  • Unit 1: Systems inventory assessment summary sheet

    This unit must be completed separately for each system included in the assessment.

    For each system:

    Systems inventory assessment summary table

    Unit 1: Systems inventory assessment summary table

    System identity | System total score from unit score table | Tick risk rating if low | Tick risk rating if medium | Tick risk rating if high
    Enter system    | Enter score                              | 1–33                    | 34–65                      | 66–97
    Enter system    | Enter score                              | 1–33                    | 34–65                      | 66–97
    Enter system    | Enter score                              | 1–33                    | 34–65                      | 66–97
    Total score     | Enter total of scores                    | Low 1–33                | Medium 34–65               | High 66–97

    After filling out the above table, you need to work out:

    • your total score
    • your total number of systems
    • the average systems score.

    Systems inventory assessment questions

    Unit 1: Systems identity table

    System commercial name    | Name
    Version                   | Version
    Business function         | Business function
    Entities using the system | Entities
    Contact                   | Contact

    Fill out the tables below to answer the twelve questions, recording the score and the risk rating for each. Also record additional comments and document evidence for each question.

    Unit 1: Systems score table

    Question                    | Score       | Tick risk rating if low | Tick risk rating if medium | Tick risk rating if high
    1. Nature                   | Enter score | 1–4                     | 5–8                        | 9–12
    2. Systems support          | Enter score | 1–2                     | 3–4                        | 5–8
    3. User base                | Enter score | 1                       | 2–3                        | 4–5
    4. Audit software           | Enter score | 1–3                     | 4–6                        | 7–9
    5. Database                 | Enter score | 1–2                     | 3–6                        | 7–10
    6. Software delivery        | Enter score | 1–2                     | 3–4                        | 5–6
    7. Software infrastructure  | Enter score | 1–2                     | 3–4                        | 5–6
    8. Prior audit findings     | Enter score | 1–2                     | 3–6                        | 7–10
    9. Maturity of application  | Enter score | 1–2                     | 3–6                        | 7–10
    10. Data reconciliation     | Enter score | 1–2                     | 3–4                        | 5–8
    11. Documentation           | Enter score | 1–3                     | 4–6                        | 7–9
    12. Criticality             | Enter score | 1                       | 2                          | 3–4

    After filling out the above table, you need to work out your total score.
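    To show how the scoring steps fit together, the following is an added Python example; it is not part of the ATO page. It encodes the per-question score bands from the Unit 1 systems score table and the Low/Medium/High bands from the summary table, rejects a score that falls outside its question's band, and works out the total score, the number of systems and the average systems score that the summary sheet asks for. The three systems and their answers are constructed for illustration.

```python
"""Added example (not part of the ATO page): scoring helper for the
Unit 1 systems inventory assessment. The score bands come from the page;
the systems and answers at the bottom are constructed for illustration."""

# Per-question score bands (low, medium, high) from the Unit 1 systems score table.
QUESTION_BANDS = {
    1: ("Nature", (1, 4), (5, 8), (9, 12)),
    2: ("Systems support", (1, 2), (3, 4), (5, 8)),
    3: ("User base", (1, 1), (2, 3), (4, 5)),
    4: ("Audit software", (1, 3), (4, 6), (7, 9)),
    5: ("Database", (1, 2), (3, 6), (7, 10)),
    6: ("Software delivery", (1, 2), (3, 4), (5, 6)),
    7: ("Software infrastructure", (1, 2), (3, 4), (5, 6)),
    8: ("Prior audit findings", (1, 2), (3, 6), (7, 10)),
    9: ("Maturity of application", (1, 2), (3, 6), (7, 10)),
    10: ("Data reconciliation", (1, 2), (3, 4), (5, 8)),
    11: ("Documentation", (1, 3), (4, 6), (7, 9)),
    12: ("Criticality", (1, 1), (2, 2), (3, 4)),
}

# Whole-system bands from the Unit 1 systems inventory assessment summary table.
SYSTEM_BANDS = (("Low", 1, 33), ("Medium", 34, 65), ("High", 66, 97))


def rate_question(question, score):
    """Return Low/Medium/High for one question, rejecting scores outside its band."""
    name, low, medium, high = QUESTION_BANDS[question]
    for label, (lo, hi) in (("Low", low), ("Medium", medium), ("High", high)):
        if lo <= score <= hi:
            return label
    raise ValueError(f"question {question} ({name}): score {score} is outside 1-{high[1]}")


def rate_system(total):
    """Return the summary-table risk rating for a system's total score."""
    for label, lo, hi in SYSTEM_BANDS:
        if lo <= total <= hi:
            return label
    raise ValueError(f"system total {total} is outside 1-97")


def score_system(answers):
    """answers: {question number: score}; all twelve questions must be present."""
    missing = sorted(set(QUESTION_BANDS) - set(answers))
    unexpected = sorted(set(answers) - set(QUESTION_BANDS))
    if missing or unexpected:
        raise ValueError(f"missing questions {missing}, unexpected questions {unexpected}")
    question_ratings = {q: rate_question(q, s) for q, s in answers.items()}
    total = sum(answers.values())
    return {"total": total, "rating": rate_system(total), "questions": question_ratings}


def summarise(systems):
    """Work out what the summary sheet asks for: total score, number of systems, average."""
    results = {name: score_system(a) for name, a in systems.items()}
    total = sum(r["total"] for r in results.values())
    return {
        "systems": results,
        "total_score": total,
        "system_count": len(results),
        "average_score": total / len(results),
    }


# Constructed sample: three made-up systems with plausible answers (not from the page).
SAMPLE_SYSTEMS = {
    "Payroll (vendor cloud)": {1: 2, 2: 2, 3: 1, 4: 3, 5: 2, 6: 2, 7: 2, 8: 2, 9: 2, 10: 2, 11: 3, 12: 1},
    "Fleet register (in-house)": {1: 6, 2: 4, 3: 2, 4: 6, 5: 6, 6: 4, 7: 4, 8: 4, 9: 6, 10: 4, 11: 6, 12: 2},
    "Ledger (spreadsheet)": {1: 12, 2: 8, 3: 4, 4: 9, 5: 8, 6: 6, 7: 6, 8: 10, 9: 10, 10: 8, 11: 9, 12: 3},
}

if __name__ == "__main__":
    summary = summarise(SAMPLE_SYSTEMS)
    for name, result in summary["systems"].items():
        print(f"{name}: total {result['total']} -> {result['rating']}")
    print(f"total {summary['total_score']}, systems {summary['system_count']}, "
          f"average {summary['average_score']:.1f}")
```

    Each question's rating is taken from the band in the systems score table rather than from the label printed beside the chosen answer, so a "Mitigated" answer carries only the low score the page assigns it; the evidence for the mitigation still has to be recorded against that question.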

    The tables below are an example of how to fill out these tables: for each of the twelve questions they give the score and the risk rating that you will record with your scores. Also record additional comments and document evidence for each question.

    1. Nature

    Question 1: What is the nature of your application package?

    Possible answers (tick the ones that apply)                          | Score | Risk rating
    Off the shelf cloud product or vendor developed and vendor maintained | 2     | Low
    Custom built by vendor and maintained by vendor                       | 4     | Low
    Vendor developed and in-house maintained                              | 6     | Medium
    Vendor developed and not maintained at end of life cycle              | 6     | Medium
    Jointly developed and vendor maintained                               | 8     | Medium
    Jointly developed and in-house maintained                             | 10    | High
    In-house developed and maintained                                     | 12    | High
    Mitigated                                                             | 2     | Low

    2. Systems support

    Question 2: How is your system supported?

    Possible answers (tick the ones that apply) | Score | Risk rating
    In-house support                            | 2     | Low
    External support                            | 2     | Low
    Mixture of in-house and external support    | 4     | Medium
    No support                                  | 8     | High

    3. User base

    Question 3: How many staff have access to the system?

    Possible answers (tick the ones that apply) | Score | Risk rating
    Up to 20% of staff                          | 1     | Low
    Between 20% and 40% of staff                | 2     | Medium
    Between 40% and 60% of staff                | 3     | Medium
    Between 60% and 80% of staff                | 4     | High
    Between 80% and 100% of staff               | 5     | High

    4. Audit software

    Question 4: Is the auditing functionality turned on so you can monitor access, date and time of transactions?

    Possible answers (tick the ones that apply) | Score | Risk rating
    Auditing software is always turned on       | 3     | Low
    Auditing software is always turned off      | 6     | Medium
    No auditing software used                   | 9     | High

    5. Database

    Question 5: What type of database do you have?

    Possible answers (tick the ones that apply)    | Score | Risk rating
    Cloud                                          | 2     | Low
    Relational Database Management System (RDBMS)  | 2     | Low
    MS Access                                      | 6     | Medium
    Excel spreadsheet                              | 8     | High
    Flat file                                      | 10    | High

    6. Software delivery

    Question 6: How is your software delivered to end users?

    Possible answers (tick the ones that apply)   | Score | Risk rating
    Externally supplied and maintained            | 2     | Low
    In-house developed, delivered and maintained  | 4     | Medium
    Mixture of both external and in-house         | 6     | High
    Mitigated                                     | 2     | Low

    7. Software infrastructure

    Question 7: Who develops and maintains your software defined infrastructure?

    Possible answers (tick the ones that apply)   | Score | Risk rating
    Externally owned, provided and maintained     | 2     | Low
    In-house developed, provided and maintained   | 4     | Medium
    Mixture of both external and in-house         | 6     | High
    Mitigated                                     | 2     | Low

    8. Prior audit findings

    Question 8: Has this system recently been audited by the ATO or your external or internal auditors?

    Possible answers (tick the ones that apply) | Score | Risk rating
    Recent audit – no weaknesses                | 2     | Low
    Recent audit – minor weaknesses             | 2     | Low
    Audit – some weaknesses                     | 4     | Medium
    Audit – many weaknesses                     | 6     | Medium
    No previous audit                           | 10    | High
    Mitigated                                   | 2     | Low

    9. Maturity of application

    Question 9: How old is your system?

    Possible answers (tick the ones that apply)  | Score | Risk rating
    Over 10 years – supported and maintained     | 2     | Low
    Over 10 years – not supported or maintained  | 10    | High
    7–10 years                                   | 4     | Medium
    4–6 years                                    | 6     | Medium
    1–3 years                                    | 8     | High
    Less than 1 year                             | 10    | High
    Mitigated                                    | 2     | Low

    10. Data reconciliation

    Question 10: How is data reconciliation and exception reporting handled?

    Possible answers (tick the ones that apply)                                                                          | Score | Risk rating
    Both system generated data reconciliation and exception reporting with full transaction audit trail                 | 2     | Low
    Only system generated data reconciliation and exception reporting with no, or only limited, transaction audit trail | 4     | Medium
    Transaction audit trail only with no system generated data reconciliation or exception reporting                    | 6     | High
    Neither system generated data reconciliation and exception reporting nor transaction audit trail                    | 8     | High
    Mitigated                                                                                                            | 2     | Low

    11. Documentation

    Question 11: What documentation do you have for this information system?

    Possible answers (tick the ones that apply)                        | Score | Risk rating
    Version controlled specifications and data dictionary and test scripts | 3 | Low
    Out of date specifications and no test scripts                     | 6     | Medium
    No specifications and no test scripts                              | 9     | High

    12. Criticality

    Question 12: How critical is the system to your daily business functions?

    Possible answers (tick the ones that apply) | Score | Risk rating
    Non-sensitive – application functions may be interrupted for an extended period of time at little or no cost to the company and require little or no catching up when restored | 1 | Low
    Sensitive – application functions can be performed manually at a tolerable cost and for an extended period of time. However, manual execution is a difficult and laborious process that requires additional staff. | 2 | Medium
    Vital – application unavailability will result in some loss of revenue or goodwill to the company. System functions can be performed manually but at great financial and resource costs to the company and therefore for only a brief period of time. | 3 | High
    Critical – application unavailability will incur significant loss of revenue and goodwill to the company. | 4 | High
    Mitigated | 1 | Low

    Last modified: 18 Jun 2019
    QC 59343