IT audit guide launched to mitigate risk around application controls

The Institute of Internal Auditors (IIA) today launched a Global Technology Audit Guide (GTAG) to fill a gap when it comes to auditing application controls.

Titled "Auditing Application Controls" the guide will help internal audit practitioners, C-level executives, and boards of directors understand the risks associated with application controls and how internal auditing can help mitigate those risks.

Application controls are applied to individual business processes or IT application systems such as data edits, separation of business functions, transaction logging, and error reporting.

Failure to audit application controls can leave an organisation exposed to risks that affect the integrity, timeliness, and availability of financial or operational data.

IIA-Australia president, Gary Anderson, said most internal auditors and company managers think of application controls as a mysterious black box and do not know how to make sure they're working the way they should.

"Scarce resources and time within the internal audit can also lead to an inadequate review of application controls," he said.

"It's crucial that internal auditors have the skills to determine if an application's controls are properly designed and operating effectively to manage financial, operational, or regulatory compliance risks and equally crucial that other company officers appreciate the value of this type of audit."

The eighth in a series of Global Technology Audit Guides produced by IIA, GTAG 8 clearly defines application controls, their benefits, provides some common examples, describes the role of internal auditors in reviewing application controls, provides guidance on scoping and performing risk assessments in this area and provides suggested application review approaches, sample tests, and a sample review program.

Anderson said there are very real benefits from relying on application controls including reliability.

He said application controls are more reliable than manual controls when evaluating the potential for control errors due to human intervention.

"So once an application control is established, the organisation can rely on it until a change occurs," Anderson added.

"Another benefit is benchmarking. If an internal auditor verifies that the application control has not changed since it was last tested, it may be deemed effective.

"However, as the frequency of code change increases, the opportunity to rely a on benchmarking strategy decreases.."

Finally, Anderson said there are significant time and cost savings as application controls typically take less time to test than manual controls.

For a free copy of GTAG 8 "Auditing Application Controls", visit

Established in 1952, the IIA has chapters across Australia. Globally, the Institute of Internal Auditors serves more than 150,000 members in internal auditing, governance and internal control, IT audit, education and security from more than 160 countries.

- with Sandra Rossi

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Black Box Network ServicesIIA

Show Comments