Information
-
Document No.
-
Audit Title
-
Client / Site
-
Conducted on
-
Prepared by
-
Location
-
Personnel
Access Control
-
1.1 What do you do with your user ID and password to protect them?
-
1.4 How do you ensure that they are unique?
-
1.6 (Managers) How do you make sure that employees have the correct access permissions for their role?
-
1.6 (Managers) What checks do you carry out and at what frequency?
-
1.9 (Managers) If one of your employees changes roles, how do you make sure they only have the access they require for their new role?
-
1.9 (Managers) How do you ensure that employee access is terminated immediately when they leave?
Compliance
-
6.1 What compliance activities do you carry out in relation to:
-
Information Security?
-
Business Continuity
-
Fraud
-
Anti-Bribery and Corruption?
-
6.2 Can you load software onto your PC?
-
6.9 Did you sign an NDA when you started at the organisation?
-
6.9 Who are you allowed to share information with externally, either a customer or a customer's agent?
-
6.9 How do you make sure that you are giving information to the appropriate person/people?
Email Security
-
9.1 Do you use external email?
If yes, what process would you follow if you need to send an email privately or confidentially?
-
9.1 Do you use Rightfax in branch?
If yes, what controls do you have in place to ensure that the fax is going to the correct person?
Equipment Security
-
10.1 MANAGERS - What steps do you need to take to protect your portable equipment?
-
10.2 What process do you follow to protect any equipment you are responsible for?
i.e. to prevent unauthorised access (workstation or keys)
-
10.3 MANAGERS - What process do you follow if you need to move a PC or printer?
Asset Management
-
2.2 MANAGERS - When do you notify Technology of changes in ownership of equipment?
Information Classification Handling & Transfer
-
12.1 If you needed to know about classifying documents where would you look?
-
12.4 MANAGERS - Do you know where your department's data retention policy is stored?
-
12.4 Have you complied with it in the last 12 months?
-
OBSERVATION: Are the Slim Jims locked or overflowing?
-
OBSERVATION: Are documents stored correctly, and is the process for storage understood?
-
12.5 What do you do with any account information you have written down?
-
12.5 What would you do if you are asked to look up and provide information on a partner?
-
12.5 What would you do if a family member wanted you to perform transactions on your account?
Information Security Incident Management
-
13.1 Explain what you think a security incident is.
-
13.1 Who would you report a security incident to?
Management of malicious and mobile code
-
14.1 Are you authorised to work from home using your home PC or laptop?
If yes, who provided the authorisation and what checks did they make?
-
14.2 What process do you follow if you receive a virus alert on your PC or laptop?
-
14.8 OBSERVATION: Check encryption of laptops
-
14.8 OBSERVATION: Test AV Signatures
Media Management
-
16.1 What process should you follow for the protection of media or storage devices?
-
16.1 Can you take media or storage devices offsite?
-
16.2 How do you dispose of media or storage devices?
Mobile Computing and Homeworking
-
17.1 Who would you report a lost laptop or Blackberry to?
Personnel Security & Fraud
-
20.1 Can you confirm that you have completed your IS & Fraud PRS in the last 12 months?
-
201.1 Did you comply with all the statements?
Personnel Security
-
20.5 MANAGERS - How do you make sure that all your staff comply with the IS PRS?
-
20.5 MANAGERS - What process is followed for non-compliance?
-
20.5 MANAGERS - Can you provide evidence that all your staff comply?
-
20.7 MANAGERS - Have all your staff signed a compliance statement?
-
20.7 MANAGERS - What do you do to check the agreement has been signed?
-
20.12 MANAGERS - How do you ensure that all staff are aware of their legal rights and responsibilities with respect to the use of company information assets and business systems?
