IS Auditing Guideline: G14 Application Systems Review 

 
Follow us:
        

  Download (47K)

1. BACKGROUND

1.1 Linkage to Standards

1.1.1 Standard S6 Performance of Audit Work states ‘During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence’.

1.2 Linkage to COBIT

1.2.1 Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT’s control objectives and associated management practices. To meet the G 14 Application Systems Reviews requirements of IS auditors, the processes in COBIT most likely to be relevant, selected and adapted are classified here as primary and secondary. The process and control objectives to be selected and adapted may vary depending on the specific scope and terms of reference of the assignment.
1.2.2 Primary IT processes are:

  • PO9 Assess and manage IT risks
  • AI2 Acquire and maintain application software
  • DS5 Ensure systems security
  • ME2 Monitor and evaluate internal control
1.2.3 Secondary IT processes are:
  • PO7 Manage IT human resources
  • PO8 Manage quality
  • A16 Manage changes
  • DS3 Manage performance and capacity
  • DS10 Manage problems
  • DS11 Manage data
1.2.4 The information criteria most relevant to application system reviews are:
  • Primary: Availability, reliability, integrity and confidentiality
  • Secondary: Compliance, effectiveness and efficiency

1.3 Need for Guideline

1.3.1 The purpose of this guideline is to describe the recommended practices in performing an application systems review.
1.3.2 The purpose of an application systems review is to identify, document, test and evaluate the controls over an application that are implemented by an organisation to achieve relevant control objectives. These control objectives can be categorised into control objectives over the system and the related data.

2. PLANNING

2.1 Planning Considerations

2.1.1 An integral part of planning is understanding the organisation’s IS environment to a sufficient extent for the IS auditor to determine the size and complexity of the systems and the extent of the enterprise’s dependence on information systems. The IS auditor should gain an understanding of the enterprise’s mission and business objectives, the level and manner in which information technology and information systems are used to support the enterprise, and the risks and exposures associated with the enterprise’s objectives and its information systems. Also, an understanding of the organisational structure including roles and responsibilities of key IS staff and the business process owner of the application system should be obtained.
2.1.2 A primary objective of planning is to identify the application-level risks. The relative level of risk influences the level of audit evidence required.
2.1.3 Application-level risks at the system and data level include such things as:

  • System availability risks relating to the lack of system operational capability
  • System security risks relating to unauthorised access to systems and/or data
  • System integrity risks relating to the incomplete, inaccurate, untimely or unauthorised processing of data
  • System maintainability risks relating to the inability to update the system when required in a manner that continues to provide for system availability, security and integrity
  • Data risks relating to its completeness, integrity, confidentiality, privacy and accuracy

2.1.4 Application controls to address the application-level risks may be in the form of computerized controls built into the system, manually performed controls, or a combination of both. Examples include the computerized matching of documents (purchase order, invoice and goods received report), the checking and signing of a computer generated cheque and the review by senior management of exception reports.
2.1.5 Where the option to place reliance on programmed controls is taken, relevant general IT controls should be considered, as well as controls specifically relevant to the audit objective. General IT controls could be the subject of a separate review, which would include such things as physical controls, system-level security, network management, data backup and contingency planning. Depending on the control objectives of the review, the IS auditor may not need to review general controls, such as where an application system is being evaluated for acquisition.
2.1.6 Application system reviews can be performed when a package application system is being evaluated for acquisition, before the application system goes into production (pre-implementation) and after the application system has gone into production (post-implementation). Pre-implementation application system review coverage includes the architecture of application-level security, plans for the implementation of security, the adequacy of system and user documentation, and the adequacy of actual or planned user-acceptance testing. Post-implementation review coverage includes application-level security after implementation and system conversion if there has been a transfer of data and master file information from the old to the new system.
2.1.7 The objectives and scope of an application systems review usually form part of the terms of reference. The form and content of the terms of reference may vary but should include:

  • The objectives and scope of the review
  • IS auditors performing the review
  • A statement regarding the independence of the IS auditors from the project
  • When the review will commence
  • The time frame of the review
  • Reporting arrangements
  • Closing meeting arrangements
  • Objectives should be developed to address the seven COBIT information criteria and then agreed upon by the enterprise. The seven COBIT information criteria are:
    –Effectiveness
    –Efficiency
    –Confidentiality
    –Integrity
    –Availability
    –Compliance
    –Reliability of information

2.1.8 Where the IS auditor has been involved previously in the development, acquisition, implementation or maintenance of an application system and is assigned to an audit engagement, the independence of the IS auditor may be impaired. The IS auditor should refer to appropriate guidelines to deal with such circumstances.

3. PERFORMANCE OF AUDIT WORK

3.1 Documenting the Flow of Transactions

3.1.1 Information gathered should include both the computerized and manual aspects of the system. The focus should be on data input (whether electronic or manual), processing, storage and output that are of significance to the audit objective. The IS auditor may find, depending upon the business processes and the use of technology, that documenting the transaction flow may not be practical. In that event, the IS auditor should prepare a high-level data-flow diagram or narrative and/or utilise system documentation if provided. Consideration should also be given to documenting application interfaces with other systems.
3.1.2 The IS auditor may confirm the documentation by performing procedures such as a walk-through test.

3.2 Identifying and Testing the Application System Controls

3.2.1 Specific controls to mitigate the application risks may be identified and sufficient audit evidence obtained to assure the IS auditor that the controls are operating as intended. This can be accomplished through procedures such as:
  • Inquiry and observation
  • Review of documentation
  • Testing of the application system controls where programmed controls are being tested. The use of computer-assisted audit techniques (CAATs) may be considered.

3.2.2 The nature, timing and extent of testing should be based on the level of risk to the area under review and the audit objectives. In the absence of strong general IT controls, the IS auditor may make an assessment of the effect of this weakness on the reliability of the computerized application controls.
3.2.3 If the IS auditor finds significant weaknesses in the computerized application controls, assurance should be obtained (depending on the audit objective), if possible, from the manually performed processing controls.
3.2.4 The effectiveness of computerized controls is dependent on strong general IT controls. Therefore, if general IT controls are not reviewed, the ability to place reliance on the application controls may be limited severely and the IS auditor should consider alternative procedures.

4. REPORTING

4.1 Weaknesses

4.1.1 Weaknesses identified in the application review either due to an absence of controls or to non-compliance should be brought to the attention of the business process owner and to the IS management responsible for the support of the application. Where weaknesses identified during the application systems review are considered to be significant or material, the appropriate level of management should be advised to undertake immediate corrective action.
4.1.2 Since effective computerised application controls are dependent on general IT controls, weaknesses in this area should also be reported. In the event that general IT controls were not reviewed, this fact should be included in the report.
4.1.3 The IS auditor should include appropriate recommendations to strengthen controls in the report.

5. EFFECTIVE DATE

5.1 This guideline is effective for all IS audits beginning on or after 1 November 2001. The guideline has been reviewed and updated effective 1 December 2008.