Auditing Business Application Systems - ITG103


This course provides a top-down, risk-based approach to assess key risks and controls in each stage of the application processing cycle and ways to prioritize the audit approach to achieve optimal results in an effective and efficient manner. It also covers completeness and accuracy of input, processing and output.




NASBA Certified CPE

24 Credits


Why you should attend

Business application systems play a key role supporting operational needs, and issues can be costly in the short and long terms. Auditors should review these systems to verify their appropriate configuration and operation.

Who should attend

IT, Financial, Operations and Business Applications Auditors; Audit Managers who require an understanding of application controls and audit approaches for business application systems.

What you'll learn

You will learn techniques for identifying, prioritizing, assessing and evaluating application controls and procedures using real-world examples of application control risks, control objectives, key application control assessments and testing techniques.


IT Auditing and Controls - ITG101

Equivalent Experience


Introduction to Business Application Systems:

  • IT Risk Assessment
  • relationship between IT general & application controls
  • IT control categories
  • objectives of business application audits
  • types of business application audits
  • existing application reviews
  • end user computing
  • systems development audits
  • integrated auditing
  • data vs. information

Business Application Transactions:

  • what is a transaction?
  • transaction-based application auditing
  • transaction life cycle
  • batch and online models
  • application risk assessment factors
  • establishing audit priorities

Top-Down Risk-Based Planning:

  • planning the application audit
  • top-down risk-based planning
  • defining the business environment
  • determining the application’s technical environment
  • performing a business information risk assessment
  • identifying key transactions
  • developing a key transaction process flow
  • evaluating and testing application controls

Executing Integrated Audits:

  • control ownership
  • what is integrated auditing?
  • integrated IT / business controls
  • enterprise risk coverage
  • integrated audit scoping
  • integrated audit staffing
  • COSO principle 11 – IT control activities

Business Application Controls:

  • business applications - information objectives
  • business application auditing
  • business application transaction life cycle
  • transaction origination
  • completeness and accuracy of input
  • completeness and accuracy of processing
  • completeness and accuracy of output
  • completeness and accuracy of master files
  • completeness and accuracy of interfaces
  • output retention and disposal
  • data file controls
  • user review, balancing, reconciliation
  • end-user documentation

Testing Business Application Controls:

  • testing business application controls
  • testing automated and manual controls
  • testing alternatives
  • testing sample size
  • sampling terminology
  • negative assurance testing
  • types of audit evidence
  • functional/substantive testing
  • Computer Assisted Audit Techniques (CAATS)
  • data analysis - planning and data verification

Documenting Business Application Controls:

  • evaluating and documenting internal controls
  • internal control questionnaires (ICQ)
  • narratives
  • flowcharts / process flows
  • control matrix

End User Computing:

  • growth of end user computing
  • end user computing risks
  • general IT control risks
  • change control risks
  • purchased application risks
  • spreadsheets - typical errors
  • spreadsheet risk factors
  • practical steps for evaluating spreadsheet controls

Auditing Systems Development Projects:

  • audit objectives
  • SDLC risks
  • primary reasons for problems
  • traditional system development life cycle
  • rapid application development
  • internal audit involvement

Web Security:

  • OWASP Top 10
  • Recent Hack Attacks
  • The Layers of Network Security
  • Network Security Policies
  • Firewalls
  • Intrusion Prevention System
  • Anti-Virus Software
  • Identity Access Management
  • Wireless
  • Data Transmission Encryption and Certificate Authorities
  • Encryption of Data-At-Rest
  • Network Physical Security
  • Conducting Network Penetration Tests
  • If You Were Successfully Hacked, Would You Even Know It?
  • Network Security Resources
  • APIs


ACI Learning is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: