Appendix B. Audit Program for Application Systems Auditing
The business system is an integral element of the business function. Therefore the application and functional risks and the related controls must be considered together.
The approach selected to review business systems must address all relevant risks, management and general controls, and manual controls that are part of the business function under review.
There is a definite trend toward the migration of controls from the application to the general environment. For example, the database management system features may be used to restrict access to critical functions across applications.
An audit of general IS control functions provides information on the reliability of the control structure, which could significantly impact the level of testing required during application system audits.
Auditors need to have a full understanding of the technology platform that supports the application: database management systems, networks, security provisions, hardware, software, and operating systems.
To determine the effectiveness of access controls, the auditor should understand the capabilities and characteristics of the software; the manner in which the software is implemented from a technical point of view; the interrelationship of the application with other applications; systems software in use and conditions that allow overrides of controls; and the administrative controls related to the use of the access control software.