Application Systems IT Audit Program.docx

Application Systems IT Audit Program

INTERNAL AUDIT PROGRAM
Application IT Systems Audit

Business Application Control Objectives:
The major control objectives associated with any business application are as follows:
- Security and confidentiality of application information is appropriate.
- Integrity of the data processed ensures accurate and complete management reporting.
- Availability of information for business users is consistent with Service Level Agreement (SLA) requirements.
- Effective and efficient processing of application systems.
- System documentation is adequately maintained.

Application Risks
1. The application may be inefficient or ineffective because manual controls are needed to compensate for inadequate built-in controls.
2. Inaccurate and/or corrupted data may lead to erroneous management decisions.
3. The lack of written procedures could result in a failure to comply with corporate policies and guidelines, as well as regulatory agency (e.g., FFIEC) requirements.
4. Business applications may not be adequately protected from unauthorized access due to ineffective security procedures.
5. Customer information may be lost, manipulated or stolen.

Audit Program
(Worksheet columns: Audit Procedures | W/P Ref. | Init/Date | Comments | IA Use)

A. PRELIMINARY AUDIT

A.1. Ascertain whether a prior audit has been performed (e.g., pre-implementation, financial audit, Corporate Audit, IT Audit). Obtain prior workpapers and determine what information can be pulled forward for the current audit.

A.2. If a prior audit has been performed, obtain a copy of the audit report. For each audit issue/finding/control weakness, perform the following steps:
a. Obtain and document the current status of each audit issue (include the name of the individuals you met, date of the interviews, and status of each issue).
b. Note the disposition of each issue (Corrected/Still Open).
c. If the issue still exists, carry it forward to the current audit report. Note in the follow-up workpaper that it was brought forward into the current audit report.

A.3. Request the following documentation from the application and operational managers:
- List of ENS staff and their responsibilities for maintaining the application.
- List of Business Units that utilize functions or output of the application.
- Organization Charts from both the business units that utilize the system and the ENS staff.
- List of Major Changes made to this application since the last time audited.
- List of Major Changes planned to be made to this application over the next 12 months.
- Copy of the Application System User and Security Manuals. Note that this may be an online document.
- Copy of the System Documentation (e.g., overview system flowcharts, system narratives) relating to this application. Note that this may be an online document.
- Vendor Contracts.
- Copy of the User Security Administration procedures for this application.
- Service Level Agreement from ENS.
- Contingency/Disaster Recovery Plans for this application.
- Backup, Restart and Recovery Plan from Computer Operations.

A.4. Interview the application and business unit owners to gain an understanding of how the application operates and identify any critical control points, including:
a. Key concerns relating to this application system
b. Owner roles in defining, prioritizing, testing and approving system changes
c. Participation on key system projects
Prepare a brief narrative to document your understanding.

A.5. Review the Vendor contract supporting the application, ensuring that the following areas are addressed:
a. Your Co. Responsibilities
b. Vendor Responsibilities
c. Ownership and location of the application/source code
d. Release/upgrade testing and installation responsibilities
e. Maintenance agreements and terms
f. If accessing our data, privacy clauses
g. SAS70
Document the inclusion of the contract in the central Contract Management Spreadsheet maintained by ENS in Bowling Green.

B. APPLICATION CONTROLS

B.1. Review system documentation obtained from the Preliminary Audit Steps to verify that it contains a description of:
a. Transaction types processed
b. System interfaces
c. Critical program names and processing functions
d. Batch job schedule (tasks) and critical processing performed
e. Security Administration and access control procedures

B.2. Obtain from the Preliminary Audit Steps or develop an overview system flowchart/narrative showing major input sources (e.g., system names/file names) and output types (e.g., report names/system names/file names/business user areas/IT areas).

INPUT CONTROLS

B.3. Obtain from the Preliminary Audit Steps or develop a flow of critical online input transactions. Identify the screen names and function types where the transactions are processed.

B.4. Describe the edit and validation controls for critical input transactions. Review input screens to see that they are designed to prevent the omission of data and the acceptance of invalid data. Ensure that significant input is verified by an associate other than the person inputting the data.

B.5. If the application uses batch processing, determine through test and observation that controls over input (e.g., control totals, reconciliations) are effective.

PROCESSING CONTROLS

B.6. Review system documentation to determine that key computations are fully documented. Test a sample of key computations using a manual recalculation process.

B.7. Determine and document the process to ensure that rejected transactions are corrected and re-entered promptly, and that corrected transactions are subject to the same edit and balancing controls as the original transactions.

B.8. Verify that a reconciliation process is performed daily for all interfaces and that any outstanding items are aged and resolved timely. Ensure that the reconciliation activities are adequately separated from input activities.

B.9. Determine that rejected items are logged, tracked, aged, and resolved timely. Review reject items reports to determine that:
a. Reports are produced and distributed to the business user area.
b. Reports evidence that they are reviewed daily by appropriate business user staff (e.g., user initials and review date).
c. Rejects are resolved accurately and timely (e.g., request reject follow-up procedures).

OUTPUT CONTROLS

B.10. Verify that controls are in place to ensure that output confidentiality is maintained (when necessary). Obtain a list of reports indicating their frequency, purpose, and the identity of the recipient.

B.11. Review reports produced by the application. Provide an opinion on the adequacy of the reports to satisfy the requirements of management. These requirements should have been gathered in the Preliminary Audit Steps.

B.12. Determine that a review of critical transactions is performed. This should be performed by someone other than the person who input data from the source documents.

C. LOGICAL ACCESS CONTROLS

C.1. Review the User Security Administrator Procedures to ensure that:
a. Procedures are in place for issuing, approving and monitoring application access.
b. Application access procedures comply with the policy of "minimum access".
c. User access control reports are periodically reviewed for accuracy and completeness by user management.

C.2. Ensure that User Security Administration procedures are defined for the timely deletion/disabling of user IDs (e.g., hires, terminations, changes in responsibility).

C.3. Verify that User Security Administration procedures exist to ensure that unique user IDs are assigned to system users. In cases where the access control system prevents individual accountability, compensating controls must exist.

C.4. Obtain a sample of access request forms for 10 users of the application. Ensure that the forms evidence proper approvals for the requested access.

C.5. Obtain a copy of the system-generated user access report that identifies all users and their assigned authority levels and determine that:
a. Only current employees have access to the application.
b. All users are uniquely identified on the access control report.
c. Passwords are not displayed on the report.
d. Each user is granted an access level that is commensurate with their job responsibility.
e. Management periodically reviews and approves users who have access to the application. The review should be performed independently of the

C.6. Obtain a copy of the current Password Management/Access Control Policy (see Intranet Central) and determine that this application complies with guidelines for:
a. Character components
b. Length
c. Password change frequency
d. Invalid password attempts
e. Password storage

C.7. Obtain a job description for the Application Security Administrator function. Ensure that the reporting lines and responsibilities for this function do not compromise security policies.

C.8. Identify the other responsibilities assigned to data security-related personnel besides security administration. Evaluate whether a separation of duties deficiency may exist.

C.9. Determine whether there are designated back-up security administrators. Ensure that the responsibilities of the back-up security administrators do not cause separation of duties deficiencies.

C.10. Obtain copies of the security violation reports and verify that they evidence documented management review. Verify that questionable activity can be identified and is appropriately addressed.

C.11. Determine that a review of the security administrator's maintenance activity is periodically performed by someone other than the User
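Steps C.5 a through d (and the unique user ID requirement of C.3) can be checked mechanically once the application's user access report is exported. The following is an added example, not part of the audit program above: it reconciles a constructed access report against a constructed HR roster and a constructed role-to-access-level matrix, and returns the exceptions an auditor would document in the workpapers.

```python
"""Automated checks for audit step C.5 (user access report review).
Added illustration; all roster, role and report data below is constructed."""
from collections import Counter

# Constructed HR roster of current employees: user id -> job role
HR_ROSTER = {
    "jdoe": "teller",
    "asmith": "branch_manager",
    "rlee": "teller",
}

# Constructed matrix: highest access level each job role may hold
ROLE_MAX_LEVEL = {"teller": 1, "branch_manager": 2, "security_admin": 3}

# Constructed rows of the system-generated user access report
ACCESS_REPORT = [
    {"user_id": "jdoe", "level": 1},
    {"user_id": "asmith", "level": 2},
    {"user_id": "rlee", "level": 3},   # teller holding an admin-level entitlement
    {"user_id": "bgone", "level": 1},  # id not on the HR roster (e.g., terminated)
    {"user_id": "jdoe", "level": 1},   # duplicate id row on the report
]


def review_access_report(report, roster, role_max_level):
    """Return findings keyed by C.5 sub-step: a (not current), b (duplicate ids),
    c (password column present), d (level above what the role allows)."""
    findings = {
        "a_not_current": [],
        "b_duplicate_ids": [],
        # c. The report must never carry a password field
        "c_password_exposed": any("password" in row for row in report),
        "d_excessive_level": [],
    }
    # b. Every user id must appear exactly once on the report
    counts = Counter(row["user_id"] for row in report)
    findings["b_duplicate_ids"] = sorted(u for u, n in counts.items() if n > 1)
    for row in report:
        uid = row["user_id"]
        # a. Only current employees (present on the HR roster) may hold access
        if uid not in roster:
            findings["a_not_current"].append(uid)
            continue
        # d. Granted level must not exceed the maximum for the user's job role
        allowed = role_max_level.get(roster[uid], 0)
        if row["level"] > allowed:
            findings["d_excessive_level"].append((uid, row["level"], allowed))
    return findings
```

Sub-step e (evidence of independent periodic management review) cannot be derived from the report itself and remains a manual workpaper check.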
