Information Technology Reference
In-Depth Information
The enterprise should have a policy or framework for managing application systems. Since
application systems are the key tools for information processing in the enterprise, guidance
is required on what type of application systems to implement and how they should be
managed in order to ensure effective provision of support to business processes.
Where the policy and supporting procedures do not exist, the IS auditor can recommend
that the policy be established and approved by senior management.
The evidence the IS auditor would collect includes the policy document and supporting
procedure documents. User procedure manuals will also help to confirm that the policy is
being actively implemented. Interviewing users and system owners would also help to assess
whether they are aware that the policy exists and understand its requirements. The IS auditor
can review the documents not only to confirm the existence of the policy and procedures but
also to assess whether the policy meets identified standards or best practice recommendations.
b) Provide a list of key applications used in the enterprise
IT management would normally have an inventory of application systems used in the
enterprise. The list would in some cases include the functions of each application system. The
drive towards using integrated systems such as enterprise resource planning (ERP) systems has
reduced the number of single and non-integrated application systems in many enterprises.
What is common nowadays in many enterprises is the existence of a few integrated systems or
a single integrated ERP system supporting all functions in the enterprise.
IS auditors would use the list as evidence of the existence of application systems used in the
enterprise. Where such a list is not available, the auditor might request IT management to
prepare one before the end of the audit. The list can be used to select which application
systems to audit if management has not indicated which systems to audit.
c) Provide names and positions of system owners for key application systems used
in the enterprise
System owners are managers in the enterprise responsible for the use and administration of
application systems. It is important to know who the system owners are because they would
provide invaluable information on how the systems are being used and managed. System
owners are normally senior managers with functional responsibilities directly related to the
application system being used by the department.
Information on regular positions or jobs of system owners is also important in that it will
enable the IS auditor to assess the influence they have in the department and how they deal
with internal politics or power play regarding management of information systems.
Management should be able to provide a list of names of system owners who can be
interviewed later in order to collect more information on the use and implementation of the
systems. It is common to find a situation where there are no system owners and all systems