Why Control Development & Acquisition

Download Report

Transcript Why Control Development & Acquisition

System Development,
Acquisition &
Maintenance
Controls
Why Is Formal SDLC Necessary?
Management
– Avoid costly disasters
– Competitive Advantage
Auditors
– Important element of internal control
– Audit assurance on applications
Why Is Formal SDLC Necessary?
• Allstate - rather than 5yrs - $8 million ended at $100 million
• Oklahoma - $500,000 workmen's comp ended at $4 million
• Blue Cross & Shield - $200 million system
didn't work - $60 million in overpayments lost 35,000 members
Why Is Formal SDLC Necessary?
• Gartner Group survey (J of A, Feb 2001) found:
• 40% of IT projects don’t produce intended results
• Typical project scheduled for 27 weeks
• Cancelled project lasted 14 weeks, costing $1 million on
unsatisfactory results
• Project team members knew they were working on
projects that would fail 6 weeks before cancellation -Mum effect; Deaf effect
Why Is Formal SDLC Necessary?
• Standish Group survey (CACM, April 2001) found:
• 26 % of IT projects delivered on time, on budget and with
promised functionality
• 46% completed over budget and behind schedule, and
with fewer features
• 28% not completed
Common Causes of System Failure
•
•
•
•
•
•
•
•
Lack of user involvement
Inadequate planning and budgeting
Mismanagement of available workers
Poor or incomplete design
Insufficient testing
Undocumented or unenforced development standards
Lack of security over data and programs
No change or project management function
Systems Development Life Cycle
Investigation
Maintenance
Implementation
Requirements Analysis
& Initial Design
Acquisition/
Development
Capability Maturity Model
• Applicable to organizations in software business
• The capability maturity model identifies 5 levels
of software process maturity
• Maturity level is a well-defined evolutionary
plateau toward achieving a mature software
process
Capability Maturity Model
Initial (1)
+ Disciplined process
 Repeatable (2)
+Standard consistent process  Defined (3)
+ Predictable process
 Managed (4)
+ Continuously improving process  Optimizing (5)
Project Management
• Initiation - prelim survey, feasibility study,
prioritization, resource allocation
• Planning - objectives, deliverables, methods,
activities, staff, budget
• Execution - implement plan, manage personnel,
quality control, communication
• Control - monitor activities, controls, quality; report
• Termination - transition
Stages of Development Investigation Phase
• Determine problem and whether a new/modified
system is needed
• Decision needs to be in accordance with policies,
need to determine costs, savings and benefits
• Problem ID and Initiation - have users involved to
reduce semantic gap - different perceptions from
reality, need to manage resultant change
Stages of Development Investigation Phase
• Preliminary survey - assess problem, needs,
alternatives, system costs system benefits
• Feasibility study - documentation of system
review, hardware/software, transaction streams.
Assessment of existing procedures
Stages of Development Requirements Analysis &
Initial Design Phase
• Requirements analysis = Meet User Needs
–
–
–
–
Observe users/functions, documentation
Assess why each step performed
What info used by each user
What else needed
Stages of Development Requirements Analysis &
Initial Design Phase
• Initial Design = Functional Specifications
– Output
– Input
– System processing
Stages of Development Acquisition/Development
• Strategic Decisions
– Make vs Buy
– Outsourcing vs In-House
Stages of Development Acquisition/Development
• Detailed design specifications
–
–
–
–
–
–
–
–
outputs, media and methods,
file content, access methods, retention, back-up
processing steps, modes, functions
data preparation/entry
hardware/software
testing plan
implementation plan
documentation
– control requirements
• completeness, accuracy, authorization, timeliness, audit trail
Stages of Development Acquisition/Development
• Systems/programming standards - approvals and
testing, control over conversion, stages of system
development, required approvals at each stage,
conventions to be used, testing and system
documentation
• Documentation - for clear understanding and
safeguard when turnover occurs
Stages of Development Acquisition/Development
• System testing - not discrete but throughout the process
–
–
–
–
Code inspection
String testing
Performance/load testing
Pilot testing - large volume of test or live data and carefully
check results
– Parallel testing - data processed under new and old systems
– Acceptance testing - hands on by users, system works right,
recoveries of data timely, no lost messages, response times met
Stages of Development Acquisition - Additional Steps
•
•
•
•
•
•
Screen what is available
RFP
Evaluate potential suppliers
Test/evalaute
Negotiate agreement
Install
Stages of Development Implementation
•
•
•
•
•
•
Scheduling conversions
Site preparation
Personnel recruitment and training
File creation or conversion
Implementation
Post-implementation review
Stages of Development Implementation
• Conversion:
– Conversion Plan (steps, responsibilities, timing)
– Verification of:
•
•
•
•
Completeness
Accuracy
Authorization
Cut-off
Stages of Development Maintenance
• More than 50% of a system’s life time cost is
incurred in the “Maintenance” phase
• Need control over subsequent changes
• Emergency changes - segregation of duties to
prevent fraud
Auditor Participation in
Phases of System
Acquisition/Development
• Investigation phase - review economic feasibility
analysis, ensure responsibility for control and
audibility established
• Design phase - correction and reprocessing of
rejected transactions, changes to master file info,
accuracy of programmed accounting procedures
Auditor Participation in
Phases of System
Acquisition/Development
• Development - review progress reports - cradle to
grave test
• Implementation - review pre-implementation
plans monitor conversion procedures
• Maintenance - instill control consciousness adequacy of program change controls
Role of Auditor
Assess Internal Control
•
•
•
•
•
Help everyone understand importance
Look at compliance with procedures
Assess effectiveness
Database administration controls
Assess security
Role of Auditor
Adequacy of Mgmt and Audit Trails
• Make sure information is accessible
• Make sure adequate trail exists
Role of Auditor
• Accounting Principles - new principles could be
adopted - for example a new inventory method
• Link between Mgmt and IS - auditors can be
liaison
• System conversions - concern with data accuracy proper-cutoff
Role of Auditor
Monitoring Compliance with Sys Dev Stds
• Adherence to standards results in controlled
auditable systems
• Assess appropriateness of control practices
• Verify adherence to policies
• Review design, development and implementation
of application controls
Role of Auditor
Post-Implementation Reviews
• Compare system performance to objectives
• Assess reliability and accuracy
• Verify compliance with application controls
• Assess applicability and usefulness of information
Issue of Auditor Independence
• Balancing act - give advice but client makes
decision
• Use 2 different audit teams
• In written report clearly state scope of review
• Standardize the scope and approach of review