Application Programmers

Exploitation by a deceptive application programmer can occur during application development and maintenance. Programs must be compared against the object code or against the programs in active storage themselves.

Inspect code for:

Trap doors

Allow special functions to be performed using a special code or userid.

Trojan horses

Allow for special processing after a certain date.

Bombs

Cause data set damage after a certain date, such as employee termination.
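
As a starting point for this kind of inspection, the following added example (not part of the original guide) flags comparisons against hard-coded userids and hard-coded dates, the shape that the trap door and date-triggered descriptions above have in common. The rule patterns, variable names, and COBOL-like sample are assumptions constructed for illustration; findings are leads for manual review, not proof of intent.

```python
import re

# Heuristic review rules (assumptions of this example, not an exhaustive detector).
# Each one flags a comparison of a userid-like or date-like field against a
# literal value embedded in the program.
RULES = {
    "hardcoded-userid": re.compile(
        r"\b[\w-]*(?:USER|OPER|LOGON)[\w-]*\s*(?:==|=)\s*['\"][^'\"]+['\"]",
        re.IGNORECASE),
    "hardcoded-date": re.compile(
        r"\b[\w-]*DATE[\w-]*\s*(?:>=|<=|==|=|>|<)\s*"
        r"['\"]?(?:\d{4}[-/]\d{2}[-/]\d{2}|\d{6,8})\b",
        re.IGNORECASE),
}

# Constructed sample source (hypothetical names, not taken from any real program).
SAMPLE = """\
       IF WS-USERID = 'ZZADMIN9'
           PERFORM SKIP-AUTH-CHECKS
       END-IF
       IF WS-CURRENT-DATE > 20251231
           PERFORM PURGE-PAYROLL-FILE
       END-IF
       IF WS-USERID = WS-RECORD-OWNER
           PERFORM UPDATE-RECORD
       END-IF
      * IF WS-RUN-DATE = 20240101 (commented out)
       MOVE WS-RUN-DATE TO RPT-DATE
"""

def review(source: str):
    """Return (line number, rule name, source text) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        # Skip comment lines; the comment markers checked here are an assumption.
        if line.lstrip().startswith(("*", "#", "//")):
            continue
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append((lineno, rule, line.strip()))
    return findings

if __name__ == "__main__":
    for lineno, rule, text in review(SAMPLE):
        print(f"line {lineno}: {rule}: {text}")
```

Comparisons between two fields, such as the record-owner check in the sample, are not flagged, because only literal values embedded in the program match these rules.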

The auditor must be involved in all stages of a program's life, especially during the design stage. Ensure that personnel who develop a program are not the individuals who test it. Fraud is more likely if only one person develops, tests, and implements a program. Fraud can also occur if a conspiracy exists among the developers, testers, and implementers. Separating these functions minimizes the risk.

In auditing applications already in use, determine if: