A business application may be a single software program or a collection of hardware, firmware, and software applications operating as an integrated system to enable the organization’s processes. Common examples of business applications include enterprise resource planning systems, point-of-sale systems, industrial control systems, and customer relationship management and billing systems. Key features that distinguish a business application from a simpler program — often called a tool — include (1) whether the software has been programmed to perform specific business processes and (2) whether user accounts have differentiated permissions.
Typically, the organization’s IT department administers business applications; however, it is not uncommon for shadow IT functions to exist within other business units, especially as vendor-managed and cloud-based applications become more prevalent. Regardless of which department performs system administration and oversight, the business unit personnel who benefit from the applications have roles to play in defining business needs, executing authorization controls, and providing feedback on system performance.
This self-study course, which is based largely on the Global Technology Audit Guide (GTAG) “Auditing Business Applications,” will help internal auditors gain a deeper understanding of business application controls and how to audit business applications.