Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CPA, is an associate professor of information systems (IS) at Columbus State University (Columbus, Georgia, USA). Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small, value-added dealer of accounting

Singleton is also a scholar-in-residence for IT audit and forensic accounting at Carr Riggs & Ingram, a large regional public accounting firm in the southeastern US. In 1999, the Alabama Society of CPAs awarded Singleton the 1998–1999 Innovative User of Technology Award. His articles on fraud, IT/IS, IT auditing and IT governance have appeared in numerous publications.
Auditing Applications, Part 1
Auditing applications is a common type of audit for medium and large companies, especially when some of the applications are developed in-house. There are some basic principles of auditing applications that IT auditors need to know and understand. This two-part article describes one framework for performing effective audits of
Consideration of Purpose
One of the key drivers of an application audit throughout the process is the conditions or circumstances by which the audit arose. That is, what is driving the need for the audit? Is it a regular audit plan? Is it an ad hoc audit? The need is usually directly associated with the primary objective of the audit. For example, if management wants to gain assurance that a new application is performing as designed, that fact will drive the audit objectives and plan.
A Framework
A process-oriented framework includes steps similar to the following:
• Plan the audit.
• Determine audit objectives.
• Map systems and data flows.
• Identify key controls.
• Understand application’s functionality.
• Perform applicable tests.
• Avoid/consider complications.
• Include financial assertions.
• Consider beneficial tools.
• Complete the report.
Some of the steps, such as mapping systems and data flows, are comprehensive. While mapping should occur near the beginning of the audit, it has a role in most of the other steps. Others, such as financial assertions, may or may not apply. However, the noted framework represents a fair body of steps that should allow for the effective audit of applications.

The remainder of this article details the first three steps: planning, determining objectives and mapping. The remaining steps will be detailed in this space in volume 4, 2012.
Consideration of Risk
A second key factor and driver is consideration of risk associated with a particular audit, given the purpose of the audit that was determined previously. The IT auditor, or the audit team, needs to identify risk associated with the application and its associated data, sources, infrastructure and systems. To follow the previous example, possible risk scenarios include a lack of functionality (i.e., it does not actually meet the information requirements), errors and/or bugs, an inability to properly integrate/interface with other applications or systems, data errors, and other similar risk.
Naturally, once the risk scenarios are properly identified, the IT auditor needs to assess the impact on the audit objectives, audit plan, audit scope and audit procedures. For instance, if lack of functionality is a risk, the IT auditor should examine the original information requirements, review tests, review a user acceptance document (if one exists), test the application and perform other similar procedures.
Plan the Audit
Planning the audit includes the consideration of all the relevant factors that frame the purpose of the audit. This consideration is necessary to properly plan the audit.
Consideration of the Control Environment
Usually, the audit plan should take into account the control environment surrounding the application, within the context of the audit purpose. If the primary purpose of the audit is auditing proper