Almost every organisation uses some form of User Developed Applications (UDAs) such as spreadsheets and databases. They can be easily developed, cost effective to produce, and changed with relative ease. However, risks such as data integrity, availability, and confidentiality can pose threats to an organisation and internal auditors may consider auditing UDAs.
To address this growing risk, The Institute of Internal Auditors is releasing two new issues of its ongoing Global Technology Audit Guide (GTAG) series – both aimed at helping internal auditors and their management learn about and assess technology related risks.
The New GTAG 14, Auditing User-developed Applications, explores, among other topics, how best to risk rate and scope a UDA audit. The 32-page GTAG also proffers a sample audit program, best practices for implementing controls over UDAs, and advice on how internal auditors can work in a consulting role to help management develop an effective UDA control framework
“In most organisations, selected staff members are permitted as a matter of business necessity to extract, manipulate, analyse, and report on enterprise data using spreadsheets, databases, or other user-developed applications (UDAs). This practice gives rise to risks concerning data integrity, availability, and confidentiality,” says IIA Director of Standards and Guidance Lisa Hirtzinger, CIA.
Standard 2110.A2 of The IIA’s International Standards for the Professional Practice of Internal Auditing requires the internal audit activity to assess whether the organisation’s information systems sustains and supports agreed-upon strategies and objectives.
The New 28-page GTAG 15, Information Security Governance (ISG), explores internal auditing’s roles in and responsibilities for overseeing IT security. It assists organisations in incorporating an audit of ISG into the audit plan, focusing on whether the organisation’s ISG activity delivers the correct behaviors, practices, and execution of information services.
“IT failures, especially information security (IS) breaches, can place the organization at risk for reputation damage, diminished competitiveness, noncompliance with laws and regulations, and other adverse consequences,” adds Hirtzinger. “These impacts should not be underestimated.”
GTAGs, which address timely issues in IT management, control, and security, are strongly recommended, but not mandatory, guidance under The IIA’s International Professional Practices Framework.