AAIS Tutor Classmates Answer

CIA 3002 ADVANCED ACCOUNTING INFORMATION SYSTEMS, Semester 1, Session 2021/22
List of Questions for Discussion (Part 1)

1st November 2021 (Groups A & B)

1) What are the four primary elements of the database environment?

A database environment is a collective system of components that comprises and regulates the
group of data, management, and use of data.

a) the users

b) the database management system (DBMS)

c) the database administrator

d) the physical database structures

2) What flat-file data management problems are solved as a result of using the database concept?

A. No data redundancy. Each data element is stored only once, thereby eliminating data redundancy and
reducing storage costs.
B. Single update. Because each data element exists only in one place, it requires only a single update
procedure. This reduces the time and cost of keeping the database current.
C. Current values. A change any user makes to the database yields current data values for all other users.
For example, when User 1 records a customer address change, User 3 has immediate access to this current
information.
D. Task-data independence. Users have access to the full domain of data available to the firm. As users’
information needs expand beyond their immediate domain, the new needs can be more easily satisfied
than under the flat-file approach. Only the limitations of the data available to the firm (the entire
database), and the legitimacy of their need to access it, constrain users.

3) Explain the relationship between the three levels of the data definition language. As a user,
which level would you be most interested in?

The three levels of the data definition language are internal view, conceptual view and user view.
The first level is the conceptual view (schema) which describes the entire database and
represents the database logically. The second level is internal which represents the physical
arrangement of the records which are being described and linkage between files are shown. The
final level is the user view (subschema) which is a set of data that is accessed by a specific user to
achieve his or her tasks. As a user, I would find the user view as the most interesting level which
provides an external view of the database to obtain information.

4) Discuss the potential aggravations you might face as a student because of your university’s
use of a flat-file data management environment.

From the perspective of a student, many issues could arise as a result of the use of flat-file data
management by the university. These include:
a. The overwhelming number of forms to fill in. Practice of the flat-file data would mean that
different departments within the university (e.g. bursary, registrar) are constrained by the data
that the particular department controls and owns, and not that of other departments. As a result,
students would be required to make sure every department obtains its own copy of the forms,
creating a lot more paperwork for all parties involved and a lengthier process of getting
things registered and done.
b. Inconsistency in students’ data. As updates in flat-file data management would
have to be made separately for each user (i.e. student), failure to make updates for all users affected
by a change would create inconsistency and confusion between students, as numerous versions
of data are obtained. This can be seen in a situation whereby a lecturer has made an update
to their assignment requirement, but the update failed to be made to all students consistently,
with the result that some students would carry out their assignment as per the older version of
their assignment requirement.
c. A lengthy process to get information changed. For instance, should a student have to make
changes to their home address, the student would again be required to make sure all
departments relevant to the information are notified of such change. This would make it
a lengthy process to make sure all departments have the current values of their information.

5) Discuss why control procedures over access to the data resource become more crucial under
the database approach than in the flat-file environment.

In a flat-file environment, all users have their own database, whereas in the database approach all
data and information are stored in the same database and all of the users share that
database. Hence control procedures are needed to make sure that users can only access
information which they are authorised to access.

The DBMS’s role is to provide controlled access to the database. It provides a controlled environment
by maintaining all the information on database usage so that users can effectively manage the
database and the resources. It is programmed to know which data elements each user is
authorized to access. This is done by using different techniques which include data manipulation
language, query language and data definition language. Besides, the DBMS has a copy of the
database when any conflicts occur for the database, so it can act as a backup.
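
The control described above, as an added example that is not part of the original answers: a shared table, a user view (subschema) that leaves out the salary column, and an authorization table that decides which role may read what. The table, view and role names are hypothetical, and SQLite's authorizer callback stands in for the DBMS's own authorization rules because SQLite has no GRANT statement.

```python
import sqlite3


def build_db():
    """Shared database: one base table and one user view (subschema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Employee (
            emp_id INTEGER PRIMARY KEY,
            name   TEXT NOT NULL,
            dept   TEXT NOT NULL,
            salary REAL NOT NULL
        );
        -- Constructed sample rows
        INSERT INTO Employee VALUES (1, 'Aina', 'Sales', 5200.0);
        INSERT INTO Employee VALUES (2, 'Bala', 'Audit', 6100.0);
        -- User view that omits the sensitive salary column
        CREATE VIEW Directory_View AS
            SELECT emp_id, name, dept FROM Employee;
    """)
    return conn


# Hypothetical authorization table: role -> objects that role may read.
AUTHORIZED = {
    "sales_clerk": {"Directory_View"},
    "payroll_officer": {"Directory_View", "Employee"},
}


def open_session(conn, role):
    """Attach the role's access rules to the connection (default is deny)."""
    allowed = AUTHORIZED.get(role, set())

    def authorizer(action, arg1, arg2, db_name, source):
        # Running a SELECT statement is allowed; what it may read is checked below.
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        # arg1 is the table or view being read; source is the view through
        # which a base table is being reached (None for direct access).
        if action == sqlite3.SQLITE_READ and (arg1 in allowed or source in allowed):
            return sqlite3.SQLITE_OK
        # Everything else (INSERT, UPDATE, DELETE, DDL, ...) is refused.
        return sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)
    return conn


def run(conn, sql):
    """Return the rows, or the string 'DENIED' when the DBMS refuses."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError:
        return "DENIED"


def demo():
    conn = build_db()
    results = {}
    open_session(conn, "sales_clerk")
    results["clerk_view"] = run(
        conn, "SELECT emp_id, name, dept FROM Directory_View ORDER BY emp_id")
    results["clerk_base_table"] = run(conn, "SELECT name, salary FROM Employee")
    results["clerk_delete"] = run(conn, "DELETE FROM Employee")
    open_session(conn, "payroll_officer")
    results["officer_base_table"] = run(
        conn, "SELECT name, salary FROM Employee ORDER BY emp_id")
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome)
```

The clerk reaches the shared data only through the view, so the salary column stays out of reach even though it sits in the same database.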

8th November 2021 (Groups C & D)

· Discuss and give an example of the following types of associations: (1:0,1), (1:M), and (M:M)

(1:1) - One-to-one relationship: relationship of one entity to only one other entity, and vice versa.

Example: Only one person can sit in one seat at each performance; the relationship between members
of the audience and a seat is therefore one-to-one. Each seat in the concert hall can be sold to one
person only for a particular performance; the relationship between the seat and the member of the
audience with a ticket for that seat is also one-to-one.

Example 2: one employee associates with one spouse

(1:M) - One-to-many relationship:

Example: several members of the orchestra each playing a violin

Example 2: one department has many employees

(M:M) - Many-to-many relationship: It can be separated into 1 to many

Example: A student can enroll in many classes; a class can have many enrolled students.

· What are the four characteristics of properly designed relational database tables?

1. All attribute values in any column must be of the same class.
2. Each column in a given table must be uniquely named.
3. Tables must conform to the rules of normalization. [free from structural dependencies including
repeating groups, partial dependencies and transitive dependencies]
4. The value of at least one attribute in each occurrence (row) must be unique. This attribute is the
primary key. The values of the other (non key) attributes in the row need not be unique.

· What are the conditions for the third normal form (3NF)?

Third normal form (3NF) is the normalization that occurs by dividing an unnormalized
database into smaller tables until all attributes in the resulting tables are uniquely and wholly
dependent on (explained by) the primary key.

A relation will be in 3NF if it is in 2NF and does not contain any transitive partial dependency.
3NF is used to reduce data duplication. It is also used to achieve data integrity. If there is no
transitive dependency for non-prime attributes, then the relation must be in third normal form.

· As an accountant, why would you need to be familiar with data normalization techniques?

Data normalization is a technique for organising data in a database. A database must
be normalised in order to reduce redundancy (duplicate data) and ensure that only related data is
stored in each table. It also prevents any problems caused by database changes like insertions,
deletions, and updates. The update anomaly, for example, can result in contradictory and obsolete
data values where the insertion anomaly can result in unrecorded transactions and incomplete audit
trails and the deletion anomaly can result in the loss of accounting records and the destruction of
audit trails. In order to gain a better understanding of the structure of the database system, as
accountants we should be familiar with the idea of data normalization techniques. This is because
normalization irregularities can jeopardize the quality of an organization's financial
reports, and accountants must know whether a table is properly normalized or not.

· Discuss the accounting implications of the update, insertion, and deletion anomalies associated
with improperly normalized tables.

Anomalies: The problems that occur due to poor planning and from databases which are not in
normalized tables. They weaken the reliability of data due to uneven changes in the data.

The accounting implications of the insertion, update and deletion
anomalies in an improperly normalized table are as follows:

Update anomaly: The update anomaly takes place when existing records are to be updated and
results in redundant data creation every time. Thus repetition of data occurs every time.

Insertion anomaly: This takes place when new data is to be inserted to update the database but
cannot be done as the primary key chosen for the table does not allow the new insertion to take
place.

Deletion anomaly: Deletion anomaly occurs when data gets deleted without notice or accidentally
without knowledge.

The insertion and update anomalies would create record-keeping and operational problems for the
firm. However, a flawed database design that prevents the insertion of records, or requires the user
to perform excessive updates, would attract attention quickly.

The presence of the deletion anomaly is less conspicuous, but potentially more serious from an
accounting perspective. Because the deletion anomaly may go undetected, the user may be unaware
of the loss of important data until it is too late. This anomaly can result in the unintentional loss of
critical accounting records and the destruction of the audit trail.
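
The three anomalies discussed above, shown on a small table as an added example that is not part of the original answers. The table layouts, part numbers and supplier names are constructed for illustration: an inventory table that also carries supplier details is compared with the same data split into a supplier table and an inventory table.

```python
import sqlite3


def flat_anomalies():
    """Improperly normalized: supplier details repeat on every part row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Inventory_Flat (
            part_no       TEXT PRIMARY KEY NOT NULL,
            description   TEXT,
            supplier_no   TEXT,
            supplier_name TEXT,
            supplier_addr TEXT
        );
        -- Constructed sample rows
        INSERT INTO Inventory_Flat VALUES
            ('P1', 'Bracket', 'S10', 'Alpha Supply', 'Ipoh'),
            ('P2', 'Gasket',  'S10', 'Alpha Supply', 'Ipoh'),
            ('P3', 'Brace',   'S20', 'Beta Trading', 'Klang');
    """)
    # Update anomaly: the address is corrected on one row only, so the
    # database now holds two contradictory addresses for supplier S10.
    conn.execute("UPDATE Inventory_Flat SET supplier_addr = 'Penang' "
                 "WHERE part_no = 'P1'")
    addresses = [r[0] for r in conn.execute(
        "SELECT DISTINCT supplier_addr FROM Inventory_Flat "
        "WHERE supplier_no = 'S10' ORDER BY supplier_addr")]
    # Insertion anomaly: a new supplier with no part yet has no primary key.
    try:
        conn.execute("INSERT INTO Inventory_Flat VALUES "
                     "(NULL, NULL, 'S30', 'Gamma Parts', 'Johor')")
        blocked = False
    except sqlite3.IntegrityError:
        blocked = True
    # Deletion anomaly: dropping the only part bought from S20 silently
    # removes every trace of that supplier.
    conn.execute("DELETE FROM Inventory_Flat WHERE part_no = 'P3'")
    s20_left = conn.execute("SELECT COUNT(*) FROM Inventory_Flat "
                            "WHERE supplier_no = 'S20'").fetchone()[0]
    return {"s10_addresses": addresses, "new_supplier_blocked": blocked,
            "s20_records_left": s20_left}


def normalized_results():
    """Same operations after the supplier data is moved to its own table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Supplier (
            supplier_no   TEXT PRIMARY KEY NOT NULL,
            supplier_name TEXT,
            supplier_addr TEXT
        );
        CREATE TABLE Inventory (
            part_no     TEXT PRIMARY KEY NOT NULL,
            description TEXT,
            supplier_no TEXT REFERENCES Supplier(supplier_no)
        );
        INSERT INTO Supplier VALUES
            ('S10', 'Alpha Supply', 'Ipoh'),
            ('S20', 'Beta Trading', 'Klang');
        INSERT INTO Inventory VALUES
            ('P1', 'Bracket', 'S10'),
            ('P2', 'Gasket',  'S10'),
            ('P3', 'Brace',   'S20');
    """)
    conn.execute("UPDATE Supplier SET supplier_addr = 'Penang' "
                 "WHERE supplier_no = 'S10'")
    addresses = [r[0] for r in conn.execute(
        "SELECT supplier_addr FROM Supplier WHERE supplier_no = 'S10'")]
    try:
        conn.execute("INSERT INTO Supplier VALUES "
                     "('S30', 'Gamma Parts', 'Johor')")
        blocked = False
    except sqlite3.IntegrityError:
        blocked = True
    conn.execute("DELETE FROM Inventory WHERE part_no = 'P3'")
    s20_left = conn.execute("SELECT COUNT(*) FROM Supplier "
                            "WHERE supplier_no = 'S20'").fetchone()[0]
    return {"s10_addresses": addresses, "new_supplier_blocked": blocked,
            "s20_records_left": s20_left}


if __name__ == "__main__":
    print("flat      :", flat_anomalies())
    print("normalized:", normalized_results())
```

Only the insertion fails with an error the user would see; the contradictory address and the vanished supplier are accepted by the flat table without any warning.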

• Discuss and give an example of the following types of associations: (1:0,1), (1:M),
and (M:M).

1:1 - zero or one instance of entity A can be associated with zero or one instance of entity B,
and zero or one instance of entity B can be associated with zero or one instance of entity A.

Example -> each employee has their own employee id

1:M - for one instance of entity A, there exists zero, one, or many instances of entity B; but
for one instance of entity B, there exists zero or one instance of entity A.

Example -> one customer might have more than one order

M:M - for one instance of entity A, there exists zero, one, or many instances of entity B; and
for one instance of entity B, there exists zero, one, or many instances of entity A.

Example -> one order might consist of many types of products, one product might appear in
many orders

• What are the four characteristics of properly designed relational database tables?
1. All attribute values in any column must be of the same class.
2. Each column in a given table must be uniquely named.
3. Tables must conform to the rules of normalization.
4. The value of at least one attribute in each occurrence (row) must be unique. This
attribute is the primary key. The values of the other (non key) attributes in the row need
not be unique.

Jialong, I think this is what Dr asked

The relational data model: https://opentextbc.ca/dbdesign01/chapter/chapter-7-the-relational-data-model/
What is a relational database: https://phoenixnap.com/kb/what-is-a-relational-database
Characteristics of database tables: https://www.relationaldbdesign.com/database-analysis/module2/characteristics-database-tables.php

• What are the conditions for third normal form (3NF)?

Conditions:
1. The relation must be in second normal form (2NF).
2. All transitive dependencies must be removed.

Normalization: https://opentextbc.ca/dbdesign01/chapter/chapter-12-normalization/
Third normal form: https://www.studytonight.com/dbms/third-normal-form.php
What is an attribute: https://afteracademy.com/blog/what-is-an-attribute

• As an accountant, why would you need to be familiar with data normalization
techniques?

What is data normalization: https://www.bmc.com/blogs/data-normalization/
What is data normalization and why it is important: https://www.import.io/post/what-is-data-normalization-and-why-is-it-important/

Data normalization: a technique of organizing the data into multiple related tables to reduce data
redundancy. In this case, standardized information entries can be produced. For instance,
data normalization applies to how codes and internet URLs are recorded.

Why do accountants need to be familiar?

- First of all, an accountant should be familiar with data normalization techniques in order
to get a clear understanding of the structure of the database system. Normalization
techniques follow standards that will improve the functionality for the
database user. Normalization is a general process for defining the contained fields that
belong to the tables in a relational database.
- Besides, there are some benefits that an accountant can obtain if they are familiar with
data normalization techniques, which are:
• Clear understanding of data
• Effective and efficient structure of database
• Easy to manage and maintain the database
• Elimination of redundancy

• Discuss the accounting implications of the update, insertion, and deletion
anomalies associated with improperly normalized tables.

Redundancy is a concern for databases since it makes it difficult to maintain data consistency.
For the insertion and update anomalies, the accounting implications concern record keeping.
This is due to inserting inconsistent information and partially updating information
in a table. It can also cause problems in the operation of the firm.

The deletion anomaly might cause major consequences because it is less obvious. Because the
deletion anomaly is tricky to detect, it may cause a company to lose important data.

Database design: https://opentextbc.ca/dbdesign01/chapter/chapter-10-er-modelling/

15 November 2021 (Groups E & F)

1. What is an REA diagram?

Capturing accounting performance in a triple accounting way which shows change in
shareholder wealth.

An REA diagram is a documentation technique and a unique version of the entity relationship diagram
(ER diagram) consisting of three entity types (resources, events and agents) and a set of associations
which link them with each other.

REA model can be represented with relational or object oriented databases but mostly with
relational because it is a more common business application. REA allows both accounting and
non-accounting data to be stored in the database.

Additional information about REA Model:

Elements of REA Model:

There are certain elements that are involved in the REA model. These elements are described
below:
• Resources: Economic resources are the things in an organization which have some economic
value. These are assets of the organization.
i.e. inventories, cash, equipment, property
• Events: There are two classes of events, economic events and support events. Economic events
are those which effect change in resources (increase or decrease) in an organization, while support
events include control and planning as well as management but do not directly affect change in
resources.
i.e. sales, cash receipts, purchases, cash disbursements
• Agents: An economic agent is a decision maker in a model.
i.e. employees, customers, clients, suppliers, vendors
They represent the category of those people and departments that are involved in events such
as the economic events and support events. Economic events consist of two common types of agents,
one internal and the other external.

Relationship between the three elements:

Duality is an economic exchange represented by a give event and corresponding receive event.
Economic events have a dual nature (duality), because they always involve give and receive.
Outflow is associated with give events, whereas inflow is associated with receive events.
Specific examples of give events are paying cash, which includes purchasing inventory, obtaining
employee time such as paying the salary for the employee, or buying plant and equipment.

The receive events are receiving the inventory, the employee time (the working hours of the
employee), as well as the plant and equipment that we have purchased.

The give event of the exchange decreases the economic resource, e.g. cash decreases. The
receive event of the exchange increases the economic resource and is represented by
an inflow association (inventory increases).

Example: In an economic event such as a sales transaction, which has a dual nature, i.e. duality,
the customers (external agent) buy products from the company and pay with cash.
It is an economic event as it causes the resources to change: the inventory decreases when
the customers buy it, and cash increases when the staff receives the cash from the customers.
The decrease in inventory represents the give event, while the increase in cash represents the
receive event.

Example from YouTube:

A wants to buy a book from B. When B sells A the book, B passes
his inventory to A.
The book is the resource, the sale is the event, B is the internal agent participating in the sale and A
is an external agent participating in the sale.

On the other hand, A pays money to B. This time the event is cash receipt, B is the internal agent
participating in the event by accepting cash and A is an external agent participating in the event by
paying the money. B will then deposit it in the bank. Cash in bank accounts is a resource that
increases due to the cash receipt event.

2. Distinguish between economic events and support events, with examples of each.

Economic events are phenomena that affect changes; it could be increases or decreases
in resources as represented by the stock flow relation.

Example: The result from activities such as sales of product to a customer (inventory
decreases when the product is shipped), receipt of cash from a customer (cash increases)
and purchases of raw material from a vendor (inventory increases, cash decreases when we
pay the supplier).

Whereas support events include control, planning, and management activities that are
related to the economic event, but they do not directly affect a change in resources.
Some examples of support events include determining inventory availability for a customer
prior to making a sale, verifying supporting information prior to disbursing cash to a vendor
or checking customer credit before processing a sale.

Additional Example:
Verify availability: once we ensure or confirm the product is available, only then do we take
orders. After we take orders we ship the product. Once we ship the product, we will
receive cash for the product.

Verify availability is a support event because it does not directly increase or decrease
resources. It is just like a checking process.

Take order could be either an economic or a support event, because taking an order typically
involves only a commitment on the part of the seller to sell goods to the customer. It may
even involve adjusting something, like decreasing the inventory available for sale to prevent it from
being sold or promised to another customer; that is, to reserve: once you have taken the
order, you will reserve this particular item for the customer.

Ship product is an economic event because it is the give event of the economic exchange
where it reduces the inventory resource directly. Having already shipped Product A means
Product A is no longer in my inventory.

Receiving cash is an economic event. This is the receive event of the exchange that
increases cash. So when we receive the cash, it increases our resource, which is
cash.

In the revenue cycle, economic events change only two resources.
Those are inventory and cash. For example, the ship product event reduces inventory, and
taking orders may reduce inventory in that, once the order is taken or captured, we probably put
aside this particular product or item that has been ordered by the customer.

Verifying availability does not change the inventory resources; it is just a support event.

3. Explain the relationship between cardinality and association.

Association - the relationship among record types
- describes the nature of the functional connection between two entities in a relation (it
means that A and B are related in some way, and how they are related will be measured using
cardinality to show their relation)
- in ERP diagram it is represented by lines drawn between different entities involved in the
relation

Cardinality - the numerical mapping between entity instances
- degree of association between two entities.
- describes the number of possible occurrences in one table that is associated with a single
occurrence in a related table.
- 4 basic forms: zero or one (0,1), one and only one (1,1), zero or many (0,M), and one or
many (1,M).

Relationship between cardinality and association

- Student ID & student courses have an association
- The degree of association between Student ID and courses is presented in the form of
one to many: one student may have many courses
- each student can be involved in no courses or many courses depending on whether he or she
has withdrawn from the semester or not

Sales example (cash receipt also)
- We have a sale as our event and the buyer as the external agent. The buyer could be
involved in a minimum of 0 sales and a maximum of many sales (assuming the buyer exists in
our database before participating in sales).
- Conversely, each sale is made to a minimum of 1 buyer and a maximum of 1 buyer (each
sale can involve only one buyer).
- Assuming that each sale is handled by one employer, the employer would be involved in a
minimum of 0 sales and a maximum of many sales. Each sale requires one employee to
process it.
- In the sales event, we have books as our resource. Each sale involves a minimum of 1
and a maximum of many books. Each book is involved in a minimum of 0 sales and a maximum
of many sales.

4. Explain how REA databases can support financial statement reporting when they do
not employ journals and ledgers.

Journals, ledgers, and double-entry bookkeeping are the traditional mechanisms for formatting
and transmitting accounting data, but they are not essential elements of an accounting database.
REA systems capture the essence of what accountants account for by modeling the underlying
economic phenomena directly. Organizations employing REA can thus produce financial
statements, journals, ledgers, and double-entry accounting reports directly from event database
tables via user views.

Example: If an REA database was used in a previous merchandising company I used to work at,
data for the financial statements would be extracted from the REA tables. For instance, the total
sales would be calculated from the sum of the invoice amount attribute in the ship product table
for all the items that were shipped before the end of the year. All the data necessary for the
financial statements would be extracted and calculated from the REA tables that are compiled
from the entire event data entered in the system.
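
How figures can come straight from event tables, as an added example that is not part of the original answers. The table names, columns, dates and amounts are constructed; total sales follows the calculation described above, and the year-end receivables view goes one step further by netting the give events (shipments) against the receive events (cash receipts).

```python
import sqlite3


def build_rea_db():
    """Event tables only: no journal, no ledger."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Customer (              -- external agent
            cust_no TEXT PRIMARY KEY NOT NULL,
            name    TEXT
        );
        CREATE TABLE Ship_Product (          -- give event
            invoice_no     TEXT PRIMARY KEY NOT NULL,
            cust_no        TEXT NOT NULL REFERENCES Customer(cust_no),
            ship_date      TEXT NOT NULL,
            invoice_amount REAL NOT NULL
        );
        CREATE TABLE Receive_Cash (          -- receive event
            remit_no     TEXT PRIMARY KEY NOT NULL,
            invoice_no   TEXT NOT NULL REFERENCES Ship_Product(invoice_no),
            receipt_date TEXT NOT NULL,
            amount       REAL NOT NULL
        );
        -- Constructed sample events
        INSERT INTO Customer VALUES ('C1', 'Customer One'), ('C2', 'Customer Two');
        INSERT INTO Ship_Product VALUES
            ('INV1', 'C1', '2021-03-10', 1000.0),
            ('INV2', 'C2', '2021-11-20', 2500.0),
            ('INV3', 'C1', '2022-01-05',  700.0);
        INSERT INTO Receive_Cash VALUES
            ('R1', 'INV1', '2021-04-01', 1000.0),
            ('R2', 'INV2', '2021-12-15', 1500.0),
            ('R3', 'INV2', '2022-01-10', 1000.0);

        -- User view: total sales = sum of invoice amounts shipped by year end
        CREATE VIEW Sales_FY2021 AS
            SELECT SUM(invoice_amount) AS total_sales
            FROM Ship_Product
            WHERE ship_date <= '2021-12-31';

        -- User view: receivables = shipped but not yet collected at year end
        CREATE VIEW Receivables_FY2021 AS
            SELECT s.invoice_no, s.cust_no,
                   s.invoice_amount - COALESCE(SUM(r.amount), 0) AS balance
            FROM Ship_Product s
            LEFT JOIN Receive_Cash r
                   ON r.invoice_no = s.invoice_no
                  AND r.receipt_date <= '2021-12-31'
            WHERE s.ship_date <= '2021-12-31'
            GROUP BY s.invoice_no, s.cust_no, s.invoice_amount
            HAVING s.invoice_amount - COALESCE(SUM(r.amount), 0) > 0;
    """)
    return conn


def financial_figures():
    conn = build_rea_db()
    total_sales = conn.execute(
        "SELECT total_sales FROM Sales_FY2021").fetchone()[0]
    receivables = conn.execute(
        "SELECT invoice_no, cust_no, balance FROM Receivables_FY2021 "
        "ORDER BY invoice_no").fetchall()
    return {"total_sales": total_sales, "receivables": receivables}


if __name__ == "__main__":
    print(financial_figures())
```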

Not captured by snapshot approach.
REA shows the flow of the economic activities clearly.
Show board we did a lot

5. Describe the minimum number and type of events that an REA (Resources, Entities,
and Agents) diagram must include.

An REA model must, as a minimum, include the two economic events that constitute the give
and receive activities that reduce and increase economic resources in the exchange.

Can also include support event which may not change the resources

Example of give activities- Ship Product is an economic event. This is the give half of an
economic exchange and reduces the inventory resource directly.

Example of receive activities- Receive Cash event is an economic event. This is the receive half
of the exchange that increases the cash resource

Difference with normal double accounting:
- REA: can merge all the REA diagrams, e.g. purchase and cash procedures + payroll
procedures

1. What is an REA diagram?

Answer: An REA diagram is an Entity-Relationship diagram that is designed using the
REA data model to identify the three basic kinds of entities relevant to transaction
processing systems:
● the resources controlled by the organizations,
● the events (business activities) that managers want to plan, control, and evaluate,
and
● the agents who participate in those events.

2. Distinguish between economic events and support events, with examples of each.

Ans: Economic events are occurrences that affect resource changes (increase or
decrease). OR
Something that’s going to have an immediate effect on financial statements.

Example: Sales of items to customers, receipt of cash from customers, and purchases of
raw materials from vendors.
It is a critical information element of the accounting system and must be captured in as
disaggregated (highly detailed) form as possible to provide a rich database.

Support events include control, planning, and management actions that are related to
economic events but do not directly affect a change in resources.
Example:
1) identifying product availability for a customer prior to sale
2) confirming supporting information (doing a three-way-match) prior to disbursing cash to
a vendor
3) evaluating customer credit before processing a sale.

Giving credit - E.E
Assessing debit - S.E

3. Explain the relationship between cardinality and association.

Ans:

Association simply describes the connection between entities, the nature of relationship that
exists between two entities. It describes how different entities are related to each other and
how they interact with each other. It is represented by lines drawn between different entities
involved in the relation.
Cardinality indicates the number of possible occurrences that one entity has relative to
another/ associated with a single occurrence in a related entity. You define the cardinality for
each association link between the association and the entity.

As we have learned in previous weeks, the four basic forms of cardinality

1. Zero or One

2. One and Only One

3. Zero or Many

4. One or Many

The relationship between cardinality and association can be explained as association linking
the entities and representing the connection between entities while cardinality shows the
number of possible occurrences that are associated with the related entities.

4. Explain how REA databases can support financial statement reporting when they do not
employ journals and ledgers.

Ans:

Journals, ledgers, and double-entry bookkeeping are the traditional mechanisms for
formatting and transmitting accounting data, but they are not essential elements of an
accounting database.

The REA system is a system that is able to support all information needed by all users by
modeling an organization’s critical resources, events and agents, as well as the
relationship between them. Therefore, for accounting purposes, REA systems capture the
essence of what accountants account for by modeling the underlying economic
phenomena directly and thus produce financial statements, journals, ledgers, and
double-entry accounting reports directly from event database tables via user views.

5. Describe the minimum number and type of events that an REA diagram must include.

Ans:
At the minimum, an REA diagram must include 2 types of economic events, which are
“give” economic events and “receive” economic events. In addition, REA diagrams may
also include support events which do not directly change the resources.
A give event is an economic event mirrored by another event in the opposite direction,
which involves the outflow of economic resources, while a receive event involves the
inflow of economic resources to external or internal agents.
For example, paying cash for raw material inventory. Paying cash is a type of give event,
while purchasing raw material inventory is a type of receive event. Let’s look into another
example, we use the raw material inventory purchased to produce finished products, using
raw material inventory is a give event, while producing finished products is a receive event.
These dual events constitute the give and receive event of an economic exchange.

While for support events, it does not involve any inflow or outflow of economic
resources, such as confirming the availability of goods, taking orders etc.

Additional material:
Steps to Create an Individual REA Diagram
Step 1: Identify the event entities
Step 2: Identify the resource entities (each event will be associated with an inflow and outflow of
economic resources)
Step 3: Identify the agent entities (Each economic event entity is associated with at least 2 agent
entities - internal -> employees, or external -> can be customers or vendors)
Step 4: Determine associations and cardinalities between entities
*Associations -> Relationship among all record types
*Cardinalities -> Numerical mapping between entity instances

Verifiability -> Take order -> Ship products -> Receive cash

Outflow = associated with GIVE EVENT
Inflow = associated with RECEIVE EVENT

22nd November 2021 (Group G & H)

● What are the five stages of the system development life cycle (SDLC) and the role of
accountants in it?

SDLC aims to produce a high quality system that meets or exceeds customer expectations,
works effectively and efficiently in the current and planned information technology
infrastructure, and is inexpensive to maintain and cost effective to enhance.

The SDLC has five phases: planning, analysis, design, implementation, maintenance

Planning: Obtain approval for project, Initiate, Assess feasibility, plan, schedule

Feasibility Study or Planning

● Define the problem and scope of existing system.
● Overview the new system and determine its objectives.
● Confirm project feasibility and produce the project Schedule.
● During this phase, threats, constraints, integration and security of system are also
considered.
● A feasibility report for the entire project is created at the end of this phase.

Analysis: Understand business needs and processing needs

Analysis and Specification

● Gather, analyze, and validate the information.
● Define the requirements and prototypes for new system.
● Evaluate the alternatives and prioritize the requirements.
● Examine the information needs of end-user and enhances the system goal.
● A Software Requirement Specification (SRS) document, which specifies the software,
hardware, functional, and network requirements of the system is prepared at the end of
this phase.

Design: Define solution system based on requirement and analysis decision

System Design

● Includes the design of application, network, databases, user interfaces, and system
interfaces.
● Transform the SRS document into logical structure, which contains detailed and
complete set of specifications that can be implemented in a programming language.
● Create a contingency, training, maintenance, and operation plan.
● Review the proposed design. Ensure that the final design must meet the requirements
stated in SRS document.
● Finally, prepare a design document which will be used during next phases.

Implementation: Construct, test, train users, install new system

System Implementation

● Implement the design into source code through coding.
● Combine all the modules together into training environment that detects errors and
defects.
● A test report which contains errors is prepared through test plan that includes test related
tasks such as test case generation, testing criteria, and resource allocation for testing.
● Integrate the information system into its environment and install the new system.

Maintenance: Keep system healthy and improve

Maintenance/Support

● Include all the activities such as phone support or physical on-site support for users that
is required once the system is installed.
● Implement the changes that software might undergo over a period of time, or implement
any new requirements after the software is deployed at the customer location.
● It also includes handling the residual errors and resolving any issues that may exist in the
system even after the testing phase.
● Maintenance and support may be needed for a longer time for large systems and for a
short time for smaller systems.

The accountant is responsible for every output of the software development lifecycle process.
The economy of an organization is based on the accountant. The accountant is proficient in budget
assessment and analysis. The accountant is a good designer and expert in data processing.
They are also involved in system development as an auditor to examine the development
process at continual intervals.

The accountant's responsibility:

- ensure that the systems apply proper accounting conventions and rules and possess
adequate controls
- provide a clear picture of their problems and needs
- act as members of the development team
- act as auditors, to ensure that the system is designed with appropriate computer audit
techniques.

Accountants’ role in system planning:

- provide expertise in evaluating the feasibility of projects during the planning
process
- examine the systems planning phase of the SDLC, ensuring that careful systems
planning is done to help prevent unnecessary development costs. Careful
system planning is a cost-effective activity in reducing the risk of creating
unneeded, unwanted, inefficient and ineffective systems. Both internal and external
auditors have vested interests in this outcome.

Accountants’ role in system analysis:

- Set up guidelines for a good, well-controlled system: internal control standards, audit
trail requirements, external reporting requirements and double-entry system.

Accountant’s role in system design:

- make sure that the current system’s weak points are eliminated while preserving its
strengths.
- Check whether any accounting considerations are overlooked that will expose the
organization to potential loss.

Accountant’s role in system implementation:

- conduct follow-up studies, acquire resources for the new system, and train new
or existing employees to use it.
- conduct follow-up studies on an ongoing basis in order to determine whether the new
system is successful
- identify any new problems with it.

Accountant’s role in system operation:

- verify whether the new system is able to meet the company objectives
- Report if there are any areas that require modification.
- Conduct periodic reviews of the internal control standards and maintenance of the system.
- use and test the system, give feedback

● Discuss the various feasibility measures that should be considered with example for
each. Who should be included in the group of evaluators?
A feasibility analysis
- assesses the project’s likelihood of success; hence, perceived objectivity is a significant aspect
of the study’s credibility for possible investors and financing institutions
- assesses the viability of a project, such as ensuring a project is legally and technically feasible
as well as economically reasonable.
- informs us whether a project is worth the effort; in some cases, a project may not be doable.

Technical Feasibility

This assessment focuses on the organization’s technological resources.

- assists companies in determining whether technical resources are enough and whether the
technical team is capable of translating ideas into workable systems.
- includes an assessment of the proposed system’s hardware, software, and other technological
needs.
- The technical requirements are then compared to the technical capability of the organization. The
systems project is considered technically feasible if the internal technical capability is sufficient to
support the project requirements.
- The analyst must find out whether current technical resources can be upgraded or added to in a
manner that fulfills the request under consideration.

The essential questions that help in testing the operational feasibility of a system:
∙ Is the project feasible within the limits of current technology?
∙ Does the technology exist at all?
∙ Is it available within given resource constraints?
∙ Is it a practical proposition?
∙ Manpower- programmers, testers & debuggers
∙ Software and hardware
∙ Are the current technical resources sufficient for the new system?
∙ Can they be upgraded to provide the level of technology necessary for the
new system?
∙ Do we possess the necessary technical expertise, and is the schedule reasonable?
∙ Can the technology be easily applied to current problems?
∙ Does the technology have the capacity to handle the solution?
∙ Do we currently possess the necessary technology?

Economic Feasibility

- This evaluation often includes a cost/benefit analysis of the project, which assists
businesses in determining the viability, cost, and advantages of a project before
allocating financial resources.
- functions as an impartial project evaluation and enhances project credibility by
assisting decision-makers in determining the positive economic advantages that the
proposed project would give to the business.
- the most frequently used method for evaluating the effectiveness of a new system.
- Determine the benefits and savings that are expected from a candidate system and
compare them with costs. If benefits outweigh costs, then the decision is made to design
and implement the system. An entrepreneur must accurately weigh the cost versus
benefits before taking an action.

Possible questions raised in economic analysis are:
∙ Is the system cost effective?
∙ Do benefits outweigh costs?
∙ The cost of doing full system study
∙ The cost of business employee time
∙ Estimated cost of hardware
∙ Estimated cost of software/software development
∙ Is the project possible, given the resource constraints?
∙ What are the savings that will result from the system?
∙ Cost of employees' time for study
∙ Cost of packaged software/software development
∙ Selection among alternative financing arrangements (rent/lease/purchase)

Operational Feasibility

- This evaluation entails researching to establish whether, and how well, the
organization’s needs can be addressed by finishing the project.
- looks at how a project plan meets the criteria specified during the system
development requirements analysis phase.
- Operational feasibility is a measure of how well a proposed system solves the problems
and takes advantage of the opportunities identified during scope definition, and how it
satisfies the requirements identified in the requirements analysis phase of system
development.
- Reviews the willingness of the organization to support the proposed system.
- To determine this feasibility, it is important to understand the management commitment
to the proposed project. If the request was initiated by management, it is likely that there
is management support and the system will be accepted and used. However, it is also
important that the employee base will be accepting of the change.
- The essential questions that help in testing the operational feasibility:
∙ Does current mode of operation provide adequate throughput and response time?
∙ Does current mode provide end users and managers with timely, pertinent, accurate and
useful formatted information?
∙ Does current mode of operation provide cost-effective information services to the
business?
∙ Could there be a reduction in cost and/or an increase in benefits?
∙ Does current mode of operation offer effective controls to protect against fraud and to
guarantee accuracy and security of data and information?
∙ Does current mode of operation make maximum use of available resources, including
people, time, and flow of forms?
∙ Does current mode of operation provide reliable services?
∙ Are the services flexible and expandable?
∙ Are the current work practices and procedures adequate to support the new system?
∙ If the system is developed, will it be used?
∙ Does management support the project?
∙ Are the users not happy with current business practices?
∙ Will it reduce the time (operation) considerably?
∙ Have the users been involved in the planning and development of the project?
∙ Will the proposed system really benefit the organization?
∙ Does the overall response increase?
∙ Will accessibility of information be lost?
∙ Will the system affect the customers in considerable way?
∙ How do the end-users feel about their role in the new system?
∙ What end-users or managers may resist or not use the system?
∙ How will the working environment of the end-user change?
∙ Can or will end-users and management adapt to the change?

Legal Feasibility

- Looks at whether any component of the planned project violates any regulations, such as
zoning regulations, data protection legislation, or social media legislation.
- Assume a company wishes to develop a new office building in a specified area.
- A feasibility study may discover that the desired site for the company is not
designated for that sort of business. That organization has just saved a lot of time
and effort by discovering that their project was not possible from the start.
- Does this system comply with the current laws and regulations?
- Are there any possible legal impacts that this implementation would cause?

Scheduling Feasibility

- It is the most critical assessment for project success; after all, a project will fail if it
is not completed on time.
- An organization predicts the length of time it will take to finish a project in
scheduling feasibility.
- When all of these areas have been thoroughly investigated, the feasibility study may
help identify any obstacles that the proposed project may encounter, such as:
● Internal Project Constraints: Technical, technological, financial, and resource
constraints, among others.
● Financial, marketing, export, and other internal corporate constraints
● External limitations include logistics, the environment, laws and regulations, and so
on.

Who should be the evaluators?

● Intended owner of business or services
● Internal auditors
● Qualified consultants.
● Someone with prior opinion about what decision should be taken. He/She should be
neutral and fair
● Someone whose previous work experience should have proof in the conduct of
feasibility study.

If an operation or project already exists and a feasibility study is to be conducted to improve
on the existing structure, it is important that all necessary information/data are collected so that
the best decision can be made. If the services of a consultant are necessary, the relevant
section/department to be improved upon will need to be involved in hiring the consultant and
also in the entire study development process. The section or department will be required to
provide most of the operational data needed to assess the current operational situation,
including the information about costs, staffing and so on.

- A feasibility study should be conducted by a qualified consultant who is independent, with
recognized experience in the type of operation to be examined. It is very necessary that
the analyst should be a firm with a proprietary interest in the project, a vendor, or any
other party with interest or vested interest in the outcome of the study.

● Do you think that communication skills, both oral and written, are crucial for
proper execution of the SDLC?
Yes.
To develop a project or system, the following needs are to be found out.
• What is the requirement of an organization?
• What would be the output of the system?
• How much funding is invested in the system?
Accountants are responsible for finding these things. After getting the basic ideas, the
accountants should communicate with the developers who develop the project.
They communicate both orally and in writing about the development of the project, so that if
the developer needs any resource for developing the system it can be provided, and they can
check whether proper infrastructure is there to create a project or not. So before creating any
project, communication between the accountant and team members is a must.
Hence there is a need for incorporating communication skills for proper SDLC execution.

You might have seen this getting circulated for a long time now in the IT industry. This looks
funny but there is a lot in it if you analyze it properly.

Relay Communication:

- If the communication among the project stakeholders happens in a relay model
following the organizational or project ownership hierarchy, results like this
are more likely to happen.

- For example, the Project Manager talks to the Customer and understands the
requirements and “relays” his analysis and decisions to the Tech Lead/Design Lead,
who will do the same “relay” and pass it to his Module Leads and so on. With each
“relay” pass, there is a high possibility that some of the requirements are
misunderstood, some of the requirements are dropped and, not to forget, some
new requirements (which the customer never really needed) get added.

- “Division of Responsibilities” should not be implemented with the “Relay
Communication” model. Rather, “Division of Responsibilities” should happen on a
platform of “Shared Communication” where everyone knows their pie of
ownership and, more importantly, where and how their pie goes in the whole
project.

Misunderstanding of SPOC (Single Point Of Contact) role for communication:

- As a common practice, SPOCs are assigned for different tasks/roles in a project.
This is indeed a good practice as you will have one person who is worried about
and held accountable for that piece. This doesn’t mean that all the communication
on that aspect of the project should be relayed and shared only with that SPOC
and hidden from other stakeholders.

- While SPOCs are held responsible for different activities like planning, estimation
and execution for their assigned roles, contribution from other peers should be
encouraged as a practice for the project execution to produce desired results.
Transparent communication is of greater importance here. And by the
same rule, a SPOC can be a very active contributor in other activities for which he
is not the owner.

(Unwanted and Self-Constructed) Barriers of Communication:

- “For any clarification on this task, you should talk to me and talk to me only”. ☺ I
think you got this right and need no further explanation. If you impose this practice
in the implementation team, you are definitely making a great mistake, inviting
poor quality into your project by adding poor and harmful communication
strategies.

- Upward communication and cross-functional/cross-team communication should
always be encouraged, be it formal or informal communication.

Delay in communication:

- “Communicate the right thing at right time” – This is something that the
stakeholders at all levels need to understand and stick to.

- Don’t keep your questions or suggestions to yourself waiting for the next formal
meeting to happen. If you smell something is seriously wrong, raise the alarm now.
If you find something more interesting and benefit the team or the customer, ring
the bell now.

In summary, communication plays a key role in the quality of the software. Both
formal and informal communications have to be weighed equally. Most of the time, informal
communication (fights at the desk, discussions over a coffee) would produce more
benefits than the formal communication means, and sometimes these informal
communications help you catch those missing requirements too, be it business or technical.

So, “Communicate the Importance of Communication” to your team. Good communication
skills wouldn’t just mean professional-class English speaking and writing skills but also
“communicating the right thing at the right time”.

● Discuss the independence issue when audit firms also provide consulting input
into the development and selection of new systems.

The ones consulting must have vested interest e.g. consultant, internal auditors

Audit firms cannot because they do not act in the interest of the organisation. There
will be self-interest and self-review threats if audit firms were to provide consulting input in
the development and selection of new systems.

Self-review – reviewing their own work or work done by others in the firm after
consulting the clients, especially in the development phase
Self-interest – Recommending or implementing solutions that affect the financial controls or
accounting processes, or recommending any product or service for which the audit firm will
receive a commission or referral fee. There might be a conflict of interest

The audit firms should act independently and do not represent the interest of the client.

The results of the study show that the chief audit executives do not perceive
independence as a critical objective for systems development audits, while they do
believe that internal auditors should act as consultants. Such findings are consistent with
the Institute of Internal Auditors' standards regarding consulting services but are
inconsistent with the independence standards. Except for testing the accuracy of the
systems, the respondents' perceptions of the role of internal audit are either
moderate or indifferent regarding the planning, design, development, and
implementation phases of systems development projects. Chief audit executives clearly
believe that internal audit should not be involved with the maintenance phase. The
findings show that actual involvement in systems development projects parallels the
perception findings with one exception. While the respondents don’t believe internal
audit should be involved in the development phase of a systems development project,
the findings suggest that internal audit departments are actually involved (moderate to
little) in such projects.

Q1.
2. The five aspects are briefly explained with an example as follows:
(a) Technical feasibility: The firm decides whether the system development can be performed
with the existing technology or if new technology is required. It is the willingness of the firm to
adapt to available technology that is more advanced than the existing technology on which the firm
runs its systems.

(b) Economic feasibility: Under this study, a review of the management's available funds that
can be allocated towards the proposed system development project is studied. Further, the
funds available have a direct impact on the scope and operational nature of the business.

(c) Legal feasibility: Here compliance with various laws such as SOX, regulations related to
invasion of privacy and laws on confidentiality of stored information has to be considered before
identifying the right system.

(d) Operational feasibility: Here the skill set and available resources have to be considered
and checked if these can be revamped to accommodate the new system.

(e) Schedule feasibility: the time frame involved in implementing the system is analyzed.

● The development team must communicate with clients, understand their
requirements, and analyze the system throughout this phase.

3.
- Communication is needed to find out the requirements of the organization, the output of the
system and how much funding is invested in the system, as this is an important part of
developing a system.
- Accountants should communicate with the developers who develop the project or system.
- Communication both orally and in writing about the development of the project is important,
because if the developer needs any resource for developing the system it can be provided, and they
can check whether proper infrastructure is there to create a project or not.
- Therefore, before creating any project, communication between accountants and team
members is a must to prevent any mistakes due to lack of communication, such as coding
mistakes.
- Hence, there is a need for incorporating communication skills for proper SDLC execution.

4.
The issue of independence can be discussed as:
- The accounting information system must have the feature of being auditable. Several
techniques and features must be designed into the system. Audit firms are part of the
system development team along with system professionals, end users and stakeholders.
- Audit firms are stakeholders, as they are not the end users but are interested in the
formation of the organization. The auditors must be involved in the early phases of design
because they have a stake in the system.
- If the audit firm also provides consulting input into the development and selection of new
systems, it is a violation of the Sarbanes-Oxley Act. Having a system audited by the
consulting firm that initially proposed it may produce a bias on the consulting firm’s part
to view the system in a positive light.

5.
● The main reason for the underestimation of the cost and time requirements of SDLC is
because of the hurry in selection and implementation of the project and therefore important
facts are ignored or not analysed completely. The unchecked areas may create a
bottleneck in SDLC and increase the costs and time.
● To improve this,
○ Perform a Detailed Feasibility Study
■ Technical feasibility is the determination of whether the system can be
developed under existing technology or if new technology is required.
■ Economic feasibility pertains to the availability of funds to complete the
project.
■ Legal feasibility ensures that the proposed system is not in conflict with the
company’s ability to discharge its legal responsibilities.
○ Perform a Cost-Benefit Analysis
■ Identify cost
■ Identify benefits: Tangible benefits fall into two categories: those that
increase revenue and those that reduce costs. Intangible benefits improve
customer satisfaction. They cannot be easily measured and quantified.

GROUP I

QUESTION 1 - Discuss briefly the six systems development controls and two
systems maintenance controls.

ANSWER:

Six systems development

1. System analysis

a. Determine the problem and the achievable solution for the problem

2. System design

a. Overall plan about the system to meet the entire requirement needed.

3. Programming

a. Translating all the system requirements into code

4. Testing

a. Ensuring that the system that has been produced is the right one.

b. Three types of testing: unit, system and acceptance testing

5. Conversion

a. Changing the old system to the new system to ensure that the system
has achieved the requirements.

6. Production and maintenance.

a. Production is the effect after the system has been applied. Meanwhile,
if there is any change in the system, it can be called maintenance.

6 systems development controls
● System authorization activities- this process needs to be done to avoid any
unauthorised access to the system data
● User specification activities- this system must ensure that users actively
take part in order to describe their needs
● Technical design activities/ conceptual design- the needs specified by the
users are translated into technical design in order to meet them. The conceptual
design objective is to produce several alternative conceptual systems that satisfy
the system requirements identified during system analysis.
● Involvement of internal audit- internal audit must take part to examine the
needs of the users and control required.
● Program testing- it is a necessary process to compare the outcomes with
predefined standards. Programmer will prepare a test transaction, test master
files and expected results.
● User test and acceptance process- Necessary to formally document and
analyse the result of the test. The test will help in deciding whether to implement
the program or not

Two systems maintenance controls:

System maintenance is an ongoing activity, which covers a wide variety of activities,
including removing program and design errors, updating documentation and test data
and updating user support.

1. Corrective Maintenance

a. Removing errors in a program

b. Errors occurred because of faulty design or wrong assumptions.

c. Processing or performance failures are repaired

2. Adaptive Maintenance

a. Program functions are changed

b. To satisfy the information needs of the user.

c. E.g. Change in the organizational procedures

3. Perfective Maintenance

a. adding new programs or modifying the existing programs

b. to respond to user’s additional needs

c. Due to the changes within or outside of the organization.

1. Testing the system/ system implementation- phase of the systems
development process, database structures are created and populated with data,
equipment is purchased and installed, employees are trained, the system is
documented and the new system is installed
2. Formal authorizations- control techniques and procedures reduce the risk of individuals
gaining unauthorized access to the system in order to maintain system integrity.

QUESTION 2 - Distinguish auditing around the computer and auditing through the
computer?

ANSWER:

| Auditing around the computer | Aspect | Auditing through the computer |
|---|---|---|
| To evaluate client’s computer controls | Definition | To evaluate client’s software and hardware |
| To determine the reliability of existence | Explanation | To determine the reliability of operations that are hard to see via human eyes |
| Verify the corresponding output with the inputs by randomly picking up the source documents. | Example | Access control |

QUESTION 3 - What types of output would be considered extremely sensitive in a
university setting? Give three examples and explain why the information would
be considered sensitive. Discuss who should and should not have access to each
type of information.

ANSWER:

The type of output that can be considered extremely sensitive in a university setting is the
data of the students, the lecturers and also the staff.

Three examples are personal details of the students, lecturers and staff. Besides that,
financial data of students, lecturers and staff are also extremely sensitive data. Lastly, a
student's university record is important in a university setting.

This information is important because it will give advantages to others if they get the
data. It can harm the users because, with the information, many things can be obtained
such as money and bank details.

Only authorized persons, like the relevant administrative department in the university,
can access the data of the lecturers, students and staff. This is because these people
have been appointed by the management of the university to keep this information
private and confidential.

QUESTION 4 - Why is computer waste disposal a potential internal control issue?
How to remedy this issue?

ANSWER:

Computer waste disposal may lead to breach of security of confidential data of the
entity. Even if data is deleted from the system it can be retrieved by the experts and
hence lead to huge security breaches.

In order to remedy this issue, the government needs to carry out recycling of this
computer waste. This can be achieved by informing and teaching all the people
about how important it is to dispose of computers efficiently to get rid of the internal
control issues.

QUESTION 5 - Why are auditors responsible for evaluating the controls in the
SDLC’s process? Do you think the current auditors are able to do so?

ANSWER:

Software Development Life Cycle (SDLC) is a process used by the software industry to
design, develop and test high quality software.

Auditors are responsible for evaluating the controls in the SDLC’s process to
ensure the controls are implemented to mitigate the risks of developing application
systems throughout the SDLC.

Current auditors are able to do so because current auditors are responsible for expressing
an opinion on the financial statements when they are auditing the financial statements.
Auditors will also identify the risks that may occur. This can help to reduce the risk if the
current auditor audits the SDLC.

29th November 2021 (Groups I & J)

1. Discuss briefly the six systems development controls and two systems maintenance controls.
6 systems development controls
● System authorization activities- this process needs to be done to avoid any unauthorised
access to the system data
● User specification activities- this system must ensure that users actively take part in
order to describe their needs
● Technical design activities/ conceptual design- the needs specified by the users are
translated into technical design in order to meet them. The conceptual design objective is
to produce several alternative conceptual systems that satisfy the system requirements
identified during system analysis.
● Involvement of internal audit- internal audit must take part to examine the needs of the users
and control required.
● Program testing- it is a necessary process to compare the outcomes with predefined
standards. Programmer will prepare a test transaction, test master files and expected
results.
● User test and acceptance process- Necessary to formally document and analyse the result
of the test. The test will help in deciding whether to implement the program or not

2 systems maintenance controls

● Testing the system/ system implementation- phase of the systems development process,
database structures are created and populated with data, equipment is purchased and
installed, employees are trained, the system is documented and the new system is installed
● Source program library controls- control techniques and procedures reduce the risk of
individuals gaining unauthorized access to the system in order to maintain system integrity.

You all can read this website to explore more about the maintenance control
(http://www.engineering-bachelors-degree.com/business-information-management/uncategorized/systems-developmentprogram-changes-and-application-controlssystems-development-controls/)

2. Distinguish auditing around the computer and auditing through the computer?

| Auditing Around the Computer | Auditing Through the Computer |
|---|---|
| Traditional method | Modern method |
| Auditors randomly select source documents that have been input into the system and manually summarise them to see if they match with output of computer processing. | Various steps taken by auditors to evaluate client’s software and hardware to determine the reliability of operations that are hard for human eyes to view and also test the operating effectiveness of related computer controls, e.g., access control. |
| Assume the percentages of accurate output data verify the proper processing operation of the company. Review of computer programs or operations are unnecessary. Pay no attention to control procedure within IT environment | Check the controls like processing controls, output controls, input controls, separation of controls, etc. Able to know the effectiveness and reasonableness of the client’s internal control |
| Not an effective approach to audit computerised environment | Not an effective approach to audit computerised environment |
| Lower cost needed | Higher cost needed |

Commented [1]: 1) processing done by the computer system needs not to be audited as auditor expects that
sufficient appropriate audit evidence can be obtained by reconciling inputs with outputs. In simple words
evidence is drawn and conclusions are reached without considering how inputs are being processed to provide
outputs.
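
The contrast in the table above, as an added example that is not part of the original answers: a hypothetical invoice-posting program whose credit-limit input control is missing is audited both ways. All names (`post_invoices`, `audit_around`, `audit_through`) and all data are constructed for illustration.

```python
"""Auditing around vs. through the computer on a toy invoice-posting routine."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    doc_id: str
    customer: str
    amount_cents: int


def post_invoices(invoices, credit_limits):
    """Hypothetical client program under audit.

    Intended input controls: reject unknown customers, non-positive amounts,
    and invoices above the customer's credit limit. The credit-limit check is
    deliberately missing so the two audit approaches can be compared.
    """
    posted, rejected = {}, []
    for inv in invoices:
        if inv.customer not in credit_limits or inv.amount_cents <= 0:
            rejected.append(inv.doc_id)
            continue
        posted[inv.doc_id] = inv.amount_cents  # no credit-limit check here
    return posted, rejected


def audit_around(source_docs, posted, sample_size, seed=0):
    """Around the computer: sample source documents and reconcile them with
    the output only, without looking at how the program processed them."""
    rng = random.Random(seed)
    sample = rng.sample(source_docs, sample_size)
    return [d.doc_id for d in sample if posted.get(d.doc_id) != d.amount_cents]


def audit_through(program, test_master, test_cases):
    """Through the computer: run test transactions against a test master file
    and compare the program's behaviour with predefined expected results."""
    posted, _ = program([inv for inv, _ in test_cases], test_master)
    findings = []
    for inv, expected_accept in test_cases:
        actual_accept = inv.doc_id in posted
        if actual_accept != expected_accept:
            findings.append((inv.doc_id, expected_accept, actual_accept))
    return findings


# Constructed live data: every source document happens to be a valid invoice.
LIVE_LIMITS = {"C001": 500_000, "C002": 200_000}
LIVE_DOCS = [
    Invoice(f"INV-{n:03d}", "C001" if n % 2 else "C002", 10_000 + 250 * n)
    for n in range(1, 41)
]

# Constructed test master file and test transactions with expected results
# (True = the program should accept the invoice, False = it should reject it).
TEST_MASTER = {"T001": 100_000}
TEST_CASES = [
    (Invoice("T-OK", "T001", 50_000), True),
    (Invoice("T-NEG", "T001", -100), False),
    (Invoice("T-UNKNOWN", "T999", 1_000), False),
    (Invoice("T-OVERLIMIT", "T001", 100_001), False),
]


def run_demo():
    posted, _ = post_invoices(LIVE_DOCS, LIVE_LIMITS)
    around = audit_around(LIVE_DOCS, posted, sample_size=10)
    through = audit_through(post_invoices, TEST_MASTER, TEST_CASES)
    return around, through


if __name__ == "__main__":
    around, through = run_demo()
    print("around-the-computer exceptions:", around)
    print("through-the-computer findings (doc, expected, actual):", through)
```

The input-to-output reconciliation reports no exceptions because the live data never exercises the missing control, while the test transactions show the over-limit invoice being accepted.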


3. What type of output would be considered extremely sensitive in a university setting? (faris)
Data that relates to student data and information related to transactions, staff data,
university personal information.

Give 3 examples and explain why the information would be considered sensitive. Discuss who
should and should not have access to each type of information.

| Examples of sensitive information | Who should have access to information | Who should not have access to information |
|---|---|---|
| 1) Financial data or information of a lecturer or student only. Financial data or information related to the family members financially. The family members' wealth and salaries are important. It is sensitive to avoid any circumstances such as taking advantage of students who have better wealth. | University’s financial controller/Treasurer; Accountant | Lecturers, college administration, other staff who are not related to financial information |
| 2) Students' university record (academic/non-academic). Some students might not perform well compared to other students. Some students are able to achieve high scores while other students are unable. If the data is leaked, this will embarrass the students who cannot perform well in their academic programme. This also considers checking students' examination papers that are rarely being protected. | Lecturer and faculty management | College management, unrelated staff, accountants |
| 3) Personal details of the lecturers or students. This is a privacy concern. Leaking of this information will harm one’s life. It includes family members' information, financial data. | Accountant | Lecturers, students, unrelated staff |

4. Why is computer waste disposal a potential internal control issue? How to remedy this
issue?
Computer waste disposal may lead to a breach of the security of the entity's confidential data.
Computer waste is also a source of passwords that a perpetrator may use to access the firm’s
computer system. Even if data is deleted from the system, it can be retrieved by experts and
misused, leading to huge security breaches. In sum, e-waste poses serious data security
threats.
Internal control issues also arise when employees use informal methods to transport and store
devices marked for disposal. Information contained on the electronic devices is sometimes
leaked, stolen or lost on the way to recycling centers.
Being tied to damage caused by e-waste or to a compromise of sensitive data can even create a
public relations nightmare and expose a firm to the financial and reputational risks of litigation.

How to remedy this issue?


● Get the best physical data destruction. Relying on electronic waste disposal plans
managed by employees and staff alone for physical data destruction may not be effective in
this area. Instead, consider relying on a responsible recycling company with specific
measures in place, such as high-efficiency shredders, to handle the proper removal of
sensitive data before the recycling process is complete. Ensure all sensitive computer output
is passed through a paper shredder.
● Avoid long-term storage of end-of-life devices. Long-term storage can increase the risk
of loss or theft, which leads to serious data breaches. In fact, many recent data breach cases
were the result of computers left to sit in off-site storage facilities with little or no regulation
or supervision of the information contained on hard drives and storage devices.

Rather than choosing to place end-of-life devices in storage, creating an electronic waste
disposal plan may be a better choice. The plan should ensure that storage time is minimal
or completely eliminated, thereby decreasing the risk of theft, loss or inadvertent exposure
of sensitive information.

● Invest in software-based data destruction. This is a means of wiping hard drives or storage
devices so that no information remains on a device marked for disposal. It is an effective way
of ensuring that thefts and data breaches attempted after the device is sent for recycling do
not risk the loss of valuable information. It is also a much better solution than simply
erasing files, a method that is easily thwarted by hackers with the ability to recover files
or reconstruct data from hard drives.
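
The difference between simply erasing files and software-based wiping described above, shown as an added example that is not part of the original answer. It uses a toy in-memory device; the `ToyDisk` class, block size, file name and credential string are all constructed assumptions, and `release_for_disposal` is a hypothetical control check run before a device leaves the site.

```python
BLOCK = 16  # bytes per block; tiny on purpose (constructed toy geometry)


class ToyDisk:
    """Toy storage device (assumption): raw blocks plus a directory into them."""

    def __init__(self, blocks=8):
        self.data = bytearray(BLOCK * blocks)  # what is physically on the media
        self.directory = {}                    # name -> (first block, byte length)
        self.next_block = 0

    def write_file(self, name, content):
        needed = -(-len(content) // BLOCK)     # ceiling division
        if self.next_block + needed > len(self.data) // BLOCK:
            raise ValueError("toy disk is full")
        start = self.next_block * BLOCK
        self.data[start:start + len(content)] = content
        self.directory[name] = (self.next_block, len(content))
        self.next_block += needed

    def delete_file(self, name):
        # "Simply erasing": only the directory entry goes; the blocks stay.
        del self.directory[name]

    def wipe(self):
        # Software-based destruction: overwrite every byte of the device.
        self.data[:] = bytes(len(self.data))
        self.directory.clear()
        self.next_block = 0

    def residual_blocks(self):
        # Verification: indices of blocks that still hold any non-zero byte.
        return [i for i in range(len(self.data) // BLOCK)
                if any(self.data[i * BLOCK:(i + 1) * BLOCK])]


def release_for_disposal(disk):
    """Control check: approve release only if no block holds leftover data."""
    leftover = disk.residual_blocks()
    return {"approved": not leftover, "residual_blocks": leftover}


if __name__ == "__main__":
    disk = ToyDisk()
    disk.write_file("login.txt", b"user=clerk;password=Constructed-123")  # constructed
    disk.delete_file("login.txt")
    print(disk.directory, b"password=" in disk.data, release_for_disposal(disk))
    disk.wipe()
    print(b"password=" in disk.data, release_for_disposal(disk))
```

On real media the same check is done by reading the device back after the wipe tool finishes. On SSDs an overwrite may not reach remapped blocks, so the drive's built-in sanitize or cryptographic erase function is the usual route.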
5. Why are auditors responsible for evaluating the controls in the SDLC’s process? (yanyi)
The system development life cycle (SDLC) is a process used by the software industry to design,
develop and test high-quality software. The SDLC aims to produce high-quality software that
meets or exceeds customer expectations and reaches completion within time and cost estimates.

SDLC is a framework defining tasks performed at each step in the software development process.

ISO/IEC 12207 is an international standard for software life-cycle processes. It aims to be the
standard that defines all the tasks required for developing and maintaining software.

SDLC is a process followed for a software project, within a software organization. It consists of a
detailed plan describing how to develop, maintain, replace and alter or enhance specific software.
The life cycle defines a methodology for improving the quality of software and the overall
development process.

7 Stages of SDLC
A typical Software Development Life Cycle consists of the following stages −
System planning, system analysis, conceptual design, evaluation & selection, cost-benefits
analysis, detailed design, implementation and system maintenance.
(can refer to the slides for each stage)

Reason 1
The need to ensure that SDLC processes and deliverables are aligned with best practices
based on global standards (GAAP, SEC regulations, etc.). There is no overarching
procedures document which explains the SDLC process and the related documents. In addition,
the basic elements of SDLC are not identified in SDLC processes and deliverables, and therefore
may not be consistent among projects. Also, there are no links to templates for the activities related
to integration, including the system test plan, which is stated to address integration testing.
Management has stated that SDLC processes and deliverable templates, including those related
to integration, will be reviewed and revised to ensure that they are complete and effective. In
addition, an overarching document which explains the SDLC process and the related documents
will be created and published.

Reason 2
The need to ensure that SDLC is applied to projects which meet the SDLC criteria. In
assessing the application of the SDLC process, we noted that it was not consistently applied to all
relevant development initiatives. As a result, these projects did not conform to organizationally
defined development requirements, which include standard deliverables that should be considered.
Management has stated that the project intake process was changed effective January 1, 2016 to
ensure all new projects are brought to the IT Governance Committee (ITGC) to determine the need
for SDLC Compliance. This process improvement will ensure that all projects are assessed with
regards to the need to comply with SDLC. A report that shows the status of SDLC compliance on
projects will be produced and reviewed at the ITGC meetings.

Reason 3
The need to ensure that SDLC checklists are properly prepared and kept updated as
activities are completed. Our assessment of projects that followed the defined SDLC process
revealed that the SDLC checklist which is used to ensure that the process is followed, was not
consistently created or maintained and supporting deliverables were not linked to the projects. As
a result, these projects were not in compliance with the company policy and could have been at
risk of requiring additional re-work subsequent to project completion. Management has stated that
a quality assurance process will be developed to ensure that SDLC checklists are updated as
activities are completed, including links to supporting documents.

Do you think the current auditors are able to do so? (yanyi)

Yes, current auditors are able to evaluate the controls in the SDLC’s process. (I think this is
to talk about tests of control: conduct some tests to evaluate the controls in the SDLC process.
Maybe can elaborate through this...)
- IT auditors, who focus on auditing the IT system, have particular steps to evaluate and audit
the IT system.

Focus of IT auditor on SDLC process

- Report to senior management independently and inform them about the system development
process.
- Whether the controls have been embedded into the system development process itself [it is
important that the controls have been embedded by the time the system has been built]
- Each phase needs to be evaluated to match the objective of the system

- To check whether developing a new system is the best way to handle the current
problem.
- Cost-benefit analysis: develop it ourselves or outsource, OR do we really need the
system?
- In this situation, auditors are able to give advice to the management
- Communicate with the users (survey)
- Get enough input from users, look at/analyse their responses
- Receive proper approval from management
- Formal testing and user acceptance are considered by many auditors to be the most important
control over the SDLC.
- SDLC activities are applied consistently and in accordance with management’s policies.
- Original system is free from material errors and fraud.
- System was judged necessary and justified.
- Documentation is adequate and complete.
