The IT auditor is also responsible for obtaining an accurate and complete understanding of the project as well as the flow of documents and any other deliverables throughout the process.

Detailed Testing. The IT auditor should identify key control and process attributes of the definition phase and then test a sufficient number of those attributes to support the conclusions required to meet the audit objectives. The auditor should prepare a list of exceptions, deficiencies, and observations to provide to the appropriate project participants, along with any related recommendations for their consideration.

The auditor’s testing should be performed using a definition phase audit program. This program includes a potential set of objectives, key indicators for each objective, and the specific audit procedures, tools, and techniques that facilitate those tests.

The IT auditor can use the following paragraphs as a checklist for evaluating certain key elements of the development methodology.

The Project Plan. This should include a strategy for managing the software, goals, and activities for all phases and subphases, resource estimates for the duration of the system life cycle, intermediate goals, and methods for system development, documentation, problem reporting, and change control.

The Functional Requirements Document. This should include the proposed methods and procedures, a summary of improvements, a summary of security and control considerations, cost considerations, and alternatives. This document may also include qualitative and quantitative software functional requirements, the means by which the software functions satisfy performance objectives, what the performance requirements are, and an explanation of inputs and outputs.

The Security and Control Requirements Document. This should include the vulnerabilities identified during risk analysis and the established internal control and application control requirements.

The Data Requirements Document. This should include data collection requirements, logical groupings of data, the characteristics of each data element, and procedures for data collection. This area also includes descriptions for sensitive and critical data, which should include sensitive and critical types of data along with the degree of that sensitivity.

AUDIT RESULTS AND REPORTING

The IT auditor should develop a list of findings and recommendations at the end of this phase, just as was done at the end of the initiation phase. It is possible for there to be many more findings than recommendations, as the auditor may conclude that some of the findings either are not material, or do not warrant a recommendation.

There are certain deficiencies that are common to many situations, some of which are presented below:

  Unrealistic estimates of the resources and time required to implement the system
  Poorly developed requirements that do not support a decision to move onto the next phase of systems development
  Incomplete input requirements that will make it difficult to properly develop the application
  Incomplete output requirements that can make system development impractical and uneconomical
  Incomplete processing specifications that do not clearly indicate how inputs should be converted into outputs
  Potential system failures and appropriate responses that are not well defined, and appropriate recovery techniques that are not properly developed
  Undefined service levels that could result in a system that does not have the necessary processing capacity to handle the system requirements
  Security and control requirements that have not been fully defined, which may lead to the application not including adequate security and controls

The IT Audit Professional is reminded that problems inadequately addressed in the definition phase can escalate costs throughout the remainder of the system development process. Implementing elements omitted from the requirements definition may cost between 10 and 100 times more than addressing the same problem in definition. This adds a responsibility for the auditor to not only identify the deficiencies but also to estimate the impact of those deficiencies on the organization. The impact of definition phase deficiencies can be estimated in two ways.

First, the IT auditor can estimate the actual cost of the deficiency itself. For example, the lack of controls can result in the loss of assets in the operational system. Second, the auditor can estimate the escalating cost of fixing definition problems. The informal rule is that for each unit of work needed to fix a deficiency during the definition phase, ten units of work will be needed to fix it during the test phase, and 100 units of work once the system is placed into operation.

CONFIRMING THE AUDIT STRATEGY

The IT Audit Professional should reassess the audit strategy for the rest of the project based on the findings and recommendations during the current phase. The IT auditor’s plan should be based on one or more of the following objectives, which should confirm that systems and applications:

  Carry out the policies that management has prescribed for them
  Provide the controls and audit trails needed for management, auditor, and operational review
  Include the controls necessary to protect against loss or serious error
  Are efficient and economical in operation
  Conform to legal requirements
  Are documented in a manner that provides the understanding of the system required for appropriate maintenance and auditing
