DEVELOPING AUTOMATED APPLICATIONS

Applications development encompasses numerous tasks and multiple phases that are characterized by the nature of the work and deliverables produced. Over time, IT professionals have concluded that there are a set of basic steps that are common to all development methodologies. These steps are called the Systems Development Life Cycle (SDLC). IT management in each company needs to define and implement an SDLC methodology that is consistent with the organization’s needs. The IT auditor should be aware that any effective SDLC methodology will include at least three decision points. At each decision point, the appropriate managers should assess progress and performance and, if necessary, reevaluate, reschedule, or terminate the project.

Decision Points

The SDLC methodology should include at least three phases that are consistently followed for all applications development projects in the company. The three minimum phases are the requirements definition, program development and testing, and implementation. In other sections of this book, these three minimum phases will be broken down into more discrete phases, but these additional phases will not normally apply to all IT departments, while the three-phase approach does.

The standard phasing of key activities provides a structured approach for applications development and a systematic framework for management control. IT management should establish procedures for maintaining projects that are closely aligned with the SDLC methodology. Pertinent information summarizing performance vs. plan along with information that changes or contradicts the overall project plan should be summarized in a written deliverable at the end of each phase. This documentation gives IT management the information needed to make effective decisions. Generally, each phase should be complete, and a formal decision made to proceed before the next phase begins.

CRITICAL INFORMATION TECHNOLOGY CONTROLS

The IT auditor will learn that there are many ways to group general and application controls based on the company, the business the company is in, how technology is employed to do business, etc.

When in doubt, the IT auditor should be able to consider any situation at the most basic level, which only has two groupings.

  What technology is already available in this situation?
  How is that technology being used?

IT auditors who can answer these two questions will be able to respond to any specific question or issue, either because they already have the answer or because they know what must be done to obtain it. One way to group these control issues follows.

Strategic Plan

Individual IT projects must be planned and carried out consistently with the IT department’s strategic plan. A strategic plan should ensure that new and existing applications will meet the company’s current and future needs. IT decision makers who have access to high-quality strategic information are likely to make decisions that ensure compatibility between hardware and software, prevent duplication by different systems in collecting and producing information, and clearly define individual projects. The plan can help IT decision makers to resolve difficult choices and provide a framework for assessing and prioritizing the unexpected items that always seem to arise.

Senior management must support the IT strategic plan for it to be successful. The Board of Directors may choose to handle IT directly by forming an IT Steering Committee and delegating its responsibility. The IT manager often oversees the strategic plan development and suggests priorities for the various tactical projects. Senior management then reviews the plan, decides whether changes are needed, and approves a final strategic plan. Senior management should meet regularly to monitor progress against the plan and reevaluate the plan as necessary.

Management Commitment

Management at all levels needs to provide support to approved projects to help ensure their successful completion. This commitment includes assigning a competent project manager and ensuring participation by all staff members who will use the system or whose work will be affected by the project. Management should also strive to keep the same personnel in critical positions throughout a project to ensure accountability and timely completion.

Senior management too often believes that when a project is turned over to an outside contractor, everything is under control. Even with a contractor, a complex application requires substantial effort from internal staff. IT personnel, end users, and others must spend considerable time away from their regular duties to communicate their detailed requirements to the contractor. A certain amount of time will also be needed to monitor and review the contractor’s work.

Contracting Process

Organizations often contract with consulting firms for systems acquisition and development services. Management must be familiar with the various laws, regulations, and legal decisions that affect contracting services. Companies must also determine the most appropriate type of contract for the situation (e.g., fixed-price, cost-plus-fixed-fee, or hourly rate), ensure that contract specifications are sufficiently detailed, and exercise care when evaluating bids.

Basic Features

IT and financial managers should ensure that planned automated applications include the following:

  Automated controls to help ensure the accuracy and reliability of data being input and reports being produced
  Controls to physically safeguard the computer hardware and all storage media
  Controls to logically safeguard the data in the applications and system from a loss of privacy or unauthorized changes
  Audit trails that allow transactions to be traced to the responsible end user
  Flexible inquiry capability to aid in meeting ad hoc needs
  Recording transactions only once
  Automatic matching of related transactions
  Controlled manual procedures needed to correct errors in automatic processing and to handle transactions that defy automatic handling
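The following is an added illustration, not code from this book, of how three of the listed features (recording each transaction only once, an audit trail naming the responsible end user, and automatic matching of related transactions with leftovers routed to manual handling) look in a minimal ledger. The `ref` field linking an invoice to its payment and the sample transaction values are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Entry:
    txn_id: str
    kind: str         # "invoice" or "payment"
    ref: str          # constructed reference shared by related transactions
    amount: float
    user: str         # responsible end user, kept for the audit trail
    recorded_at: str

@dataclass
class Ledger:
    entries: dict = field(default_factory=dict)    # txn_id -> Entry
    audit_log: list = field(default_factory=list)  # (user, action, txn_id)

    def record(self, txn_id, kind, ref, amount, user):
        """Record a transaction once; a repeat of the same txn_id is refused and logged."""
        if txn_id in self.entries:
            self.audit_log.append((user, "DUPLICATE_REJECTED", txn_id))
            return False
        self.entries[txn_id] = Entry(txn_id, kind, ref, amount, user,
                                     datetime.now(timezone.utc).isoformat())
        self.audit_log.append((user, "RECORDED", txn_id))
        return True

    def responsible_user(self, txn_id):
        """Audit trail: trace a recorded transaction back to the end user who entered it."""
        return self.entries[txn_id].user

    def match_related(self):
        """Automatic matching: pair each invoice with one payment of the same ref and amount.
        Refs that cannot be matched are returned for the controlled manual procedure."""
        by_ref = {}
        for e in self.entries.values():
            by_ref.setdefault(e.ref, []).append(e)
        matched, unmatched = [], []
        for ref, group in by_ref.items():
            invoices = [e for e in group if e.kind == "invoice"]
            payments = [e for e in group if e.kind == "payment"]
            if (len(invoices) == 1 and len(payments) == 1
                    and invoices[0].amount == payments[0].amount):
                matched.append(ref)
            else:
                unmatched.append(ref)
        return matched, unmatched
```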

SDLC Methodology

Applications developed in-house, purchased from software vendors, and acquired freely from the public can be managed through an effective SDLC methodology. A proven methodology is an essential tool in developing high-quality applications. An SDLC methodology is a formal, structured approach to development that outlines and describes sequentially and in substantial technical depth all phases, tasks, and considerations necessary for a successful project.

A methodology provides a framework for ensuring that each development phase is carefully planned, controlled, and approved; that the project complies with standards; that the phases are adequately documented; and that assigned project personnel are competent. Most consulting firms have developed or adopted a systems methodology for their projects. To be fully effective, a systems methodology should take into account all of the critical factors discussed here.

The SDLC methodology should outline the planning, budgeting, and acquisition of the application, including the staff and skills needed to support the system, the space and facilities to house the people and equipment, and the procedures to convert to the new application. An effective methodology ensures that massive and complex projects are carried out segment by segment. Each phase must be completed before the project moves to the next phase. The IT auditor should recognize that certain tasks may begin before a phase is approved, but these should be the exception and not the rule.

Target Dates

Project managers often have a difficult time setting accurate target dates because of the unexpected events that make seeing into the future an art rather than a science. As a result, regular progress reports should be prepared. Target dates set at the beginning of a project should be as realistic as possible; however, variances from early projections may still occur. As the project proceeds and a greater understanding of its scope and complexity evolves, target dates should become more precise and reliable.