Physical Security
-
21.7 What process must you follow when you have a visitor at the branch?
-
21.10 MANAGER - Are there any segregated areas within your branch?
-
21.10 MANAGER - Who has access to the server room?
-
21.10 MANAGER - Who has access to the safe?
-
21.10 MANAGER - Who has access to the document store?
Fraud: Training and Awareness: Managers and all staff
-
1.1 MANAGERS - Do you have to complete any fraud awareness compliance activities?
-
1.5 Are you aware of regular messages?
-
1.5 OBSERVATION: Can you provide evidence of messages and procedures?
Fraud: Acceptance of Funds: For all staff accepting funds / handling cash
-
5.1 What do you look for when you receive a cheque from someone who is paying?
-
5.2 When carrying out cash exchanges in and out, what process do you follow?
Where is this documented?
-
5.3 What is the banking process and where is it documented?
-
5.3 OBSERVATION: Check for evidence that it is being followed, e.g. signatures on control documents.
-
5.4 What process do you follow if you suspect a suspicious transaction, e.g. money laundering?
-
5.4 Who would you report this to?
-
5.5 What process do you follow when accepting or paying out cash when systems are unavailable?
How do you maintain the audit trail?
Fraud: Reconciliations: All staff handling funds
-
6.2 What process is followed for the movement and storage of cash and cheques?
-
6.2 Who has access to the cheques and cash?
-
6.2 Where is the process documented?
-
6.3 What is the process for balancing the branch?
-
6.4 What is the process for dealing with cash unders and overs?
Where is the process documented?
-
6.5 What is the process for managing sundries accounts? (i.e. error suspense accounts, petty cash)
Fraud: Release of Funds: All staff releasing funds
-
7.1 What process do you follow to identify a customer?
What details are recorded, and where?
Can you provide evidence of this?
-
7.2 What is your mandate for specific transactions (i.e. cheque withdrawals, CHAPS)?
Can you provide evidence of this?
-
7.3 What would happen on requests above this limit?
-
7.4 MANAGERS - What process do you follow when managing leavers, movers and joiners in the mandate structure?
Can you provide evidence?
Fraud: Validation: All staff with customer contact
-
10.1 What do you do before giving out customer information?
-
10.2 What validation process do you follow when talking to customers?
Where is the information recorded?
Fraud: Gifts and Hospitality: All Staff
-
13.1 What do you need to do if you receive or are offered gifts or hospitality from external sources?
-
13.2 What process do you follow when you are submitting an expense claim, and how is it approved?
What would you expect to happen if you submitted a false claim?
-
13.2 MANAGER - How do you approve expense claims?
Fraud: Incident Management: All Staff
-
What process do you follow if you identify fraud?
Who do you notify?
Business Continuity: People Planning: All Staff
-
1.2 What is your role in the event of a business continuity incident (i.e. fire alarm, bad weather, break-in)?
-
1.2 How will you receive information?
-
1.2 When did you last check Peoplesoft to ensure that your information was up to date?
-
1.2 Does your manager have your contact number?
-
1.2 Do you have the staff incident helpline number?
-
1.3 What business continuity training/awareness have you received and when did you receive this training?
Business Continuity and Recovery Planning: Managers Only
-
3.20 What planning do you have in place to ensure that you have the relevant staffing levels in the event of an incident?
How do you know the contact numbers of your team, and where are they stored?
What process do you follow to ensure that the information on Peoplesoft is up to date?
When did you last read your area's BCP?
HR: Communications & Privacy Policy: ALL Staff
-
2.5 Are you aware of your responsibilities under the Computer Misuse Act? It is an offence to:
1. Try to log on to a system which you are not authorised to use.
2. Sign on to a system with the intention of committing an offence.
3. Sign on to a system that you are not authorised to use and then modify any data.
4. Deliberately do something that causes a degradation, failure or other adverse impact on a computer system.
-
2.5 What do you do if you find you can access systems or information that you do not require for your role?
-
2.11 What are the arrangements for using a personal mobile phone?
Are you allowed to use it at your desk?
-
2.13 (STAFF with email access) Can you give an example of email abuse?