Title: Application Auditing: Scope, Approach, Execution
1. Application Auditing: Scope, Approach, Execution
- January 2009
- Michael Kirk, CIA, CISA

2. Introduction
- Mike Kirk, CIA, CISA
- Application experience includes Oracle, PeopleSoft, JD Edwards, and industry-specific and customized applications for the healthcare, insurance, energy/utility, manufacturing, construction, and environmental industries.
- Board member of the Central Ohio Chapter of ISACA

3. Introduction
- JD Edwards

4. Overview
- Risk Considerations for Application Auditing
- Defining Your Scope
- Developing Your Approach
- Execution
- Q & A

5. Where do you start?
- Understand the environment
- Understand business & technical processes
- Assess risks & controls
- Develop improvements

6. Defining Your Scope
- Understand the business environment the application supports
- Develop a complete understanding of the business process flow (inputs, processing, outputs), and the data flow, including interfaces

7. Defining Your Scope
- Understand the application's technical environment
  - IT control environment
  - Off-the-shelf or customized
  - Legacy or web-based
  - Housed internally or at an external provider
  - Developed in-house or by a third-party provider (3PP)
  - User population
  - Dispersion of users

8. Defining Your Scope
- Understand the business process and technical environment
- Assess business information risks

9. Defining Your Scope
- Business Information Risks
  - Regulatory compliance
  - F/S (financial statement) integrity
  - PCI-related
  - Integration of an acquisition
  - Data privacy
  - Integrity of the application
  - Process control validation

10. Lessons Learned on Scope
- Critical dependencies: personnel, technical, external providers, BCP
- Canned (off-the-shelf) software still seems to get modified
- Don't forget spreadsheets & report-writers!
- Leverage existing flow diagrams
- Invest the time to understand the process flow...
  - Adds value to your internal client
  - You may find that you are now the expert!

11. Developing Your Approach
- Top-down Approach
  - Auditing around the application
  - Information Technology General Controls (ITGCs)
- Bottom-up Approach
  - Auditing the insides
  - Application Controls Testing

12. Top-down Approach
- Relationship between ITGCs and application controls
  - Development
  - Change Management
  - Security Administration
  - Operations

13. Top-down Approach
Source: COBIT 4.1 Framework

14. Top-down Approach
- Development
  - AI2 Acquire and Maintain Application Software
    - AI2.7 Development of Application Software
      - Ensure that automated functionality is developed in accordance with design specifications, development and documentation standards, QA requirements, and approval standards.
Source: COBIT 4.1 Framework

15. Top-down Approach
- Change Management
  - AI6 Manage Changes
    - AI6.1 Change Standards and Procedures
      - Set up formal change management procedures to handle all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms in a standardised manner.
Source: COBIT 4.1 Framework

16. Top-down Approach
- Security Administration
  - AI2 Acquire and Maintain Application Software
    - AI2.4 Application Security and Availability
      - Address application security and availability requirements in response to identified risks and in line with the organisation's data classification, information architecture, information security architecture and risk tolerance.
Source: COBIT 4.1 Framework

17. Top-down Approach
- Application Controls

18. Lessons Learned on Top-down
- Security roles and functionality
- Software Development Life Cycle
- Test plans & supporting documentation
- Testing to break vs. testing to pass

19. Lessons Learned on Top-down
- Dispersion and diversity of the business, processes, and technology compounds the effort
- Don't underestimate the value of a thorough general controls review!

20. Bottom-up Approach
- The functionality and control effectiveness of the application can only be determined in light of the maturity level and effectiveness of the ITGCs
- Auditing the insides: Application Controls Testing

21. Bottom-up Approach
- Input
- Processing
- Output

22. Bottom-up Approach
- Understand the business process and technical environment
- Assess business information risks

23. Bottom-up Approach
- Understand the transaction process related to the application; identify key transactions
- Assess Application Controls

24. Bottom-up Approach
- Transaction and Data Flow Detail

25. Bottom-up Approach
- Application Walk-Through: Key Screens

26. Bottom-up Approach
Source: COBIT 4.1 Framework

27. Bottom-up Approach
- Application Controls
  - AC1 Source Data Preparation and Authorisation
    - Ensure that source documents are prepared by authorised and qualified personnel following established procedures
  - AC2 Source Data Collection and Entry
    - Establish that data input is performed timely
  - AC3 Accuracy, Completeness and Authenticity Checks
    - Ensure that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible.
Source: COBIT 4.1 Framework

28. Bottom-up Approach
- Application Controls
  - AC4 Processing Integrity and Validity
    - Maintain the integrity and validity of data throughout the processing cycle.
  - AC5 Output Review, Reconciliation and Error Handling
    - Establish procedures and associated responsibilities to ensure that verification, detection and correction of the accuracy of output occurs.
  - AC6 Transaction Authentication and Integrity
    - When sharing data between internal applications and business/operational functions, maintain integrity.
Source: COBIT 4.1 Framework

29. Bottom-up Approach
- Testing Documentation
  - Application Function (screen mapping)
  - Function Description
  - Testing Procedures
  - Control Observations (testing results)
  - Recommendations
  - Key Risks & Impact
  - Lots of screen shots!

30. Bottom-up Approach
- Sample (testing documentation)

31. Bottom-up Approach
- Testing Procedures
  - Good code vs. not-so-good code
  - Sequence checks
  - Limit checks
  - Range checks
  - Validity checks
  - Reasonableness checks
  - Table lookups
  - Existence checks
  - Completeness checks
  - Duplicate checks
  - Logical relationships

32. System-Based Data Entry Integrity Controls

33. Bottom-up Approach
- Testing Procedures, cont'd.
  - Field formats are defined & locked
  - Grayed fields; better yet, linked to the user and displayed only if applicable to the functionality
  - On-screen visual feedback
  - Not-so-good: better have monitoring reports as mitigating controls!
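The edit checks listed under Testing Procedures (sequence, limit, range, validity, reasonableness, table lookup, existence, completeness, duplicate, logical relationship), plus the exception report that serves as the monitoring control when the application itself is "not-so-good", carried out in code. This is an added example, not material from the presentation or from any of the packages it names; the vendor master, chart of accounts, approval limit and invoice batch are constructed sample data.

```python
from collections import namedtuple
from datetime import date

# Constructed reference data standing in for the application's master tables.
APPROVED_VENDORS = {"V001", "V002"}            # vendor master (existence check)
VALID_GL_ACCOUNTS = {"6100", "6200", "7300"}   # chart of accounts (table lookup)
APPROVAL_LIMIT = 50_000.00                     # limit check threshold

# One keyed invoice line; inv_date is the ISO string as typed (validity check).
InvoiceLine = namedtuple("InvoiceLine", "seq vendor gl_account inv_date qty unit_price total")

def check_line(line, expected_seq, seen):
    """Return the names of the edit checks this line fails ([] = clean)."""
    f = []
    if line.seq != expected_seq:                  f.append("sequence")
    if not line.vendor:                           f.append("completeness:vendor")
    elif line.vendor not in APPROVED_VENDORS:     f.append("existence:vendor")
    if line.gl_account not in VALID_GL_ACCOUNTS:  f.append("table-lookup:gl_account")
    try:
        date.fromisoformat(line.inv_date)         # rejects non-dates such as month 13
    except ValueError:
        f.append("validity:inv_date")
    if not 1 <= line.qty <= 10_000:               f.append("range:qty")
    if not 0.01 <= line.unit_price <= 100_000:    f.append("reasonableness:unit_price")
    if line.total > APPROVAL_LIMIT:               f.append("limit:total")
    if abs(line.qty * line.unit_price - line.total) > 0.005:
        f.append("logical:qty*price!=total")      # logical relationship between fields
    key = (line.vendor, line.inv_date, line.total)  # duplicate check key
    if key in seen:                               f.append("duplicate")
    seen.add(key)
    return f

def validate_batch(lines):
    """Exception report (the monitoring-report view): only failing lines, keyed by seq."""
    seen, report, prev_seq = set(), {}, 0
    for line in lines:
        findings = check_line(line, prev_seq + 1, seen)   # sequence must be consecutive
        if findings:
            report[line.seq] = findings
        prev_seq = line.seq
    return report

BATCH = [  # constructed sample batch: one clean line, then deliberately bad ones
    InvoiceLine(1, "V001", "6100", "2009-01-15", 10, 25.00, 250.00),   # clean
    InvoiceLine(2, "V001", "6100", "2009-01-15", 10, 25.00, 250.00),   # re-keyed duplicate
    InvoiceLine(4, "V999", "9999", "2009-13-40", 0, 10.00, 60_000.00),  # seq gap + bad data
    InvoiceLine(5, "", "6200", "2009-01-16", 3, 100.00, 300.00),       # vendor left blank
]
```

Running validate_batch(BATCH) flags lines 2, 4 and 5 with the specific checks each fails, which is the one-in-a-million exception an auditor wants surfaced rather than buried in the clean volume.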

34. Lessons Learned on Bottom-up
- Applications pre-dating the current climate of control
- Baselining
- Value of an implementation project audit
  - Application functionality: best if conducted throughout the testing stage
  - End user training & desktop procedures

35. Lessons Learned on Bottom-up
- Monitoring controls: issues typically arise from the one in 1,000,000 transaction, not from the million minus one transactions
- Please remember to conduct audit work in a Test environment
- Don't underestimate the time commitment!
- Emerging technology trends: web-based, PDAs, now smartphones

36. Summary
- Risk considerations for application auditing
- A risk-based approach drives increased efficiency, decreased costs, and organizational value

37. Questions & Discussion
Mike Kirk, t: 614.403.7700, e: m_kirk01_at_yahoo.com