Auditing Application Systems Development
Overview
Audits of business application systems development are complicated by the presence of different computer platforms, a myriad of user needs, and diverse technical environments. This course provides an overview of proven audit strategies that will enable participants to efficiently audit and evaluate application systems development in a variety of technical environments. The course covers application development risks, how to overcome them, and what to do to meet the internal control and documentation requirements of Sarbanes-Oxley and other regulations. Throughout the course, participants relate concepts, frameworks, regulations, and industry reports from organizations like the Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework (IC-IF), ISACA's COBIT, the Information Technology Infrastructure Library (ITIL), the Payment Card Industry (PCI) Data Security Standard (DSS), the International Standards Organization (ISO), the Center for Internet Security (CIS), and the Federal Information Security Modernization Act (FISMA). Other information reviewed includes guidance from the National Institute of Standards and Technology (NIST), the European Union (EU) General Data Protection Regulation (GDPR), the European Union Agency for Cybersecurity (ENISA), and SSAE 18 System and Organization Controls (SOC) reports. Participants identify key steps for compliance and develop tailored audit programs and recommendations they can use immediately. Learners focus on what they need to know, what they need to do, and when they need to do it.
Here are the topics we'll cover.
- Application Systems Development Basics
  - Key components of application systems development
  - Software applications and coding languages
  - Differences between interpreters and compilers
- Impact of Technical Environments on Application Systems Development
  - Mainframe environments and client/server-based applications
  - Containers: benefits, orchestration, stacking, and security considerations
  - Central management of container secrets
- Evolution of Application System Development Methodologies
  - Types and characteristics of application development methodologies
  - Software release management
  - Evolution of various methodologies: Waterfall, Agile, Scrum, DevOps, DevSecOps
- Risk Considerations
  - Common challenges in application systems development projects
  - Risk considerations
- Agile and Scrum Methodologies
  - Agile development benefits, principles, phases, and characteristics
  - Scrum development advantages and disadvantages
  - Limitations of Waterfall, Agile, and Scrum
- DevOps and DevSecOps
  - Definition, benefits, characteristics, and the role of development and operations
  - Pillars of DevSecOps, critical roles, and barriers to success
  - Key controls for DevOps and the impact of various practices on the security posture
- Software Development and the Cloud
  - The NIST model of cloud computing
  - Options for software development in the cloud: SaaS, FaaS, PaaS, IaaS
  - Software development kits (SDKs)
  - Audit implications
- Software Development Trends: Cloud Native Development
  - Current trends in software development
  - Microservices: types and their architecture
  - Cloud native benefits, design principles, and maturity
- Software Development Automation
  - The automation pipeline
  - Continuous integration (CI) and continuous delivery (CD): characteristics, requirements, and key controls
  - Version control, configuration management, monitoring, and key tools
- Application Software Risk Assessments
  - Cybersecurity and privacy risks
  - NIST and CIS risk assessment principles, methods, and processes
- Software Development Audit Considerations
  - Common considerations impacting governance, testing, reporting, and ongoing metrics
  - Adapting the audit to in-house development, the cloud, and other key variables that affect the various methodologies
  - Key controls, assessing application security, and project progress
- Compliance Standards, Regulations, and Frameworks
  - eDiscovery
  - Regulatory compliance challenges
  - Types of security controls
- Security Standards and Frameworks
  - Review of frameworks and regulations
- Privacy Standards and Frameworks
  - Review of frameworks and regulations
- Open Web Application Security Project (OWASP)
  - Review of the framework and its features
- Purchased Application Systems: Risks, Challenges, and Audit Considerations
  - Risks, challenges, and controls for purchased systems
  - Vendor contracts, supply chain attacks, and third-party risk management
  - Audit considerations and key steps
- Planning and Starting the Audit
  - Maintaining independence
  - Key resources and documents
  - Audit steps
- Application Internal Controls
  - Control considerations
  - Procedures for reviewing input controls
- Auditing Project Management
  - Risks associated with project management
  - Key controls, useful documents, and related audit steps
- Auditing Design Specifications
  - Risks associated with end-user, design, system, and security specifications
  - Key controls, useful documents, and related audit steps
- Auditing Coding and Testing
  - Types and phases of software testing
  - Coding and testing risks
  - Key controls, useful documents, and related audit steps
- Auditing Implementation, Change Control, and Training
  - Risks associated with system implementation and change control
  - Training risks and controls
  - Key controls, useful documents, and related audit steps
- Conducting Post-Implementation Reviews
  - Controls for post-implementation
  - Key controls, useful documents, and related audit steps
- Metrics
  - Common metrics and organizational goals
Here are the learning objectives we'll cover.
- Describe application systems development methodologies, their features, and characteristics.
- Recognize the indicators of effective systems development.
- Identify key risks, controls, and audit techniques.