GTAG 14: Auditing User-developed Applications


Almost every organization uses some form of user-developed applications (UDAs) because they can be more easily developed, are less costly to produce, and can typically be changed with relative ease compared with programs and reports developed by IT personnel. However, once end users are given freedom to extract, manipulate, summarize, and analyze their UDA data without assistance from IT personnel, they inherit risks once controlled by IT. These include risks to data integrity, availability, and confidentiality. Because management relies on UDAs, which can be a significant part of financial reporting and operational processes as well as related decision making, the internal auditor must determine and review UDA risks and build an audit of UDAs into the annual internal audit plan as appropriate.

GTAG-14 Auditing User-developed Applications provides:

· Direction on how to scope an internal audit of UDAs.

· Guidance for how the internal auditor’s role as a consultant can be leveraged to assist management with developing an effective UDA control framework.

· Considerations that internal auditors should address when performing UDA audits.

· A sample UDA process flow as well as a UDA internal audit program and supporting worksheets to help internal auditors organize and execute an audit.

 

 

TABLE OF CONTENTS

 

1. Executive Summary

 

2. Introduction

2.1. Defining User-developed Applications

2.2. Benefits of User-developed Applications

2.3. Risks Associated With User-developed Applications

2.4. Differences Between User-developed Applications and IT-developed and Supported Applications

2.5. Compliance Challenges

2.6. Internal Auditing’s Role

 

3. Scoping a User-developed Application Audit

3.1. Defining What Constitutes a Key User-developed Application

3.2. Determining and Defining the User-developed Application Population

3.3. Defining Risk Factors

3.4. Risk Ranking

 

4. Considerations in Performing User-developed Application Audits

4.1. Tool Attributes and Capabilities

4.2. Best Practices for Controls Over User-developed Applications

 

5. Developing the Audit Program

5.1. Sample Audit Program

 

6. Summary

 

7. Appendix: Sample User-developed Application Process Flow

 

8. References and Resources

 

9. Authors and Reviewers

 

 Authors

Christine A. Bellino

Douglas Ochab, CISA

Jeffery S. Rowland, CIA, CISA

 

Questions about this GTAG? Email guidance@theiia.org

 
© 2012 The Institute of Internal Auditors / 247 Maitland Avenue Altamonte Springs, FL. 32701-4201 USA / +1-407-937-1100 / FAX +1-407-937-1101 • www.theiia.org