CHAPTER 22 Reviewing Application and Software Management Controls

IT applications drive many if not most of today’s enterprise processes. These applications range from the relatively simple, such as an accounts payable system to pay vendor invoices, to the highly complex, such as enterprise resource planning (ERP) database applications to control virtually all enterprise business processes. While these applications were once based primarily on enterprise central IT systems, today they may be based on client-server, tablet, and even linked smartphone systems. Many if not most IT applications today are based on software purchased from vendors, and an increasing number come from Web-based services. Some IT applications today are still developed by in-house teams, but many others may be based on spreadsheet or database desktop applications. While the IT general control procedures discussed in Chapter 19 cover best practices over all IT operations, specific control processes are also associated with each installed application. In order to perform internal control reviews in specific areas such as accounting, distribution, or engineering, internal auditors must have the skills to understand, evaluate, and test the controls over the supporting IT applications. Reviews of specific application controls can often be more critical to achieving overall audit objectives than reviews of general IT controls.

Even though an internal audit review may find good general IT systems controls, each ...
