The IT Audit Professional may need to make adjustments to the audit objectives, depending on the design methodology used or other issues that may have arisen during the procedures up to this point in the process.
Development Methodology Audit Considerations. The IT auditor may customize the two audit objectives for this phase based on one or more of the following factors.
First, the status of design up to this point must be considered. The fewer problems involved in this application, the less need there is for audit attention during this phase. Second, the design methodology used must be noted. Audit involvement changes significantly, depending on whether the software is developed in-house, contracted, or purchased, as follows:
Third, the IT Audit Professional should consider technology integration factors. During the implementation phase, the risk attributes of technology integration can be reassessed to evaluate the implementation risk. The greater the risk, the greater the need for audit attention in this phase. The technology integration attributes that must be considered in evaluating the scope and objectives of audit work include:
During detailed audit testing, the IT auditor should evaluate the adequacy of the programming effort by reviewing the test results. First, the auditor should evaluate the results of quality assurance reviews of testing efforts.
The results of this evaluation determine the effectiveness of the quality assurance department's reviews and thereby affect the nature and extent of audit procedures in this phase. If no effective quality assurance function exists, and there is no provision for another project participant to assume those responsibilities, then the IT auditor may be asked to evaluate the adequacy of testing efforts.
Second, the IT auditor may evaluate the adequacy of documentation: user, programming, maintenance, and installation manuals. Again, the auditor may review quality assurance efforts in these areas, but should try not to duplicate the work done by that function. If, however, there is no effective quality assurance function, and none of the other project participants assume those responsibilities, the auditor may be asked to substitute for the quality assurance specialist.
The IT Audit Professional should also develop a standard audit test program for the programming phase. The test begins by outlining the more common audit objectives. For each objective, the IT auditor is given one or more tests to perform, and for each test, one or more tools and techniques are suggested.
The result of the programming phase review should be documented and given to project management. Deficiencies and their potential effect on meeting the system mission should be reported to project management on a timely basis. Delays in submitting review reports can significantly increase the cost of correcting deficiencies.
Common Deficiencies. In the programming and testing phase, some deficiencies occur more frequently than others. The following deficiencies are among the more common ones for this phase.
Deficiencies in programming result in inaccurate or incomplete processing, which causes abnormal terminations in processing, resulting in reruns of processing and late delivery of output. Deficiencies not uncovered through operational controls result in improper processing by users.
In addition, deficiencies in documentation and training result in operational malfunctions and erroneous processing. These deficiencies can also result in uneconomical operations, because tasks must be performed several times to be performed correctly.
The IT Audit Professional should be able to quantify the impact of these potential deficiencies, and should demonstrate the potential adverse effects that can occur because of inadequate programming, documentation, and training.
In particular, the auditor should process test data to show that the system was not properly programmed to prevent erroneous processing, compare user and programmer documentation to identify discrepancies between these two critical documents, and compare user documentation with training documentation and instruction to identify inconsistencies.
The IT Audit Professional, at the end of the programming and training phase, should determine the nature and extent of the audit procedures to be performed. As with other phases, if only minimal problems are detected by the end of this phase, the auditor may not need to expend extensive effort in the evaluation and acceptance phase. Conversely, if the auditor suspects that there are potential weaknesses in the system, extensive audit involvement may be warranted during the next phase.
The IT auditor should also finalize any post-implementation audit programs, tools, and techniques during this phase. As the project sponsor is evaluating the system during the next phase, the auditor should be prepared to evaluate the audit program developed for use during operations. At a minimum, this audit program should include: