
What is an Application Audit

May 7, 2008

What is an Application Audit

Usually required to assess

• Business risk
• Internal control
• Strong linkage to corporate governance and compliance requirements such as SOX, PCI, HIPAA and GLBA

It is an audit of a single application

• Example: audit of an Excel spreadsheet with embedded macros

It could also be an audit of business processes that use IT heavily

• Example: Payroll processing involving multiple servers and databases
• Application audit could also be technology related

o Example: audit of organizational PBX
o Example: audit of a data warehouse

Periodicity of audit:

o As the system is developed
o Post-implementation of a new system
o Every n months (n = 12)

What does the auditor look for?

o Assurance that the application provides adequate control over data being processed
o Level of control related to degree of risk being assumed
o Risk coming from incorrect or unauthorized processing of data
o Job descriptions for

• Application developers
• Business owners
• Production support groups

What does the auditor look for?

o Level of segregation for system access and application privileges

SANS recommends checking for following controls:

• Application Administration
• Inputs, Processing, Outputs
• Logical Security
• Disaster Recovery Plan
• Change Management
• End User Support
• Third Party Services

Impact of application on the business

• Team members' roles and responsibilities are defined and documented
• Organizational chart is current
• Charts and roles help managers:

o Understand the business implications
o Training tool for new members

• Legal and regulatory compliance issues with respect to an application must be specified
• Service Level Agreements (SLAs) between the application provider and the business must be in place
• Auditor will review the SLA with respect to customer incentives and business objectives

What will the auditor look for?

• Evidence of data preparation
• Procedures
• Reconciliation processes
• Handling requirements
• Evidence of control over manual processes
• Verification of certain calculations using Computer Auditing Techniques (CATs)

What will the auditor look for?

• Balancing and reconciliation for outputs
• Traceability of control totals to upstream and downstream systems
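The batch control totals that an auditor uses to balance outputs against the upstream system (and to recompute as a Computer Auditing Technique) can be scripted. The example below is added here and is not from the original slides; the payroll records, field names and the downstream defects are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample: a payroll batch handed from the HR system (upstream)
# to the payment-file generator (downstream). Field names are assumptions.
UPSTREAM = [
    {"emp_id": 1001, "gross": Decimal("2500.00")},
    {"emp_id": 1002, "gross": Decimal("3120.50")},
    {"emp_id": 1003, "gross": Decimal("1875.25")},
]
# Constructed downstream output: one record silently dropped, one amount
# with transposed digits. Both should be caught by the control totals.
DOWNSTREAM_BAD = [
    {"emp_id": 1001, "gross": Decimal("2500.00")},
    {"emp_id": 1002, "gross": Decimal("3210.50")},
]


def control_totals(records):
    """Batch control totals: record count, amount total, and a hash total
    (sum of employee ids; meaningless as a number, but it changes when a
    record is dropped or substituted even if the amounts still balance)."""
    return {
        "count": len(records),
        "amount": sum((r["gross"] for r in records), Decimal("0")),
        "hash_total": sum(r["emp_id"] for r in records),
    }


def reconcile(upstream, downstream):
    """Return a list of discrepancy descriptions; an empty list means the
    downstream batch balances to the upstream control totals."""
    up, down = control_totals(upstream), control_totals(downstream)
    findings = [f"{k}: upstream {up[k]} vs downstream {down[k]}"
                for k in up if up[k] != down[k]]
    if findings:
        # Totals differ: drill down by key so the auditor can trace
        # exactly which records were lost or altered between systems.
        up_by = {r["emp_id"]: r["gross"] for r in upstream}
        down_by = {r["emp_id"]: r["gross"] for r in downstream}
        for emp in sorted(set(up_by) | set(down_by)):
            if up_by.get(emp) != down_by.get(emp):
                findings.append(f"emp {emp}: {up_by.get(emp)} -> {down_by.get(emp)}")
    return findings


if __name__ == "__main__":
    for line in reconcile(UPSTREAM, DOWNSTREAM_BAD):
        print(line)
```

A clean run of `reconcile` against the same batch on both sides returns nothing; the constructed defective batch reports the three mismatched totals and then the two individual records behind them.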