RESPONDING TO PROPOSAL
FOR IS AUDIT OF APPLICATION
SOFTWARE

Case study 2

Case study details


You are a CA in practice with the ISA Certification.
Your firm has received an inquiry from a Public Sector
Bank for submitting a proposal for IS Audit.

Key highlights of the details provided by the client
covering scope and objectives of IS Audit are provided in
the case study.

I. Software Packages to be audited

Category A: Developed In-house (Standalone)
Bills
Remittance
Vostro Accounts
Preventive Monitoring System

Category B: Outsourced
Cash Management Services
Centralised Banking Solution

II. Scope of Audit

Evaluation of Efficiency & Effectiveness of the
package vis-a-vis business process and requirements
Application Security & Controls review
Database Security and Integrity review
Review of Interface Controls with other applications
Review of Network & Communications controls of the
application package

The above scope shall include the following:

1. Whether design of the software conforms to the
Requirements Specification.
2. Objectives of the application: whether these have been
fulfilled / are likely to be fulfilled by implementation.
3. Whether the bank's systems & procedures are being
followed in the application.
4. What are the controls built into the application? Whether
these take care of the bank's systems and procedures.
5. What are the security features available / built into the
application package and whether these are sufficient
to take care of the risks in a financial transaction.
6. What is the relative efficiency of the application in
conduct of transactions vis-a-vis the performance of
similar packages?
7. Testing robustness of the application package by
running a specified number of transactions on it.
8. Assessment of the Risk component in the package.
9. To test and verify for any bugs in the application
package.

To specify clearly the methodology to be adopted in carrying
out each of the above steps.

Discuss these in your group and prepare a
presentation covering:
1. Additional information required for submitting
the proposal and the methodology of getting
the information.
2. Prepare detailed step-by-step methodology,
which will be adopted by you for carrying out
the assignment.
3. Identify skill-sets of audit team and estimated
time for completing the assignment.
4. List the standards and guidelines to be used
for the assignment and explain how these
would be adopted and used.

5. List the desired deliverables and proposed draft formats of the IS
Audit report.

Model Answer

Note: This model answer is indicative in
nature and is provided for guidance.

Additional information required for submitting the proposal
and methodology of getting the information
1. Technology platform of the software such as operating
system, database and platform in which the software is
developed.
2. Type of application software: single-user or multi-user
and, if multi-user, approximate number of users of each
application software.
3. List of features and functionalities of the software.
4. Details of vendor in case of outsourced software.
5. List of documentation available for each software package.
6. List of references where such software is deployed.
7. Facility for having a walk-through of the software with related
documentation.
8. Current status of application software - deployed or
proposed to be deployed, and brief details of proposed
deployment.

Any other information which may be relevant.

Step-by-step methodology which will be
adopted by you for carrying out the assignment
1. Discussions with the IT department, users and other
stakeholders as required.
2. Review of documentation of system software
such as operating system and database.
3. Examination of OS and database access rights.
4. Review of Application Software user manuals.
5. Observation of the users and the systems in operation.
Review of Application Software in detail by walking through each of
the functions.


6. Testing of all key parameters such as user access profiles.
7. Testing of software by using test data in a test environment
for testing validations, processing and reporting.
8. Use of CAATs as required for testing processing.
9. Identifying areas of control weakness and discussing them with auditee
management to confirm findings and agree on proposed
recommendations.
10. Preparation of report with executive summary and risk rating of
findings into high, medium and low risk.

Presentation of audit findings and recommendations to management.

Identify skill-sets of audit team


1. Audit team to be finalised after detailed review of
documentation and walk-through of software.
2. Audit team will consist of experts from:
IT with expertise in OS/Database
Functional experts with domain knowledge of the specific application software
Assurance professionals with knowledge of using CAATs and application software
audit.

Estimated time for completing the assignment

1. Estimated time to be finalised after detailed review of
documentation and walk-through of software.
2. Estimated time will include specific man-days of each of
the members of the audit team as identified.
Audit plan will be finalised with estimated time and will include
estimated time for audit planning, performance and
reporting.

Standards and guidelines to be used for the
assignment
ISACA and ICAI standards applicable to audit, internal
audit and IS Audit, as applicable.
Best practices of security and control such as COBIT
Best practices of IS security such as ISO 27001
Technology best practices as applicable
Guidelines and circulars issued by regulatory agencies
Policies and guidelines issued by the bank as applicable.

How the standards and best practices would be
adopted and used
Identified standards, guidelines and best practices would
be extracted and customised as per requirements of
assignment.
Detailed audit program and procedures would be
prepared based on these best practices.
Audit program and procedures would be shared in
advance with auditee department for their feedback.

These would be further updated as required during execution of
the assignment.

Proposed deliverables
Draft IS Audit report with list of control weaknesses
covering each of the software with specific
recommendations for mitigating risks.
Final IS Audit report for each of the software as per
scope with executive summary for senior management.

Presentation to senior management covering key points and
highlights of audits with specific recommendations for follow-up
plan for implementation of recommendations as agreed.

Sample Format of draft report


1. Issue (area of control weakness)
> Ranked based on information criteria as relevant.
2. Implications (effect)
> Highlighting IT Resources impacted as relevant. Critical
Success Factors of relevant IT process.
3. Cause: identifying the probable cause
4. Recommendations
> Using the best practices of COBIT and other best
practices as adapted for business requirement / IT
deployment of software audited.
5. Management Comment:
> As provided by auditee based on discussion

Sample format of final
report

Outline for each finding (area of control
weakness or area of improvement):
Issue:
Ranked based on criticality (high, medium
or low).
Implications (effect):
With highlight of IT Resources impacted as
relevant; identify probability and quantify
risk based on business impact.
Cause:
Identifying probable cause(s) for the issue.
Recommendation:
Based on best practices as adapted as per specific
business requirement / IT deployment of software
audited.
Management Comment:
Feedback from management and identifying issues of
disagreement which need escalation.
Implementation Time-frame as provided by auditee
management.