SYSTEM AND APPLICATION AUDIT: AVOID RISKING YOUR BUSINESS
- September 20, 2018
- Posted by: Veronica Pierola
- Category: Technology
Austin, Texas – In today’s business environment, the information technology (IT) system is integral to the proper functioning of a company. An incident or weakness in the organization’s IT system security can heavily threaten confidentiality, integrity, availability, and reliability. For instance, an authorized person uses another person’s username and password to access the payroll process. The payroll process, which involves various databases, servers, applications, and operating systems, is then manipulated in an unauthorized manner. To avoid the headache this neglect will cause, the organization should have a System and Application Audit (SAA) at least once a year. The SAA will verify that the business IT system and applications are appropriate, efficient, and adequately controlled.
The SAA is a type of IT audit that is business process-centric and focuses on the IT system. The SAA secures valid, reliable, and timely input, processing, and output at all levels of the system’s activity. The SAA’s purpose is to recognize weak areas in the system and application that are restraining the company’s IT plan. The audit offers options to implement in the plan and address deficiencies. In short, it ensures the organization’s technology functions and meets its purpose. Having a professional IT auditor perform the SAA is important because it facilitates good practices and management within the organization. This type of audit is commonly required in the financial and healthcare industries.
To start the evaluation of a targeted system, the auditor needs a complete understanding of the technology supporting the application in the business. This technology includes software, hardware, operating systems, networks, database management systems, and security controls. The basic SAA process consists of sampling log files and configurations and then conducting face-to-face interviews with key members of the organization. However, the process also evaluates and tests other components that are part of the system, including the following areas:
- System Architecture,
- Business Process Mapping,
- User Identity Management (e.g. password standards),
- Anti-virus/Anti-malware controls,
- Logging and Auditing Systems and Processes,
- IT Privileged Access Control (e.g. system administrator),
- Backup/Restore Procedures.
Some of the benefits the organization will obtain by conducting an SAA are related to security. Knowing the current state of the business IT system and the application can create security awareness among the organization’s members. Employees’ behavior regarding technology use will improve, ensuring the security of the computer system and information assets and compliance with regulations. The audit will also create awareness in the use of the information system and will help to avoid future errors, fraud, and omissions. The organization is responsible for regularly scheduling an internal or external audit that ensures awareness in the use of the information system.
Inputs, Processing, Outputs
By examining all levels of the system’s activity, the SAA’s final outcome is to ensure reliable, valid, timely, and secure input, processing, and output. The IT professional being audited should have ample evidence that input controls, error processing, and output validation are designed into the application. This means that the auditor will review whether the input device properly sends information to a system for processing (e.g. the keyboard to the computer), and whether the output device reproduces or displays the results of the processing (e.g. the computer to the printer).
Therefore, it is crucial to show evidence that the manual input is complete and authorized before processing. During the process, an auditor can request a sample of source documents and ensure they are appropriately secured and retained. The auditor will also test the processing stage, validating whether the processing is accurate and complete. In the output stage, the auditor will look for hard-copy documents produced by the application that prove the proper functioning of the system’s activity. Finally, the auditor requests a list of all system-generated reports to determine their owner and business use. This review validates the need for and effectiveness of the current reports.
In conclusion, the System and Application Audit is a process whose main objective is to ensure the IT system and applications are appropriate and adequately controlled. To determine efficiency, the auditor will evaluate the input, processing, and output at all levels of the system’s activity. The audit will bring benefits to the organization such as awareness of information system use, fraud avoidance, and improved employee behavior toward technology. It is necessary that the IT department/professionals and the auditor work together on the SAA within the organization. Both parties can then better understand the risks and controls and help ensure that the business objectives are appropriately met.