Professional Documents
Culture Documents
Ch5 - System Development and Program Change Procedures
Ch5 - System Development and Program Change Procedures
Ch5 - System Development and Program Change Procedures
IT Auditing, Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Participants in Systems Development
Systems professionals
End users
Stakeholders
Accountants/ Auditors
Internal
External
Limitations of involvement
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 2
Accountants/ Auditors
Why are accountants/auditors involved?
Experts in financial transaction processes
Quality of AIS is determined in SDLC
How are accountants involved?
Users (e.g., user views and accounting techniques)
Members of SDLC development team
(e.g., Control Risk being minimized)
Auditors (e.g., auditable systems)
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 3
Information Systems Acquisition
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 4
Trends in Commercial Software
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 5
Types of Commercial Systems
Turnkey systems
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 7
Systems Development Life Cycle (SDLC)
New systems
1. Systems planning
2. Systems analysis
3. Conceptual systems design
4. System evaluation and selection
5. Detailed design
6. System programming and testing
7. System implementation
8. System maintenance
SDLC – Figure 5-1
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 8
Preliminary Project
Feasibility Authorization
Systems Project Project
Planning Proposal Schedule
Systems System
Analysis Analysis Rpt
Conceptual DFD
Design (general)
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 10
Systems Planning –Phase I
Level 1: Strategic Systems Planning
Justifications:
1. A changing plan is better than no plan
2. Reduces crises in systems development
3. Provides authorization control for SDLC
4. Cost management
Level 2: Project Planning
Project proposal
Project schedule
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 11
Systems Planning –Phase I
Auditor’s role in systems planning
Auditability
Security
Controls
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 12
Summary of Phase I
Identify user’s needs
Preparing proposals
Evaluating proposals
Prioritizing individual projects
Scheduling work
Project Plan – allocates resources to specific
project
Project Proposal – Go or not
Project Schedule – represents management’s
commitment
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 13
Systems Analysis –Phase II
PURPOSE: Effectively identify and analyze the
needs of the users for the new system.
Survey step
Disadvantages:
Tar pit syndrome
Thinking inside the box
Advantages:
Identify aspects to keep
Forcing analysts to understand the system
Isolating the root of problem symptoms
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 14
Systems Analysis –Phase II
Gathering Facts
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 15
Systems Analysis –Phase II
Fact-gathering techniques
Observation
Task participation
Personal interviews
Reviewing key documents
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 16
Conceptual Systems Design –Phase III
PURPOSE: Develop alternative systems that
satisfy system requirements identified
during system analysis
1. Top-down (structured design)
[see Figure 5-4]
Designs general rather than specific
Enough details for design to demonstrate differences
Example: Figure 5-5
2. Object-oriented approach (OOD)
Reusable objects
Creation of modules (library, inventory of objects)
3. Auditor’s role
special auditability features
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 17
System Evaluation and Selection –Phase IV
PURPOSE: Process that seeks to identify the optimal
solution from the alternatives
1. Perform detailed feasibility study
Technical feasibility [existing IT or new IT?]
Legal feasibility
Operational feasibility
Degree of compatibility between the firm’s
existing procedures and personnel skills, and
requirements of the new system
Schedule feasibility [implementation]
2. Perform a cost-benefit analysis
Identify costs
Identify benefits
Compare the two
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 18
System Evaluation and Selection –Phase IV
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 19
System Evaluation and Selection –Phase IV
Cost-Benefit Analysis: Costs
TANGIBLE: INTANGIBLE 2:
Increased revenues Increased customer satisfaction
Increased sales in Improved employee satisfaction
existing markets More current information
Expansion into new Improved decision making
Faster response to competitors’
markets
actions
Cost Reduction 1
More effective operations
Labor reduction Better internal and external
Operating cost communications
reduction Improved control environment
Supplies
overhead
Reduced inventories
Less expensive eqpt.
Reduced eqpt. maint.
