Transcript 3장: development control

Information Systems
Control & Audit(3)
Shin, SooJung
Based on Ron’s book
Chapter 4
System Development Management Control
(1) Approaches to auditing system development
(1)
(2)
(3)
Concurrent audit: auditors are member of the system development team
Postimplementation audit: auditors seek to help an organization learn from its
experiences in the development of a specific application system
General audit: auditors evaluate systems development controls overall.(external audit이
주로 시행)
(2) Normative models of the system development process
SDLC Approach
(1) Feasibility study
Cost-benefit
(2) Information
analysis
requirement
(3) System design
(4) Program
development
(5) Procedure &forms
development
(6) Acceptance
testing
(7) conversion
(8) Operation &
Maintenance
(2) Normative models of the system development process
Sociotechnical Design Approach
Sociotechnical design
Technical
Social
System
Management
Of the change
process
Diagnosis &
entry
System
interaction
Social
System
Design
Adjustment of
coordinating
mechanisms
High task
accomplishment
High quality of
Working life
Implementation
Joint optimization
Task
systems
design
(2) Normative models of the system development process
Political Approach
Start
Historical Analysis to
determine power
structure
No
Will
Proposed system
Change power
Structure?
Yes
Face-to-face
negotiation and
compromise
User
Participation
Continue
(2) Normative models of the system development process
Soft-Systems Approach
Take action to
Improve
situation
Recognize the
Problem situation
Express the
Problem situation
Produce root
Definitions of
Relevant systems
Compare
Conceptual models
With problem
situation
Develop conceptual
Models of
Relevant systems
Identify
Desirable
And feasible
changes
(2) Normative models of the system development process
Prototyping Approach
Elicit user
requirement
Design
Prototype
Implement
Prototype
Use
Prototype
Build
Production
System
(2) Normative models of the system development process
Information Engineering Approach
-
전략정보계획에서부터 출발
분석/설계 중심
1. Information
strategic planning
2. Business Area
modeling
3. Business System
Design
4. Technical Design
5. Construction
6. Transition
7. Production
(2) Normative models of the system development process
Contingency Approach
(1)
(2)
(3)
(4)
(5)
(6)
Social system impact: impact가 크면 behavior issue(직무의 재설계 등에 사용자의 참여 등)
들을 고려하고 그렇지 않을 경우 중요하지 않음.
Task systems impact: 시스템이 직무의 수행이나 효과, 효율성에 중심역할을 한다면 전문적인
개발인력이 참여하고 효과적인 커뮤니케이션과 높은 품질의 개발이 이루어져야 하고, 그렇지 않을
경우는 최종사용자에 의해 개발될 수 있음.
System size: 대형시스템일경우 전문적인 개발인력이 참여하고 효과적인 컴뮤니케이션과 높은
품질의 개발이 이루어져야 하고, 그렇지 않을 경우는 최종사용자에 의해 개발될 수 있음.
Commonality: 시스템이 상대적으로 common하고 요구사항이 잘 이해되고 있다면 패키지를
구입할 수 있음. 시스템이 impact가 작다면 사용자가 구입가능하고, 그렇지 않을 경우 정보시스템
전문가가 구입에 역할을 담당함.
Requirements uncertainty: 요구사항이 분명치 않으면 프로토타이핑이 중요하고, 요구사항이 잘
이해되면 프로토타이핑은 불필요함.
Technology uncertainty: 조직의 경험이 부족한 기술을 사용하여 개발한다면 개발의 주요역할은
정보시스템 전문가에 의해 수행되어야 함.
(3) Evaluating the major phases in systems development process
(1)
(2)
(3)
(4)
(5)
(6)
(7)
(8)
(9)
(10)
(11)
(12)
(13)
Problem/opportunity definition
Management of the change process
Entry and feasibility assessment
Analysis of the existing system
Formulation of strategic requirements
Organizational and job design
Information processing system design
Application software acquisition and development
HW/SW acquisition
Procedure development
Acceptance testing
Conversion
Operation and maintenance
(3) Evaluating the major phases in systems development process
(1)
(1)
(2)
(3)
(4)
Problem/opportunity definition
If possible IS solutions to the problem or opportunity will be material in terms of size or
impact, have formal terms of reference been prepared? If so, have they been approved by a
steering committee or well constituted project committee?
