Page 23 - Souvenir - v4 (2)

•    Sub-systems (inventory, sales, production, logistics, procurement etc.) and other applications and interfaces identification.
•    Core accounting system to sub-systems mapping.
•    Dataflow interconnection of these sub-systems and identification, handling, and storage of personally identifiable information.
•    Data and application touchpoints identification.

Audit execution

The internal audit execution would require in-depth analysis of different applications to review the following.

•    Data origin stage – Is this direct input by potential customers or a manual feed? If a manual feed, do validation controls exist?
•    Data review stage – Who is responsible for data quality? Are critical fields defined as mandatory and is idiot proofing done (e.g. PAN and GST number length and structure, PIN code being X number of digits)?
•    Data transfer stage – Is data transfer through a batch run? If yes, who validates complete and timely transfer of data from one application to another or from a sub-system to the main system?
•    Data reconciliation stage – Who is responsible for reconciliation from one application to another or from one period to another?
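The data review and data reconciliation checks above, written as an added example (not code from the original article) that an auditor could run over records extracted from a sub-system: mandatory-field and structure checks for PAN, GSTIN and PIN code, plus control totals for a batch transfer. The PAN and GSTIN character patterns are the published formats; the six-digit PIN code length is an assumption, since the text leaves the count as "X".

```python
import re

# Structural rules for the mandatory identifiers named in the audit checklist.
# PAN: 5 letters, 4 digits, 1 letter (10 chars). GSTIN: 2-digit state code, the
# PAN, an entity code, the letter Z and a check character (15 chars).
# PIN code: assumed to be 6 digits here (the text leaves the count as "X").
FIELD_RULES = {
    "pan": re.compile(r"[A-Z]{5}[0-9]{4}[A-Z]"),
    "gstin": re.compile(r"[0-9]{2}[A-Z]{5}[0-9]{4}[A-Z][0-9A-Z]Z[0-9A-Z]"),
    "pin_code": re.compile(r"[1-9][0-9]{5}"),
}


def validate_record(record):
    """Data review stage: return control findings for one master-data record."""
    findings = []
    clean = {f: str(record.get(f) or "").strip().upper() for f in FIELD_RULES}
    for field, pattern in FIELD_RULES.items():
        if not clean[field]:
            findings.append(f"{field}: mandatory field missing")
        elif not pattern.fullmatch(clean[field]):
            findings.append(f"{field}: structure check failed ({clean[field]!r})")
    # Cross-field check: characters 3-12 of a GSTIN are the holder's PAN.
    if clean["pan"] and len(clean["gstin"]) == 15 and clean["gstin"][2:12] != clean["pan"]:
        findings.append("gstin: embedded PAN does not match pan field")
    return findings


def reconcile_batch(source_rows, target_rows):
    """Data reconciliation stage: control totals for a batch transfer.
    Record count and amount sum must agree, and each source key must arrive
    exactly once; a count match alone can hide a dropped row masked by a duplicate."""
    src_keys = [r["id"] for r in source_rows]
    tgt_keys = [r["id"] for r in target_rows]
    return {
        "count_match": len(src_keys) == len(tgt_keys),
        "sum_match": sum(r["amount"] for r in source_rows) == sum(r["amount"] for r in target_rows),
        "missing_in_target": sorted(set(src_keys) - set(tgt_keys)),
        "duplicated_in_target": sorted({k for k in tgt_keys if tgt_keys.count(k) > 1}),
    }


# Constructed sample data (not real customers); amounts are integers in minor units.
SAMPLE_RECORDS = [
    {"id": 1, "pan": "ABCDE1234F", "gstin": "27ABCDE1234F1Z5", "pin_code": "400001"},
    {"id": 2, "pan": "ABCDE1234", "gstin": "27ABCDE1234F1Z5", "pin_code": "40001"},
    {"id": 3, "pan": "", "gstin": "27ZZZZZ9999Z1Z5", "pin_code": "110001"},
]
SOURCE_BATCH = [{"id": 101, "amount": 50000}, {"id": 102, "amount": 12500}, {"id": 103, "amount": 990}]
TARGET_BATCH = [{"id": 101, "amount": 50000}, {"id": 102, "amount": 12500}, {"id": 102, "amount": 12500}]
```

Running `reconcile_batch(SOURCE_BATCH, TARGET_BATCH)` on the constructed batch reports a matching record count but a sum mismatch, one missing key and one duplicated key, which is exactly the case a count-only reconciliation would wave through.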

Application governance model

The organization should have a well laid down governance model for new software application development or modification of existing applications, which may include the following.

•    Need for new software application or modification.
•    Whether the application would be accessed by internal stakeholders or external parties, e.g. customers, vendors, suppliers or other third parties or fourth parties etc.
•    Review of application data security aspects.
•    Blueprint documentation and review.
•    Application user acceptance testing.
•    Technology vendor contracting and service level agreements.
•    Vulnerability Assessment and Penetration Testing.
•    Patch management.

Recent cyber attacks have indicated that certain applications were developed and installed by business functions without the knowledge of the Chief Information Security Officer and ignoring the application governance model, which had resulted in substantial loss of key business and personal information, disruption of business, significant erosion of market share and market capitalization, and loss of reputation for the organizations.