Write a report on the application of an audit test in a specific system
Introduction
Organizations are looking towards their internal or external audit department to rein in the challenges. In the current business climate, it is essential that IT professionals understand the process of information systems (IS) audit and the concepts of risk and control.
IS auditing involves providing independent evaluations of an organization's policies, procedures, standards, measures, and practices for safeguarding electronic information from loss, damage, unintended disclosure or denial of availability.
APPLICATION AUDIT
An application audit is a specific audit of one application. For example, an audit of an Excel spreadsheet with embedded macros used to analyze data and generate reports could be considered an application audit. It also pertains to business processes that rely heavily on various information technology systems.
An application audit should, at a minimum, determine the existence of controls in the following areas:
ADMINISTRATION
INPUTS , PROCESSING & OUTPUTS
LOGICAL SECURITY
DISASTER RECOVERY PLAN
USER SUPPORT
One of the most overlooked aspects of any application is whether there exists adequate end user support in order to control risk. Auditors will be looking for evidence that user documentation around the application, in the form of user manuals, online help, etc., is readily available and up to date. If the application was developed within the organization or has aspects of it that were, there should be a document update process that is documented and followed.
CHANGE MANAGEMENT
A page on Tripwire’s website states “Change management and operational stability go hand in hand”. No IS auditor in today’s business climate could refute that statement. IT professionals need to understand the basic concept that all changes to an application must go through a formal, standardized process. The auditor is first going to ensure that this process is documented and being followed. All changes to the application should be logged, tracked and properly documented in some centralized system. There are many change management software products available on the market today. The auditor should have access to the system, and can provide an opinion on whether the system is effective in tracking the changes.
THIRD PARTY SERVICES
The auditor will look at the controls around any third party services that are required to meet business objectives for the application or system. It is important that a relationship manager role is present for the third party and that this individual or group is in constant contact with the third party. Auditors will request the contract with the vendor and review it to ensure that it follows company procedures and was reviewed and signed off by legal.