Evaluating programming phase status. The IT Audit Professional should make this evaluation by examining whether the security and control features have been properly implemented and whether all of the design specifications are being realized in the final application.
The auditor should compare the workflow with the system development methodology in use. If other deliverables are produced, the auditor should include them as well. When documents are not produced or updated, this is normally indicative of a potential problem in the application design.
Verifying programming phase status. The IT Audit Professional should review the documents being produced to ensure that the appropriate information has been collected, recorded, and is consistent with previous documents. Verification is primarily a quality control responsibility and should normally be performed by the quality assurance specialist or other direct participant in the process.
During the programming and training phase, the auditor must verify new and updated documents. The verification questions that might be used are shown below.
User manual.
Does the user manual:
- Describe the functions sufficiently?
- Indicate when and how it is to be used?
- Explain how to prepare input data and parameters?
- Explain how to interpret output results?
- Provide a full description of the application?
- Explain all user operating procedures?
- Explain user responsibilities related to security, privacy, and internal controls?
- Describe how to correct errors?
- Describe how to recover operations?
Operations and maintenance manual.
Does the operations and maintenance manual:
- Provide operations personnel with a description of the software?
- Provide operations personnel with the instructions necessary to operate the software?
- Provide operations personnel with sections on nonroutine procedures, remote operations, and security requirements?
- Provide operations personnel with error procedures?
- Provide operations personnel with recovery procedures?
- Provide maintenance programmers with the information and source code necessary to understand the programs?
- Provide maintenance programmers with an overview of the architecture and structure of the system?
- Provide maintenance programmers with maintenance guideline procedures?
- Provide maintenance programmers with the design of internal control and security procedures so that they can be individually maintained?
Installation and conversion plan.
Does the installation and conversion plan:
- Explain how to install the software?
- Explain how to activate security procedures?
- Explain how to interconnect the software with other software packages?
- Explain how to install the software onto the operating environment?
- Provide sections in nontechnical language that are directed toward staff personnel?
- Provide sections in suitable terminology that are directed toward operations personnel?
Updated project plan.
Does the project plan:
- Provide a strategy for managing the software?
- Contain goals and activities for all phases and subphases?
- Provide resource estimates that are stated for the duration of the system development process?
- Provide intermediate goals (e.g., management and technical reviews)?
- Contain methods for design, documentation, problem reporting, and change control?
- Contain supporting techniques and tools?
- Reflect changes in strategy occurring during this phase?
- Contain controls to determine whether goals have been accomplished?
- Provide appropriate actions to be taken if goals are not accomplished?
Verification and testing plan.
Does the verification and testing plan:
- Include a plan for testing the software?
- Include detailed specifications, descriptions, and procedures for all system tests?
- Include test data reduction and evaluation criteria?
- Relate to the system plan?
- Provide assurance that the system plan drives the specifications?
- Include general project background and information on the proposed solution to any mission deficiencies?
- Include validation, verification, and testing requirements, measurement criteria, and constraints?
- Include procedures to be applied during development in general and in each phase?
- Include supporting information for validation, verification, and testing selections made?
- Include appendices that describe project and environmental considerations?
- Include tests of security and internal controls?
- Include appendices that define the testing technique and tool selection information?
- Reflect changes in strategy occurring during this phase?
User and operations manuals.
Do the user and operations manuals:
- Provide procedures to keep the training materials in the manuals up to date?
- Include controls to ensure that training materials based on the manuals are updated as associated information in the manuals is updated?
CONDUCTING INTERVIEWS
The next step is for the IT auditor to interview the programming phase participants. If there are too many participants, the auditor should interview only those individuals needed to satisfy the audit objectives. The questions that the auditor should ask of the responsible participants are listed below.
Senior Management.
- Has the revised project plan been approved?
- Has the revised user manual been approved?
- Have the revised operations and maintenance manual and the installation and conversion plan been approved?
- Has the updated system decision paper been approved?
- Have the appropriate user training tasks been initiated?
- Have the validation, verification, and testing plan and specifications been approved?
Project Steering Committee.
- Has the revised project plan been approved?
- Has the revised user manual been approved?
- Have the revised operations and maintenance manual and the installation and conversion plan been approved?
- Has the updated system decision paper been approved?
- Have the appropriate user training tasks been initiated?
- Have the validation, verification, and testing plan and specifications been approved?
Project Sponsor/Project Team.
- Has the project plan been updated?
- Have the validation, verification, and testing plan and specifications been revised?
- Has the user manual been developed?
- Has an operations and maintenance manual been developed?
- Has the installation and conversion plan been developed?
- Has it been confirmed that the appropriate programming was performed?
Security Specialist.
- Has the user manual been reviewed?
- Has the operations and maintenance manual been reviewed?
- Have the installation and conversion plan and the validation, verification, and testing plan and specifications been reviewed?
Quality Assurance Specialist.
- Has the program definition been reviewed for compliance with design and DP standards?
- Has the program code been reviewed for compliance with design and DP standards?
- Has the documentation been reviewed for compliance with design and DP standards?
- Has the training been reviewed for compliance with design and DP standards?