Let me first say that unless your auditors have a clue about what an AS/400 is, this can be a royal pain in the arse. I work at a US Dept of Justice location and have to deal with application audits all the time.
A strict definition (take a look at <a href="http://www.sans.org/reading_room/whitepapers/auditing/the_application_audit_process_a_guide_for_information_security_professionals_1534?show=1534.php&cat=auditing">This white paper</a> for more information) is:
“An application audit is a specific audit of one application.”
“Application Audits can also pertain to a business process that heavily relies on various information
Most of the time with application audits, the auditors want to know what security measures the application has. Depending on your AS/400 application, it may have none. Some typical legacy RPG apps had maybe menu security based on the user id. Auditors will also want to know that the system that hosts the application is secure.
The important thing to remember is that the AS/400 operating system provides lots of security – if you implement it correctly. You may want to do a Google search for “Security Best Practices” specifically for AS/400 or iSeries – there are references. NetIQ has a security package for the iSeries that came from a company called “Pentasafe” and I know they published a guide at one time.
Most of the guidelines the auditors work with are based on Windows-based systems. They may have no references to AS/400 or iSeries and you may need to find those “Best Practices” and then demonstrate that your system follows those guidelines.