

DETAILED AUDIT TESTING

The IT auditor should select the deliverables, portions of deliverables, and other elements that appeared to make a significant contribution to the decision to either proceed with the project or to discontinue it. These items should be tested to the extent necessary for the IT auditor to form an opinion on the reasonableness of the decision taken related to the application under review.

The Audit Test. The IT auditor should develop an audit program that indicates the audit objectives and identifies the key controls to be evaluated in the initiation phase. For each audit objective and indicator, there are one or more audit tests to be performed. When appropriate, tools and techniques are listed to assist the auditor in performing these tests.

In some instances, the audit tool or technique consists of a general description; and in other instances, the program refers to a specific product or document containing a specific audit approach for the indicated test.

Verification. The IT auditor has two verification tasks to perform. The auditor should first determine which of the forms, worksheets, and documents specified by the life cycle methodology have been prepared. The auditor should then attempt to evaluate the accuracy of the information on the documents.

The extent of these tests depends on the specific audit objectives selected. The IT auditor should avoid being cast into the role of verifying the decision support information. The auditor's role is more appropriately one of confirming that a verification was performed by someone directly involved in the process, or of evaluating the veracity of the information.

The auditor may also evaluate the deliverables, and not just the information or message they contain. The auditor should not simply attempt to confirm that the deliverables have been prepared, as the deliverables alone have little value to the organization.

The Needs Statement. This deliverable should include an expression of the need in terms of a company mission, deficiencies in existing capabilities, new or changed program requirements, opportunities for increasing economy and efficiency of user operation, the internal control and security needed for the system, and alternative solutions for meeting the need.

The Feasibility Study. This should include an analysis of the objectives, requirements, and system concepts, an evaluation of alternative approaches for reasonably achieving the objectives, and a description of the proposed approach. This information should be sufficient to provide the decision-makers with the information required to make a decision.

The information provided should be adequate so that the decision-makers have at least two alternatives. There are always two alternatives: support the application or determine it is not needed. There may be additional alternatives, with a direct positive correlation between the number of alternatives and the quality and quantity of information required to support the decision.

The Risk Analysis. The IT auditor should find that this deliverable includes the identification of internal control and security vulnerabilities, the nature and magnitude of associated threats to data and assets covered by the proposed system, recommended safeguards to be included in the design to address the identified risks, and a detailed review of all data and assets to be processed or accessed by the system.

The Cost/Benefit Analysis. This deliverable should include the cost to build the system, the benefits to be derived from the system, an assessment of the impact of the system on security, privacy, and internal control requirements, an analysis and evaluation of alternative approaches proposed in meeting the mission deficiencies, and a detailed cost/benefit analysis of the proposed alternatives.

AUDIT RESULTS AND REPORTING

The IT Audit Professional should begin this activity by creating a list of all the potential errors or opportunities. The auditor should then evaluate the potential impact of the variance before deciding to propose a recommendation related to it. The items having sufficient potential impact should be included in draft recommendations.

The IT Audit Professional should review these draft recommendations with all of the appropriate personnel and require them to provide responses to be included in the audit report summarizing that particular review and its findings. This step gives the auditor a chance to confirm the findings, as it is possible to make a mistake during an audit, to have incomplete information, or not to have developed the best recommendation for change.

The IT Audit Professional should ensure that either the report or its contents are available to the decision-makers before their deadline for making a decision. If this is not done, one of the most important impacts of the audit may be lost.

The IT auditor should clearly state the objectives of the initiation phase review in the report. The following two objectives are normally included in almost every review: to identify errors or deficiencies, and to identify missed opportunities.

Any such items, assuming they have the requisite significance, should be included in the report, along with related recommendations. Although specific deficiencies will vary between situations, certain deficiencies are more common than others. The following list of problems can be used as a basis for comparison against deficiencies identified in the review.

  The needs statement is incomplete, and thus the possibility exists that the implemented system will not meet the true needs of the user.
  A reasonable set of alternatives has not been considered, and thus the alternative selected might not be the best alternative.
  The appropriate individuals from user or executive management did not become involved in the initiation phase, resulting in a potentially suboptimal decision. This is more likely to occur when two or more departments or locations are involved in the same application project.
  All vulnerabilities have not been identified, or the magnitude of those vulnerabilities has not been determined, which could result in extensive additional costs or significant failures of the application to meet the indicated need.
  The cost/benefit analysis did not identify all of the costs or benefits, or else misstated the costs and benefits that were included, which could call into question the decision taken.

The IT Audit Professional will have to modify the list above as needed to meet the needs of a particular application review. Once this portion of the work is complete, it is necessary to determine what the audit of the next phase will encompass.

Refining the Audit Approach. The initiation phase audit should conclude with a determination of the audit strategy for the remaining developmental phases that includes:

  The nature, timing, and extent of audit involvement in the remaining system development phases.
  Specific auditor assignments for the activities planned in the preceding step. If possible, the same staff members should be involved over the course of the review. If this is done, the advantage obtained will be fewer obstacles and learning curves to work through. Specific tasks where a specialist is required represent one of the few exceptions to this rule.
  The audit tools and techniques to be used. Some tools require unique skills and extended preparation time.

The IT auditor’s analysis and conclusions related to the initiation phase will affect how the scope is set for the requirements definition phase of the project. The following list presents a sample of the conclusions the auditor might reach.

  That there are external considerations that should be reflected in the planned procedures
  That there are other internal groups like Quality Assurance whose competence affects the planned procedures
  That the initiation phase deliverables either support proceeding with the requirements phase or they do not
  Whether or not there is agreement within the organization as to the optimal course of action

