application management


what kind of things are included in an application management audit?

We have an app security and management audit of our payroll app coming up. On the security side of things I can make an educated guess on what will be involved. On the management side, would it be things like change control, i.e. this is a fat client app, so roll-out of new software based on new versions goes through CC?

Any other issues?

Dear pma111,

An application management audit (as any IT audit) serves to validate the value (quality 1-3 below, fiduciary 4-5 below and security requirements 6-7 below) of the information in the application.

7 related information criteria, which constitute the value of the information, are defined as follows (the organization requires that the information is):
1. Effectiveness: Information being relevant, delivered in a timely, correct, consistent and usable manner.
2. Efficiency: Information provided through the optimal (most productive and economical) use of resources.
3. Confidentiality: Protection of sensitive information from unauthorized disclosure.
4. Integrity: Accuracy, completeness and validity of information.
5. Availability: Information is available when needed. Safeguarding of necessary resources and associated capabilities.
6. Compliance: Complying with laws, regulations and contractual arrangements for information.
7. Reliability: Provision of appropriate information to operate the entity and exercise its fiduciary and governance responsibilities.

An application management audit validates that systems and applications are appropriate to the entity's needs, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of an application's activity.

The application management audit is approached from 5 different perspectives:
a. Security (confidentiality, integrity and availability)
b. Quality (effectiveness and efficiency)
c. Fiduciary (compliance and reliability)
d. Service
e. Capacity

Some of the techniques for gathering evidence as part of the audit include, among others:
I. Reviewing IS organizational structures (segregation of duties).
II. Reviewing IS policies and procedures (which are in place, are they understood and are they being followed/enforced and is it measured).
III. Reviewing IS standards (which are in place, are they understood and are they being followed/enforced and is it measured).
IV. Reviewing IS documentation (which is in place, is it understood and being followed/enforced, is it measured and is it kept up-to-date).
V. Interviewing appropriate personnel (in any way associated with the application management).
VI. Observing processes and employees performing duties (in any way associated with the application management).

Last but not least, the presence/absence of a completed BIA would serve as input in the audit.

Kind regards,

pma111 (Author) commented:
Security I am pretty ok with.

But can you give perhaps 3 examples of controls for:

b. Quality (effectiveness and efficiency)
c. Fiduciary (compliance and reliability)
d. Service
e. Capacity
btan (Exec Consultant) commented:
Another add-on is to follow through the application lifecycle, which focuses more on the change mgmt, such as patch mgmt, frequency of patches, version control, roles and responsibilities and the workflow involved. Primarily it is to ensure a sound and accountable execution standard and procedures.

I was also thinking of the maintenance of the application, but I leave it as the change process mgmt cycle. Secure application development is another area if security is one key chapter. I lean more towards the regularity of vulnerability verification, security posture validation through penetration tests and proper security reviews instead. The BSIMM framework describes these well-defined phases and checks.
pma111 (Author) commented:
Are you an IT auditor breadtan/slemmesmi? Or IT security professional?
Dear pma111,

Neither; I am a senior system engineer with strong IT Governance awareness and I have passed the CISA exam.

Examples of controls for (COBIT based, and I am sure you can map those to ITIL):

b. Quality (effectiveness and efficiency)
Create and maintain corporate/enterprise information model.
Create and maintain corporate data dictionary(ies).
Establish and maintain a data classification scheme.
Provide data owners with procedures and tools for classifying information systems.
Utilise the information model, data dictionary and classification scheme to plan optimised business systems.
Establish IT organisational structure, including committees and linkages to the stakeholders and vendors.
Design an IT process framework.
Identify system owners.
Identify data owners.
Establish and implement IT roles and responsibilities, including supervision and segregation of duties.

c. Fiduciary (compliance and reliability)
See 'b' above, plus:
Identify fiduciary requirements.
Identify legal requirements, ownership and reporting.

d. Service
Create a framework for defining IT services.
Build an IT service catalogue.
Define SLAs for critical IT services.
Define OLAs for meeting SLAs.
Monitor and report end-to-end service level performance.
Review SLAs and UCs.
Review and update IT service catalogue.
Create service improvement plan.

e. Capacity
Establish a planning process for the review of performance and capacity of IT resources.
Review current IT resources’ performance and capacity.
Conduct IT resources’ performance and capacity forecasting.
Conduct gap analysis to identify IT resources mismatches.
Conduct contingency planning for potential IT resources unavailability (again BIA!!!!!)
Continuously monitor and report the availability, performance and capacity of IT resources.

Kind regards,
btan (Exec Consultant) commented:
IT professional; primary focus is cyber security.
Question has a verified solution.