Are Samples or Examples Provided?

The primary benefit of having example documents is that they help ensure that the deliverables of each individual project are of the appropriate quality. A further benefit is that the systems audit professional can review the sample deliverables and use them to establish a benchmark for auditing the deliverables produced in specific systems development projects.

By reviewing the sample deliverables, the systems audit professional has the opportunity to form opinions and develop recommendations that could affect the deliverables on every active project and on all potential future projects. This may also support improved relations with internal customers, because a review of samples is impersonal, whereas a review of the deliverables of any particular project has a more direct impact on the information systems personnel involved.

What Compliance or Enforcement Method Is in Place?

Systems development life cycle deliverables, being closely associated with project milestones, are much more reliable when they are mandatory rather than optional. Many enterprises have not found it unreasonable to require a completed deliverable, including time for its review and approval, before any work on the next phase can begin. Without a requirement to produce the deliverable, there is a very clear risk that other priorities will displace it, or at least delay it to the point where it has little value beyond providing information about a phase long after that phase is over and the next one has begun.

What Procedures Have Been Established for Change Management?

Most IT Audit Professionals should be familiar with the phrase “program change controls,” which covers the identity of the persons capable of moving programs into the production environment and the procedures that are supposed to be followed when doing so. Program change controls originally had a very limited focus on one type of change within the Information Systems function.

Over time, this focus expanded to encompass all of the changes that could impact information systems, with an emphasis on the ones that could affect, or disrupt, the production environment on the system. This expanded focus is referred to as “change management.” Change management should cover any change within the information systems function that has the potential, directly or indirectly, to have a negative impact on the operating environment.

The IT Auditor is most likely to be concerned about the environmental impacts that could cause system functioning to be unexpectedly disrupted; ones that could cause existing approved programs to function in unexpected and potentially unauthorized ways; and ones that result in unauthorized programs being introduced into the systems environment and then functioning in an unauthorized fashion.

Maintenance Procedures for Emergency Situations

In every situation, whether applications are completely custom coded or are purchased and processed without any customization or changes, the IT Auditor should not forget that applications can fail without warning and require immediate attention to resume normal processing. This attention, or maintenance, is therefore usually performed on very little notice, in isolation, and in violation of the standard program change control procedures.

The IT Auditor should determine whether there are procedures for flagging emergency maintenance situations and for requiring the subsequent performance of at least the most critical control procedures. Requiring these subsequent control procedures is an attempt to limit the organization’s risk from an unauthorized change made during emergency maintenance.

The risk is limited because the person who made the change can be readily identified if a subsequent problem or unauthorized processing cycle occurs in the system.

Are Post-implementation Reviews Conducted?

The post-implementation review can be a very effective technique, with total quality and continuous improvement benefits, if it is done in a positive way. Conducting it in a positive fashion protects individual personalities and gives people a chance to get the information they need to do better during the next systems development life cycle project.

“Better” can be defined in several contexts, some of which are described in the following list, which is not meant to be all-inclusive:

  a more effective and efficient systems development life cycle project
  higher quality deliverables
  reduced development costs
  shorter total life cycle time

This is about the extent of the review that should be done as part of the initial assessment of general system controls. The next chapter goes into additional detail for an IT Auditor reviewing a classical systems development life cycle methodology, which is considered to be the most extensively controlled methodology currently in use.

GENERIC DOMESTIC COMPANY
CAPITAL EXPENDITURE REQUEST

Office use only: ____________

Requester: ____________   Department: ____________   Phone: ____________   Date: ____________
Change requested: ____________
Reason/justification: ____________
Approval: ____________   Date: ____________

TECHNICAL EVALUATION
Cost: ____________   Personnel: ____________
Hours: ____________   Other: ____________
Comments: ____________
Approval: ____________   Date: ____________

END USER ACCEPTANCE
User: ____________   Date: ____________

FINAL ACTUAL DATA
Budget hours: ____________   Budget cost: ____________
Actual hours: ____________   Actual cost: ____________