An Information Technology (IT) Auditor and an Information Security (Info Sec) Professional are really both pursuing the same goals, but using different terminology. The IT Auditor evaluates for the presence of controls, whereas the Info Sec Professional pursues the implementation of security. It is essential that both end users and IT professionals understand the process of IT Audit and the concepts of risk and control associated with critical business applications, that is, those applications essential to the daily operational functionality of the enterprise. The IT Auditor is looking for assurance that the application provides an adequate degree of control over the data being processed. The level of control expected for a particular application depends on the degree of risk involved in the incorrect or unauthorized processing of those data. Most generalized IT security audits, and the tools used to perform them, focus on networks and servers. However, applications are often vulnerable to attacks that will not be detected by network and server security controls, and that could compromise not only the application and its data, but the network and servers as well.
The primary focus of this seminar is on the process of auditing critical business applications, the associated IT infrastructure that supports these applications and the auditor's role in assessing the internal control environment in which these applications are designed to function.
- Identify application controls and their benefits.
- Recognize the critical role of internal auditors in the assessment and evaluation of application controls.
- Determine that application input data is accurate, complete, authorized, and correct.
- Evaluate whether application data are processed as intended within an acceptable time period.
- Assess application output and stored data for accuracy and completeness.
- Establish if a record is maintained to track data processing from input to storage to output.
- Understand how to perform a risk assessment related to auditing applications.
- Apply application control review scoping.
- Determine application review approaches.
- Specify common application controls.
- Propose suggested tests to substantiate internal control findings within the application under review.
- Develop a sample review program.