The IIA’s Standards and Professional Knowledge department has released a new Global Technology Audit Guide (GTAG), “Auditing Business Applications,” to help internal auditors provide assurance and consulting services related to business applications. The GTAG describes how to identify and assess both the risks and the standardized and system-specific controls relevant to business applications.
This practice guide helps internal auditors:
- Gain a working knowledge of the systems development life cycle, service delivery, and information security processes relevant to business applications.
- Understand key risks and controls that may be present during the planning, development, support, and security of business applications.
- Plan engagements to provide assurance and consulting services related to business applications based on relevant risks and opportunities.
- Become familiar with relevant guidance from three widely used control frameworks.
Because applications are essential enablers of business processes, a risk-based audit plan should include audit engagements that evaluate standardized and system-specific controls to ensure significant risks are covered.