During the initiation phase, the need for an automated solution to a problem is identified, quantified, and confirmed. The person or team initiating a potential project should investigate alternative methods for satisfying the need and finally develop a recommendation for which alternative should be selected. The recommendation is presented to management, and if approved, the project continues through the remaining phases of systems development.
The IT auditor's primary objective during this phase is to ensure that the system need has been established and that the cost for satisfying that need is justified. The IT auditor reviews the initiation phase by examining the documents produced during that phase and by interviewing the initiation phase participants and other involved parties. If the review is done on a real-time basis, the result of the audit review of this phase may become input to the appropriate parties for determining whether or not to approve the initiation phase recommendation.
The initiation phase begins with the recognition of a problem and the identification of a need. During this phase, the need is validated and the exploration of alternative functional concepts to satisfy the need is recommended and approved. The decision to pursue a solution must be based on a clear understanding of the problem, a preliminary investigation of alternative solutions, and a comparison of the expected benefits versus costs (including design, construction, operation, and potential risks) of the solution. At this stage, the sensitivity of the data in the system should also be considered.
It is immaterial, during the initiation phase, whether the solution will be developed internally, contracted to be developed externally, or purchased from a software vendor. The objective of this phase is to consider alternative solutions that might satisfy the end user's need. This stage of the systems development life cycle methodology is not affected by the alternative approach chosen.
Likewise, the IT auditor should not vary the approach to the audit based on whether the application is purchased, developed internally, or developed externally.
The IT Audit Professional should now focus on the deliverable documents produced during the phase. Although the IT auditor will find that there are variations in the exact documents produced and their contents, it is possible to identify baseline examples. A number of these examples are described below.
The Needs Statement. This describes the deficiencies in existing capabilities, opportunities for increasing the effectiveness of existing capabilities, or completely new capabilities. The needs statement should also justify the exploration of alternative solutions.
The Feasibility Study. This provides an analysis of the objectives, requirements, and system concepts; an evaluation of alternative approaches, as identified in the needs statement, to achieve the objectives reasonably; and the recommendation of one of the alternatives.
The Risk Analysis. This identifies the system's internal control and security vulnerabilities; determines the nature and magnitude of associated threats to data and assets; and provides managers, designers, systems security specialists, and auditors with recommended safeguards to be included during the design, development, installation, and operation phases of new or modified systems.
The Cost/Benefit Analysis. This deliverable is intended to provide managers, end users, application developers, security specialists, etc., with cost and benefit information for decision-making purposes. This information should include the impact of security, privacy, and internal control requirements on that information, enabling the decision makers and the IT auditor to analyze and evaluate alternative approaches to achieving the objectives.
In preparing for the initiation phase review, the IT auditor must gain an understanding of the phase by gathering documentation and interviewing the appropriate personnel. Most of this can be done with the team established to implement the project. The tasks that must be completed during the audit survey are to study the initiation phase elements, review initiation phase plans, and other procedures as necessary.
Studying the Initiation Phase. The IT auditor should begin the review of the initiation phase by performing the following specific review tasks:
Reviewing Initiation Phase Plans. The IT auditor must become familiar with the problem that has been recognized. The plan to initiate the system should be reviewed to ensure that it will result in the type of deliverable documents described earlier in this section.
Evaluating the Status of the Initiation Phase. The IT auditor must gather status information in three areas. First, the auditor must determine whether the five initiation phase documents have been prepared and, if so, whether they have been prepared in accordance with the life cycle methodology.
Second, the IT auditor must determine whether the project is on time and needed tasks have been completed and, if not, when completion is expected.
Third, the auditor should identify any changes in the problem or need, and ensure that those changes have been properly incorporated into the documents developed during this phase.
The IT auditor should verify initiation phase information by reviewing the five documents mentioned earlier and interviewing the chief preparers about their exact role in preparing those deliverables. The project begins with the needs statement, which either includes or is supported by a needs validation and justification statement.
The project sponsor must in some manner be able to justify undertaking the initiation phase. The auditor must consider valid alternatives during this phase, even if they are not included in the deliverables.
The needs statement becomes the basis for a feasibility study and a risk analysis study. The objective of these parts of the initiation phase is to identify a proposed approach and its vulnerabilities. The risk analysis provides input to supplement the needs statement so that a cost/benefit analysis can be prepared. This document, in conjunction with the feasibility study document, provides the necessary information for management to decide either to initiate or continue the development or to take other appropriate actions.