IS Standards, Guidelines and Procedures for Auditing and Control ...

More documents

Recommendations

Info

G14 Application Systems Review1. BACKGROUND1.1 Linkage to Standards1.1.1 Standard S6 Performance of Audit Work states “During the course of the audit, the IS auditor should obtain sufficient, reliableand relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriateanalysis and interpretation of this evidence.”1.2 Need for Guideline1.2.1 The purpose of this guideline is to describe the recommended practices in performing an application systems review.1.2.2 The purpose of an application systems review is to identify, document, test and evaluate the controls over an application thatare implemented by an organization to achieve relevant control objectives. These control objectives can be categorized intocontrol objectives over the system and the related data.2. PLANNING2.1 Planning Considerations2.1.1 An integral part of planning is understanding the organisation’s information system environment to a sufficient extent for the ISauditor to determine the size and complexity of the systems and the extent of the organisation’s dependence on informationsystems. The IS auditor should gain an understanding of the organisation’s mission and business objectives, the level andmanner in which information technology and information systems are used to support the organisation, and the risks andexposures associated with the organisation’s objectives and its information systems. Also, an understanding of theorganisational structure including roles and responsibilities of key IS staff and the business process owner of the applicationsystem should be obtained.2.1.2 A primary objective of planning is to identify the application level risks. The relative level of risk influences the level of auditevidence required.2.1.3 Application level risks at the system and data level include such things as:• System availability risks relating to the lack of system operational capability• System security risks relating to unauthorised access to systems and/or data• System integrity risks relating to the incomplete, inaccurate, untimely, or unauthorised processing of data• System maintainability risks relating to the inability to update the system when required in a manner that continues toprovide for system availability, security, and integrity• Data risks relating to its completeness, integrity, confidentiality, privacy and accuracy2.1.4 Application controls to address the application level risks may be in the form of computerised controls built into the system,manually performed controls, or a combination of both. Examples include the computerised matching of documents (purchaseorder, invoice and goods received report), the checking and signing of a computer generated cheque and the review by seniormanagement of exception reports.2.1.5 Where the option to place reliance on programmed controls is taken, relevant general IT controls should be considered, aswell as controls specifically relevant to the audit objective. General IT controls could be the subject of a separate review,which would include such things as: physical controls, system level security, network management, data backup andcontingency planning. Depending on the control objectives of the review, the IS auditor may not need to review generalcontrols, such as, where an application system is being evaluated for acquisition.2.1.6 Application system reviews can be performed when a package application system is being evaluated for acquisition, beforethe application system goes into production (pre-implementation) and after the application system has gone into production(post-implementation). Pre-implementation application system review coverage includes the architecture of application levelsecurity, plans for the implementation of security, the adequacy of system and user documentation and the adequacy ofactual or planned user acceptance testing. Post-implementation review coverage includes application level security afterimplementation and may cover system conversion if there has been a transfer of data and masterfile information from the oldto the new system.2.1.7 The objectives and scope of an Application Systems Review usually form part of the Terms of Reference. The form andcontent of the Terms of Reference may vary but should include:• The objectives and scope of the review• IS Auditor/s performing the review• A statement regarding the independence of IS auditor/s from the project• When the review will commence• The timeframe of the review• Reporting arrangements• Closing meeting arrangements• Objectives should be developed to address the 7 COBIT information criteria and then agreed upon by the organisation.The 7 COBIT information criteria are the following:- Effectiveness- Efficiency- Confidentiality- Integrity- Availability46
