An internal audit engagement at a large bank revealed that legacy software code can represent significant risk to an organization. In this engagement, several instances of malicious COBOL source code were discovered through manual inspection and identification. The internal auditors were concerned that more instances of faulty code could exist in the production environment, and that manually inspecting over 100 million lines of source code would be infeasible. Under their auspices, I developed the Retrospective Static Source Code Analysis Framework for automatically identifying source code files likely to contain source code faults. We implemented this audit analytic framework in a tool called COBOL Analyzer. Using the tool, the auditors discovered thousands of source code files potentially containing faults and, using a ranking method, audited the most suspicious ones. The tool was deemed a success, and it is undergoing further development by the internal audit team.
All Science Journal Classification (ASJC) codes
- Computer Science Applications
- Audit analytics
- Internal audit
- Legacy code
- Source code analysis