Abstract
Computer software is ubiquitous, and our information-based society depends on it
extensively. However, little consideration is given to the complex task of developing
software, which may involve conflicting objectives.
Developing software that is free from material defects is the ultimate goal for
software developers; however, due to its cost and complexity, it is a goal that is
unlikely to be achieved. As a consequence of the inevitable defects that manifest
within computer software, the task of software patch management becomes a key
focus area for software companies, IT departments, and even end users.
Audit departments, as part of their responsibilities, are required to provide assurance
on the patching process and therefore need to understand the various decision-making
factors. The task of patching software to rectify inherent flaws may be a
simple operation on computer systems that are of low significance, but is far more
complex and critical on high-risk systems. Software flaws that exist within computer
systems may put confidential information at risk and may also compromise the
availability of such systems. One of the environments that is extremely susceptible to
software flaws is the South African banking system, where not only is confidentiality
a critical imperative, but also where high system availability is expected by the
banking public.
The study investigated the recommended approaches to the task of software
patching, with a view to balancing the sometimes conflicting requirements of security
and system availability. The reasons for software patching, together with the discipline
of IT risk management as it applies to software patching, are also identified as
fundamental to the audit approach for assessing the process.
The study found that a number of key aspects are required to ensure a
successful patching process, and that the internal auditors of the ‘big four’ South
African banks considered most of these factors to be important. Despite these
organisations being extremely mature from a risk management perspective, the
auditors believed that the patching process may benefit from an increased focus on
risk management.
M.Com. (Computer Auditing)