Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Friday, June 08, 2007

CIOs, Auditors To Get New Software Controls Guide on July 9

The Institute of Internal Auditors’ forthcoming guide lists tests that companies can perform to make sure their controls are correct and working properly.  It’s time for an audit of the application controls for every business system throughout your organization, from enterprise resource planning to e-mail programs, document imaging systems and product design software.  If you’ve upgraded or modified applications since the last application controls audit, you’d be smart to check out a forthcoming 33-page guide on applications controls to be released July 9 by the Institute of Internal Auditors (IIA).  The eighth in the institute’s Global Technology Audit Guide (GTAG) series, “Auditing Application Controls” will be available for free to the institute’s 130,000 members in 160 countries, as well as to nonmembers via the group’s Web site at

“These controls and suggested tests are generic and should apply to all systems,” says Heriot Prentice, director of technology practices at the IIA in Altamonte Springs, Fla.

For one, all transactional systems such as ERP and financial systems—as well as support applications such as e-mail programs and design software—pose risks stemming from how they are configured, managed and used by employees.  Another reason for regular audits and tests of software controls is that any configuration changes or modifications to business applications can introduce additional risk.  For instance, tolerance levels can be manipulated to disable controls. 

For this reason, the GTAG guidance recommends that auditors should be part of any software-implementation or upgrade team to ensure controls are in place and working.  Prentice recommends that companies make their software-control audits a joint effort involving the chief internal auditor, the CFO and the CIO.  “One of the biggest issues I’ve found when it comes to I.T. is that the chief audit officer or the CFO in many cases may not understand the technology, while at the same time, the CIO may not understand the auditors’ needs,” he says.

Software controls are used to monitor a variety of aspects of the application, including input, processing, output and data integrity, as well as data storage and retrieval.  Some controls are embedded into transactional and support applications, such as an automated accounts-payable match of invoice with purchase order and notice of receipt of shipment.  Other controls are configurable, such as an accounts-payable system’s limit on the amount of an invoice that can be processed without certain approvals.

Management trail—-Processing-history controls, often called an audit trail, allow management to identify the transactions and events they record by tracking each transaction from the source to the output and by tracing backward.,1397,2143482,00.asp?kc=BARSS02129TX1K0000533

Posted on 06/08