Tuesday, December 12, 2006

Application audit

Before auditing any application, the IT auditor needs to understand and determine:-
  • the purpose of the application,
  • who the users of the system are,
  • the risk, i.e. the impact and likelihood of the system's failure on the business processes.

In general, during the application audit, the following aspects should be reviewed:-

  • Management / Planning - segregation of duties, policies and procedures. Determine whether the system effectively supports the business process and whether it is able to cope with any future business expansion exercise. If not, determine whether there is any plan to improve the system
  • Operations - backup and recovery, problems encountered by users, storage utilisation
  • Security - physical and logical security; application security, operating system security and database security
  • Support - internal (IT personnel) and external (vendor) support
  • Data / Application control - review of input, processing and output control

An overall conclusion should be made as to whether the controls in place are sufficient to address the risks identified.

Tuesday, December 05, 2006

Auditing the Management of IT

As in any other field, management is the most important aspect. Plan, control, direct and act are the most common management terms.

In auditing the management of IT, the following aspects should be reviewed:-
  • Information Systems Strategy - review of the IT short term and long term plan, IT steering committee
  • Policies And Procedures - review of the IT standards, security policy, operation manual
  • Information System (IS) Management Practices - IT budget, personnel management, project management, change management
  • IS Organisational Structure And Responsibilities - review of the IT organisation chart, job descriptions

The level of control effectiveness should be assessed to determine whether there is any exposure. For example, if the IT Security Policy was last updated 5 years ago, the controls in place might not be highly effective, as technology keeps on changing. The controls should also be revised and updated accordingly.
