
Chapter 4: Systems Development & Maintenance Activities

Date post: 15-Mar-2016
Upload: kyra-holland
IT Auditing & Assurance, 2e, Hall & Singleton Chapter 4: Systems Development & Maintenance Activities
Transcript
Page 1: Chapter 4: Systems Development & Maintenance Activities

IT Auditing & Assurance, 2e, Hall & Singleton

Chapter 4: Systems Development & Maintenance Activities

Page 2: Chapter 4: Systems Development & Maintenance Activities


PARTICIPANTS
• Systems professionals
• End users
• Stakeholders
• ACCOUNTANTS
  – Internal
  – External
  – Limitations of involvement

Page 3: Chapter 4: Systems Development & Maintenance Activities


ACCOUNTANTS/AUDITORS

Why are accountants/auditors involved?
• Experts in financial transaction processes
• Quality of AIS is determined in SDLC

How are accountants involved?
• Users (e.g., user views and accounting techniques)
• Members of SDLC development team (e.g., Control Risk being minimized)
• Auditors (e.g., auditable systems)

Page 4: Chapter 4: Systems Development & Maintenance Activities


I.S. ACQUISITION

In-house development

Purchase commercial systems

Page 5: Chapter 4: Systems Development & Maintenance Activities


TRENDS IN COMMERCIAL SOFTWARE

Trends in commercial software
• Relatively low cost for general purpose software
• Industry-specific vendors
• Businesses too small to have in-house IS staff
• Downsizing & DDP

Page 6: Chapter 4: Systems Development & Maintenance Activities


TYPES OF COMMERCIAL SYSTEMS

• Turnkey systems
  – General accounting systems: typically in modules
  – Special-purpose systems: example banking
  – Office automation systems: purpose is to improve productivity
• Backbone systems (ERP)
  – SAP, Peoplesoft, Baan, Movex
• Vendor-supported systems
  – Hybrids

Page 7: Chapter 4: Systems Development & Maintenance Activities


COMMERCIAL SYSTEMS

Advantages
• Implementation time
• Cost
• Reliability

Disadvantages
• Independence
• Customization needs
• Maintenance

Page 8: Chapter 4: Systems Development & Maintenance Activities


SYSTEMS DEVELOPMENT LIFE CYCLE (SDLC)

New systems
1. Systems planning
2. Systems analysis
3. Conceptual systems design
4. System evaluation and selection
5. Detailed design
6. System programming and testing
7. System implementation
8. System maintenance

SDLC -- Figure 4-1 [p.141]

Page 9: Chapter 4: Systems Development & Maintenance Activities


SYSTEMS PLANNING – PHASE I

PURPOSE: To link individual systems projects to the strategic objectives of the firm.

Link individual projects to strategic objectives of the firm - Figure 4-2 [p.142]

Who does it?
• Steering committee
  – CEO, CFO, CIO, senior mgmt., auditors, external parties
  – Ethics and auditing standards limit when auditors can serve on this committee
• Long-range planning: 3-5 years
• Allocation of resources - broad

Page 10: Chapter 4: Systems Development & Maintenance Activities


SYSTEMS PLANNING-PHASE I

Level 1 = Strategic systems planning
Why?
1. A changing plan is better than no plan
2. Reduces crises in systems development
3. Provides authorization control for SDLC
4. It works!

Level 2 = Project planning
• Project proposal
• Project schedule

Page 11: Chapter 4: Systems Development & Maintenance Activities


SYSTEMS PLANNING-PHASE I

Auditor’s role in systems planning
• Auditability
• Security
• Controls

Page 12: Chapter 4: Systems Development & Maintenance Activities


SYSTEMS PLANNING-PHASE I SUMMARY

• Identify user’s needs
• Preparing proposals
• Evaluating proposals
• Prioritizing individual projects
• Scheduling work

Project Plan – allocates resources to specific project
Project Proposal – Go or not
Project Schedule – represents mgmt’s commitment

Page 13: Chapter 4: Systems Development & Maintenance Activities


SYSTEMS ANALYSIS-PHASE II

PURPOSE: Effectively identify and analyze the needs of the users for the new system.

Survey step

Disadvantages:
• Tar pit syndrome
• Thinking inside the box

Advantages:
• Identify aspects to keep
• Forcing analysts to understand the system
• Isolating the root of problem symptoms

Page 14: Chapter 4: Systems Development & Maintenance Activities


SYSTEMS ANALYSIS-PHASE II

Gathering facts
• Data sources
• Users
• Data stores
• Processes
• Data flows
• Controls
• Transaction volumes
• Error rates
• Resource costs
• Bottlenecks
• Redundant operations

Page 15: Chapter 4: Systems Development & Maintenance Activities


SYSTEMS ANALYSIS-PHASE II

Fact-gathering techniques
• Observation
• Task participation
• Personal interviews
• Reviewing key documents (see list, p. 147)

Systems analysis report
• Figure 4-3 (p.148)

Auditor’s role
• CAATTs (e.g., embedded modules)

Page 16: Chapter 4: Systems Development & Maintenance Activities


CONCEPTUAL SYSTEMS DESIGN-PHASE III

PURPOSE: Develop alternative systems that satisfy system requirements identified during system analysis

1. Top-down (structured design) [see Figure 4-4, p.150]
   • Designs general rather than specific
   • Enough details for design to demonstrate differences
   • Example: Figure 4-5, p. 151
2. Object-oriented approach (OOD)
   • Reusable objects
   • Creation of modules (library, inventory of objects)
3. Auditor’s role
   • Special auditability features

Page 17: Chapter 4: Systems Development & Maintenance Activities


SYSTEM EVALUATION & SELECTION– PHASE IV

PURPOSE: Process that seeks to identify the optimal solution from the alternatives

1. Perform detailed feasibility study
   • Technical feasibility [existing IT or new IT?]
   • Legal feasibility
   • Operational feasibility
     – Degree of compatibility between the firm’s existing procedures and personnel skills, and requirements of the new system
   • Schedule feasibility [implementation]
2. Perform a cost-benefit analysis
   • Identify costs
   • Identify benefits
   • Compare the two

Page 18: Chapter 4: Systems Development & Maintenance Activities


SYSTEM EVALUATION & SELECTION-PHASE IV

Cost-Benefit Analysis: Costs

ONE-TIME COSTS:
• Hardware acquisition
• Site preparation
• Software acquisition
• Systems design
• Programming
• Testing
• Data conversion
• Training

RECURRING COSTS:
• Hardware maintenance
• Software maintenance
• Insurance
• Supplies
• Personnel
• Allocated existing IS

Page 19: Chapter 4: Systems Development & Maintenance Activities


SYSTEM EVALUATION & SELECTION–PHASE IV

Cost-Benefit Analysis: Benefits

TANGIBLE:
• Increased revenues
  – Increased sales in existing markets
  – Expansion into new markets
• Cost reduction
  – Labor reduction
  – Operating cost reduction
    • Supplies
    • Overhead
  – Reduced inventories
  – Less expensive eqpt.
  – Reduced eqpt. maint.

INTANGIBLE:
• Increased customer satisfaction
• Improved employee satisfaction
• More current information
• Improved decision making
• Faster response to competitors’ actions
• More effective operations
• Better internal and external communications
• Improved control environment

Page 20: Chapter 4: Systems Development & Maintenance Activities


Cost-Benefit Analysis: Comparison

• NPV [Table 4-4]
• Payback [Figures 4-7a, 7b]
• BE

Auditor’s role
• Managerial accounting techniques
  – Escapable costs
  – Reasonable interest rates
  – Identify one-time and recurring costs
  – Realistic useful lives for competing projects
  – Determining financial values for intangible benefits

Page 21: Chapter 4: Systems Development & Maintenance Activities


DETAILED DESIGN–PHASE V

PURPOSE: Produce a detailed description of the proposed system that satisfies system requirements identified during systems analysis and is in accordance with conceptual design.

• User views
• Database tables
• Processes
• Controls

i.e., a set of “blueprints”

Page 22: Chapter 4: Systems Development & Maintenance Activities


DETAILED DESIGN– PHASE V

Quality Assurance

• “Walkthrough”

• Quality assurance

Page 23: Chapter 4: Systems Development & Maintenance Activities


DETAILED DESIGN – PHASE V

Detailed Design Report
• Designs for input screens and source documents
• Designs for screen outputs, reports, operational documents
• Normalized database
• Database structures and diagrams
  – Data flow diagrams (DFD’s)
  – Database models (ER, Relational)
• Data dictionary
• Processing logic (flow charts)

Page 24: Chapter 4: Systems Development & Maintenance Activities


SYSTEM PROGRAMMING & TESTING– PHASE VI

Program the Application

• Procedural languages
• Event-driven languages
• OO languages
• Programming the system
• Test the application [Figure 4-8]
  – Testing methodology
  – Testing offline before deploying online
  – Test data
    • Why?
    • Can provide valuable future benefits

Page 25: Chapter 4: Systems Development & Maintenance Activities


SYSTEMS IMPLEMENTATION– PHASE VII

PURPOSE: Database structures are created and populated with data, applications are coded and tested, equipment is purchased and installed, employees are trained, the system is documented, and the new system is installed.

• Testing the entire system
• Documenting the system
  – Designer and programmer documentation
  – Operator documentation
  – User documentation
    • Novices
    • Occasional users
    • Frequent light users
    • Frequent power users
    • User handbook
    • Tutorials
    • Help features

Page 26: Chapter 4: Systems Development & Maintenance Activities


SYSTEMS IMPLEMENTATION–PHASE VII

Conversion

• Converting the databases
  – Validation
  – Reconciliation
  – Backup
• Converting the new system
  – Go live … Auditor involvement virtually stops!
  – Cold turkey cutover
  – Phased cutover
  – Parallel operation cutover

Page 27: Chapter 4: Systems Development & Maintenance Activities


SYSTEMS IMPLEMENTATION– PHASE VII

Post-Implementation Review

• Reviewed by independent team to measure the success of the system
  – Systems design adequacy [see list p. 170]
  – Accuracy of time, cost, and benefit estimates [see list p. 170]
• Auditor’s role
  – We’re back!!
  – Provide technical expertise
  – Specify documentation standards
  – Verify control adequacy
  – External auditors

Page 28: Chapter 4: Systems Development & Maintenance Activities


SYSTEMS IMPLEMENTATION–PHASE VII

Auditors’ Role

• We’re back!!
• Provide technical expertise
  – AIS: GAAP, GAAS, SEC, IRS
  – Legal
  – Social / behavioral
  – IS/IT (if capable)
  – Effective and efficient ways to limit application testing
• Specify documentation standards
• Verify control adequacy
  – COSO – SAS No. 78 – PCAOB Standard #1
  – Impact on scope of external auditors

Page 29: Chapter 4: Systems Development & Maintenance Activities


SYSTEMS MAINTENANCE–PHASE VIII

PURPOSE: Changing systems to accommodate changes in user needs

• 80/20 rule
• Importance of documentation?
  – Facilitate efficient changes
  – Facilitate effective changes (at all!)

Page 30: Chapter 4: Systems Development & Maintenance Activities


[Diagram; labels recovered from the slide: Preliminary Feasibility, Project Authorization, Systems Planning, Systems Analysis, Conceptual Design, Systems Selection, Detailed Design, System Implementation; Project Proposal, Project Schedule, System Analysis Rpt, DFD (general), ER Diagram, Relational Model, Normalized Data, Feasibility Study, Cost-Benefit Analysis, System Selection Rpt, Detailed Design Rpt, Program Flowcharts, Post-Impl. Review, Documentation, User Acceptance Rpt, DFD (Detail)]

Page 31: Chapter 4: Systems Development & Maintenance Activities


A materially flawed financial application will eventually corrupt financial data, which will then be incorrectly reported in the financial statements. Therefore, the accuracy and integrity of the IS directly affect the accuracy of the client’s financial data.

Page 32: Chapter 4: Systems Development & Maintenance Activities


CONTROLLING & AUDITING THE SDLC

Controlling New Systems Development

• Systems authorization activities
• User specification activities
• Technical design activities
  – Documentation is evidence of controls
  – Documentation is a control!
• Internal audit participation
• User test and acceptance procedures
• Audit objectives
• Audit procedures

Page 33: Chapter 4: Systems Development & Maintenance Activities


CONTROLLING & AUDITING THE SDLC

Audit Objectives & Procedures

Audit objectives
• Verify SDLC activities are applied consistently and in accordance with management’s policies
• Verify original system is free from material errors and fraud
• Verify system necessary and justified
• Verify documentation adequate and complete

Audit procedures
• How verify SDLC activities applied consistently?
• How verify system is free from material errors and fraud?
• How verify system is necessary?
• How verify system is justified?
• How verify documentation is adequate and complete?
• See page 174 for a list

Page 34: Chapter 4: Systems Development & Maintenance Activities


CONTROLLING & AUDITING THE SDLC

Controlling Systems Maintenance

Four minimum controls:
• Formal authorization
• Technical specifications
• Retesting
• Updating the documentation

Page 35: Chapter 4: Systems Development & Maintenance Activities


CONTROLLING & AUDITING THE SDLC

Controlling Systems Maintenance

Source program library controls
• Why? What trying to prevent?
  – Unauthorized access
  – Unauthorized program changes
• SPLMS [Figure 4-13, p. 177]

SPLMS Controls
• Storing programs on the SPL
• Retrieving programs for maintenance purposes
• Detecting obsolete programs
• Documenting program changes (audit trail)

Page 36: Chapter 4: Systems Development & Maintenance Activities


CONTROLLING & AUDITING THE SDLC

Controlled SPL Environment

• Password control
  – On a specific program
• Separate test libraries
• Audit trail and management reports
  – Describing software changes
• Program version numbers
• Controlling access to maintenance [SPL] commands

Page 37: Chapter 4: Systems Development & Maintenance Activities


CONTROLLING & AUDITING THE SDLC

Audit Objectives & Procedures

Audit objectives
• Detect any unauthorized program changes
• Verify that maintenance procedures protect applications from unauthorized changes
• Verify applications are free from material errors
• Verify SPL are protected from unauthorized access

Page 38: Chapter 4: Systems Development & Maintenance Activities


CONTROLLING & AUDITING THE SDLC

Audit Objectives & Procedures

Audit procedures [Figure 4-14, p.179]
• Identify unauthorized changes
  – Reconcile program version numbers
  – Confirm maintenance authorization
• Identify application errors
  – Reconcile source code [after taking a sample]
  – Review test results
  – Retest the program
• Testing access to libraries
  – Review programmer authority tables
  – Test authority table
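
An added example (not from the slides or the textbook) of the "identify unauthorized changes" procedures: it reconciles program version numbers and source code in production against the SPL audit trail and confirms that each change carries a maintenance authorization. The record layout, the names SplChange, digest and reconcile, the program names and the MR- numbers are all assumptions made for illustration.

```python
import hashlib
from typing import NamedTuple, Optional

class SplChange(NamedTuple):
    """One SPL audit-trail row (hypothetical layout, not a real SPLMS export)."""
    program: str
    version: int
    sha256: str               # hash of the source as stored in the SPL
    auth_id: Optional[str]    # maintenance authorization reference, if any

def digest(source: str) -> str:
    return hashlib.sha256(source.encode()).hexdigest()

def reconcile(trail, production, approved):
    """Return sorted (program, finding) pairs for the auditor to follow up."""
    findings, latest = set(), {}
    for row in sorted(trail, key=lambda r: (r.program, r.version)):
        prev = latest.get(row.program)
        if prev is not None and row.version != prev.version + 1:
            findings.add((row.program, "gap in version numbers"))
        if row.auth_id not in approved:
            findings.add((row.program, f"v{row.version} lacks authorization"))
        latest[row.program] = row
    for program, (version, source) in production.items():
        row = latest.get(program)
        if row is None:
            findings.add((program, "not in SPL"))
        elif version != row.version:
            findings.add((program, "version differs from SPL"))
        elif digest(source) != row.sha256:
            findings.add((program, "source differs from SPL"))
    return sorted(findings)

# Constructed sample data (program names and MR- numbers are made up).
TRAIL = [
    SplChange("AR_POST", 1, digest("post v1"), "MR-101"),
    SplChange("AR_POST", 2, digest("post v2"), "MR-117"),
    SplChange("PAYROLL", 1, digest("pay v1"), "MR-102"),
    SplChange("PAYROLL", 3, digest("pay v3"), None),
    SplChange("GL_CLOSE", 1, digest("close v1"), "MR-103"),
]
PRODUCTION = {  # program -> (version number, source text found in production)
    "AR_POST": (2, "post v2"),
    "PAYROLL": (3, "pay v3"),
    "GL_CLOSE": (1, "close v1 + patch"),
    "VENDOR_ADD": (1, "vendor v1"),
}
APPROVED = {"MR-101", "MR-102", "MR-103", "MR-117"}
print(*(f"{p}: {f}" for p, f in reconcile(TRAIL, PRODUCTION, APPROVED)), sep="\n")
```

In the constructed data only AR_POST reconciles cleanly; the other three programs each produce a finding that maps to one of the procedures listed above.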

Page 39: Chapter 4: Systems Development & Maintenance Activities


Chapter 4: Systems Development & Maintenance Activities

