03 - System and Infrastructure Life Cycle Management

Transcript of 03 - System and Infrastructure Life Cycle Management

Page 1: 03 - System and Infrastructure Life Cycle Management

8/3/2019 03 - System and Infrastructure Life Cycle Management

http://slidepdf.com/reader/full/03-system-and-infrastructure-life-cycle-management 1/15

System and Infrastructure Life-Cycle Management

Page 2: 03 - System and Infrastructure Life Cycle Management

Learning Objectives

1. System Development Management Control and IS Audit
2. Audit OS & DB Controls
3. GAS: Efficient and Effective Tool
4. Auditing Application Controls
5. Auditing System Development, Acquisition and Maintenance

Page 3: 03 - System and Infrastructure Life Cycle Management

System Development Life Cycle

1. Systems planning
2. Systems analysis
3. Conceptual design
4. Systems evaluation and selection
5. Detailed design
6. Programming and testing systems
7. Systems implementation
8. Systems maintenance

Page 4: 03 - System and Infrastructure Life Cycle Management

Auditing OS and Database Controls

- Information needs to be secured to control specific risks
- Data physically reside on a hard disk
- The operating system envelops the hardware and is the primary link between the software and the physical data
- The store keeper logs into a menu that allows receipt of goods or issue of stocks
- The user does not need to know what OS is being used; the user's only interaction is with the application software

Page 5: 03 - System and Infrastructure Life Cycle Management

Auditing OS and Database Controls - Auditing OS

- Evaluate whether the security features have been enabled and parameters have been set to values consistent with the organization's security policy
- Some of the most common security parameters that can be evaluated are password rules, such as minimum password length, password history, password required, compulsory password aging, lock-out on unsuccessful logins, login station, and time restrictions.
- Ascertain whether access privileges given to various users are appropriate
- Obtain the list of user IDs in the system and map these with actual users
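The two checks on this slide (comparing OS security parameters against an expected baseline, and mapping system user IDs to actual people) as an added example; this is not code from the slides or from any audit tool. It assumes a login.defs-style key/value password-policy file, a hypothetical audit baseline of expected values, and a constructed HR roster and service-account list:

```python
"""Added example (not from the slides): an OS-level audit check of the
password parameters the slide lists, plus a user-ID-to-person mapping.
The policy file, the baseline values, the user list and the HR roster
below are constructed sample data; the baseline is a hypothetical one."""
import re

# Constructed sample of an OS password-policy file (login.defs style keys).
SAMPLE_LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
LOGIN_RETRIES   5
"""

# Hypothetical audit baseline: parameter -> (comparison, expected value).
BASELINE = {
    "PASS_MAX_DAYS": ("<=", 90),   # compulsory password aging
    "PASS_MIN_DAYS": (">=", 1),    # prevents immediate re-use after a change
    "PASS_MIN_LEN": (">=", 12),    # minimum password length
    "LOGIN_RETRIES": ("<=", 5),    # lock-out on unsuccessful logins
}


def parse_login_defs(text):
    """Parse KEY VALUE lines, ignoring comments; numeric values become ints."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\w+)\s+(\S+)", line)
        if m:
            key, value = m.groups()
            params[key] = int(value) if value.isdigit() else value
    return params


def evaluate_parameters(params, baseline=BASELINE):
    """Return (param, actual, expected, ok) per baseline entry; a parameter
    that is absent from the file is reported as a failed check."""
    ops = {"<=": lambda a, e: a <= e, ">=": lambda a, e: a >= e}
    findings = []
    for key, (op, expected) in baseline.items():
        actual = params.get(key)
        ok = isinstance(actual, int) and ops[op](actual, expected)
        findings.append((key, actual, f"{op} {expected}", ok))
    return findings


# Constructed list of OS user IDs, an HR roster and approved service accounts.
SAMPLE_OS_USERS = ["jsmith", "alee", "svc_backup", "tmp_contractor", "rpatel"]
SAMPLE_HR_ROSTER = {"jsmith": "J. Smith", "alee": "A. Lee", "rpatel": "R. Patel"}
SAMPLE_SERVICE_ACCOUNTS = {"svc_backup"}


def map_user_ids(os_users, roster, service_accounts):
    """Map each OS user ID to an actual person or an approved service
    account; anything that matches neither is an unmatched ID to follow up."""
    mapped, unmatched = {}, []
    for uid in os_users:
        if uid in roster:
            mapped[uid] = roster[uid]
        elif uid in service_accounts:
            mapped[uid] = "service account"
        else:
            unmatched.append(uid)
    return mapped, unmatched


if __name__ == "__main__":
    for key, actual, expected, ok in evaluate_parameters(parse_login_defs(SAMPLE_LOGIN_DEFS)):
        print(f"{'OK  ' if ok else 'FAIL'} {key}={actual} (expected {expected})")
    mapped, unmatched = map_user_ids(SAMPLE_OS_USERS, SAMPLE_HR_ROSTER, SAMPLE_SERVICE_ACCOUNTS)
    print("unmatched user IDs:", unmatched)
```

On the constructed file, three of the four parameters fail the baseline and one user ID (`tmp_contractor`) maps to nobody on the roster, which is exactly the kind of exception the slide's "map these with actual users" step is meant to surface.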

Page 6: 03 - System and Infrastructure Life Cycle Management

Auditing OS and Database Controls - Auditing Database

- Frequent use of a database
- The data in the DBMS can be manipulated directly, without the application. This can be done by using DBMS utilities and features, such as SQL (Structured Query Language), if the user can gain access to the DBMS
- Review security in the DBMS through a review of user IDs and the privileges associated with them
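The privilege review on this slide as an added example (not code from the slides): it looks for accounts that could manipulate production data directly through SQL, bypassing the application. The rows are constructed sample data in the shape of an `information_schema.table_privileges` listing, and the classification of `app_svc` as the only account expected to write is a hypothetical baseline:

```python
"""Added example (not from the slides): reviewing DBMS user IDs and their
privileges for direct-write access that bypasses the application's controls.
SAMPLE_PRIVILEGES, APPLICATION_ACCOUNTS and PRODUCTION_TABLES are constructed
sample data / a hypothetical baseline, not from any real system."""
from collections import defaultdict

# Constructed sample: one row per (grantee, table, privilege, is_grantable).
SAMPLE_PRIVILEGES = [
    ("app_svc",   "stock_issues", "SELECT", "NO"),
    ("app_svc",   "stock_issues", "INSERT", "NO"),
    ("app_svc",   "stock_issues", "UPDATE", "NO"),
    ("report_ro", "stock_issues", "SELECT", "NO"),   # read-only reporting: fine
    ("jsmith",    "stock_issues", "UPDATE", "NO"),   # a person with direct write access
    ("jsmith",    "stock_issues", "DELETE", "YES"),  # and able to pass it on
    ("alee",      "audit_log",    "DELETE", "NO"),   # could remove audit evidence
]

# Hypothetical baseline: accounts expected to write, and the production tables
# whose integrity the application controls are supposed to protect.
APPLICATION_ACCOUNTS = {"app_svc"}
PRODUCTION_TABLES = {"stock_issues", "audit_log"}
DML = {"INSERT", "UPDATE", "DELETE"}


def privileges_by_grantee(rows):
    """Summarise who holds what on which table; '*' marks WITH GRANT OPTION."""
    by_user = defaultdict(lambda: defaultdict(set))
    for grantee, table, priv, grantable in rows:
        by_user[grantee][table].add(priv + ("*" if grantable == "YES" else ""))
    return by_user


def review_privileges(rows, app_accounts=APPLICATION_ACCOUNTS, prod_tables=PRODUCTION_TABLES):
    """Return sorted (grantee, table, privilege, reason) findings for
    production tables: direct DML outside the application account, and any
    privilege held WITH GRANT OPTION."""
    findings = []
    for grantee, table, priv, grantable in rows:
        if table not in prod_tables:
            continue
        if priv in DML and grantee not in app_accounts:
            findings.append((grantee, table, priv, "direct DML outside the application account"))
        if grantable == "YES":
            findings.append((grantee, table, priv, "holds privilege WITH GRANT OPTION"))
    return sorted(findings)


if __name__ == "__main__":
    for grantee, tables in privileges_by_grantee(SAMPLE_PRIVILEGES).items():
        print(grantee, dict(tables))
    for finding in review_privileges(SAMPLE_PRIVILEGES):
        print("FINDING:", finding)
```

The review deliberately ignores `SELECT`: read access for reporting does not bypass input or processing controls, whereas `UPDATE`/`DELETE` held by a person rather than the application account does, and a grantable privilege means the population of such accounts can grow without a new grant from the DBA.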

Page 7: 03 - System and Infrastructure Life Cycle Management

Generalized Audit Software - Effective and Efficient Tool for Today's IT Audits

- Experts say that generalized audit software (GAS) is the most common computer-assisted audit tool (CAAT) used in recent years
- IT auditors benefit from the profitable return on learning and using GAS
- Computerized antifraud audit procedures can be run regularly against organizational databases
- GAS can be useful in testing internal controls embedded in information systems
- Demands on IT and internal auditors are increasing
- GAS makes it more efficient to fulfill all of these responsibilities

Page 8: 03 - System and Infrastructure Life Cycle Management

Benefits of Using a GAS

- The auditor does not review a sample of the data, but rather reviews or examines 100 percent of the data and transactions
- Using ACL to analyze transactions, or to data mine
- The data in ACL are locked down as read-only
- The commands in ACL are auditor-friendly

Page 9: 03 - System and Infrastructure Life Cycle Management

Auditing Application Controls

- IS auditor's tasks:
  - Identifying the significant application
  - Identifying the application control strengths and evaluating the impact of the control weaknesses
  - Reviewing application system documentation to provide an understanding of the functionality of the application

Page 10: 03 - System and Infrastructure Life Cycle Management

Data Integrity Testing

- A set of substantive tests that examines the accuracy, completeness, consistency and authorization of data
- Will indicate failures in input or processing controls
- Controls for ensuring the integrity of accumulated data in a file can be exercised by regularly checking the data in the file
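The substantive tests on this slide, run the way the GAS slides describe (over 100 percent of the transactions, not a sample), as an added example that is not code from the slides or from ACL. The transaction file, the field names and the list of authorized approvers are constructed sample data:

```python
"""Added example (not from the slides): data-integrity tests over every
transaction in a constructed stock-issue file, one test for each property
the slide names: accuracy, completeness, consistency and authorization.
SAMPLE_CSV, the field names and AUTHORIZED_APPROVERS are constructed."""
import csv
import io

# Constructed sample file, as a GAS tool would load it read-only.
SAMPLE_CSV = """\
txn_id,date,item,qty,unit_cost,total,approved_by
1001,2019-08-01,BOLT-10,100,0.25,25.00,alee
1002,2019-08-01,NUT-10,50,0.10,5.00,alee
1003,2019-08-02,WASHER-5,,0.05,1.00,rpatel
1004,2019-08-02,BOLT-10,10,0.25,3.00,alee
1005,2019-08-03,NUT-10,20,0.10,2.00,tmp_user
1006,2019-08-03,NUT-10,-5,0.10,-0.50,alee
"""

# Hypothetical authorization list: who may approve a stock issue.
AUTHORIZED_APPROVERS = {"alee", "rpatel"}
REQUIRED_FIELDS = ("txn_id", "date", "item", "qty", "unit_cost", "total", "approved_by")


def load_transactions(text):
    return list(csv.DictReader(io.StringIO(text)))


def check_transaction(row, approvers=AUTHORIZED_APPROVERS):
    """Return a list of (test, message) exceptions for one transaction."""
    problems = []
    # Completeness: every required field is populated.
    missing = [f for f in REQUIRED_FIELDS if not row.get(f)]
    if missing:
        problems.append(("completeness", "missing " + ",".join(missing)))
    # Accuracy: numeric fields parse, and an issued quantity is positive.
    try:
        qty = float(row["qty"]) if row["qty"] else None
        unit_cost = float(row["unit_cost"])
        total = float(row["total"])
    except ValueError as exc:
        problems.append(("accuracy", f"non-numeric value: {exc}"))
        return problems
    if qty is not None and qty <= 0:
        problems.append(("accuracy", f"qty {qty} is not positive"))
    # Consistency: the stored total must agree with qty * unit_cost.
    if qty is not None and abs(qty * unit_cost - total) > 0.005:
        problems.append(("consistency", f"total {total} != qty*unit_cost {qty * unit_cost:.2f}"))
    # Authorization: the approver must be on the authorized list.
    if row["approved_by"] not in approvers:
        problems.append(("authorization", f"approver {row['approved_by']!r} not authorized"))
    return problems


def run_integrity_checks(text):
    """Test every row (the full population) and return {txn_id: exceptions}
    for the rows that failed at least one test."""
    exceptions = {}
    for row in load_transactions(text):
        problems = check_transaction(row)
        if problems:
            exceptions[row["txn_id"]] = problems
    return exceptions


if __name__ == "__main__":
    for txn, probs in run_integrity_checks(SAMPLE_CSV).items():
        for test, msg in probs:
            print(f"{txn}: {test}: {msg}")
```

Each exception points at a control rather than just a record: a missing quantity or a negative issue is an input-control failure, a total that disagrees with quantity times cost is a processing-control failure, and an approver who is not on the list is an authorization failure.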

Page 11: 03 - System and Infrastructure Life Cycle Management

Data Integrity in Online TPS

- Atomicity: From a user perspective, a transaction is either completed in its entirety (i.e., all relevant database tables are updated) or not at all. If an error or interruption occurs, all changes made up to that point are backed out.
- Consistency: All integrity conditions in the database are maintained with each transaction, taking the database from one consistent state into another consistent state.

Page 12: 03 - System and Infrastructure Life Cycle Management

Data Integrity in Online TPS

- Isolation: Each transaction is isolated from other transactions, and hence each transaction only accesses data that are part of a consistent database state.
- Durability: If a transaction has been reported back to a user as complete, the resulting changes to the database survive subsequent hardware or software failures.
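The four properties from these two slides, demonstrated on a small stock-issue transaction with Python's built-in sqlite3. This is an added example, not from the slides: the stock and issues tables, the store-keeper scenario and the quantities are constructed, and the temporary database file stands in for the production database.

```python
"""Added example (not from the slides): atomicity, consistency, isolation
and durability of an online TPS transaction, shown with sqlite3. The schema,
the starting stock and the transactions are constructed sample data."""
import os
import shutil
import sqlite3
import tempfile

SCHEMA = """
CREATE TABLE stock (
    item TEXT PRIMARY KEY,
    qty  INTEGER NOT NULL CHECK (qty >= 0)        -- integrity condition
);
CREATE TABLE issues (
    issue_id INTEGER PRIMARY KEY,
    item TEXT NOT NULL REFERENCES stock(item),
    qty  INTEGER NOT NULL CHECK (qty > 0)
);
"""


def new_db(path):
    con = sqlite3.connect(path, isolation_level=None)  # explicit BEGIN/COMMIT below
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript(SCHEMA)
    con.execute("INSERT INTO stock VALUES ('BOLT-10', 100)")
    return con


def issue_stock(con, item, qty):
    """Issue goods as one transaction: record the issue, then decrement stock.
    Both statements commit or neither does (atomicity); the CHECK constraint
    refuses a decrement that would take stock negative (consistency)."""
    try:
        con.execute("BEGIN")
        con.execute("INSERT INTO issues (item, qty) VALUES (?, ?)", (item, qty))
        con.execute("UPDATE stock SET qty = qty - ? WHERE item = ?", (qty, item))
        con.execute("COMMIT")
        return True
    except sqlite3.Error:
        con.execute("ROLLBACK")  # backs out the INSERT made before the failure
        return False


def stock_level(con, item):
    return con.execute("SELECT qty FROM stock WHERE item = ?", (item,)).fetchone()[0]


def issue_count(con):
    return con.execute("SELECT COUNT(*) FROM issues").fetchone()[0]


def demonstrate_acid():
    """Return one True/False observation per ACID property."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "tps.db")
    result = {}
    try:
        con = new_db(path)
        # Atomicity + consistency: issuing 150 of 100 violates the CHECK on the
        # UPDATE, and the issue row inserted just before is backed out too.
        ok = issue_stock(con, "BOLT-10", 150)
        result["atomicity"] = (not ok) and issue_count(con) == 0
        result["consistency"] = stock_level(con, "BOLT-10") == 100
        # Isolation: a second connection sees only the committed state while
        # the first holds an uncommitted decrement.
        con.execute("BEGIN")
        con.execute("UPDATE stock SET qty = qty - 30 WHERE item = 'BOLT-10'")
        other = sqlite3.connect(path)
        seen_by_other = stock_level(other, "BOLT-10")
        other.close()
        con.execute("COMMIT")
        result["isolation"] = seen_by_other == 100 and stock_level(con, "BOLT-10") == 70
        # Durability: after the commit is reported, closing and reopening the
        # database file still shows the change.
        con.close()
        reopened = sqlite3.connect(path)
        result["durability"] = stock_level(reopened, "BOLT-10") == 70
        reopened.close()
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)
    return result


if __name__ == "__main__":
    for prop, held in demonstrate_acid().items():
        print(f"{prop}: {'held' if held else 'VIOLATED'}")
```

The atomicity case is the one auditors care about most: the `INSERT` into `issues` succeeded on its own, and only the explicit `ROLLBACK` keeps the file from recording an issue that never reduced stock. Application code that commits statement by statement, or swallows the error without rolling back, would leave exactly that inconsistency behind.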

Page 13: 03 - System and Infrastructure Life Cycle Management

Auditing System Development, Acquisition and Maintenance

- IS auditor's tasks:
  - Meet with key systems development and user project team members
  - Discuss to determine and rank the major risks
  - Identify controls to mitigate the risks
  - Evaluate the design of the system and implementation of controls

Page 14: 03 - System and Infrastructure Life Cycle Management

Auditing System Development, Acquisition and Maintenance

- IS auditor's tasks:
  - Periodically meet to monitor the systems development process
  - Post-implementation reviews
  - Review appropriate documentation
  - Discuss and examine supporting records to test the system

Page 15: 03 - System and Infrastructure Life Cycle Management

Auditing System Development, Acquisition and Maintenance

- IS auditor's tasks:
  - Analyze test results and other audit evidence to evaluate the system maintenance process to determine whether control objectives were achieved.
  - Identify and test existing controls to determine the adequacy of production library security to ensure the integrity of the production resources
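One concrete test of the last task on this slide, as an added example that is not code from the slides: checking the integrity of production library resources against an approved baseline of file hashes, so that a program changed, added or removed outside the change-control process shows up. The "library" is a temporary directory of constructed files, and the baseline manifest format (relative path to SHA-256) is a hypothetical convention:

```python
"""Added example (not from the slides): a production-library integrity test
comparing the current contents of a program library against an approved
baseline manifest. The library contents and the changes made to them are
a constructed scenario; the manifest format is hypothetical."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(library_dir):
    """Hash every file under the library, keyed by path relative to its root."""
    manifest = {}
    for root, _, files in os.walk(library_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, library_dir)] = sha256_of(full)
    return manifest


def compare_to_baseline(baseline, current):
    """Return the changed, added and removed paths relative to the approved baseline."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}


def simulate_library_review():
    """Constructed scenario: take a baseline of an approved library, then make
    an unapproved edit, an unapproved addition and a deletion, and show that
    the review reports each of them."""
    lib = tempfile.mkdtemp()
    try:
        approved = {
            "bin/issue_stock": b"#!/bin/sh\necho issue\n",
            "bin/receive_goods": b"#!/bin/sh\necho receive\n",
            "config/app.cfg": b"mode=production\n",
        }
        for rel, body in approved.items():
            full = os.path.join(lib, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(body)
        baseline = build_manifest(lib)          # taken at release approval
        # Changes made outside the approved change process:
        with open(os.path.join(lib, "bin/issue_stock"), "ab") as f:
            f.write(b"echo unapproved edit\n")   # modified program
        with open(os.path.join(lib, "bin/debug_tool"), "wb") as f:
            f.write(b"#!/bin/sh\n")              # program that was never approved
        os.remove(os.path.join(lib, "config/app.cfg"))  # missing resource
        return compare_to_baseline(baseline, build_manifest(lib))
    finally:
        shutil.rmtree(lib, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in simulate_library_review().items():
        print(f"{kind}: {paths}")
```

The value of the test depends on where the baseline lives: a manifest stored inside the same library, writable by the same accounts, proves nothing, so the baseline belongs with the change-control records and the comparison is run from an account that cannot write to the library.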