The IT auditor is also responsible for obtaining an accurate and complete understanding of the project as well as the flow of documents and any other deliverables throughout the process.
Detailed Testing. The IT auditor should identify key control and process attributes of the definition phase and then test a sufficient number of those attributes to support the conclusions required to meet the audit objectives. The auditor should prepare a list of exceptions, deficiencies, and observations to provide to the appropriate project participants, along with any related recommendations for their consideration.
The auditor's testing should be performed using a definition phase audit program. This program includes a potential set of objectives and key indicators for each objective, along with specific audit procedures and the tools and techniques that facilitate those tests.
The IT auditor can use the following paragraphs as a checklist for evaluating certain key elements of the development methodology.
The Project Plan. This should include a strategy for managing the software, goals, and activities for all phases and subphases, resource estimates for the duration of the system life cycle, intermediate goals, and methods for system development, documentation, problem reporting, and change control.
The Functional Requirements Document. This should include the proposed methods and procedures, a summary of improvements, a summary of security and control considerations, cost considerations, and alternatives. This document may also include qualitative and quantitative software functional requirements, the means by which the software functions satisfy performance objectives, what the performance requirements are, and an explanation of inputs and outputs.
The Security and Control Requirements Document. This should include the vulnerabilities identified during the risk analysis, together with the established internal control and application control requirements.
The Data Requirements Document. This should include data collection requirements, logical groupings of data, the characteristics of each data element, and procedures for data collection. This area also includes descriptions for sensitive and critical data, which should include sensitive and critical types of data along with the degree of that sensitivity.
The IT auditor should develop a list of findings and recommendations at the end of this phase, just as was done at the end of the initiation phase. It is possible for there to be many more findings than recommendations, as the auditor may conclude that some of the findings either are not material, or do not warrant a recommendation.
There are certain deficiencies that are common to many situations, some of which are presented below:
The IT Audit Professional is reminded that problems inadequately addressed in the definition phase can escalate costs throughout the remainder of the system development process. Implementing elements omitted from the requirements definition may cost between 10 and 100 times more than addressing the same problem in definition. This adds a responsibility for the auditor to not only identify the deficiencies but also to estimate the impact of those deficiencies on the organization. The impact of definition phase deficiencies can be estimated in two ways.
First, the IT auditor can estimate the direct cost of the deficiency itself; for example, a lack of controls can result in the loss of assets in the operational system. Second, the auditor can estimate the escalating cost of fixing definition problems later. The informal rule is that for each unit of work needed to fix a deficiency during the definition phase, ten units of work will be needed to fix it during the test phase, and 100 units once the system is placed into operation.
The IT Audit Professional should reassess the audit strategy for the rest of the project based on the findings and recommendations from the current phase. The IT auditor's plan should be based on one or more of the following objectives, which should confirm that systems and applications: