Page 106 - ITGC_Audit Guides
P. 106

Objectives


                   This guide is intended to help the reader:
                   •   Define business applications and obtain a working knowledge of relevant processes,
                       including related administrative and operational controls.
                   •   Understand risks and opportunities associated with business applications.

                   •   Understand components of the system development life cycle, including:
                          o  Coding to meet operational and security requirements.
                          o  Testing for security and functionality.

                          o  Controlling the release and storage of source code.
                          o  Installing security patches and other updates.
                   •    Understand components of production support, including:

                          o  Configuring the application and connections to external systems.
                          o  Administering system roles and accounts.
                          o  Responding to user and operational feedback, including errors and outages.
                   •   Understand some related controls for documentation, vendor management, asset
                       management, and reporting from application databases.
                   •   Understand approaches to auditing business applications, including specific controls that
                       should be present and evaluated.

                   Business Application Engagement Planning



                   Before setting an engagement’s scope, internal auditors can take a methodical approach to
                   understand an application’s context and delivery model by assessing relevant risks. Asking a
                   series of questions about the application’s use and administration may help internal auditors
                   assess the inherent risks of a business application. Figure 2 shows potential questions and
                   describes their relevance to an application risk assessment.

                    Q#   Question                           Relevance to Risk Assessment
                    1.    Is the application a single software program   An application platform is inherently riskier than a single
                         or a platform that consists of multiple   application due to security and performance risks with
                         applications and products interfacing and   component technologies — on top of risks associated with
                         operating together?                the primary application.

                    2.    What significant business processes does the   Unclear or disengaged ownership may lead to suboptimal
                         application support, and who is/are the   management of strategy, governance, business requirements,
                         business owner(s)?                 service delivery, or the prioritization or funding of
                                                            enhancements.

                    3.    Does the application process financial   Applications that process financial transactions may be
                         transactions? Is the process a significant   subject to external audits of financial statements, so
                         input to the financial statement accounts?   coordination of assurance services should be considered (per
                                                            Standard 2050 – Coordination and Reliance). Fraud is also a
                                                            likely risk.



                   6 — theiia.org
   101   102   103   104   105   106   107   108   109   110   111