This is the checklist I use when dealing with legacy code that is neither tested nor well documented.
1. Try to understand the code: read it and make notes.
2. Identify possible candidates for refactoring and improvement.
3. If possible, check with the person who wrote the code whenever you have doubts about why something does what it does or why it was written in a particular way.
4. Check with stakeholders, or whoever knows the business, how the part you are refactoring should work.
5. Write unit tests. If it is not possible to write unit tests before refactoring, write integration tests instead.
6. Document the functionality you are refactoring (e.g., in a code comment or a wiki entry).
7. Fix the issues identified in step 2.
8. Jump to step 2.