G14 Application Systems Review continued- Compliance- Reliability of Information2.1.8 Where the IS auditor has been involved previously in the development, acquisition, implementation or maintenance of anapplication system and is assigned to an audit engagement, the independence of the IS auditor may be impaired. The ISauditor should refer to appropriate guidelines to deal with such circumstances.3. PERFORMANCE OF AUDIT WORK3.1 Documenting the Flow of Transactions3.1.1 Information gathered should include both the computerised and manual aspects of the system. The focus should be on datainput (whether electronic or manual), processing, storage, and output that are of significance to the audit objective. The ISauditor may find, depending upon the business processes and the use of technology, that documenting the transaction flowmay not be practical. In that event, the IS auditor should prepare a high level data flow diagram or narrative and/or utilisesystem documentation if provided. Consideration should also be given to documenting application interfaces with othersystems.3.1.2 The IS auditor may confirm the documentation by performing procedures such as a walkthrough test.3.2 Identifying and Testing the Application System Controls3.2.1 Specific controls to mitigate the application risks may be identified and sufficient audit evidence obtained to assure the ISAuditor that the controls are operating as intended. This can be accomplished through procedures such as:• Inquiry and observation• Review of documentation• Testing of the application system controls where programmed controls are being tested; the use of CAATs may beconsidered3.2.2 The nature, timing and extent of testing should be based on the level of risk of the area under review and the audit objectives.In the absence of strong general IT controls, the IS auditor may make an assessment of the effect of this weakness on thereliability of the computerised application controls.3.2.3 If the IS auditor finds significant weaknesses in the computerised application controls, assurance should be obtained(depending on the audit objective), if possible, from the manually performed processing controls.3.2.4 The effectiveness of computerised controls is dependent on strong general IT controls. Therefore, if general IT controls arenot reviewed, the ability to place reliance on the application controls may be severely limited and the IS auditor shouldconsider alternative procedures.4. REPORTING4.1 Weaknesses4.1.1 Weaknesses identified in the application review either due to an absence of controls or to non-compliance should be broughtto the attention of the business process owner and to IS management responsible for the support of the application. Whereweaknesses identified during the application systems review are considered to be significant or material, the appropriate levelof management should be advised to undertake immediate corrective action.4.1.2 Since effective computerised application controls are dependent on general IT controls, weaknesses in this area should alsobe reported. In the event that general IT controls were not reviewed, this fact should be included in the report.4.1.3 The IS auditor should include appropriate recommendations to strengthen controls in the report.4. EFFECTIVE DATE5.1 This guideline is effective for all information systems audits beginning on or after 1 November 2001.47
Page 1: IS Standards, Guidelines and Proced
Page 4 and 5: Code of Professional EthicsThe Info
Page 6 and 7: IS Auditing Standards OverviewIssue
Page 8 and 9: IS Auditing StandardsIssued by Info
Page 10 and 11: 03 The IS auditor should plan the i
Page 12 and 13: information provided, appropriate t
Page 14 and 15: Operative Date14 This ISACA standar
Page 16 and 17: IS Auditing GuidelinesG1 Using the
Page 18 and 19: G2 Audit Evidence Requirement1. BAC
