UNCW MSA 516 - Application Systems Review

This preview shows page 1 out of 4 pages.


IS AUDITING GUIDELINE
APPLICATION SYSTEMS REVIEW
Document G14

Introduction

The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits, require standards that apply specifically to IS auditing. One goal of the Information Systems Audit and Control Association, Inc. (ISACA) is therefore to advance globally applicable standards to meet this need. The development and dissemination of IS auditing standards are a cornerstone of the ISACA professional contribution to the audit community.

Objectives

The objectives of the ISACA Standards for IS Auditing are to inform
• IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the Code of Professional Ethics for IS auditors
• Management and other interested parties of the profession’s expectations concerning the work of practitioners

The objective of IS Auditing Guidelines is to provide further information on how to comply with the IS auditing standards.

Scope and Authority of IS Auditing Standards

The framework for the ISACA IS auditing standards provides for multiple levels of standards, as follows:
• Standards define mandatory requirements for IS auditing and reporting.
• Guidelines provide guidance in applying IS auditing standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure. The words audit and review are used interchangeably.
• Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.

The ISACA Code of Professional Ethics requires members of the ISACA and holders of the Certified Information Systems Auditor (CISA) designation to comply with IS auditing standards adopted by the ISACA. Failure to comply with these may result in an investigation into the member's or CISA holder's conduct by the ISACA Board or appropriate ISACA committee and ultimately in disciplinary action.

Development of Standards, Guidelines and Procedures

The ISACA Standards Board is committed to wide consultation in the preparation of IS auditing standards, guidelines and procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary.

The Standards Board has an ongoing development programme and would welcome the input of members of the ISACA and holders of the CISA designation, as well as other interested parties, to identify emerging issues requiring new standards products. Any suggestions should be e-mailed ([email protected]), faxed (+1.847.253.1443) or mailed (address at the end of the guideline) to ISACA International Office, for the attention of the Director of Research, Standards and Academic Relations.

This material was issued on 1 July 2001.

Information Systems Audit And Control Association
2000-2001 STANDARDS BOARD

Chair, Stephen W. Head, CISA, CPA, CPCU, CMA, CFE, CISSP, CBCP
    Royal & SunAlliance, USA
Claudio Cilli, Ph.D., CISA
    KPMG, Italy
Sergio Fleginsky, CISA
    PricewaterhouseCoopers, Uruguay
Fred Lilly, CISA, CPA
    Fred L. Lilly, CPA, USA
Andrew J. MacLeod, CISA, FCPA, MACS, PCP, MIIA
    Brisbane City Council, Australia
Peter Niblett, CISA, CA, ASA, MIIA
    Day Neilson, Australia
George H. Tucker, CISA, CPA
    Ernst & Young, USA
Venkatakrishnan Vatsaraman, CISA, ACA, AICWA
    Emirates Airlines, United Arab Emirates
Sander S. Wechsler, CISA, CPA
    Ernst & Young, USA
Corresponding Member Svein Erik Dovran, CISA
    The Banking Insurance and Securities Commission of Norway

Application Systems Review Guideline Version I 1.0

1. BACKGROUND

1.1 Linkage to Standards

1.1.1 Standard S6 Performance of Audit Work states “During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.”

1.2 Need for Guideline

1.2.1 The purpose of this guideline is to describe the recommended practices in performing an application systems review.

1.2.2 The purpose of an application systems review is to identify, document, test and evaluate the controls over an application that are implemented by an organization to achieve relevant control objectives. These control objectives can be categorized into control objectives over the system and the related data.

2. PLANNING

2.1 Planning Considerations

2.1.1 An integral part of planning is understanding the organisation’s information system environment to a sufficient extent for the IS auditor to determine the size and complexity of the systems and the extent of the organisation’s dependence on information systems. The IS auditor should gain an understanding of the organisation’s mission and business objectives, the level and manner in which information technology and information systems are used to support the organisation, and the risks and exposures associated with the organisation’s objectives and its information systems. Also, an understanding of the organisational structure including roles and responsibilities of key IS staff and the business process owner of the application system should be obtained.

2.1.2 A primary objective of planning is to identify the application level risks. The relative level of risk influences the level of audit evidence required.

0.0.0 Application level risks at the system and data level include such things as:
• System availability risks relating to the lack of system operational capability
• System security risks relating to unauthorised access to systems and/or data
• System integrity risks relating to the incomplete, inaccurate, untimely, or unauthorised processing of data
• System maintainability risks relating to the inability to update the system when required in a manner that continues to provide for system availability, security, and

