Question

Write report on the application of an audit test in a specific system

Answer 1

Introduction

Organizations are looking towards their internal or external audit dept. to reign in the challenges. In the current business climate , it is essential that IT professionals understand the process of information systems (IS) audit and the concepts of risk and control.

IS auditing involves providing independent evaluations of an organization's policies,procedures,standards,measures,and practices for safeguarding electronic information from loss , damage , unintended disclosure or denial of availability.

APPLICATION AUDIT

An Application audit is a specific audit of one application , for example an audit of an excel spreadsheet with embedde macros used to analyze data and generate reports could be considered an Application audit.It also pertains to business process that heavily relies on various information technology system.

An Application Auidt , should , at a minimum determine the existence of controls in following areas :

1. Administration
2. Inputs , Processing , outputs
3. Logical Security
4. Disaster Recovery plan
5. Change Management
6. User Support
7. Third party services

Administration

• Most important area of application audit review
• Focuses on overall ownership and accountability of the business
• An IT manager or business owner should ensure that roles and responsibilities are clearly defined and documented for each individual on their team.
• Performance metrics should be defined and key processes around these metrics should be monitored.
• Service level agreement should be required
• SLA should be documented up to date
• Auditor should review the SLA

INPUTS , PROCESSING & OUTPUTS

• The Auditor will be looking for evidence of datda preparation procedure , handling requirements, etc
• It is esential that manual inputs are complete and approximately authorized prior to being processed by the application.
• The auditor could also request a sample of source document and ensure that they are appropriately secured and retained.
• Using Computer Assisted Auditing Techniques , an auditor can recalculate and validate the accuracy and completeness of key system calculations which occur during processing.
• The auditor may request a listing of all system generated reports to determine the owner and business use.

LOGICAL SECURITY

• Applications audit usually involve in-depth evaluation of logical security for the application.
• This review is done on top of the logical security review performed as part of infrastructure review which looks at the enterprise wide systems.
• The auditors will need to have your application used ID administration process documented and evidence that is being followed.

DISASTER RECOVERY PLAN

• The surest evaluation of the adequacy of the DRP is documentation of the recovery testing that is performed. The testing process must be defined and implemented for the plan. Subsequently, the DRP must be updated to reflect any
  deficiency determined in the test results. The auditor will form an opinion on whether the test process sufficiently determines whether the plan will work in an actual disaster, and how reliable the test plans assumptions are. From there, the
  auditor can then determine if the test results are sufficient to ensure that the DRP could bring back the application in a time and manner that would prevent any significant or unnecessary business interruptions.

USER SUPPORT

One of the most overlooked aspects, of any application, is whether there exists
adequate end user support in order to control risk. Auditors will be looking for
evidence that user documentation around the application, in the form of user
manuals, online help, etc., is readily available and up to date. If the application was developed within the organization or has aspects of it that were, there
should be a document update process that is documented and followed.

CHANGE MANAGEMENT

A page on Tripwire’s website states “Change management and operational
stability go hand in hand”. No IS auditor in today’s business climate could refute
that statement. IT professionals need to understand the basic concept that all
changes to an application must go through a formal, standardized process. The
auditor is first going to ensure that this process is documented and being
followed.All changes to the application should be logged, tracked and properly
documented in some centralized system. There are many change management
software products available on the market today. The auditor should have access to the system, and can provide an opinion on whether the system is effective in tracking the changes.

THIRD PARTY SERVICES

The auditor will look at the controls around any third party services that are
required to meet business objectives for the application or system. It is important that a relationship manager role is present for the third party and that this individual or group is in constant contact with the third party. Auditors will request the contract with the vendor and review to ensure that: it follows company procedures, was reviewed and signed off by legal.