ITAC Audit Checklist
Prepared by Sk Peer Saheb
July 14, 2025
Application Audit Scope
The scope of this IT Application Control (ITAC) audit encompasses a comprehensive review of the organization's IT applications to ensure compliance with security, operational, and regulatory standards. The audit focuses on the following key areas:
• Application Architecture: Assessing the design, structure, and security controls of applications, including architecture diagrams, responses to OWASP vulnerabilities, and performance testing results.
• Input Validation: Verifying that applications properly validate inputs to prevent invalid, out-of-range, or duplicate data from being processed.
• Interface Control: Evaluating automated interfaces, encryption controls, and API security measures to ensure secure data exchange.
• Access Control: Reviewing user access policies, user ID management, and password management procedures to ensure secure access.
• Output Control: Ensuring error reports and sensitive data masking are implemented and reviewed.
• Security Features: Verifying server inventories, Vulnerability Assessment and Penetration Testing (VAPT) reports, and issue trackers.
• Jobs and Stored Procedures: Checking batch job configurations, dependency mappings, and access reviews.
• Change Management: Auditing change request processes, patch management, and user acceptance testing (UAT) procedures.
• Audit Trails and Logs: Ensuring comprehensive logging, review, and monitoring of application and database activities.
• Backup and Restoration: Verifying backup policies, encryption, restoration testing, and data retention practices.
• Documentation: Reviewing user manuals, technical manuals, and standard operating procedures (SOPs).
• Manageability: Assessing end-of-day (EOD) and beginning-of-day (BOD) operations, including job failure logs and rollback procedures.
• Legal and Statutory Compliance: Ensuring adherence to regulatory requirements and exception management processes.
• API Security: Verifying API security assessments, rate limiting, and dormant API management.
• Business Continuity and Disaster Recovery (BCDR): Evaluating BCDR plans, drill reports, and training evidence.
The audit aims to identify risks, ensure compliance with organizational policies and industry standards, and recommend improvements to enhance system reliability, security, and performance.
Audit Checklist
Columns: Sr No. | Domain | Evidence Required | Auditee Data Status | Remarks | Auditor's Remark. The last three columns are completed during the audit and are left blank below. The serial numbers are kept as issued; gaps in the numbering (17, 35-49, 56-69, 83-86, 107-113) are present in the source checklist.

Application Architecture
1. Application diagram along with approval and version number
2. Details of the application as per Annexure 1
3. Application security report that includes the response to each OWASP vulnerability
4. (Application Architecture / Performance Testing) Evidence of load testing, stress testing, and performance benchmarks (e.g., response time under peak load) to meet business requirements
5. Approved Interface Control Document (ICD)

Input Validation
6. Total list of reports generated on a daily and monthly basis
7. Input validation configured at the entry stage
8. Evidence to check whether the system accepts invalid / out-of-range / incorrect / duplicate data inputs
9. Procedure for version control / release management (source code / VSS / SVN repositories)
10. List of rules set within the applications for the various processing requirements

Interface Control
11. List of automated interfaces connected with the main application
12. Evidence of interface logs generated for data exchanged or data processed between interfacing applications (including success / failure and timestamp)
13. Details of encryption controls used for data communications between systems; also give details of security controls used for data in transit
14. APIs that are dormant beyond 180 days shall be disabled and removed from the API platform
15. Periodic review of error reports
16. The API platform shall be accessed only through a jump server

Maker-Checker Control
18. List of authorized makers and checkers (especially in the case of transaction processing) - USER LIST
19. Configuration details for Maker-Checker controls
20. List of authorized makers and checkers (master maintenance processing) - USER LIST

Output Control
21. Reports available in the application as per requirement
22. UAT testing results before deployment to the production environment
23. An error report should be generated and reviewed in case there is a failure in the EOD / BOD process
24. Evidence ensuring that sensitive data such as credit card numbers and debit card numbers are masked

Security Features
25. Total servers under application scope with inventory (Database + Application Platform + IP Address), including UAT environment details (IP address and server details)
26. VAPT report carried out for the application along with the revalidation report
27. List of open issues / observation tracker for the application

Access Control / User Access Controls
28. Access control policy and procedure (including the procedure for granting, maintaining and revoking access)
29. List of active employees (master) including date of joining (DOJ) and designation
30. List of employees who joined and left during the audit period
31. Kindly provide the list of total users (inclusive of roles and permissions, e.g. Admin, Normal, Privileged) for the in-scope applications. Kindly capture a screenshot of the query used to generate the list along with the system date/time stamp for completeness and accuracy purposes. The list should include date of creation, modification, revocation, last login, last password change date, active users, generic users, admin users and dormant users
32. Evidence of user ID creation approval (sample will be selected from the new joiners list, item 30)
33. Evidence of user ID deactivation / deletion (sample will be selected from the list of employees who left during the audit period, item 30)

Access Control / Password Management
34. Password policy and procedure

Processing, Batch Jobs and Stored Procedures
50. Sample outputs and validation reports
51. Dependency mappings and process flow diagrams
52. Logs of job completion and user activity
53. List of persons having access to change the job scheduler, and evidence of the user access review carried out for the same

Control Review
54. List of automated interfaces connected with the application, with interface type (manual intervention, DB link, API calls)
55. Evidence of interface logs generated for data exchanged or data processed between interfacing applications

Server and Database Hardening
70. Source code review report of the application

Auditing / Audit Trails and Logs
71. Master logs (including client- and server-side logs, SQL prompt command usage, and database logging) of the application for the audit period
72. Evidence of review of all logs along with the periodicity (if a SIEM is used for review of logs, please share evidence of the SIEM integration)
73. Evidence that transaction logs are enabled on the systems for all users
74. Transaction logs of the application for the audit period

Change Management
75. Change management policy and procedure, including the change authorization matrix
76. System-generated list of all change requests for the application and the underlying operating system and database in the defined audit period. Kindly capture the system-generated change request details (change system, date/time stamp) for completeness and accuracy. The list of changes should include change number, description, change type, priority, initiated by, developer, date of deployment, status, department, rollback plan, UAT sign-off, test cases, etc.
77. (Change Management / UAT / Customization) For the selected samples of the population, kindly share the evidence listed below:
   1. Change request form
   2. Change approval evidence (from the CAB)
   3. Change analysis
   4. UAT sign-off, test cases and test results
   5. QAT sign-off, QAT test cases and test results
   6. Security review sign-off
   7. Rollback plan
   8. Post-implementation review
78. Patch management policy and procedure, including the defined turnaround time (TAT) for deployment based on criticality
79. Total list of patches deployed (OS patches + server patches + DB patches + application patches + security patches) during the audit period for the application, underlying databases and operating system
80. Evidence of patch deployment in the UAT / lower environment

Backup & Restoration
81. Backup management policy and procedure, including type of backup and frequency of backup
82. Data retention period for backups and the database, along with evidence (screenshot)
87. Evidence of encryption implemented for storage of backups
88. Frequency of restoration testing, and evidence of restore testing conducted during the audit period
89. Evidence of restore testing conducted during the audit period
90. Details of the site where the backup is stored

Documentation
91. User ID naming convention policy and procedure (confirm that the user ID naming convention policy is followed at the time of re-creation)
92. User manual and technical manual of the application
93. Standard operating procedure document for the application
94. Vendor agreement including the defined SLA

Manageability
95. List of EOD and BOD jobs carried out related to the application
96. Logs of completed EOD operations, including the job failure log
97. Logs of completed BOD operations, including the job failure log
98. List of changes that failed during the audit period
99. Evidence of rollback performed for failed change instances

Legal and Statutory Compliance
100. List of open issues for the in-scope application (regulatory, internal risk, assessment reports)
101. List of exceptions taken related to the application, along with description of the exception, date the exception was taken and reason for the exception
102. Evidence of approval taken as per the process (sample will be selected from the list of exceptions)

API Security
103. List of APIs used in the application
104. Evidence of API security assessment completed
105. Evidence of implementation of rate limiting mechanisms
106. APIs that are dormant beyond 180 days shall be disabled and removed from the API platform

Business Continuity and Disaster Recovery
114. Business impact analysis document for the application
115. Updated BCP/DR plan
116. BCP and DR drill reports, including all screenshots for switchover and switchback; the DR report should cover all application-related servers/infrastructure
117. Evidence of BCP and DR drill training carried out (if any)
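Items 31, 14 and 106 ask the auditee for evidence that is normally produced by a query rather than by hand: a user list with creation, last-login and last-password-change dates and flags for admin, generic and dormant accounts, plus the list of APIs unused for more than 180 days that must be disabled. The script below is an added example of how such evidence can be generated and checked; it is not part of the checklist and not the organization's own tooling. The user records and API call dates are constructed sample data, the 90-day user dormancy threshold and the name patterns treated as "generic" accounts are assumptions (the checklist states no user threshold), and the 180-day API threshold is the one the checklist itself states.

```python
"""Added example for checklist items 31 (user access evidence) and 14/106
(dormant APIs). Sample data is constructed; thresholds marked as assumptions
are not stated by the checklist."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

USER_DORMANT_DAYS = 90    # assumption: the checklist gives no user dormancy threshold
API_DORMANT_DAYS = 180    # stated in checklist items 14 and 106 ("dormant beyond 180 days")
# Assumption: account names that are not tied to one person are treated as generic.
GENERIC_NAME = re.compile(r"^(admin|test|svc|service|shared|guest)([_\-]\w*|\d*)$", re.I)


@dataclass(frozen=True)
class UserRecord:
    user_id: str
    role: str                          # e.g. "Admin", "Normal", "Privileged"
    created: date
    modified: date | None
    revoked: date | None
    last_login: date | None
    last_password_change: date | None


def classify_user(u: UserRecord, as_of: date) -> dict:
    """One evidence row per user with the status flags item 31 asks for."""
    active = u.revoked is None
    # A never-used account is measured from its creation date, so it cannot
    # hide behind an empty last-login field.
    idle_days = (as_of - (u.last_login or u.created)).days
    return {
        "user_id": u.user_id,
        "role": u.role,
        "created": u.created.isoformat(),
        "modified": u.modified.isoformat() if u.modified else None,
        "revoked": u.revoked.isoformat() if u.revoked else None,
        "last_login": u.last_login.isoformat() if u.last_login else None,
        "active": active,
        "admin": u.role.lower() in ("admin", "privileged"),
        "generic": bool(GENERIC_NAME.match(u.user_id)),
        # Only an account that is still enabled can be dormant; revoked ones are closed.
        "dormant": active and idle_days >= USER_DORMANT_DAYS,
        "idle_days": idle_days,
        "password_age_days": (as_of - u.last_password_change).days
        if u.last_password_change else None,
    }


def user_access_report(users: list[UserRecord], as_of: date) -> tuple[list[dict], dict]:
    """Rows plus the summary counts; as_of is the system date stamp to capture."""
    rows = [classify_user(u, as_of) for u in users]
    summary = {
        "as_of": as_of.isoformat(),
        "total_users": len(rows),
        "active_users": sum(r["active"] for r in rows),
        "admin_users": sorted(r["user_id"] for r in rows if r["admin"]),
        "generic_users": sorted(r["user_id"] for r in rows if r["generic"]),
        "dormant_users": sorted(r["user_id"] for r in rows if r["dormant"]),
    }
    return rows, summary


def dormant_apis(last_call: dict[str, date | None], as_of: date) -> list[str]:
    """APIs with no call for more than API_DORMANT_DAYS, or never called, that
    items 14 and 106 require to be disabled and removed from the platform."""
    return sorted(
        name for name, last in last_call.items()
        if last is None or (as_of - last).days > API_DORMANT_DAYS
    )


# Constructed sample data (not real accounts or endpoints).
AS_OF = date(2025, 7, 14)
SAMPLE_USERS = [
    UserRecord("jdoe", "Normal", date(2023, 1, 10), None, None, date(2025, 7, 10), date(2025, 5, 1)),
    UserRecord("admin01", "Admin", date(2022, 6, 1), date(2024, 1, 15), None, date(2025, 3, 1), date(2024, 1, 15)),
    UserRecord("svc_batch", "Privileged", date(2024, 2, 1), None, None, None, None),
    UserRecord("mlee", "Normal", date(2021, 3, 15), None, date(2025, 6, 30), date(2025, 6, 20), date(2025, 4, 2)),
]
SAMPLE_APIS = {
    "/v1/payments": date(2025, 7, 1),
    "/v1/legacy-export": date(2024, 12, 1),
    "/v2/reports": None,
}

if __name__ == "__main__":
    rows, summary = user_access_report(SAMPLE_USERS, AS_OF)
    for row in rows:
        print(row)
    print(summary)
    print("APIs to disable and remove:", dormant_apis(SAMPLE_APIS, AS_OF))
```

For the audit, the auditee would run the equivalent query against the live user store and capture the output together with `as_of`, which is the system date/time stamp item 31 asks for; the dormant-API list is the set to reconcile against what item 106 requires to be disabled.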
Annexure 1: Application Details
Columns: S. No. | Name of Application | Criticality of Asset | Network Details: Internal IP Address, URL, Public IP Address | Hash Value (for applications) | Version No. | Other Details (make/model for network/security devices)
1. (to be completed by the auditee)

Annexure 2: Host Details
Columns: S. No. | Host Name | Type (Server/DB) | IP Address | OS and Version | Hosted Location: Primary (PR), Disaster Recovery (DR) | Environment Type | Commission Date | Resource Type | Other Applications Hosted
1. (to be completed by the auditee)

Annexure 3: Additional Configuration Details
Columns: S. No. | Configuration Item | Current Setting | Recommended Setting | Compliance Status | Remarks
1. Firewall Rules
2. Data Encryption
3. Access Control Policies
The End