Different life cycle methodologies produce slightly different documents. The information defined in these five documents can be consolidated into fewer documents or expanded into a greater number of documents. What is important to the IT auditor is that the information included in these five documents be developed during the initiation phase.

The auditor must ensure that all of the appropriate documents have been prepared and must determine the appropriate accumulation of information for the system decision paper to verify the correctness of that document. If the missing documents or document attributes are significant, recommend that the methodology be corrected to provide that missing information.

SETTING THE SCOPE FOR THE SDLC AUDIT

The IT auditor’s coverage will be affected by the development methodology utilized by the organization. The chosen methodology will include processes and activities that may be easy, difficult, or impossible to audit. The IT Audit Professional will determine the appropriate audit scope during and after the preliminary review of the development methodology, based on the knowledge and understanding gained during that preliminary review.

The IT auditor will follow up setting the audit scope by allocating staff resources and deciding what the timing of the review will be.

The IT auditor’s decisions will be influenced more by the perceived effectiveness of the development methodology than by its formality. While deliverables are necessary and critical at certain points in the systems development life cycle, all of the deliverables in the world are made meaningless by tolerated noncompliance with their preparation and use.

The audit scope decision is also likely to be affected by the results of prior audits. For example, if the IT auditor has found that the development process has been well controlled in the past, the auditor may choose to limit the nature, timing, and extent of the current procedures.

The IT Audit Professional may even choose to conduct one review focused exclusively on the work done by the quality assurance personnel. If an audit of their activities supports a conclusion that reasonable reliance can be placed on them, the IT auditor may conduct only those procedures needed to confirm that quality assurance activities are taking place as expected.

Assuming that the IT auditor will be reviewing the development methodology directly, the next audit step will be to interview the key participants in the initiation phase. The interviews will have two primary objectives: to determine whether the phase is ready to be audited, and to identify the specific contact personnel associated with particular audit steps.

The following list of interview questions and tasks may need to be adjusted by the IT auditor to meet the needs of a particular situation. The list is organized by project participant, with the questions that relate to each party grouped under that participant.

Project Sponsor.

1.  Has the needs statement been developed?
2.  Has the project sponsor confirmed or validated the needs?
3.  What direction did the sponsor provide to the personnel preparing the feasibility study, risk analysis, and cost/benefit analysis?
4.  Has a project team been established?

Project Team.

1.  Has the project team completed their development of the feasibility study, risk analysis, and cost/benefit analysis?

Information Technology Manager.

1.  How has the IT manager or designee participated in the initiation phase of the project?

Security Specialist.

1.  Has the security specialist been involved in the development of these deliverables on a continuing basis, or at least reviewed them before they were considered final?
2.  Were internal control considerations included in the security specialist’s review?

Quality Assurance Specialist.

1.  Has the quality assurance specialist reviewed (or will the specialist review) the initiation phase deliverables before they are presented to the appropriate managers and other company personnel?

The IT auditor should provide either a report or brief memorandum summarizing the work done through this point, important observations made, and recommendations if they are appropriate. If the IT auditor fails to provide this information, there is a chance that a project will be accepted and implemented when it should not have been.

CUSTOMIZING THE AUDIT OBJECTIVES

The IT Audit Professional will not normally be able to utilize any preset approach without modification. Most organizations will find a reason to make their approach just a little different from the standard approach. The following sections describe some of the changes companies make and discuss how the auditor might choose to adjust to each change.

The initiation phase is designed to fully develop the understanding of the problem or potential opportunity and to produce the data and information required to support effective decision-making within the organization. The decision to proceed with defining detailed requirements will be based on the information gathered to date, along with a recommendation from the project sponsor or from the project team, if one was assembled to support the development of the initiation documents.

Rather than produce two, three, or four distinct documents that lead to an organizational decision, the organization may choose to present all of this information in a single document. The IT auditor should not be particularly concerned about the number of documents prepared, but should concentrate on the content of those documents to ensure that they contain the necessary information with consistent quality.

The IT Audit Professional will find that the information needed for decision support is not always fully documented. Some organizations may utilize presentations to initiate projects, with the decision support information documented only on visual aids. In those instances, the IT auditor should attempt to be invited to the presentation.

A presentation is likely to include questions and other interaction with the attendees, and the IT auditor will find that subsequent conversations trying to find out what happened in the meeting will almost never convey the nuances and other intangibles that come through when you are present.

The IT auditor should include a review of the formal initiation phase deliverable or deliverables with other initiation phase procedures. The auditor should include a specific evaluation of the established need and the cost-justification for implementing an application to address that need.

There are several external considerations that can affect the nature, timing, and extent of the audit procedures. Some of those considerations are included in the following list:

1.  Laws, regulations, or other standards directing audit involvement in the computerized application
2.  Requirements included in contractual provisions defining the internal audit role during systems development
3.  The presence or absence of internal assessment groups (e.g., quality assurance or computer security officers) necessitating greater or lesser audit involvement
4.  Computerized applications that are administratively sensitive within the organization
5.  Resource constraints on the audit organization (e.g., the lack of budget, expertise, or tools to perform the function)

The Use of Contractors. Another discretionary factor is the potential use of contractors in the development effort. The difference the IT auditor must be most wary of, in situations where the company utilizes contracted resources in the initiation phase, is that the contractors may have a vested interest in reaching conclusions that will result in more work for the contractor.

A contractor may be responsible for supporting the project sponsor or the project team in all of their activities. Contractors may also consult with the Steering Committee or support the IT auditor by reviewing or evaluating the feasibility study. In any case, the organization’s interests can be protected by rigorously defining the contractor’s role, responsibility, and authority.

The responsibility for deciding to use contractors can reside with the steering committee, the project sponsor, or the project steering committee, depending on the nature and extent of the proposed use of the contractor and on the signing authority of the internal personnel. The analysis to determine whether or not a contractor should be used is included in the alternatives analysis, feasibility study, risk analysis, and cost/benefit analysis.