An IS auditor is conducting a post-implementation review of an enterprise network

CONTROL ID
01003

CONTROL TYPE
Testing

CLASSIFICATION
Detective


SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control[s]:

  • Establish, implement, and maintain project management standards., CC ID: 00992

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • App 2-1 Item Number VI.2.2[2]: Evaluation results must be reflected in the plans for subsequent project phases. This is a control item that constitutes a relatively small risk to financial information. This is an IT general control. App 2-1 Item Number VI.2.2[3]: Evaluation results must be used to i… [App 2-1 Item Number VI.2.2[2], App 2-1 Item Number VI.2.2[3], Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards]
  • A monitoring function must be implemented in the system during the system design phase to collect and analyze data for verifying it is meeting the specified performance criteria. This is a control item that constitutes a greater risk to financial information. This is an IT general control. [App 2-1 Item Number III.2[14], Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards]
  • There needs to be a documented Migration Policy indicating the requirement of roadmap / migration plan / methodology for data migration [which includes verification of completeness, consistency and integrity of the migration activity and pre and post migration activities along with responsibilities … [Critical components of information security 12] [i], Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds]
  • Require that, at the end of each project, the project stakeholders ascertain whether the project delivered the planned results and benefits. Identify and communicate any outstanding activities required to achieve the planned results of the project and the benefits of the programme, and identify and … [PO10.14 Project Closure, CobiT, Version 4.1]
  • Establish procedures in line with the organisational change management standards to require a post-implementation review as set out in the implementation plan. [AI7.9 Post-implementation Review, CobiT, Version 4.1]
  • Post-implementation reviews occur after the new system has gone live. Some factors for determining when to conduct this review include determining if the system needs time to stabilize, knowing how long team members will be available to fix any problems, considering vendor contract issues, and deter… [§ 4.3 [Post-implementation Review], IIA Global Technology Audit Guide [GTAG] 12: Auditing IT Projects]
  • A stabilization period occurs after the system go-live period. This provides time for users to acclimate to the new system or functionality and to correct outstanding issues. The auditors must determine if the functionality meets the intended requirements and the new system is being used correctly. … [§ 3.5, IIA Global Technology Audit Guide [GTAG] 12: Auditing IT Projects]
  • Post-implementation reviews should be conducted for all new systems. [CF.18.08.01, The Standard of Good Practice for Information Security]
  • Post-implementation reviews should cover fulfilment of business [including Information Security] requirements; the efficiency, effectiveness, and cost of security controls; scope for improvement of security controls; and information security incidents that occurred during system development. [CF.18.08.02, The Standard of Good Practice for Information Security]
  • Post-implementation reviews should provide assurance that information risks associated with the new system have been identified and treated [e.g., accepted, avoided, transferred, or mitigated], selected security controls have been reviewed and built into new systems, and outstanding security issues … [CF.18.08.03, The Standard of Good Practice for Information Security]
  • Post-implementation reviews should identify successful approaches to Information Security [e.g., new software development techniques, security protocols, or technologies], and provide recommendations for improving the systems development lifecycle. [CF.18.08.04, The Standard of Good Practice for Information Security]
  • The findings of post-implementation reviews should be signed off by the person in charge of systems under development, an appropriate business representative, and an Information Security specialist, communicated to individuals involved in the development of new systems, business owners of the new sy… [CF.18.08.05, The Standard of Good Practice for Information Security]
  • Post-implementation reviews should be conducted for all new systems. [CF.18.08.01, The Standard of Good Practice for Information Security, 2013]
  • Post-implementation reviews should cover fulfilment of business [including Information Security] requirements; the efficiency, effectiveness, and cost of security controls; scope for improvement of security controls; and information security incidents that occurred during system development. [CF.18.08.02, The Standard of Good Practice for Information Security, 2013]
  • Post-implementation reviews should provide assurance that information risks associated with the new system have been identified and treated [e.g., accepted, avoided, transferred, or mitigated], selected security controls have been reviewed and built into new systems, and outstanding security issues … [CF.18.08.03, The Standard of Good Practice for Information Security, 2013]
  • Post-implementation reviews should identify successful approaches to Information Security [e.g., new software development techniques, security protocols, or technologies], and provide recommendations for improving the systems development lifecycle. [CF.18.08.04, The Standard of Good Practice for Information Security, 2013]
  • The findings of post-implementation reviews should be signed off by the person in charge of systems under development, an appropriate business representative, and an Information Security specialist, communicated to individuals involved in the development of new systems, business owners of the new sy… [CF.18.08.05, The Standard of Good Practice for Information Security, 2013]
  • [§ 8.4[h], ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General]
  • Releases shall be monitored and analyzed for success or failure. [§ 9.3 ¶ 8, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition]
  • Post-implementation evaluation of the performance and results of IT projects and initiatives to determine whether each project achieved the anticipated goals. [App A Objective 2:5e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021]
  • Reliability of the items purchased is regularly reviewed post-implementation. [App A Objective 6.19.e, FFIEC Information Technology Examination Handbook - Information Security, September 2016]
  • The auditor should conduct a post-implementation review. The review should include extensive testing of program logic, calculations, error conditions, and controls. [Pg 19, FFIEC IT Examination Handbook - Audit, August 2003]
  • A post-implementation review should be conducted at the end of each project to validate that the project objectives were met and to assess project management. [Pg 31, FFIEC IT Examination Handbook - Development and Acquisition]
  • Build, install, configure, and test dedicated cyber defense hardware. [T0335, National Initiative for Cybersecurity Education [NICE] Cybersecurity Workforce Framework, NIST Special Publication 800-181]

What should be included in a post-implementation review?

The post-implementation review [PIR] supplies information about the outcomes and success of a project. The PIR lists the expected outcomes as specified in the Project Management Plan, reports on variances from that plan, and then asks for recommendations, how they will be used, and the lessons learned.

What is a post implementation audit?

The post-implementation audit is an evaluation of the project's goals and activity achievement as measured against the project plan, budget, time deadlines, quality of deliverables, specifications, and client satisfaction.

Which of the following should be of primary concern of the auditor reviewing the management of external IT service providers?

From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine whether the services that were requested were provided in a way that is acceptable, seamless, and in line with the contractual agreements.

When reviewing system parameters, an IS auditor's primary concern should be that?

The correct answer is A. Because the two systems may use different data representations, including different database schemas, the IS auditor's main concern should be to verify that the interpretation of the data [structure] in the new system is the same as it was in the old system.
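The migration-verification requirement quoted above [completeness, consistency and integrity of the migration activity] and this answer's point about data interpretation are what a post-implementation reviewer most often has to evidence in practice. The following reconciliation script is an added example, not code from the original page or from any of the cited standards. It assumes two constructed extracts: a legacy export with US-style dates, balances in integer cents and one-letter status codes, and a new-system extract with ISO dates, decimal balances and spelled-out statuses. Both are canonicalized before comparison, so a change of representation alone is not flagged, while a lost record or a value changed in transit is. The record set, field names and the STATUS_MAP vocabulary mapping are hypothetical.

```python
"""Post-migration reconciliation check (added example, not from the page).

Assumptions (all constructed): a legacy system exports records with US-style
dates (MM/DD/YYYY), balances in integer cents and one-letter status codes; the
new system stores ISO dates, decimal balances and spelled-out statuses. The
check canonicalizes both representations before comparing, so that a change
in representation alone is not flagged while a lost record or a changed value is.
"""
from datetime import datetime
from decimal import Decimal
import hashlib

# Constructed legacy export (pre-migration snapshot)
LEGACY = [
    {"id": "C001", "dob": "03/04/1980", "balance_cents": 12550, "status": "A"},
    {"id": "C002", "dob": "12/31/1975", "balance_cents": 0, "status": "I"},
    {"id": "C003", "dob": "05/06/1990", "balance_cents": 99999, "status": "A"},
    {"id": "C004", "dob": "01/02/2001", "balance_cents": 500, "status": "A"},
]
# Constructed new-system extract (post-migration): C003 had day and month
# swapped by the migration job, and C004 was never loaded.
NEW = [
    {"id": "C001", "dob": "1980-03-04", "balance": "125.50", "status": "active"},
    {"id": "C002", "dob": "1975-12-31", "balance": "0.00", "status": "inactive"},
    {"id": "C003", "dob": "1990-06-05", "balance": "999.99", "status": "active"},
]

# Hypothetical mapping between the two systems' status vocabularies
STATUS_MAP = {"A": "active", "I": "inactive"}
CENT = Decimal("0.01")


def canon_legacy(rec):
    """Canonical form of a legacy record: ISO date, Decimal balance, new status."""
    return {
        "dob": datetime.strptime(rec["dob"], "%m/%d/%Y").date().isoformat(),
        "balance": (Decimal(rec["balance_cents"]) / 100).quantize(CENT),
        "status": STATUS_MAP[rec["status"]],
    }


def canon_new(rec):
    """Canonical form of a new-system record; rejects a malformed date early."""
    datetime.strptime(rec["dob"], "%Y-%m-%d")  # raises ValueError if not ISO
    return {
        "dob": rec["dob"],
        "balance": Decimal(rec["balance"]).quantize(CENT),
        "status": rec["status"],
    }


def reconcile(legacy, new):
    """Compare the two extracts field by field after canonicalization.

    Returns the ids missing from the new system (completeness), ids present
    only in the new system, a map of id -> differing field names (integrity /
    consistency of interpretation), and the count of records that match.
    """
    old = {r["id"]: canon_legacy(r) for r in legacy}
    cur = {r["id"]: canon_new(r) for r in new}
    result = {
        "missing": sorted(set(old) - set(cur)),
        "unexpected": sorted(set(cur) - set(old)),
        "mismatched": {},
        "matched": 0,
    }
    for rid in sorted(set(old) & set(cur)):
        diffs = [f for f in old[rid] if old[rid][f] != cur[rid][f]]
        if diffs:
            result["mismatched"][rid] = diffs
        else:
            result["matched"] += 1
    return result


def fingerprint(canon_records):
    """SHA-256 over the sorted canonical rows: one value to file as PIR evidence.

    Equal fingerprints on both sides mean the extracts are identical after
    canonicalization; any single-field change alters the digest.
    """
    h = hashlib.sha256()
    for rid in sorted(canon_records):
        row = canon_records[rid]
        line = "|".join([rid] + [f"{k}={row[k]}" for k in sorted(row)])
        h.update(line.encode("utf-8") + b"\n")
    return h.hexdigest()


def passed(report):
    """The migration is accepted only when nothing is missing, extra or changed."""
    return not (report["missing"] or report["unexpected"] or report["mismatched"])


if __name__ == "__main__":
    report = reconcile(LEGACY, NEW)
    print(report)
    print("accept migration:", passed(report))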

Chủ Đề