Auditing Business Application Systems - ITG103


CPE: 24


Price: $1833.00


Overview

This course provides a top-down, risk-based approach to assess key risks and controls in each stage of the application processing cycle and ways to prioritize the audit approach to achieve optimal results in an effective and efficient manner. It also covers completeness and accuracy of input, processing and output.


Who Should Attend

IT, Financial, Operations and Business Applications Auditors; Audit Managers who require an understanding of application controls and audit approaches for business application systems.


Prerequisites

  • IT Auditing and Controls - ITG101
  • Equivalent Experience

What You’ll Learn

You will learn techniques for identifying, prioritizing, assessing and evaluating application controls and procedures using real-world examples of application control risks, control objectives, key application control assessments and testing techniques.


Objectives

  • Learn how to assess key aspects of a business application, including input, output and processing, in a web-based environment
  • Determine how to perform a top-down risk-based approach to planning application audits
  • Determine how to identify and test critical high-risk transactions
  • Discuss Integrated Auditing to determine if this strategy is applicable to your audit department
  • Identify the primary risks and controls for end user computing
  • Review audit’s role on application development projects
  • Review the Web-Based OWASP Top 10 Vulnerabilities, and their solutions
  • Determine how to conduct a Network Audit that covers the protections for your public-facing network from outside and inside intrusion
  • What you should do about your authorized Wireless Network
  • Demystify encryption and how to audit this technology
  • APIs. Something you NEED to care about

Agenda

Introduction to Business Application Systems:

  • IT Risk Assessment
  • relationship between IT general & application controls
  • IT control categories
  • objectives of business application audits
  • types of business application audits
  • existing application reviews
  • end user computing
  • systems development audits
  • integrated auditing
  • data vs. information

Business Application Transactions:

  • what is a transaction?
  • transaction-based application auditing
  • transaction life cycle
  • batch and online models
  • application risk assessment factors
  • establishing audit priorities

Top-Down Risk-Based Planning:

  • planning the application audit
  • top-down risk-based planning
  • defining the business environment
  • determining the application’s technical environment
  • performing a business information risk assessment
  • identifying key transactions
  • developing a key transaction process flow
  • evaluating and testing application controls

Executing Integrated Audits:

  • control ownership
  • what is integrated auditing?
  • integrated IT / business controls
  • enterprise risk coverage
  • integrated audit scoping
  • integrated audit staffing
  • COSO principle 11 – IT control activities

Business Application Controls:

  • business applications - information objectives
  • business application auditing
  • business application transaction life cycle
  • transaction origination
  • completeness and accuracy of input
  • completeness and accuracy of processing
  • completeness and accuracy of output
  • completeness and accuracy of master files
  • completeness and accuracy of interfaces
  • output retention and disposal
  • data file controls
  • user review, balancing, reconciliation
  • end-user documentation

Testing Business Application Controls:

  • testing business application controls
  • testing automated and manual controls
  • testing alternatives
  • testing sample size
  • sampling terminology
  • negative assurance testing
  • types of audit evidence
  • functional/substantive testing
  • Computer Assisted Audit Techniques (CAATS)
  • data analysis - planning and data verification

Documenting Business Application Controls:

  • evaluating and documenting internal controls
  • internal control questionnaires (ICQ)
  • narratives
  • flowcharts / process flows
  • control matrix

End User Computing:

  • growth of end user computing
  • end user computing risks
  • general IT control risks
  • change control risks
  • purchased application risks
  • spreadsheets - typical errors
  • spreadsheet risk factors
  • practical steps for evaluating spreadsheet controls

Auditing Systems Development Projects:

  • audit objectives
  • SDLC risks
  • primary reasons for problems
  • traditional system development life cycle
  • rapid application development
  • internal audit involvement

Web Security:

  • OWASP Top 10
  • Recent Hack Attacks
  • The Layers of Network Security
  • Network Security Policies
  • Firewalls
  • Intrusion Prevention System
  • Anti-Virus Software
  • Identity Access Management
  • Wireless
  • Data Transmission Encryption and Certificate Authorities
  • Encryption of Data-At-Rest
  • Networks Physical Security
  • Conducting Network Penetration Tests
  • If You Were Successfully Hacked, Would You Even Know It?
  • Network Security Resources
  • APIs

Why You Should Attend

Business application systems play a key role supporting operational needs, and issues can be costly in the short and long terms. Auditors should review these systems to verify their appropriate configuration and operation.

ACI Learning is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org.
