Course Information
Auditing Business Application Systems (0FFERED Virtually)
Course Description
OFFERED VIRTUALLY
This two-day seminar is designed for financial, operational and information technology auditors who need to perform business application audits. Focusing on a top-down, risk-based approach you will learn how to assess key risks and controls in each stage of the application processing cycle and how to prioritize your audit approach to achieve optimal results in an effective and efficient manner. Discussions will include all aspects of a business application, including completeness and accuracy of input, processing and output.
You will learn techniques for identifying, prioritizing, assessing and evaluating application controls and procedures. You will leave the seminar with real-world examples of application control risks, control objectives, key application control assessments and testing techniques.
Course Objectives
Upon completion of this course, participants will be able to:
-
Identify types of business applications and transactions and associated risk
-
Use tools to perform business application audits
-
Recognize key risks and controls in the states of the application processing cycle
-
Test and document application controls
Introduction to Business Application Systems
• types of business applications
• objectives of an application audit
• application control ownership
• integrated auditing
• data vs. information
Business Application Transactions
• transaction-based application auditing
• application risk assessment factors
• establishing audit priorities
Top-Down Risk-Based Planning
• planning the business application audit
• defining the business environment
• determining the application technical environment
• performing a business information risk assessment
• identifying key transactions
• developing a key transaction process flow
• evaluating and testing application controls
Application Controls
• business application audit objectives
• application transaction life cycle
• transaction origination
• completeness and accuracy of input, processing, output
• output retention and disposal
• user review, balancing, reconciliation
Testing Application Controls
• testing automated and manual controls
• testing alternatives
• sample size
• negative assurance testing
• types of audit evidence
• CAATs & data analysis
Documenting Application Controls
• evaluating and documenting internal controls
• internal control questionnaires
• narratives
• flowcharts / process flows
• risk / control matrix
End-User Computing
• end user computing risks
• practical steps for evaluating spreadsheet controls
Auditing System Development Projects
• identifying business risks
• audit’s primary objectives
• traditional system development life cycle
• rapid application development
• managing audit involvement
Instructors
Richard Tarr is an audit and information systems consultant and President of Richard Tarr and Associates, a consulting practice that specializes in application and general control reviews and networks including the development and training of integrated internal auditing functions; quality assurance reviews; strategic planning; business continuation planning; and project management.
Mr. Tarr has more than 20 years in audit and information systems, with additional experience in the design and implementation of large financial and operational systems, includes hotel management and reservations systems and networks. He has managed complex development projects as well as participated in the design and acquisition of software and hardware architectures for both centralized and distributed environments. In addition he has had extensive experience in the development, training, and evaluation of internal audit departments in both government and industry.
Previously with the Walt Disney Company, he initiated and developed the information systems audit function, and served as the Corporate Information Systems Audit Manager. Mr. Tarr was a senior systems engineer with Electronic Data Systems (EDS), where he designed and implemented applications for financial industry clients. He has started and managed corporate audit functions, managed information systems development project teams and has supervised programming staffs in both government and industry. He was the Manager of Quality Assurance Review for the Institute of Internal Auditors (IIA) and is the author of the IIA’s publication Establishing an Internal Audit Function.
Among the seminars Mr. Tarr teaches for MIS are Sarbanes-Oxley for IT Auditors, Using COBIT in Your IT Audits, Auditing IT Governance, Sarbanes-Oxley: A Roadmap to Compliance, IT Audit School; IT Auditing and Controls, How to Audit Automated Business Applications, and How to Perform a General Controls Review. He also teaches Fundamentals of Internal Auditing, Advanced Auditing for In-Charge Auditors, and Data Driven Auditing: A Business Approach.
Additional Information
TAC Rule 523.142(g) requires the CPE Sponsor to monitor individual attendance and assign the correct number of CPE credits. Participants will be asked to document their time of arrival and departure in compliance with this Rule. Additionally, attendance will be monitored throughout the day and CPE certificates will reflect actual attendance of each participant.