Working with Applications
Modern audit teams agree on the need to review applications whilst they are still under development. Such audits are often seen as subjects for IT Auditors, and because IT Auditors are in limited supply, the end result may be a backlog of work for the IT Auditor or poor audit coverage by a non-specialist.
This course provides insight and enough key skills and knowledge to enable a non-technical auditor to deal with most application-under-development reviews.
Suitability and duration
Suitability: Beginner - Intermediate
Duration: 2 days
Who should attend
This course is open to all-comers. The core of the course lies in the understanding of application risks, and how these can be designed out of an application during the systems development process. The course uses real-world examples and practical exercises to ensure participants spend most of their time consolidating their skills.
Benefits
Skills
After completion of this course, you will be able to:
- Describe the interface between applications and systems infrastructures
- Explain how risk arises in the provision of applications to meet organisational objectives
- Understand the types of risk that arise from high, intermediate and low level application process flows
- Define and audit the roles of end-users in respect of applications
- Understand a typical software development life cycle
- Plan for reviews, throughout the software development life cycle, of significant applications being developed
- Audit, throughout the software development life cycle, applications under development
- Review, after implementation, the control effectiveness of a completed application
Support Materials
This course is accompanied by a substantial manual that includes full briefing notes, explanations, illustrations and a work programme for reviewing applications.
Programme
Information systems and application interfaces
- Hardware and Software
- Introducing the infrastructure
- Best practice delivery and support functions
Application risk in an enterprise setting
- Business objectives linking to application requirements
- Applications meeting strategic, operational, reporting, legal and regulatory requirements
Common risks and controls associated with applications
- High level data flow risks
- Intermediate level data flow risks
- Low level data flow risks
- The audit review
- Application Key Controls Checklist
End users
- Roles & responsibilities
- Reviewing systems under development – the systems development life cycle
- Development strategy (build/buy)
Initiation
- Users and user requirements specifications (URS)
- Feasibility and analysis
- Impact on other systems and interfaces
Design
- Better Detailed user requirements specification (detailed URS)
- Analysis and Design
- Control framework – linkage to enterprise risk
- Performance and capacity
Development
- Tools and methodologies
- Change control
- Security of development environment
- Documentation
Testing
- Test plans
- Testing functionality – acceptance testing
- Control testing
- Test strategies
- Security of test environment and data
Implementation and post implementation
- User training
- Operational documentation
- Data conversion and absorption of legacy data
- Implementation strategies - parallel running / cut-over
- Backup and maintenance procedures
- Effectiveness of systems implementation