Application Development and Support

 

The application audit section of the application stack focuses on the processes, procedures, and tools related to the development, testing, and deployment of the specific applications supporting the various business functions across the company. Application audits are becoming increasingly complex with the emergence of:

  1. Artificial Intelligence (AI) has dramatically changed the business landscape. The first generation of AI relied on rule-based automation, but AI has evolved and can now imitate human interaction and learn, from transactional activities to refined application decision making. An advanced AI algorithm offers far better speed and reliability at a much lower cost than its human counterparts.

  2. Robotic Process Automation (RPA) uses software robots (bots) to imitate a human worker. RPA bots log into applications, enter data, complete calculations, and complete procedural tasks without human initiation or intervention.

  3. Development and Operations (DevOps) enables formerly siloed roles—development, IT operations, quality engineering, and security—to coordinate and collaborate to produce better, more reliable products. However, traditional segregation of duties can be impacted.

  4. Continuous Improvement/Continuous Development (CI/CD) bridges the gaps between development and operation activities and teams by enforcing automation in building, testing and deployment of applications.


Audit activity within the application section is typically broken down into the following two audits.

 
 


Code Management:  (Git, Bamboo, Maven, etc.)

  • Source code management

    • check-in, check-out, production change management, security of source code elements, etc. 

  • Source code protection – code is a proprietary company asset and is secured appropriately

  • Backup and restore of source code and runtime libraries


Applications: 

  • Software engineering

    • Development activities

    • Secure code/vulnerability assessment

    • Application testing and validation

    • Event, performance, and error management

  • Development support tool management

    • Software licensing

    • Code/component currency

    • Asset management

 

Why Engage CTSA?

For each technology audit, CTSA personnel will:

  • Obtain an understanding of the activity being audited. The extent of the knowledge required should be determined by the nature of the enterprise, its environment, areas of risk, and the objectives of the engagement.

  • Consider subject matter guidance or direction, as afforded through legislation, regulations, rules, directives, and guidelines issued by government or industry.

  • Perform a risk assessment to provide reasonable assurance that all material items will be adequately covered during the engagement. Audit strategies, materiality levels and resource requirements can then be developed.

  • Develop the engagement project plan using appropriate project management methodologies to ensure that activities remain on track and within budget.

  • Include in the plan assignment-specific issues, such as:

    • Availability of resources with appropriate knowledge, skills, and experience

    • Identification of tools needed for gathering evidence, performing tests and preparing/summarizing information for reporting

    • Assessment criteria to be used

    • Reporting requirements and distribution

  • Document the technology audit or assurance engagement’s project plan to clearly indicate the:

    • Objective(s), scope, and timing

    • Resources

    • Roles and responsibilities

    • Areas of risk identified and their impact on the engagement plan

    • Tools and techniques to be employed

    • Fact-finding interviews to be conducted

    • Relevant information to be obtained

    • Procedures to verify or validate the information obtained and its use as evidence