Audit and Assurance


Auditing a non-documented app.

  • 1.  Auditing a non-documented app.

    Posted 15 Mar, 2020 00:01
    Hi,

    I am assigned a task to perform an audit for one of the legacy applications; it is core business supporting and very complicated, 15 years old, and has many modules.
    The problem is that there is no documentation that allows understanding the application logic, integrations, etc.,
    only verbal explanations from developers and a testing/audit account created for me.
    Assuming the OWASP Testing Guide v4 is my assessment approach, it's too difficult to go through the task without proper documentation.
    Any tips? Has anyone faced the same and can tell their experience?


    ------------------------------
    Ahmed Tamer
    Information Systems Audit Specialist
    ------------------------------


  • 2.  RE: Auditing a non-documented app.

    Posted 15 Mar, 2020 12:26
    Looks like audit finding number 1 is 'no documentation'... I suggest taking a step back and considering the objectives of the audit. What does the system need to do? Who has defined this? And then ask them how _they_ get assurance it is working as per requirements, as that will form the 'controls' you can test. My guess is that there are no clearly defined current requirements... in which case there is a risk that expectations are not met. Your real challenge will be to quantify those in a manner that allows the overall owner/customer of the system to decide how much they want to spend to fix the problem (i.e. to reduce the likelihood of an undesired outcome occurring).
    To be clear, my view is that 'testing the logic' is not the job you should be doing....

    ------------------------------
    David Wilkey
    Managing Director
    Hamilton Advisory Ltd
    ------------------------------



  • 3.  RE: Auditing a non-documented app.

    Posted 16 Mar, 2020 04:16
    Thanks David for the input. In many circumstances audit scope limitations undermine the audit task and cause less value.

    In some past audits I could obtain better visualization of application use from analyzing the webserver logs with web analyzer tools. I agree with you that testing logic is not a standard, but I am looking for tips/tools/techniques that allow building the logic more easily so that the task produces better value in less time and with fewer resources.
    Interviewing developers and server administrators is really time draining and nowadays risky.

    ------------------------------
    Ahmed Tamer Mohamed Ali
    Information Systems Audit Specialist
    ------------------------------
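The log-analysis approach mentioned in the post above can be reproduced without a commercial web analyzer. The following script is an added example, not code from the thread or from the application being audited: it parses access logs in the common Apache/Nginx "combined" format (an assumption; the thread does not say which web server is in use), collapses numeric and hash-like path segments so that `/orders/1234` and `/orders/98` count as one endpoint, groups endpoints by their first path segment as a proxy for application modules, and flags endpoints that are only ever called by non-browser clients without a logged-in user, which is a useful starting point for discovering undocumented integrations. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in Apache/Nginx "combined" log format; not taken from any real system.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [16/Mar/2020:09:01:12 +0000] "GET /orders/1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - jdoe [16/Mar/2020:09:01:15 +0000] "POST /orders/1234/approve HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - asmith [16/Mar/2020:09:02:01 +0000] "GET /orders/98 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Mar/2020:09:02:30 +0000] "GET /reports/export?year=2019 HTTP/1.1" 200 20480 "-" "curl/7.64.0"
192.168.1.20 - - [16/Mar/2020:09:03:00 +0000] "POST /api/erp/sync HTTP/1.1" 200 128 "-" "Java/1.8.0_181"
192.168.1.20 - - [16/Mar/2020:09:03:05 +0000] "POST /api/erp/sync HTTP/1.1" 500 64 "-" "Java/1.8.0_181"
10.0.0.7 - asmith [16/Mar/2020:09:04:10 +0000] "GET /admin/users HTTP/1.1" 403 312 "-" "Mozilla/5.0"
this line is not a valid log entry
"""

# One "combined" log line: client, ident, authenticated user, timestamp, request, status, size, referer, agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Path segments that look like record identifiers (numbers, hex hashes, UUIDs).
ID_SEGMENT = re.compile(r'^(\d+|[0-9a-f]{8,}|[0-9a-f-]{36})$')


def normalize_path(path: str) -> str:
    """Drop the query string and replace identifier-looking segments with {id}."""
    path = path.split('?', 1)[0]
    parts = [('{id}' if ID_SEGMENT.match(p) else p) for p in path.split('/') if p]
    return '/' + '/'.join(parts)


@dataclass
class EndpointStats:
    count: int = 0
    methods: set = field(default_factory=set)
    statuses: dict = field(default_factory=lambda: defaultdict(int))
    users: set = field(default_factory=set)      # authenticated users seen on this endpoint
    clients: set = field(default_factory=set)    # source IPs
    agents: set = field(default_factory=set)     # User-Agent strings


def build_inventory(log_text: str):
    """Return (inventory keyed by normalized path, number of unparseable lines)."""
    inventory = defaultdict(EndpointStats)
    skipped = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1            # malformed lines are counted, not silently dropped
            continue
        st = inventory[normalize_path(m['path'])]
        st.count += 1
        st.methods.add(m['method'])
        st.statuses[int(m['status'])] += 1
        if m['user'] != '-':
            st.users.add(m['user'])
        st.clients.add(m['ip'])
        st.agents.add(m['agent'])
    return dict(inventory), skipped


def group_by_module(inventory):
    """Group endpoints by first path segment, a rough proxy for application modules."""
    modules = defaultdict(list)
    for path in sorted(inventory):
        modules[path.split('/')[1] or '(root)'].append(path)
    return dict(modules)


def likely_integrations(inventory):
    """Endpoints never used by a logged-in user and only hit by non-browser agents."""
    return sorted(p for p, st in inventory.items()
                  if not st.users and all('Mozilla' not in a for a in st.agents))


def error_rate(st: EndpointStats) -> float:
    """Share of requests to an endpoint that returned a 5xx status."""
    errors = sum(n for code, n in st.statuses.items() if code >= 500)
    return errors / st.count if st.count else 0.0


if __name__ == '__main__':
    inv, skipped = build_inventory(SAMPLE_LOG)
    print(f'{len(inv)} endpoints, {skipped} unparseable line(s)')
    for module, paths in group_by_module(inv).items():
        print(f'[{module}]')
        for p in paths:
            st = inv[p]
            print(f'  {p:28} n={st.count:<3} {sorted(st.methods)} '
                  f'statuses={dict(st.statuses)} users={sorted(st.users)} '
                  f'5xx={error_rate(st):.0%}')
    print('possible machine integrations:', likely_integrations(inv))
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents. The module grouping and the "integration" heuristic are starting points for the interviews with developers, not conclusions: an endpoint hit only by a Java client at one internal address is a question to ask about, and a 5xx rate on it is a finding about operational monitoring as much as about the code.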



  • 4.  RE: Auditing a non-documented app.

    Posted 19 Apr, 2020 07:27
    Hello, if it is a legacy application, ask to see the processes supported by this app. Ask as well to discuss with application users and owners and do a walkthrough of the operations linked to your scope. I often found myself formalizing a document for the app just to make sure I understood correctly, but I definitely stress the fact that the legacy app is of high risk for the documentation.
    Check as well if there is a BCP/DRP linked to this app; you can find valuable information there.

    ------------------------------
    Zineb Gridda
    Senior IT Auditor
    ------------------------------