Security Basics mailing list archives

Where is the head and tail?


From: WALI <hkhasgiwale () gmail com>
Date: Sat, 24 Feb 2007 10:18:09 +0400


So, I have been asked to undertake security auditing of a financial application whose source code we have recently acquired. The application is written in D2K with an Oracle backend.

As I understand it, my boss wants security procedures laid out before we start to implement this application across our branches in various countries. Also, he doesn't want any haphazard development to start whenever changes are requested by the accounts dept.

How should I start? Well, I can start by outlining the Change Management procedures that would be followed: segregation of duties between the various levels of developers, quality assurance, app admin etc. That's generic.

Then what? I am a novice when it comes to accounting and finance. Should I define workflows within the dept. of accounting? Should I sit with accountants and other users and get deep into the various things they do, and then look deeply inside each module of this finance application in order to study General Ledgers, Journal Vouchers, Accounts Receivable/Payable etc.? That would take months!!

Is there any set checklist for this kind of application auditing?
Any/all inputs would be highly appreciated. Please take some time out to enlighten me!!

