The IT auditor's initial evaluation involves four steps. First, the auditor must review the output documents produced in the previous phase, together with the appropriate audit workpapers. Second, the auditor must review and become familiar with the plans for completing this phase.
Third, the auditor gathers the documentation produced during this phase and compares actual progress against the plan. Finally, the auditor must verify the documents produced during this phase by challenging and analyzing them and by interviewing the participants in the phase. The specific work within these four tasks depends on the customized audit objectives selected for this phase.
Reviewing Initiation Phase Output. The IT auditor should review all initiation phase deliverables. The key deliverable is the one used to support the decision to perform the project because it should include much of the information from all of the deliverables. The auditor should refer to the other documents, as appropriate, to get more detailed information.
The IT auditor should review the audit workpapers prepared during the initiation phase in order to become reacquainted with the deficiencies and recommendations from the initiation phase. The auditor should ensure that these items either have been, or are being, reasonably and adequately addressed during the definition phase.
One of the major audit tasks in each review phase is to evaluate the adequacy of the actions taken on the deficiencies and recommendations from the previous phase.
Reviewing Definition Phase Plans. The IT auditor should review the plans for the definition phase as part of the planning for the audit procedures in this phase. The auditor should be aware that the plans may be written or they may be maintained in automated scheduling and project management systems. The auditor may choose to have the plans printed or to review the plans online.
Reviewing plans online does not compromise the audit, although the IT Audit Professional will need to print those items the auditor considers necessary to support, in the workpapers, the conclusions reached.
Evaluating the Definition Phase Status. The IT auditor should monitor the project status to remain aware of developments in the project and to determine when reviews should occur. This can be done by contacting key participants, reviewing written status reports, or querying automated project status systems.
The IT auditor should consider which elements of the project need to be monitored. One aspect is the project's administrative status, consisting of its budget and schedule. This is necessary to determine where the project stands and when it will be available for review.
Another aspect is the status of the definition phase documentation. If the schedule and budget are tight, the project team may decide to omit certain parts of documents in order to stay on schedule. If this is done, the auditor should note the missing items as project deficiencies. A final example is determining the status of any changes that have been approved up to the point of the review.
Verifying the Status of the Definition Phase. The IT auditor's procedures for this task involve following up on the key elements and observations from the prior step of determining the current status of the project. These procedures will most likely emphasize interviewing the personnel responsible for developing the deliverable, or for providing the information that was included in it.
The document flow for the definition phase is determined by the development methodology. The project plan specifies the strategy for managing the software development process and indicates how the system will be certified before installation and operation.
The project plan is used to develop the functional requirements document, the security and control requirements, and detailed data requirements mentioned earlier in this section. The preparation of these documents is likely to require extensive interaction among the responsible participants, which is a significant portion of the value of the documents. The cooperation required to produce the documents is only a small portion of the cooperation required to make the project a success.
All documents developed during this phase, or some portion of them, should be used by appropriate members of the development team to update the overall project plan. The auditor should review the overall project plan to determine if it is current and complete.
Although the IT auditor has an interest in the updated project plan, it is more important to the project steering committee or senior management. At this point in the cycle, one of these parties should be deciding whether to continue the project into the next phase, cancel the project, or propose modifications to it. This decision may cause part or all of the initiation and definition phases to be repeated.
The IT Audit Professional has two major concerns regarding the participants responsible for the definition phase. First is that the appropriate individuals participate, and second is that they participate effectively in the process. The auditor should address these concerns by identifying the participants and the roles and responsibilities of those individuals.
The IT auditor might consider the following descriptions of possible participants and questions the auditor might ask them.
Senior Management. If senior management approval was required, was it obtained before commencing the definition phase?
Project Steering Committee. The approval of the committee should have been obtained before commencing the definition phase.
Project Sponsor/Project Team. These are the participants responsible for either updating or preparing the definition phase deliverables.
Security Specialist. Has this specialist reviewed security and control components of the project plan, functional requirements document, or the data requirements document?
Quality Assurance Specialist. Has this specialist provided consultation on, and review of, the system's security and internal control components of the project plan, functional requirements document, and data requirements document?
IT Audit Professionals should attempt to identify specific user needs that can be traced to the functional definition, along with the security and control requirements. This involves creating a set of specific audit objectives for the definition phase. The auditor's involvement in the definition phase depends in part on a series of factors that can cause the system to have a greater impact on the company.
The IT auditor will find that the better controlled the development methodology is, the less likely it is that the auditor will have to be involved in each project, or in each phase of each project. Conversely, the greater the number of factors that can hinder the project's success, the greater the need for audit involvement during this phase. This involvement should be reflected in the customization of the audit objectives.
The IT auditor is responsible for two aspects of verifying documents. First, the auditor must ensure that the documents are prepared in accordance with the system development methodology. Second, the auditor should determine whether information transferred between documents is accurate.