Application IT Systems Audit

By Yvonne Thompson, 2014-11-13 13:19

Prepared by Paul Hugenberg, CISA, Sky Financial Group

Business Application Control Objectives

The major control objectives associated with any business application are as follows:

- Security and confidentiality of application information is appropriate.
- Integrity of the data processed ensures accurate and complete management reporting.
- Availability of information for business users is consistent with Service Level Agreement (SLA) requirements.
- Effective and efficient processing of application systems.
- System documentation is adequately maintained.

Application Risks

1. The application may be inefficient or ineffective because manual controls are needed to compensate for inadequate built-in controls.
2. Inaccurate and/or corrupted data may lead to erroneous management decisions.
3. The lack of written procedures could result in a failure to comply with corporate policies and guidelines, as well as regulatory agency (e.g., FFIEC) requirements.
4. Business applications may not be adequately protected from unauthorized access due to ineffective security procedures.
5. Customer information may be lost, manipulated or stolen.

Audit Program

Worksheet columns: Audit Procedures, W/P Ref., Init/Date, Comments, IA Use


A.1. Ascertain whether a prior audit has been performed (e.g., pre-implementation, financial audit, Corporate Audit, IT Audit). Obtain prior workpapers and determine what information can be pulled forward for the current audit.

A.2. If a prior audit has been performed, obtain a copy of the audit report. For each audit issue/finding/control weakness, perform the following steps:
    a. Obtain and document the current status of each audit issue (include the name of the individuals you met, date of the interviews, and status of each issue).
    b. Note the disposition of each issue (Corrected/Still Open).
    c. If the issue still exists, carry it forward to the current audit report. Note in the follow-up workpaper that it was brought forward into the current audit.

A.3. Request the following documentation from the application and operational managers:
    - List of ENS staff and their responsibilities for maintaining the application.
    - List of Business Units that utilize functions or output of the application.
    - Organization Charts from both the business units that utilize the system and the ENS
    - List of Major Changes made to this application since the last time audited.
    - List of Major Changes planned to be made to this application over the next 12 months.
    - Copy of the Application System User and Security Manuals. Note that this may be an online document.
    - Copy of the System Documentation (e.g., overview system flowcharts, system narratives) relating to this application. Note this may be an online document.
    - Vendor Contracts
    - Copy of the User Security Administration procedures for this application.
    - Service Level Agreement from ENS.
    - Contingency/Disaster Recovery Plans for this application.
    - Backup, Restart and Recovery Plan from Computer Operations.

A.4. Interview the application and business unit owners to gain an understanding of how the application operates and identify any critical control points, including:
    a. Key concerns relating to this application
    b. Owner roles in defining, prioritizing, testing and approving system changes
    c. Participation on key system projects
    Prepare a brief narrative to document your understanding.

A.5. Review the Vendor contract supporting the application, ensuring that the following areas are addressed:
    a. [Your Co.] Responsibilities
    b. Vendor Responsibilities
    c. Ownership and location of the application/source code.
    d. Release/upgrade testing and installation responsibilities.
    e. Maintenance agreements and terms
    f. If accessing our data, privacy
    g. SAS70
    Document the inclusion of the contract in the central Contract Management Spreadsheet maintained by ENS in Bowling Green.


B.1. Review system documentation obtained from the Preliminary Audit Steps to verify that it contains a description of:
    a. Transaction types processed
    b. System interfaces
    c. Critical program names and processing
    d. Batch job schedule (tasks) and critical processing performed
    e. Security Administration and access control procedures

B.2. Obtain from the Preliminary Audit Steps or develop an overview system flowchart/narrative showing major input sources (e.g., system names/file names) and output types (e.g., report names/system names/file names/business user areas/IT areas).

B.3. Obtain from the Preliminary Audit Steps or develop a flow of critical online input transactions. Identify the screen names and function types where the transactions are processed.

B.4. Describe the edit and validation controls for critical input transactions. Review input screens to see that they are designed to prevent the omission of data and the acceptance of invalid data. Ensure that significant input is verified by an associate other than the person inputting the data.

B.5. If the application uses batch processing, determine through test and observation that controls over input (e.g., control totals, reconciliations) are

B.6. Review system documentation to determine that key computations are fully documented. Test a sample of key computations using a manual recalculation process.

B.7. Determine and document the process to ensure that rejected transactions are corrected and re-entered promptly, and that corrected transactions are subject to the same edit and balancing controls as the original transactions.

B.8. Verify that a reconciliation process is performed daily for all interfaces and any outstanding items are aged and resolved timely. Ensure that the reconciliation activities are adequately separated from input activities.

B.9. Determine that rejected items are logged, tracked, aged, and resolved timely. Review reject items reports to determine that:
    a. Reports are produced and distributed to the business user area.
    b. Reports evidence that they are reviewed daily by appropriate business user staff (e.g., user initials and review date).
    c. Rejects are resolved accurately and timely (e.g., request reject follow-up

B.10. Verify that controls are in place to ensure that output confidentiality is maintained (when necessary). Obtain a list of reports indicating their frequency, purpose, and the identity of the

B.11. Review reports produced by the application. Provide an opinion on the adequacy of the reports to satisfy the requirements of management. These requirements should have been gathered in the Preliminary Audit Steps.

B.12. Determine that a review of critical transactions is performed. This should be performed by someone other than the person who input data from the source documents.


C.1. Review the User Security Administrator Procedures to ensure that:
    a. Procedures are in place for issuing, approving and monitoring application
    b. Application access procedures comply with the policy of “minimum access”.
    c. User access control reports are periodically reviewed for accuracy and completeness by user management.

C.2. Ensure that User Security Administration procedures are defined for the timely deletion/disabling of user IDs (e.g., hires, terminations, changes in responsibility).

C.3. Verify that User Security Administration procedures exist to ensure that unique user IDs are assigned to system users. In cases where the access control system prevents individual accountability, compensating controls must exist.

C.4. Obtain a sample of access request forms for 10 users of the application. Ensure that the forms evidence proper approvals for the requested

C.5. Obtain a copy of the system generated user access report that identifies all users and their assigned authority levels and determine that:
    a. Only current employees have access to the application.
    b. All users are uniquely identified on the access control report.
    c. Passwords are not displayed on the
    d. Each user is granted an access level that is commensurate with their job
    e. Management periodically reviews and approves users who have access to the application. The review should be performed independently of the
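The C.5 tests (together with the C.2 and C.3 conditions they rest on) can be run mechanically against the system-generated access report rather than eyeballed line by line. The script below is an added illustration and is not part of the audit program; the column names, the HR roster, the role-to-level table and every report row are constructed sample data.

```python
"""Added example: mechanical C.5 review of a user access report (all data constructed)."""
import csv
import io
from collections import Counter

# Constructed HR roster: user id -> (employment status, job role)
HR_ROSTER = {
    "jsmith": ("active", "teller"),
    "mlee": ("active", "loan_officer"),
    "rkhan": ("terminated", "teller"),
}
# Constructed mapping of job role -> highest permitted authority level (C.5.d)
ROLE_MAX_LEVEL = {"teller": 1, "loan_officer": 2, "security_admin": 3}
# Constructed system-generated access report (C.5); a PASSWORD column must never appear (C.5.c)
ACCESS_REPORT = """USERID,NAME,LEVEL
jsmith,J. Smith,1
mlee,M. Lee,3
rkhan,R. Khan,1
jsmith,J. Smith,1
shared01,Branch Shared,2
"""


def review_access_report(report_csv, roster, role_max):
    """Return findings keyed by C.5 test letter (a-d); an empty list means no exception."""
    reader = csv.DictReader(io.StringIO(report_csv))
    rows = list(reader)
    findings = {"a": [], "b": [], "c": [], "d": []}
    # c. passwords must not be displayed on the report
    if any(col.strip().upper() in ("PASSWORD", "PWD") for col in reader.fieldnames):
        findings["c"].append("report exposes a password column")
    # b. every user must be uniquely identified (cf. C.3)
    for uid, n in Counter(r["USERID"] for r in rows).items():
        if n > 1:
            findings["b"].append(f"{uid} appears {n} times")
    for r in rows:
        uid, level = r["USERID"], int(r["LEVEL"])
        status_role = roster.get(uid)
        # a. only current employees: flag terminated, unknown or shared ids (cf. C.2)
        if status_role is None or status_role[0] != "active":
            findings["a"].append(uid)
            continue
        # d. access level must be commensurate with the job role
        if level > role_max.get(status_role[1], 0):
            findings["d"].append(f"{uid} level {level} exceeds role max {role_max[status_role[1]]}")
    return findings


if __name__ == "__main__":
    print(review_access_report(ACCESS_REPORT, HR_ROSTER, ROLE_MAX_LEVEL))
```

Each non-empty list is a candidate exception to record in the Comments column; the terminated and shared IDs under (a) also feed the C.2 and C.3 conclusions.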

C.6. Obtain a copy of the current Password Management/Access Control Policy (See Intranet Central) and determine that this application complies with guidelines for:
    a. Character components
    b. Length
    c. Password change frequency
    d. Invalid password attempts
    e. Password storage

C.7. Obtain a job description for the Application Security Administrator function. Ensure that the reporting lines and responsibilities for this function do not compromise security policies.

C.8. Identify the other responsibilities assigned to data security-related personnel besides security administration. Evaluate if a separation of duties deficiency may exist.

C.9. Determine whether there are designated back-up security administrators. Ensure that the responsibilities of the back-up security administrators do not cause separation of duties

C.10. Obtain copies of the security violation reports and verify that they evidence documented management review. Verify that questionable activity can be identified and is appropriately addressed.

C.11. Determine that a review of the security administrator's maintenance activity is periodically performed by someone other than the User Security Administrator who performed the



D.1. Determine that access to sensitive application processing areas is adequately controlled. Document the physical access controls observed and tested.

D.2. Verify that critical hardware (e.g., application servers) is protected from unauthorized access. Document the physical access controls observed and tested.

E.1. Determine the processes used for problem resolution. Verify that information regarding problems is documented and retained whenever problems are encountered.

F.1. Obtain a copy of the business contingency and disaster recovery plans for the application. Review and evaluate the level of detail documented in the plan. Conclude on whether the plan appears effective in the event it would be relied upon in a

F.2. Document the last time this application was Disaster Recovery tested. Verify the results of the test with the Test Coordinator.

F.3. Determine that copies of the contingency/disaster recovery plan and restart/recovery procedures are stored off-site.

F.4. Current organization network structure involves “mirroring” the software/hardware configuration at each processing site. Determine whether ENS has constructed the application on the network to be supported at each center.

G.1. Obtain a copy of any Service Level Agreement in place between ENS, Finance, and Business Unit management related to this application.

G.2. Interview Business User management and determine whether the SLA requirements are being met, such as:
    a. Timeliness of the information provided
    b. Accuracy of the information provided
    c. Names of IT contact people for problem resolution

G.3. Determine if there is a process to identify and provide continual improvements to the application.

G.4. Interview business user management and determine if they are aware of the application's processing