If possible IS solutions will have a major impact on task systems or social systems, what
level of acceptance exists among the stakeholders on the need for change? Do the terms
of reference consider the need for consultation and negotiation ?
If there is a high level of requirements uncertainty or technological uncertainty surrounding
possible solutions to the problem or opportunity, do the terms of reference take into
account strategies that might help alleviate the uncertainty?
Do the stakeholders agree on the definition of the problem or opportunity? If they
disagreed at the outset, what approaches were used to try to reach consensus?
Reach Agreement!
Understand the threat!
(3) Evaluating the major phases in systems development process
(2) Management of the change process
Auditor의 관심: 프로젝트 관리와 변화 과정을 위한 결정의 질을 평가
Project Management
Planning
Analysis
Design
Change facilitation
-unfreezing the organization
-moving the organization
-refreezing the organization
Construction
Implementation
Evaluate quality of decision !
(3) Evaluating the major phases in systems development process
(3) Entry and feasibility assessment
The purpose : is to obtain a commitment to change and to evaluate whether cost-effective
solutions are available to address the problem or opportunity that has been identified.
Auditor의 관심(during): 변화가 사용자들에게 강요되지 않았나?, feasibility 분석이 채택되고 수행되기
위해 적절한 접근이 이루어졌는가?
Auditor의 관심(post): entry 전략과 feasibility assessment의 기법을 선택하기 위해 사용된 프로세스,
entry 전략과 feasibility assessment 이 얼마나 성공적이었는지 평가
Technical
Can the input data be collected for
The system? Output usable?
Is the available technology sufficient to
support the proposed Project?
Operational
What impact ‘ll the system have on
The users’ QWL?
Economic
Behavioral
DO the benefits of the system exceed
the costs?
System development process
(3) Evaluating the major phases in systems development process
(4) Analysis of the existing system
(1)
(2)
history, structure & culture: study를 했는가? 필요한 면이 무엇인가? 어느정도 했는가?
Product & information flow: 조사의 범위와 근원?, 사용한 방법론? CASE Tool의 사용?
OLD SYSTEM
Existing
History, culture
& structure
NEW SYSTEM
Existing
Product & information flow
* 분석방법
- Structured Analysis
- OO Analysis
- SSM
(3) Evaluating the major phases in systems development process
(5) Formulating strategic requirements
(1)
(2)
strategic requirements: the overall goals and objectives the system must accomplish
Auditor: 시스템 설계자가 연속되는 설계작업의 품질을 위해 전략적인 요구사항들을 파악하는
중요성을 이해하고 있는지 파악
(6) Organizational & Job Design
(1)
(2)
-
strategic requirements의 만족을 위해 Organizational & Job redesign필요
Auditor
제안된 시스템이 조직의 구조나 직무에 영향을 줄 경우 시스템 개발팀이 조직의 역사나 실행에
숙련된 전문가로부터 고품질의 어드바이스를 받는지 파악
조직의 구조나 직무설계를 책임지는 인력들이 각 담당자 그룹의 대표를 포함하는지, 설계작업이
어떻게 이행되고 있는지, 갈등이나 불확실성들을 어떻게 해결하는지, 최종적으로 선택되는 설계에
관련된 결론의 레벨이 어느 정도인지를 파악함.
