The IT Audit Professional will find that this phase includes the procedures for developing and testing the new or modified application. The implemented programs should be based on the detailed design and program specifications prepared in the system design phase. If the design is done correctly, the development phase should not be difficult. If there are gaps in the specifications, they will have to be filled during the development phase.
The gaps have to be filled because programming is very detailed and requires that almost every design decision be made before the code can be written. In other words, the IT auditor should confirm that either the development methodology or the specific application fully comprehends the design specifications, and that documentation and training provide for a usable and maintainable system.
The IT Audit Professional accomplishes these objectives by evaluating programming phase documentation. To do this, the auditor must understand the system development methodology, the documents that are produced by that methodology, and the flow in which the documents are produced. The documents produced during this phase vary among methodologies. Even the same methodology can be implemented differently among two or more companies and thus produce different documents.
Programming is the process of implementing the detailed design specifications into program code. The process of converting specifications to executable code depends heavily on the quality of the program definition. If the application is well defined, programming is not technically complex.
Most system development methodologies clearly define how systems move from the definition phase to the programming phase. In fact, most IT professionals are well trained in programming, but few have extensive training in definition and design skills. Therefore, the IT auditor finds that programming is frequently the best specified and most mastered skill.
The application developers may also begin to develop end-user and maintenance manuals during this phase, as well as a preliminary installation plan. The preliminary installation plan specifies the approach and other details of the application installation.
Participants and Their Tasks
The IT auditor is likely to find that the programming phase includes the same participants that were in the definition phase. The responsible participants and their functions during this phase include the following:
Senior Management. Approves the updated project plan to advance to the programming phase, in consultation with the sponsor and other participants.
Project Steering Committee. Approves the updated project plan to advance to the programming phase, in consultation with the sponsor and other participants. Approves the revised project plan; revised validation, verification, and testing plan and specifications; user manual; operations and maintenance manual; and installation and conversion plan. The sponsor/user also updates the system decision paper and initiates user training.
Project Sponsor/Project Team. Updates the project plan; revises the validation, verification, and testing plan and specifications; develops the user manual, operations and maintenance manual and the installation and conversion plan. The project manager is also responsible for programming and testing.
Security Specialist. Reviews the user manual, operations and maintenance manual, installation and conversion plan, and revised validation, verification, and testing plan and specifications.
Quality Assurance Specialist. Reviews the program definition, program code, documentation, and training for compliance with design and DP standards.
The IT auditor is likely to find three new deliverables developed by the end of this phase, along with one or more revisions to existing deliverable documents. The three new documents produced during this phase are:
The IT Audit Professional faces two challenges in the programming phase. The first is determining if the application as programmed is consistent with the definition. The second is to review the control over changes made to the definition or other changes made during the programming effort.
Reviewing Definition Phase Output. The IT Audit Professional will probably find that the size and detail of the deliverables increase as the project progresses. The definition document review is significantly more time-consuming than the initiation phase review.
The IT auditor must therefore focus on the most important elements of the security- and control-related specifications and the verification and testing specifications. The security and control review should emphasize the adequacy of those elements.
Evaluating Security and Control. The auditor should identify the nature and extent of the risks faced by the system, along with the compensating controls, and then attempt to evaluate the adequacy of those controls in terms of meeting their objectives. The auditor's opinion is based on this assessment.
The verification and testing plan provides the standards against which the IT Auditor evaluates the implementation and defines the tests for evaluating controls. This document indicates how the project team plans to implement the application controls.
The IT Audit Professional has the information on controls as defined and programmed, which precisely defines how the controls should be implemented. This provides the information the auditor requires for conducting the programming review.
Reviewing Programming Phase Plans. The IT Auditor should review programming phase plans, paying particular attention to the flexibility in the planned deadlines. The programming phase is the one most likely to be beset by problems or unexpected situations that require additional time to resolve.
Project plans that include hard deadlines with little or no flexibility may have to be compromised to meet those dates. If the project is late going into the programming phase with hard deadlines, it becomes likely that one or more of these compromises will occur.
One of the frequently compromised areas is the programming of security and controls. Compromises in this particular area may not appear to directly affect the application's functionality, which is why they are made. The application may very well produce the desired reports, but not in a controlled manner.
The IT auditor should attempt to determine whether the project plans are sufficient to ensure that the appropriate security and control features are properly implemented. The project plan should indicate who is responsible for these controls, along with a description of how they are to be implemented.
Gathering Information for the Review. The IT auditor should attempt to gather the information that should be included in one or more of the following deliverables. As with the other stages, the existence and quality of the information is much more important than the names or number of deliverable documents: