Chapter 18
Development, Acquisition, and Maintenance of Information Systems
Chapter 20
Software development
Auditor’s Role in Software Development
Project management is adequate
Delivered as required
Benefits are realized by the organization
Controls are built-in
Objective and separate from team
Review phase deliverables
Report to senior management during the development process
Systems Development Controls
Project management
SDLC methodology
Staff hiring policies
Training
Technical review
Management review and approval
Audit participation
Testing
Post-implementation review
Checklists
Documentation
Software Development Methods
Waterfall
Cleanroom
Iterative Development
Prototyping (Reuse)
Modified Prototype Method (MPM)
Rapid Application Development (RAD)
Joint Analysis Development (JAD)
Extreme Programming
Systems Development Life Cycle (SDLC)
Project Initiation & Planning
Functional Requirements
Systems Design
Development
Acceptance
Implementation
Operations Support
Enhancements
Controls at System Level
Peer reviews
Operating procedures
Job and system documentation
Restart and recovery procedures
Logging
Controlled library
Controls at Application Level
Edit controls
Completeness
Range checks
Data types
Data integrity
Reporting of erroneous data
Change Management
Formal procedure so that only authorized changes are placed in production
Cannot breach security policies
Separation of functions when placing changes in production
Fully tested and documented
Lifecycle management
Chapter 21
Audit & Control of Purchased Packages
Purchased Package Lifecycle
Review needs and requirements
Acquire software
Modify or customize
Acquire interface
User testing and acceptance
Maintenance and mods
Lifecycle management
Chapter 22
Audit Role in Feasibility & Conversion
Auditor Involvement in Feasibility Study
Strategy is effective
Vendor selection is unbiased
Requirements are complete and stated clearly
Architecture supports new system
Time, resource, and cost budget are complete and accurate
Project management plan
Feasibility Study Pitfalls
Expensive system
Does not meet user needs
Competitive advantage in the marketplace
Risk was not properly assessed
Lifecycle management
Chapter 23
Application Controls
Application Control
Input
Processing
Output
Programs
Availability
Computer Assisted Audit Tools (CAATs) for auditors
Source code review
Confirmation of results
Test data
Integrated test facility
Snapshot
Sampling
Parallel simulation
Application Control Objectives
Accuracy
Completeness
Validity
Integrity
Confidentiality
Availability
Input Objectives and Controls
Complete
Control total reconciliation
Activity logging
Accurate
Data validation
Document scanning
Entered only once
Pre-numbered documents
Document cancellation
Processing Objectives and Controls
Complete
Control totals
Errors are reported
Exception reports
Error logs
Processed only once
Accurate
Reasonableness tests
Controlled
Restricted access
Segregation of duties
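The edit controls listed under Controls at Application Level and the input and processing controls above (completeness, data types, range checks, entered only once, control total reconciliation, reasonableness tests, exception reporting) are easiest to understand in code. The following Python is an added illustration, not part of the course notes: the batch header, the issued document range, the amount limit, the processing date and the five sample records are all constructed for the demo, and one record breaks each control so the exception report has something to show.

```python
"""Application-level input and processing edit controls over a constructed batch."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, InvalidOperation

# --- Assumed edit rules for this demo (not from the notes) -------------------
REQUIRED_FIELDS = ("doc_no", "vendor", "amount", "posted")
MAX_AMOUNT = Decimal("50000.00")   # assumed per-document range limit
ISSUED_DOCS = range(1001, 1006)    # pre-numbered documents issued for this batch
BATCH_DATE = date(2024, 3, 6)      # assumed processing date for the reasonableness test

# Batch header as submitted with the documents (constructed): the control totals
# are reconciled against what was actually received before records are edited.
HEADER = {"record_count": 5, "amount_total": "61350.00"}

# Constructed input records; each comment names the control it should trip.
RECORDS = [
    {"doc_no": 1001, "vendor": "V-17", "amount": "250.00", "posted": "2024-03-04"},
    {"doc_no": 1002, "vendor": "V-03", "amount": "400.00", "posted": "2024-03-04"},
    {"doc_no": 1002, "vendor": "V-03", "amount": "400.00", "posted": "2024-03-04"},    # keyed twice
    {"doc_no": 1004, "vendor": "", "amount": "300.00", "posted": "2024-03-05"},        # vendor missing
    {"doc_no": 1005, "vendor": "V-22", "amount": "60000.00", "posted": "2024-03-09"},  # over limit, future date
]


@dataclass(frozen=True)
class Finding:
    doc_no: object   # raw value, because the document number itself may be invalid
    control: str     # which edit control fired
    detail: str


def reconcile_control_totals(header: dict, records: list) -> list:
    """Batch-level completeness: the received batch must match the submitted totals."""
    findings = []
    if len(records) != header["record_count"]:
        findings.append(Finding(None, "control_total",
                                f"record count {len(records)} != header {header['record_count']}"))
    total = Decimal("0")
    for rec in records:
        try:
            total += Decimal(str(rec.get("amount", "")))
        except InvalidOperation:
            pass  # non-numeric amounts are reported by the record-level data type edit
    if total != Decimal(str(header["amount_total"])):
        findings.append(Finding(None, "control_total",
                                f"amount total {total} != header {header['amount_total']}"))
    return findings


def check_record(rec: dict, seen: set) -> list:
    """Record-level edits; `seen` carries document numbers already accepted in this batch."""
    findings = []
    doc = rec.get("doc_no")
    # Completeness: every required field present and non-blank
    for name in REQUIRED_FIELDS:
        if rec.get(name) in (None, ""):
            findings.append(Finding(doc, "completeness", f"missing {name}"))
    # Validity and entered-only-once: the document must be one we issued, seen once
    if not isinstance(doc, int) or doc not in ISSUED_DOCS:
        findings.append(Finding(doc, "validity", "doc_no not in issued range"))
    elif doc in seen:
        findings.append(Finding(doc, "duplicate", "document already entered"))
    else:
        seen.add(doc)
    # Data type and range checks on the amount
    try:
        amt = Decimal(str(rec.get("amount", "")))
    except InvalidOperation:
        findings.append(Finding(doc, "data_type", "amount is not numeric"))
    else:
        if not (Decimal("0") < amt <= MAX_AMOUNT):
            findings.append(Finding(doc, "range", f"amount {amt} outside (0, {MAX_AMOUNT}]"))
    # Data type and reasonableness test on the posting date
    try:
        posted = date.fromisoformat(str(rec.get("posted", "")))
    except ValueError:
        findings.append(Finding(doc, "data_type", "posted is not an ISO date"))
    else:
        if posted > BATCH_DATE:
            findings.append(Finding(doc, "reasonableness", "posting date is in the future"))
    return findings


def process_batch(header: dict, records: list):
    """Return (accepted records, exception report). Rejected records never reach processing."""
    report = reconcile_control_totals(header, records)
    accepted, seen = [], set()
    for rec in records:
        findings = check_record(rec, seen)
        if findings:
            report.extend(findings)
        else:
            accepted.append(rec)
    return accepted, report


if __name__ == "__main__":
    accepted, report = process_batch(HEADER, RECORDS)
    print(f"accepted {len(accepted)} of {len(RECORDS)} records")
    for f in report:  # the exception report / error log
        print(f"doc {f.doc_no}: {f.control}: {f.detail}")
```

The batch-level check runs first so that a lost or altered record is caught against the submitted totals even when every surviving record passes its own edits; the duplicate keyed copy of document 1002 is rejected while the first copy is accepted, which is what "entered only once" with pre-numbered documents means in practice.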
Output Objectives and Controls
Complete
Transaction (audit) trails
Page numbers (1 of x)
Appropriately distributed
Restricted access
Distribution log
Program Control Objectives
Integrity of programs
Controlled changes to programs (ch 15)
Changes are tested
Changes are approved
Integrity of processing
Error messages when jobs terminate unsuccessfully
IT Service Delivery & Support
Chapter 24
Technical Infrastructure
Configuration Management
Requires 4 specific functions:
Identification → Mapping of the IT environment;
Control → Control over changes to your IT components;
Status → Act of monitoring of operational status, versions, patches and configurations;
Verification → Validating status of your IT components.
Computer Operations – Risks (Exposures)
Human error, hardware / software failure
Computer Operations – Controls
Operations – predefined processes or measures to address the exposures
Ex: using predefined run schedules; supervision when running critical operations / tasks;
Personnel – segregating critical