the security and control implications of the change prior to implementation? See IT 6.01, 1.03, 7.06
AI44 Where changes are to be applied to multiple environments with different levels of risk, do you implement changes in lower-risk environments first? See IT 6.01, 1.03
AI45 Do your system software change management procedures include system software maintenance activities? See IT 3.02, 1.03
AI46 Do you ensure that system software maintenance is monitored and approved by technically qualified independent resources? See IT 3.02, 1.03, 7.06
AI47 Do you periodically report on the content of key parameters and key processes within security mechanisms, to allow their contents to be verified? See IT 5.01, 7.02, 8.02, 9.03, 9.04

2008-2010 First Reference Inc. All Rights Reserved.