IT AUDIT - Systems Development and Maintenance Activities
IT Auditing & Assurance, 2e, Hall & Singleton
Chapter 4: Systems Development & Maintenance Activities

PARTICIPANTS
• Systems professionals
• End users
• Stakeholders
ACCOUNTANTS
• Internal
• External
• Limitations of involvement

ACCOUNTANTS/AUDITORS
• Why are accountants/auditors involved?
  – Experts in financial transaction processes
  – Quality of AIS is determined in SDLC
• How are accountants involved?
  – Users (e.g., user views and accounting techniques)
  – Members of SDLC development team (e.g., Control Risk being minimized)
  – Auditors (e.g., auditable systems)

I.S. ACQUISITION
In-house development
Purchase commercial systems

TRENDS IN COMMERCIAL SOFTWARE
• Relatively low cost for general purpose software
• Industry-specific vendors
• Businesses too small to have in-house IS staff
• Downsizing & DDP

TYPES OF COMMERCIAL SYSTEMS
• Turnkey systems
  – General accounting systems
    • Typically in modules
  – Special-purpose systems
    • Example: banking
  – Office automation systems
    • Purpose is to improve productivity
• Backbone systems (ERP)
  – SAP, Peoplesoft, Baan, Movex
• Vendor-supported systems
  – Hybrids

COMMERCIAL SYSTEMS
• Advantages
  – Implementation time
  – Cost
  – Reliability
• Disadvantages
  – Independence
  – Customization needs
  – Maintenance
SYSTEMS DEVELOPMENT LIFE CYCLE (SDLC)
New systems
1. Systems planning
2. Systems analysis
3. Conceptual systems design
4. System evaluation and selection
5. Detailed design
6. System programming and testing
7. System implementation
8. System maintenance
SDLC -- Figure 4-1 [p.141]

SYSTEMS PLANNING – PHASE I
PURPOSE: To link individual systems projects to the strategic objectives of the firm.
• Link individual projects to strategic objectives of the firm - Figure 4-2 [p.142]
• Who does it?
  – Steering committee: CEO, CFO, CIO, senior mgmt., auditors, external parties
  – Ethics and auditing standards limit when auditors can serve on this committee
• Long-range planning: 3-5 years
• Allocation of resources - broad

SYSTEMS PLANNING-PHASE I
• Level 1 = Strategic systems planning
  – Why?
    1. A changing plan is better than no plan
    2. Reduces crises in systems development
    3. Provides authorization control for SDLC
    4. It works!
• Level 2 = Project planning
  – Project proposal
  – Project schedule

SYSTEMS PLANNING-PHASE I
• Auditor’s role in systems planning
  – Auditability
  – Security
  – Controls

SYSTEMS PLANNING-PHASE I SUMMARY
• Identify user’s needs
• Preparing proposals
• Evaluating proposals
• Prioritizing individual projects
• Scheduling work
• Project Plan – allocates resources to specific project
• Project Proposal – Go or not
• Project Schedule – represents mgmt’s commitment

SYSTEMS ANALYSIS-PHASE II
PURPOSE: Effectively identify and analyze the needs of the users for the new system.
• Survey step
  – Disadvantages:
    • Tar pit syndrome
    • Thinking inside the box
  – Advantages:
    • Identify aspects to keep
    • Forcing analysts to understand the system
    • Isolating the root of problem symptoms

SYSTEMS ANALYSIS-PHASE II
Gathering facts
• Data sources
• Users
• Data stores
• Processes
• Data flows
• Controls
• Transaction volumes
• Error rates
• Resource costs
• Bottlenecks
• Redundant operations

SYSTEMS ANALYSIS-PHASE II
• Fact-gathering techniques
  – Observation
  – Task participation
  – Personal interviews
  – Reviewing key documents (see list, p. 147)
• Systems analysis report
  – Figure 4-3 (p.148)
• Auditor’s role
  – CAATTs (e.g., embedded modules)

CONCEPTUAL SYSTEMS DESIGN-PHASE III
PURPOSE: Develop alternative systems that satisfy system requirements identified during system analysis
1. Top-down (structured design) [see Figure 4-4, p.150]
  – Designs general rather than specific
  – Enough details for design to demonstrate differences
  – Example: Figure 4-5, p. 151
2. Object-oriented approach (OOD)
  – Reusable objects
  – Creation of modules (library, inventory of objects)
3. Auditor’s role
  – Special auditability features

SYSTEM EVALUATION & SELECTION–PHASE IV
PURPOSE: Process that seeks to identify the optimal solution from the alternatives
1. Perform detailed feasibility study
  – Technical feasibility [existing IT or new IT?]
  – Legal feasibility
  – Operational feasibility
    • Degree of compatibility between the firm’s existing procedures and personnel skills, and requirements of the new system
  – Schedule feasibility [implementation]
2. Perform a cost-benefit analysis
  – Identify costs
  – Identify benefits
  – Compare the two

SYSTEM EVALUATION & SELECTION-PHASE IV
Cost-Benefit Analysis: Costs
ONE-TIME COSTS:
• Hardware acquisition
• Site preparation
• Software acquisition
• Systems design
• Programming
• Testing
• Data conversion
• Training
RECURRING COSTS:
• Hardware maintenance
• Software maintenance
• Insurance
• Supplies
• Personnel
• Allocated existing IS

SYSTEM EVALUATION & SELECTION–PHASE IV
Cost-Benefit Analysis: Benefits
TANGIBLE:
• Increased revenues
  – Increased sales in existing markets
  – Expansion into new markets
• Cost reduction
  – Labor reduction
  – Operating cost reduction
    • Supplies
    • Overhead
  – Reduced inventories
  – Less expensive eqpt.
  – Reduced eqpt. maint.
INTANGIBLE:
• Increased customer satisfaction
• Improved employee satisfaction
• More current information
• Improved decision making
• Faster response to competitors’ actions
• More effective operations
• Better internal and external communications
• Improved control environment

Cost-Benefit Analysis: Comparison
• NPV [Table 4-4]
• Payback [Figures 4-7a, 7b]
• BE
• Auditor’s role
  – Managerial accounting techniques
    • Escapable costs
    • Reasonable interest rates
    • Identify one-time and recurring costs
    • Realistic useful lives for competing projects
    • Determining financial values for intangible benefits

DETAILED DESIGN–PHASE V
PURPOSE: Produce a detailed description of the proposed system that satisfies system requirements identified during systems analysis and is in accordance with conceptual design.
• User views
• Database tables
• Processes
• Controls
i.e., a set of “blueprints”
DETAILED DESIGN– PHASE V
Quality Assurance
• “Walkthrough”
• Quality assurance

DETAILED DESIGN – PHASE V
Detailed Design Report
• Designs for input screens and source documents
• Designs for screen outputs, reports, operational documents
• Normalized database
• Database structures and diagrams
• Data flow diagrams (DFD’s)
• Database models (ER, Relational)
• Data dictionary
• Processing logic (flow charts)

SYSTEM PROGRAMMING & TESTING– PHASE VI
Program the Application
• Procedural languages
• Event-driven languages
• OO languages
• Programming the system
• Test the application [Figure 4-8]
  – Testing methodology
  – Testing offline before deploying online
  – Test data
    • Why?
    • Can provide valuable future benefits

SYSTEMS IMPLEMENTATION– PHASE VII
PURPOSE: Database structures are created and populated with data, applications are coded and tested, equipment is purchased and installed, employees are trained, the system is documented, and the new system is installed.
• Testing the entire system
• Documenting the system
  – Designer and programmer documentation
  – Operator documentation
  – User documentation
    • Novices
    • Occasional users
    • Frequent light users
    • Frequent power users
    • User handbook
    • Tutorials
    • Help features

SYSTEMS IMPLEMENTATION–PHASE VII
Conversion
• Converting the databases
  – Validation
  – Reconciliation
  – Backup
• Converting the new system
  – Go live … Auditor involvement virtually stops!
  – Cold turkey cutover
  – Phased cutover
  – Parallel operation cutover

SYSTEMS IMPLEMENTATION– PHASE VII
Post-Implementation Review
• Reviewed by independent team to measure the success of the system
  – Systems design adequacy [see list p. 170]
  – Accuracy of time, cost, and benefit estimates [see list p. 170]
• Auditor’s role
  – We’re back!!
  – Provide technical expertise
  – Specify documentation standards
  – Verify control adequacy
  – External auditors

SYSTEMS IMPLEMENTATION–PHASE VII
Auditors’ Role
• We’re back!!
• Provide technical expertise
  – AIS: GAAP, GAAS, SEC, IRS
  – Legal
  – Social / behavioral
  – IS/IT (if capable)
  – Effective and efficient ways to limit application testing
• Specify documentation standards
• Verify control adequacy
  – COSO – SAS No. 78 – PCAOB Standard #1
• Impact on scope of external auditors

SYSTEMS MAINTENANCE–PHASE VIII
PURPOSE: Changing systems to accommodate changes in user needs
• 80/20 rule
• Importance of documentation?
  – Facilitate efficient changes
  – Facilitate effective changes (at all!)

[Figure: SDLC phases and their documentation. Phases: Preliminary Feasibility, Project Authorization, Systems Planning, Systems Analysis, Conceptual Design, Systems Selection, Detailed Design, System Implementation. Documents: Project Proposal, Project Schedule, System Analysis Rpt, DFD (general), ER Diagram, Relational Model, Normalized Data, Feasibility Study, Cost-Benefit Analysis, System Selection Rpt, Detailed Design Rpt, Program Flowcharts, DFD (Detail), Post-Impl. Review, Documentation, User Acceptance Rpt]

A materially flawed financial application will eventually corrupt financial data, which will then be incorrectly reported in the financial statements. Therefore, the accuracy and integrity of the IS directly affect the accuracy of the client’s financial data.

CONTROLLING & AUDITING THE SDLC
Controlling New Systems Development
• Systems authorization activities
• User specification activities
• Technical design activities
  – Documentation is evidence of controls
  – Documentation is a control!
• Internal audit participation
• User test and acceptance procedures
• Audit objectives
• Audit procedures

CONTROLLING & AUDITING THE SDLC
Audit Objectives & Procedures
• Audit objectives
  – Verify SDLC activities are applied consistently and in accordance with management’s policies
  – Verify original system is free from material errors and fraud
  – Verify system necessary and justified
  – Verify documentation adequate and complete
• Audit procedures
  – How verify SDLC activities applied consistently?
  – How verify system is free from material errors and fraud?
  – How verify system is necessary?
  – How verify system is justified?
  – How verify documentation is adequate and complete?
  – See page 174 for a list

CONTROLLING & AUDITING THE SDLC
Controlling Systems Maintenance
Four minimum controls:
• Formal authorization
• Technical specifications
• Retesting
• Updating the documentation

CONTROLLING & AUDITING THE SDLC
Controlling Systems Maintenance
• Source program library controls
  – Why? What trying to prevent?
    • Unauthorized access
    • Unauthorized program changes
  – SPLMS [Figure 4-13, p. 177]
• SPLMS Controls
  – Storing programs on the SPL
  – Retrieving programs for maintenance purposes
  – Detecting obsolete programs
  – Documenting program changes (audit trail)

CONTROLLING & AUDITING THE SDLC
Controlled SPL Environment
• Password control
  – On a specific program
• Separate test libraries
• Audit trail and management reports
  – Describing software changes
• Program version numbers
• Controlling access to maintenance [SPL] commands

CONTROLLING & AUDITING THE SDLC
Audit Objectives & Procedures
• Audit objectives
  – Detect any unauthorized program changes
  – Verify that maintenance procedures protect applications from unauthorized changes
  – Verify applications are free from material errors
  – Verify SPL are protected from unauthorized access

CONTROLLING & AUDITING THE SDLC
Audit Objectives & Procedures
• Audit procedures: Figure 4-14, p.179
• Identify unauthorized changes
  – Reconcile program version numbers
  – Confirm maintenance authorization
• Identify application errors
  – Reconcile source code [after taking a sample]
  – Review test results
  – Retest the program
• Testing access to libraries
  – Review programmer authority tables
  – Test authority table
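
An added example (not from the slides or the textbook) of the "reconcile program version numbers" and "confirm maintenance authorization" procedures listed above, run over constructed records. It assumes version 1 is the original release and each authorized change raises the version by exactly one; the program names, request IDs and field names are hypothetical.

```python
"""Reconcile production version numbers against maintenance authorizations."""

# Constructed sample data; all names, IDs and fields are hypothetical.
# Assumption: version 1 is the original release and every authorized
# change raises the version number by exactly one.
PRODUCTION = {"AP_POST": 4, "GL_CLOSE": 2, "PAYROLL_CALC": 6}

AUTHORIZATIONS = [
    {"program": "AP_POST", "version": 2, "request": "CR-101", "approved_by": "jlee"},
    {"program": "AP_POST", "version": 3, "request": "CR-117", "approved_by": "jlee"},
    {"program": "AP_POST", "version": 4, "request": "CR-130", "approved_by": "mkhan"},
    {"program": "AP_POST", "version": 5, "request": "CR-140", "approved_by": "jlee"},
    {"program": "GL_CLOSE", "version": 2, "request": "CR-109", "approved_by": ""},
    {"program": "PAYROLL_CALC", "version": 2, "request": "CR-102", "approved_by": "jlee"},
    {"program": "PAYROLL_CALC", "version": 3, "request": "CR-111", "approved_by": "mkhan"},
    {"program": "PAYROLL_CALC", "version": 4, "request": "CR-125", "approved_by": "jlee"},
]


def reconcile(production, authorizations):
    """Return sorted (program, version, finding) audit exceptions."""
    approved = set()   # (program, version) pairs backed by a named approver
    findings = []
    for rec in authorizations:
        key = (rec["program"], rec["version"])
        if not rec["approved_by"].strip():
            findings.append(key + (f"{rec['request']} has no approver",))
        elif rec["version"] > production.get(rec["program"], 0):
            # Approved but never promoted, or production was rolled back.
            findings.append(key + ("authorized change not in production",))
        else:
            approved.add(key)

    flagged = {(p, v) for p, v, _ in findings}
    for program, current in production.items():
        # Each version after the original release needs its own authorization.
        for version in range(2, current + 1):
            key = (program, version)
            if key not in approved and key not in flagged:
                findings.append(key + ("no authorization on file",))
    return sorted(findings)


if __name__ == "__main__":
    for program, version, finding in reconcile(PRODUCTION, AUTHORIZATIONS):
        print(f"{program} v{version}: {finding}")
```

PAYROLL_CALC is the case the procedure exists to catch: production is at version 6 while the authorization file stops at version 4, so two changes reached production without a documented approval.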