Different life cycle methodologies produce slightly different documents. The information defined in these five documents can be consolidated into fewer documents or expanded into a greater number of documents. What is important to the IT auditor is that the information included in these five documents be developed during the initiation phase.
The auditor must ensure that all of the appropriate documents have been prepared and must determine the appropriate accumulation of information for the system decision paper to verify the correctness of that document. If the missing documents or document attributes are significant, the auditor should recommend that the methodology be corrected to provide that missing information.
The IT auditor's coverage will be affected by the development methodology utilized by the organization. The chosen methodology will include processes and activities that may be easy, difficult, or impossible to audit. The IT Audit Professional will determine the appropriate audit scope during and after the preliminary review of the development methodology, based on the knowledge and understanding gained during that preliminary review.
After setting the audit scope, the IT auditor will allocate staff resources and decide on the timing of the review.
The IT auditor's decisions will be impacted more by the perceived effectiveness of the development methodology than by its formality. While deliverables are significant, critical, and necessary at certain points in the systems development life cycle, all of the deliverables in the world are made meaningless by tolerated noncompliance with the preparation and use of those deliverables.
The audit scope decision is also likely to be affected by the results of prior audits. For example, if the IT auditor has found that the development process has been well controlled in the past, the auditor may choose to limit the nature, timing, and extent of the current procedures.
The IT Audit Professional may even choose to conduct one review focused exclusively on the work done by the quality assurance personnel. An audit of their activities that supports a conclusion of reasonable reliance on them could lead the IT auditor to conduct only those procedures needed to confirm that quality assurance activities are taking place as expected.
Assuming that the IT auditor will be reviewing the development methodology directly, the next audit step will be to interview the key participants in the initiation phase. The interviews will have two primary objectives: to determine whether the phase is ready to be audited, and to identify the specific contact personnel associated with particular audit steps.
The following list of interview questions and tasks may need to be adjusted by the IT auditor to meet the needs of a particular situation. This list is organized by project participant, with the questions related to that party grouped together.
Project Sponsor.
Project Team.
Information Technology Manager.
Security Specialist.
Quality Assurance Specialist.
The IT auditor should provide either a report or brief memorandum summarizing the work done through this point, important observations made, and recommendations if they are appropriate. If the IT auditor fails to provide this information, there is a chance that a project will be accepted and implemented when it should not have been.
The IT Audit Professional will not normally be able to utilize any preset approach without modification. Most organizations will find a reason to make their approach just a little different from the standard approach. The following sections describe some of the changes companies make and discuss how the auditor might choose to adjust to each change.
The initiation phase is designed to fully develop the understanding of the problem or potential opportunity and to produce the data and information required to support effective decision-making within the organization. The decision to proceed with defining detailed requirements will be based on the information gathered to date, along with a recommendation from the project sponsor, or from the project team, if one was assembled to support the development of the initiation documents.
Rather than produce two, three, or four distinct documents that lead to an organizational decision, the organization may choose to present all of this information in a single document. The IT auditor should not be particularly concerned about the number of documents prepared, but should concentrate on the information in those documents to ensure that they contain the necessary information with consistent quality.
The IT Audit Professional will find that the information needed for decision support is not always fully documented. Some organizations may utilize presentations to initiate projects, with the decision support information documented only on visual aids. In those instances, the IT auditor should attempt to be invited to the presentation.
A presentation is likely to include questions and other participation from the attendees, and the IT auditor will find that subsequent conversations attempting to reconstruct what happened in the meeting will almost never convey the nuances and other intangibles that come through when one is present.
The IT auditor should include a review of the formal initiation phase deliverable or deliverables with other initiation phase procedures. The auditor should include a specific evaluation of the established need and the cost-justification for implementing an application to address that need.
There are several external considerations that can affect the nature, timing, and extent of the audit procedures. Some of those considerations are included in the following list:
The Use of Contractors. Another discretionary factor is based on the potential use of contractors in the development effort. The difference the IT auditor must be most wary of in situations where the company utilizes contracted resources in the initiation phase is that the contractors may have a vested interest in reaching conclusions that will result in more work for the contractor.
A contractor may be responsible for supporting the project sponsor or the project team in all of their activities. Contractors may also consult with the Steering Committee or support the IT auditor by reviewing or evaluating the feasibility study. In any case, the organization's interests can be protected by rigorously defining the contractor's role, responsibility, and authority.
The responsibility for using contractors can reside with the steering committee, project sponsor, or project steering committee. It will depend on the nature and extent of the proposed use of the contractor, and the signing authority of the internal personnel. The analysis to determine whether or not a contractor should be used is included in the alternatives analysis, feasibility study, risk analysis, and cost/benefit analysis.