Application Development and Support
The application audit section of the application stack focuses on the processes, procedures, and tools related to the development, testing, and deployment of the specific applications supporting the various business functions across the company. Application audits are becoming increasingly complex with the emergence of the following:
Artificial Intelligence (AI) has dramatically changed the business landscape. The first generation of AI relied on rule-based automation, but AI has evolved and can now imitate human interaction and learn, from transactional activities to refined application decision making. An advanced AI algorithm offers far better speed and reliability at a much lower cost than its human counterparts.
Robotic Process Automation (RPA) uses software robots (bots) to imitate a human worker. RPA bots log into applications, enter data, complete calculations, and complete procedural tasks without human initiation or intervention.
Development and Operations (DevOps) enables formerly siloed roles—development, IT operations, quality engineering, and security—to coordinate and collaborate to produce better, more reliable products. However, traditional segregation of duties can be impacted.
Continuous Improvement/Continuous Development (CI/CD) bridges the gaps between development and operation activities and teams by enforcing automation in building, testing and deployment of applications.
Audit activity within the application section is typically broken down into the following two audits.
Code Management: (Git, Bamboo, Maven, etc.)
Source code management: check-in, check-out, production change management, security of source code elements, etc.
Source code protection – code is a proprietary company asset and is secured appropriately
Backup and restore of source code and runtime libraries
Applications:
Software engineering
Development activities
Secure code/vulnerability assessment
Application testing and validation
Event, performance, and error management
Development support tool management
Software licensing
Code/component currency
Asset management
Why Engage CTSA?
For each technology audit, CTSA personnel will:
Obtain an understanding of the activity being audited. The extent of the knowledge required should be determined by the nature of the enterprise, its environment, areas of risk, and the objectives of the engagement.
Consider subject matter guidance or direction, as afforded through legislation, regulations, rules, directives, and guidelines issued by government or industry.
Perform a risk assessment to provide reasonable assurance that all material items will be adequately covered during the engagement. Audit strategies, materiality levels and resource requirements can then be developed.
Develop the engagement project plan using appropriate project management methodologies to ensure that activities remain on track and within budget.
Include in the plan assignment-specific issues, such as:
Availability of resources with appropriate knowledge, skills, and experience
Identification of tools needed for gathering evidence, performing tests and preparing/summarizing information for reporting
Assessment criteria to be used
Reporting requirements and distribution
Document the technology audit or assurance engagement’s project plan to clearly indicate the:
Objective(s), scope, and timing
Resources
Roles and responsibilities
Areas of risk identified and their impact on the engagement plan
Tools and techniques to be employed
Fact-finding interviews to be conducted
Relevant information to be obtained
Procedures to verify or validate the information obtained and its use as evidence