Page 20 and 21: G3 Use of Computer Assisted Audit T
Page 22 and 23: G3 Use of Computer Assisted Audit T
Page 24 and 25: G4 Outsourcing of IS Activities to
Page 26 and 27: G5 Audit Charter continued2.3.2 The
Page 28 and 29: G6 Materiality Concepts for Auditin
Page 30 and 31: G8 Audit Documentation1. BACKGROUND
Page 32 and 33: • Organisational characteristics;
Page 34 and 35: G10 Audit Sampling1. BACKGROUND1.1
Page 36 and 37: G10 Audit Sampling continued2.5.2 A
Page 38 and 39: G11 Effect of Pervasive IS Controls
Page 40 and 41: G11 Effect of Pervasive IS Controls
Page 42 and 43: G12 Organisational Relationship and
Page 44 and 45: G13 Use of Risk Assessment in Audit
Page 48 and 49: G15 Planning1.` BACKGROUND1.1 Linka
Page 50 and 51: G16 Effect of Third Parties on an O
Page 52 and 53: G16 Effect of Third Parties on an O
Page 54 and 55: G17 Effect of Nonaudit Role on the
Page 56 and 57: G17 Effect of Nonaudit Role on the
Page 58 and 59: G18 IT Governance continued4.1.3 Th
Page 60 and 61: G18 IT Governance continued• Info
Page 62 and 63: G19 Irregularities and Illegal Acts
Page 64 and 65: G19 Irregularities and Illegal Acts
Page 66 and 67: G20 Reporting continued2.1.1 The pu
Page 68 and 69: G20 Reporting continued• Statemen
Page 70 and 71: G21 Enterprise Resource Planning (E
Page 78 and 79: G22 Business-to-consumer (B2C) E-co
Page 86 and 87: G23 System Development Life Cycle (
Page 88 and 89: G23 System Development Life Cycle (
Page 90 and 91: G24 Internet Banking continued• I
Page 92 and 93: G24 Internet Banking continued6.1.2
Page 94 and 95: G24 Internet Banking continued7.2.4
Page 96 and 97:
G24 Internet Banking continuedREFER
Page 98 and 99:
G25 Review of Virtual Private Netwo
Page 100 and 101:
3.6 Operating Risk3.6.1 Risks such
Page 102 and 103:
• Highlight the risks and issues
Page 104 and 105:
G26 Business Process Reengineering
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
G27 Mobile Computing1. BACKGROUND1.
Page 112 and 113:
G27 Mobile Computing continued• N
Page 114 and 115:
G28 Computer Forensics1. BACKGROUND
Page 116 and 117:
G28 Computer Forensics continued•
Page 118 and 119:
G28 Computer Forensics continued7.2
Page 120 and 121:
G29 Post-implementation Review1. BA
Page 122 and 123:
G29 Post-implementation Review cont
Page 124 and 125:
G29 Post-implementation Review cont
Page 126 and 127:
G30 Competence continued1.4.6 This
Page 128 and 129:
G30 Competence conntinued4. RECORDS
Page 130 and 131:
G31 Privacy continued1.6 Definition
Page 132 and 133:
G31 Privacy continued■■■Secur
Page 134 and 135:
G31 Privacy continued■■■■
Page 136 and 137:
IS Auditing ProceduresIS Risk Asses
Page 138 and 139:
IS Risk Assessment Measurement Proc
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Digital Signature and Key Managemen
Page 152 and 153:
SpecificTechnicalAspect of a CAOper
Page 154 and 155:
Intrusion Detection Procedure P3 co
Page 156 and 157:
Intrusion Detection Systems (IDS) R
Page 158 and 159:
ReportingSuggested ProceduresReport
Page 160 and 161:
Suggested Procedures for Preventing
Page 162 and 163:
Suggested Procedures for Preventing
Page 164 and 165:
Control Risk Self-assessment Proced
Page 166 and 167:
Page 168 and 169:
Facilitatedworkshop usingthe proces
Page 170 and 171:
Page 172 and 173:
Firewalls Procedure P6 continued2.1
Page 174 and 175:
Page 176 and 177:
Firewalls Procedure P6 continued•
Page 178 and 179:
Page 180 and 181:
Stateful inspection/dynamic packetf
Page 182 and 183:
Suggested ProceduresConfirm network
Page 184 and 185:
Firewalls Procedure P6 continuedHar
Page 186 and 187:
Irregularities and Illegal Acts Pro
Page 188 and 189:
AnalyticalproceduresDutiesApplicati
Page 190 and 191:
Irregularities and Illegal Acts Pro
Page 192 and 193:
Security Assessment-Penetration Tes
Page 194 and 195:
Security Assessment-Penetration Tes
Page 196 and 197:
InternetPenetrationTestingSuggested
Page 198 and 199:
InternalPenetrationTestingcontinued
Page 200 and 201:
WebApplicationcontinuedReportSugges
Page 202 and 203:
Evaluation of Management Control Ov
Page 204 and 205:
Evaluation of Management Control Ov
Page 206 and 207:
Aspects ofEncryptionOrganisationalm
Page 208 and 209:
IS Control Professionals StandardsI
Page 210:
ISACA Standards Documents CommentsI
show all

IS Standards, Guidelines and Procedures for Auditing and Control ...

Create successful ePaper yourself

Delete template?

Save as template?