Information

  • Document No.

  • Audit Title

  • Client / Site

  • Conducted on

  • Prepared by

  • Location
  • Personnel

Access Control

  • 1.1 What do you do with your user ID and password to protect them?

  • 1.4 How do you ensure that they are unique?

  • 1.6 (Managers) How do you make sure that employees have the correct access permissions for their role?

  • 1.6 (Managers) What checks do you carry out, and at what frequency?

  • 1.9 (Managers) If one of your employees changes roles, how do you make sure they only have the access they require for their new role?

  • 1.9 (Managers) How do you ensure that employee access is terminated immediately when they leave?

Compliance

  • 6.1 What compliance activities do you carry out in relation to:

  • Information Security?

  • Business Continuity?
</gml_replace_placeholder>

  • Fraud

  • Anti Bribery and Corruption?

  • 6.2 Can you load software onto your PC?

  • 6.9 Did you sign an NDA when you started at the organisation?

  • 6.9 Who are you allowed to share information with externally, either a customer or a customer's agent?

  • 6.9 How do you make sure that you are giving information to the appropriate person/people?

Email Security

  • 9.1 Do you use external email? If yes, what process would you follow if you need to send an email privately or confidentially?

  • 9.1 Do you use Rightfax in branch? If yes, what controls do you have in place to ensure that the fax is going to the correct person?

Equipment Security

  • 10.1 MANAGERS - What steps do you need to take to protect your portable equipment?

  • 10.2 What process do you follow to protect any equipment you are responsible for, i.e. to prevent unauthorised access (workstation or keys)?

  • 10.3 MANAGERS - What process do you follow if you need to move a PC or printer?

Asset Management

  • 2.2 MANAGERS - When do you notify Technology of changes in ownership of equipment?

Information Classification Handling & Transfer

  • 12.1 If you needed to know about classifying documents where would you look?

  • 12.4 MANAGERS - Do you know where your department's data retention policy is stored?

  • 12.4 Have you complied with it in the last 12 months?

  • OBSERVATION: Are the Slim Jims locked or overflowing?

  • OBSERVATION: Are documents stored correctly, and is the process for storage understood?

  • 12.5 What do you do with any account information you have written down?

  • 12.5 What would you do if you are asked to look up and provide information on a partner?

  • 12.5 What would you do if a family member wanted you to perform transactions on your account?

Information Security Incident Management

  • 13.1 Explain what you think a security incident is.

  • 13.1 Who would you report a security incident to?

Management of malicious and mobile code

  • 14.1 Are you authorised to work from home using your home PC or laptop? If yes, who provided the authorisation and what checks did they make?

  • 14.2 What process do you follow if you receive a virus alert on your PC or laptop?

  • 14.8 OBSERVATION: Check encryption of laptops

  • 14.8 OBSERVATION: Test AV Signatures

Media Management

  • 16.1 What process should you follow for the protection of media or storage devices?

  • 16.1 Can you take media or storage devices offsite?

  • 16.2 How do you dispose of media or storage devices?

Mobile Computing and Homeworking

  • 17.1 Who would you report a lost laptop or BlackBerry to?

Personnel Security & Fraud

  • 20.1 Can you confirm that you have completed your IS & Fraud PRS in the last 12 months?

  • 201.1 Did you comply with all the statements?

Personal Security

  • 20.5 MANAGERS - How do you make sure that all your staff comply with the IS PRS?

  • 20.5 MANAGERS - What process is followed for non-compliance?

  • 20.5 MANAGERS - Can you provide evidence that all your staff comply?

  • 20.7 MANAGERS - Have all your staff signed a compliance statement?

  • 20.7 MANAGERS - What do you do to check the agreement has been signed?

  • 20.12 MANAGERS - How do you ensure that all staff are aware of their legal rights and responsibilities with respect to the use of company information assets and business systems?

Physical Security

  • 21.7 What process must you follow when you have a visitor at the branch?

  • 21.10 MANAGERS - Are there any segregated areas within your branch?

  • 21.10 MANAGERS - Who has access to the server room?

  • 21.10 MANAGERS - Who has access to the safe?

  • 21.10 MANAGERS - Who has access to the document store?

