This is the process of specifying and developing the application or computer system on the basis of business requirements. As an IS auditor, the following areas could be reviewed:
- System Planning & Feasibility Audit: Every application is designed after considering the various areas of feasibility, with factors ranging from economic analysis, cost-benefit analysis and technical analysis to the critical success factor method, business system planning, etc.
- Development & Design Audit: Development is verified, policies are established and the necessary controls are put in place. Adherence to benchmark standards and the quality of the output must be ensured.
- System Acceptance Audit: A comprehensive test should be conducted to confirm that the system achieves what was planned.
- System Maintenance Audit: This ensures that systems are kept up to date and that changing needs are taken into account.
Hardware, Software & Application Audit:
Every system requires a particular combination of hardware and software configuration. Software may be customized or bought off the shelf. Care should be taken to verify the input, processing and output controls governing the applications, in addition to their security, network and infrastructure.
Security Audit
- Network data security audit
A network data security audit covers the network data security infrastructure and its safety management. Among the various aspects, the following would be covered:
- Network Architecture
- Client-server and peer-to-peer architectures
- Network anti-virus technology and safety
- Firewall technology
- Data encryption technology
- Authentication technology, ranging from digital signatures and message digests to digital certificates, etc.
- Authorization and the implementation of those technologies
- Review and analysis of the security log
- LAN / Wi-Fi analysis / VPN infrastructure
- Review of the implementation of relevant laws and regulations, such as “the safety protection regulations of computer information system”.
- Network Access Control Audit
The network access control audit focuses mainly on access to the network, authority control and user authentication. The authority control audit checks mainly whether the user holds the required authority when accessing resource nodes and user nodes. Resource nodes provide services or data; user nodes access the services provided by the resource nodes.
System Management Audit
The goal is to guarantee the performance and usability of the system, the integrity of data and other information resources, and system security. Electronic commerce system management can be divided into three aspects:
- System monitoring, system configuration and system operation management: whether hardware and software are registered and updated; whether job sequencing and job plans are scheduled and applied, etc.
- Event correlation and automated processing: overall analysis of the different causes leading to an error report, which may originate in the network, the server system, the database or the application logic; finding the root causes and taking the corresponding action, such as raising an alarm or starting an automated handling procedure, etc.
- Business impact management: a form of system management that keeps business service at a high level and connects business system performance with all the factors that might influence it, helping the user find changes in performance and the reasons for those changes.
Internal Controls Audit
Internal control auditing includes two aspects: the audit of general controls and the audit of application controls.
The auditor should check the risks of data processing in internal control activities, namely the accuracy, integrity and security of the data, as follows:
- The system or program cannot process data correctly, processes incorrect data, or both;
- Whether there is unauthorized access to data, which may lead to modification or even destruction of the data;
- Whether there is unauthorized access that may break the original segregation of duties in the e-commerce system;
- Changes to master document data without authorization;
- Adaptation of the system or program without authorization;
- Inability to make necessary configuration changes or modifications to programs;
- Inappropriate human intervention;
- Possible loss of data or inability to access data.
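As an added example (not from the original text) of how an auditor can test the items above that concern unauthorized modification of master data, the following Python script reconciles a hash baseline of master records against the current data, the application's change log and the approved change requests; all records, log entries, user names and field names are constructed for illustration:

```python
import hashlib
import json

# Fingerprint a master record so that any change to its content is detectable.
def fingerprint(record: dict) -> str:
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

# Constructed baseline: master records as captured at the previous audit.
BASELINE_RECORDS = {
    "CUST-001": {"name": "Acme Ltd", "credit_limit": 5000, "bank": "IBAN-A"},
    "CUST-002": {"name": "Bolt GmbH", "credit_limit": 2000, "bank": "IBAN-B"},
    "CUST-003": {"name": "Cato SA", "credit_limit": 9000, "bank": "IBAN-C"},
}
BASELINE_HASHES = {rid: fingerprint(rec) for rid, rec in BASELINE_RECORDS.items()}

# Constructed current master data: CUST-001 changed under an approved request,
# CUST-002 changed by a batch account with no request, CUST-003 has disappeared.
CURRENT_RECORDS = {
    "CUST-001": {"name": "Acme Ltd", "credit_limit": 7000, "bank": "IBAN-A"},
    "CUST-002": {"name": "Bolt GmbH", "credit_limit": 2000, "bank": "IBAN-X"},
}

# Constructed application change log and approved change requests (hypothetical format).
CHANGE_LOG = [
    {"record": "CUST-001", "user": "jdoe", "ticket": "CR-1041"},
    {"record": "CUST-002", "user": "svc_batch", "ticket": None},
]
APPROVED_REQUESTS = {"CR-1041": {"record": "CUST-001", "approver": "fin_mgr"}}

def audit_master_data(baseline_hashes, current, change_log, approved):
    """Return (record id, finding) pairs for changes that lack proper authorization."""
    findings = []
    logged = {entry["record"]: entry for entry in change_log}
    for rid, rec in current.items():
        if fingerprint(rec) == baseline_hashes.get(rid):
            continue  # content unchanged since the baseline
        entry = logged.get(rid)
        if entry is None:
            findings.append((rid, "modified with no change-log entry"))
            continue
        req = approved.get(entry["ticket"])  # ticket None -> no approved request
        if req is None or req["record"] != rid:
            findings.append((rid, f"modified by {entry['user']} without an approved request"))
    for rid in baseline_hashes.keys() - current.keys():
        findings.append((rid, "deleted from master data"))
    return findings

if __name__ == "__main__":
    for rid, finding in audit_master_data(BASELINE_HASHES, CURRENT_RECORDS, CHANGE_LOG, APPROVED_REQUESTS):
        print(rid, finding)
```

The approved change for CUST-001 produces no finding, while the unticketed edit to CUST-002 and the silent disappearance of CUST-003 are both reported.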
DRP & BCP Audit
A disaster recovery and business continuity plan is a plan that prevents business activity from being interrupted in the case of natural or man-made disasters. The main content of the audit test is whether the plan is feasible and valid: confirm that the related resources (hardware and software) have been backed up and evaluate their safety, and check whether the test results meet the expected requirements.