(3) Evaluating the major phases in systems development process
(7) Information processing system design
(1) Auditor
설계가 전략적 요구조건을 만족하는지
시스템내부에 설계된 control의 신뢰성 평가
System의 auditability
(2) 6 major activities
Elicitation of detailed requirements
Design of the data/information flow
Design of DB
Design of UI
Physical design
Design and acquisition of HW/system SW platform
Requirement
elicitation
UI
Design
Data/information
Flow design
SW
platform
Design
Physical
Design
DB
Design
(3) Evaluating the major phases in systems development process
(8) Application software acquisition& development
(1)
(2)
-
구입시
벤더에게 제공되는 요구 스펙의 충분성
소프트웨어 평가 절차의 품질 (소프트웨어의 품질, 벤더 유지보수 및 지원의 충분성)
개발시
설계, 코딩, 컴파일링, 테스팅, 문서화 단계 동안 수행되는 절차의 평가
Client
RFP
Adequacy of requirement spec?
Proposal
Compliance with requirements?
Quality of documentation?
Vendor stability & support?
Nature of contractual obligations?
Vendor
(3) Evaluating the major phases in systems development process
(9) HW/ System SW Acquisition
(1)
-
Auditor
벤더에게 제공되는 요구 스펙의 충분성(RFP)
평가 절차의 품질
벤더의 viability, ongoing support, the availabilty of source code & maintenance support 등의
파악
(10) Procedures Development
(1)
(2)
(3)
-
이 단계에서 설계자는 사용자가 시스템의 계속적인 운영과 유용한 산출물을 얻기 위해 수행해야 할
activity들을 정의해야 한다.
절차개발
Design of procedures
Testing of procedures
Implementation of procedures
Documentation of procedures
Auditor
절차설계의 품질 평가(minimum spec of procedures)
시스템이 behavioral impact를 가져올경우 절차 설계팀에 관련자 대표 포함
절차를 테스트하는데 사용되는 접근법을 평가함.
절차 문서화의 품질을 평가함.
(3) Evaluating the major phases in systems development process
(11) Acceptance Testing
(1)
The purpose: is to identify as far as possible any errors and deficiencies in the system prior
to its final release into production use
(2) 4 Types of testing
program testing: 개별 프로그램을 개발한 프로그래머가 자신의 프로그램의 정확성, 완전성,
효율성을 테스트함.
System testing: 개발팀의 몇몇 팀원들이 여러 프로그램들과 서브 시스템간의 인터페이스가
정확하게 작동하는지 파악하기 위해 전체 시스템을 테스트
User testing: 사용자가 조직구조설계, 직무설계, 시스템 인터페이스, 프로그램, 절차 등 전체
시스템을 테스트
QA testing: 시스템이 표준을 준수하는지 테스트
(3) Auditor
How was the testing process planned
How were test data designed and developed
What test data were used
What test results were obtained
What actions were taken as a result of errors and deficiencies identified
What subsequent modifications to test data were made
How was control exercised over test data and acceptance testing process
Program
test
User Test
Program
test
Program
test
System Test
QA Test
(3) Evaluating the major phases in systems development process
(12) Conversion
(1)
The conversion phase comprises those activities undertaken to place the new system in
operation.
(2) Conversion activities
Personnel training
Installation of new HW & SW
Conversion of files and programs
Scheduling of operations and test running
(3) Auditor
Disruption의 위험
Conversion시기
Trade-off
Careful planning
old
New
old
New
old
New
(3) Evaluating the major phases in systems development process
(13) Operation & Maintenance
In production
Repair maintenance: logic errors discoved in the system are corrected
Adaptive maintenance: changes in the system environment might necessitate system
modification
Perfective maintenance: changes might be made to improve processing efficiency
- formal change process : to identify and record need for changes to a system and to authorize
and control the implementation of needed changes.
(3) Evaluating the major phases in systems development process
(13) Operation & Maintenance(Source Library control)
Systems
Development
programmers
Systems
maintenance
programmers
System Development
Test library
SPL
Application
program
Application
program
System Maintenance
Test library
Application
program
Compile &
Link edit
SPL Management
System
Application
Load module
Maintenance
request
users
-프로그램 저장
-유지보수를 위해
프로그램 추출
-라이브라리에서
프로그램제거
-프로그램변경 문서화
Program
Listing
Program
Change
report
Documentation
file
Production