Fraud: Training and Awareness: Managers and all staff

  • 1.1 MANAGERS - Do you have to complete any fraud awareness compliance activities?

  • 1.5 Are you aware of regular messages?

  • 1.5 OBSERVATION: Can you provide evidence of messages and procedures?

Fraud: Acceptance of Funds: For all staff accepting funds / handling cash

  • 5.1 What do you look for when you receive a cheque from someone who is paying?

  • 5.2 When carrying out cash exchanges in and out, what process do you follow? Where is this documented?

  • 5.3 What is the banking process and where is it documented?

  • 5.3 OBSERVATION: Check for evidence that it is being followed, e.g. signatures on control documents.

  • 5.4 What process do you follow if you suspect a suspicious transaction, e.g. money laundering?

  • 5.4 Who would you report this to?

  • 5.5 What process do you follow when accepting or paying out cash when systems are unavailable? How do you maintain the audit trail?

Fraud: Reconciliations: All staff handling funds

  • 6.2 What process is followed for the movement and storage of cash and cheques?

  • 6.2 Who has access to the cheques and cash?

  • 6.2 Where is the process documented?

  • 6.3 What is the process for balancing the branch?

  • 6.4 What is the process for dealing with cash unders and overs? Where is the process documented?

  • 6.5 What is the process for managing sundries accounts (i.e. error suspense accounts, petty cash)?

Fraud: Release of Funds: All staff releasing funds

  • 7.1 What process do you follow to identify a customer? What details are recorded, and where? Can you provide evidence of this?

  • 7.2 What is your mandate for specific transactions (i.e. cheque withdrawals, CHAPS)? Can you provide evidence of this?

  • 7.3 What would happen on requests above this limit?

  • 7.4 MANAGERS - What process do you follow when managing leavers, movers and joiners in the mandate structure? Can you provide evidence?

Fraud: Validation: All staff with customer contact

  • 10.1 What do you do before giving out customer information?

  • 10.2 What validation process do you follow when talking to customers? Where is the information recorded?

Fraud: Gifts and Hospitality: All Staff

  • 13.1 What do you need to do if you receive or are offered gifts or hospitality from external sources?

  • 13.2 What process do you follow when you are submitting an expense claim, and how is it approved? What would you expect to happen if you submitted a false claim?

  • 13.2 MANAGERS - How do you approve expense claims?

Fraud: Incident Management: All Staff

  • What process do you follow if you identify fraud? Who do you notify?

Business Continuity: People Planning: All Staff

  • 1.2 What is your role in the event of a business continuity incident (i.e. fire alarm, bad weather, break-in)?

  • 1.2 How will you receive information?

  • 1.2 When did you last check PeopleSoft to ensure that your information was up to date?

  • 1.2 Does your manager have your contact number?

  • 1.2 Do you have the Staff Incident Helpline number?

  • 1.3 What business continuity training/awareness have you received and when did you receive this training?

Business Continuity and Recovery Planning: Managers Only

  • 3.20 What planning do you have in place to ensure that you have the relevant staffing levels in the event of an incident?

  • 3.20 How do you know the contact numbers of your team, and where are they stored?

  • 3.20 What process do you follow to ensure that the information on PeopleSoft is up to date?

  • 3.20 When did you last read your area's BCP?

HR: Communications & Privacy Policy: ALL Staff

  • 2.5 Are you aware of your responsibilities under the Computer Misuse Act? Under the Act it is an offence to:
    1. Try to log on to a system which you are not authorised to use.
    2. Sign on to a system with the intention of committing an offence.
    3. Sign on to a system that you are not authorised to use and then modify any data.
    4. Deliberately do something that causes a degradation, failure or other adverse impact on a computer system.

  • 2.5 What do you do if you find you can access systems or information that you do not require for your role?

  • 2.11 What are the arrangements for using a personal mobile phone? Are you allowed to use it at your desk?

  • 2.13 (STAFF with email access) Can you give an example of email abuse?

The templates available in our Public Library have been created by our customers and employees to help get you started using SafetyCulture's solutions. The templates are intended to be used as hypothetical examples only and should not be used as a substitute for professional advice. You should seek your own professional advice to determine if the use of a template is permissible in your workplace or jurisdiction. You should independently determine whether the template is suitable for your circumstances.