Auditing Application Systems Development

IT Audit

Overview

Audits of business application systems development are complicated by the presence of different computer platforms, a myriad of user needs, and diverse technical environments. This course provides an overview of proven audit strategies that enable participants to efficiently audit and evaluate application systems development across a variety of technical environments. The course covers application development risks, how to mitigate them, and what is required to meet the internal control and documentation requirements of Sarbanes-Oxley (SOX) and other regulations. Throughout the course, participants relate concepts, frameworks, regulations, and industry reports from sources such as the Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework (IC-IF), ISACA’s COBIT, the Information Technology Infrastructure Library (ITIL), the Payment Card Industry Data Security Standard (PCI DSS), the International Organization for Standardization (ISO), the Center for Internet Security (CIS), and the Federal Information Security Modernization Act (FISMA). Other material reviewed includes guidance from the National Institute of Standards and Technology (NIST), the European Union (EU) General Data Protection Regulation (GDPR), the European Union Agency for Cybersecurity (ENISA), and SSAE 18 System and Organization Controls (SOC) reports. Participants identify key steps for compliance and develop tailored audit programs and recommendations they can use immediately. Learners focus on what they need to know, what they need to do, and when they need to do it.

Here are the topics we'll cover.

  1. Application Systems Development Basics
    • Key components of application systems development 
    • Software applications and coding languages 
    • Differences between interpreters and compilers 
  2. Impact of Technical Environments on Applications Systems Development
    • Mainframe environments and client/server-based applications 
    • Containers: Benefits, orchestration, stacking, and security considerations 
    • Central management of container secrets 
  3. Evolution of Application System Development Methodologies 
    • Types and characteristics of application development methodologies 
    • Software release management 
    • Evolution of various methodologies: Waterfall, Agile, Scrum, DevOps, DevSecOps 
  4. Risk Considerations 
    • Common challenges in application systems development projects 
    • Risk considerations 
  5. Agile and Scrum Methodologies 
    • Agile development benefits, principles, phases, and characteristics 
    • Scrum development advantages and disadvantages 
    • Limitations of Waterfall, Agile, and Scrum 
  6. DevOps and DevSecOps 
    • Definition, benefits, characteristics, and the role of development and operations  
    • Pillars of DevSecOps, critical roles and barriers to success 
    • Key controls for DevOps and the impact of various practices on the security posture 
  7. Software Development and the Cloud 
    • The NIST model of cloud computing 
    • Options for software development in the cloud: SaaS, FaaS, PaaS, IaaS  
    • Software development kits (SDKs) 
    • Audit implications 
  8. Software Development Trends: Cloud Native Development 
    • Current trends in software development 
    • Microservices: Types and their architecture 
    • Cloud native benefits, design principles, and maturity 
  9. Software Development Automation 
    • The automation pipeline 
    • Continuous integration (CI) and continuous delivery (CD) characteristics, requirements, and key controls 
    • Version control, configuration management, monitoring, and key tools 
  10. Application Software Risk Assessments 
    • Cybersecurity and privacy risks 
    • NIST and CIS risk assessment principles, methods, and processes 
  11. Software Development Audit Considerations 
    • Common considerations impacting governance, testing, reporting, and ongoing metrics 
    • Adaptation to in-house and cloud environments, and other key variables affecting the various methodologies 
    • Key controls, assessing application security, and project progress 
  12. Compliance Standards, Regulations, and Frameworks 
    • eDiscovery  
    • Regulatory compliance challenges 
    • Types of security controls  
  13. Security Standards and Frameworks 
    • Review of frameworks and regulations 
  14. Privacy Standards and Frameworks 
    • Review of frameworks and regulations 
  15. Open Web Application Security Project (OWASP) 
    • Review of the framework and its features 
  16. Purchased Application Systems: Risks, Challenges, and Audit Considerations 
    • Risks, challenges, and controls for purchased systems 
    • Vendor contracts, supply chain attacks, and third-party risk management 
    • Audit considerations and key steps 
  17. Planning and Starting the Audit 
    • Maintaining independence 
    • Key resources and documents 
    • Audit steps 
  18. Application Internal Controls 
    • Control considerations 
    • Procedures for reviewing input controls 
  19. Auditing Project Management 
    • Risks associated with project management 
    • Key controls, useful documents, and related audit steps 
  20. Auditing Design Specifications 
    • Risks associated with end-user, design, system, and security specifications 
    • Key controls, useful documents, and related audit steps 
  21. Auditing Coding and Testing 
    • Types and phases of software testing 
    • Coding and testing risks 
    • Key controls, useful documents, and related audit steps 
  22. Auditing Implementation, Change Control, and Training 
    • Risks associated with system implementation and change control 
    • Training risks and controls 
    • Key controls, useful documents, and related audit steps 
  23. Conducting Post-Implementation Reviews 
    • Controls for post-implementation  
    • Key controls, useful documents, and related audit steps 
  24. Metrics 
    • Common metrics and organizational goals

Learning Style

Instructor Led

Level

Entry Level

Who this course is for

Internal auditors; governance, risk management, and compliance (GRC) professionals; regulators; and IT development practitioners.

NASBA Certified CPE

24 credits

Field of Study

Auditing

Length of course

24h

Prerequisites

None

Advanced Preparation

None

Here are the learning objectives we'll cover

  • Describe application systems development methodologies, their features, and characteristics.
  • Recognize the indicators of effective systems development.
  • Identify key risks, controls, and audit techniques.

Attendance policy for on-site and online instructor-led training

Students are expected to arrive on time for classes with the proper materials and attitude. An overall attendance rate of 100% is expected to fully absorb the materials and to complete labs. If you have an expected absence, please email support@acilearning.com or your instructor ahead of time. The number of CPEs awarded will be equivalent to the number of hours attended.

ACI Learning is registered with NASBA

ACI Learning is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: https://www.nasbaregistry.org/