A framework for legacy source code audit analytics

Research output: Contribution to journalArticlepeer-review

1 Scopus citations


An internal audit engagement at a large bank revealed that legacy software code can represent significant risk to an organization. In this engagement, several instances of malicious COBOL source code were discovered through manual inspection and identification. The internal auditors were concerned that more instances of faulty code could be in the production environment, and that manually inspecting over 100 million lines of source code would be infeasible. Under their auspices, I developed the Retrospective Static Source Code Analysis Framework for automatically identifying source code files likely to contain source code faults. We implemented this audit analytic framework in a tool called COBOL Analyzer. Using the tool, the auditors discovered thousands of potential source code files with faults and, using a ranking method, audited the most suspicious ones. The tool was deemed a success and it is undergoing further development by the internal audit team.

Original languageEnglish (US)
Pages (from-to)67-75
Number of pages9
JournalJournal of Emerging Technologies in Accounting
Issue number2
StatePublished - Sep 2018

All Science Journal Classification (ASJC) codes

  • Accounting
  • Computer Science Applications


  • Audit analytics
  • Internal audit
  • Legacy code
  • Source code analysis


Dive into the research topics of 'A framework for legacy source code audit analytics'. Together they form a unique fingerprint.

Cite this