It's time for an audit of the application controls for every business system throughout your organization, from enterprise resource planning to e-mail programs, document imaging systems and product design software. As a CIO, are you prepared?
If you've upgraded or modified applications since the last application controls audit, you'd be smart to check out a forthcoming 33-page guide on applications controls to be released July 9 by the Institute of Internal Auditors (IIA). The eighth in the institute's Global Technology Audit Guide (GTAG) series, "Auditing Application Controls" will be available for free to the institute's 130,000 members in 160 countries, as well as to nonmembers via the group's Web site at www.theiia.org.
Although the GTAG guidance is not mandatory, the auditing and testing of software controls on a periodic basis is considered a best practice by the IIA. The GTAG guide includes an eight-page section listing a series of controls and tests that companies can perform to make sure controls are correct and working properly. "These controls and suggested tests are generic and should apply to all systems," says Heriot Prentice, director of technology practices at the IIA in Altamonte Springs, Fla.
There are plenty of reasons software controls need to be periodically audited and tested. For one, all transactional systems such as ERP and financial systemsas well as support applications such as e-mail programs and design softwarepose risks stemming from how they are configured, managed and used by employees.
Another reason for regular audits and tests of software controls is that any configuration changes or modifications to business applications can introduce additional risk. For instance, tolerance levels can be manipulated to disable controls. Likewise, purchase approval controls can be altered without requiring any changes in the underlying code.
For this reason, the GTAG guidance recommends that auditors should be part of any software implementation or upgrade team to ensure controls are in place and working. "Your auditors need to identify the controls that need to be built into that application," Prentice says.