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 20
System Evaluation and Selection –Phase IV
Cost-Benefit Analysis:
Comparison
NPV 1 [Table 5-4]
Payback 2
[Figures 5-7a, 7b]
BE
Auditor’s role
Managerial accounting techniques 3
Escapable costs
Reasonable interest rates
Identify one-time and recurring costs
Realistic useful lives for competing projects
Determining financial values for intangible
benefits
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 21
Detailed Design –Phase V
PURPOSE: Produce a detailed description of
the proposed system that satisfies system
requirements identified during systems
analysis and is in accordance with
conceptual design.
User views
Database tables
Processes
Controls
i.e., a set of “blueprints”
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 22
Detailed Design –Phase V
Quality Assurance
“Walkthrough”
Quality assurance
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 23
Detailed Design –Phase V
Detailed Design Report
Designs for input screens and source
documents
Designs for screen outputs, reports,
operational documents
Normalized database
Database structures and diagrams
Data flow diagrams (DFD’s)
Database models (ER, Relational)
Data dictionary
Processing logic (flow charts)
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 24
SYSTEM PROGRAMMING & TESTING– PHASE VI
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 25
Systems Implementation –Phase VII
PURPOSE: Database structures are created and populated
with data, applications are coded and tested,
equipment is purchased and installed, employees are
trained, the system is documented, and the new system
is installed.
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 26
Systems Implementation –Phase VII
Conversion
Converting the databases
Validation
Reconciliation
Backup
Converting the new system
Go live …
Auditor involvement virtually stops!
Cold turkey cutover
Phased cutover
Parallel operation cutover
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 27
Systems Implementation –Phase VII
Post-Implementation Review
Reviewed by independent team to measure
the success of the system
Systems design adequacy
Accuracy of time, cost, and benefit estimates
Auditor’s role
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 28
Systems Implementation –Phase VII
Auditors’ Role
Provide technical expertise
AIS: GAAP, GAAS, SEC, IRS
Legal
Social / behavioral
IS/IT (if capable)
Effective and efficient ways to limit application
testing
Specify documentation standards
Verify control adequacy
COSO – SAS No. 78 – PCAOB Standard #1
Impact on scope of external auditors
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 29
Systems Maintenance –Phase VIII
PURPOSE: Changing systems to accommodate
changes in user needs
80/20 rule 1
Importance of documentation?
Facilitate efficient changes
Facilitate effective changes (at all!)
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 30
Preliminary Project
Feasibility Authorization
Systems Project Project
Planning Proposal Schedule
Systems System
Analysis Analysis Rpt
Conceptual DFD
Design (general)
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 33
Controlling and Auditing the SDLC
Audit Objectives and Procedures
Audit objectives
Verify SDLC activities are applied consistently and in
accordance with management’s policies
Verify original system is free from material errors and
fraud
Verify system necessary and justified
Verify documentation adequate and complete
Audit procedures
How verify SDLC activities applied consistently?
How verify system is free from material errors and fraud?
How verify system is necessary?
How verify system is justified?
How verify documentation is adequate and complete?
See page 208 for a list
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 34
Controlling and Auditing the SDLC
Controlling Systems Maintenance
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 35
Controlling and Auditing the SDLC
Controlling Systems Maintenance
Password control
On a specific program
Separate test libraries
Audit trail and management reports
Describing software changes
Program version numbers
Controlling access to maintenance [SPL]
commands
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 37
Controlling and Auditing the SDLC
Audit Objectives and Procedures
Audit objectives
Detect any unauthorized program
changes
Verify that maintenance procedures
protect applications from
unauthorized changes
Verify applications are free from
material errors
Verify SPL are protected from
unauthorized access
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 38
Controlling and Auditing the SDLC
Audit Objectives and Procedures
Audit procedures
Figure 5-14
Identify unauthorized changes
Reconcile program version numbers
Confirm maintenance authorization
Identify application errors
Reconcile source code [after taking a sample]
Review test results
Retest the program
Testing access to libraries
Review programmer authority tables
Test authority table
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. Hall, 3e 39