SOFTWARE IMPLEMENTATION AUDIT PROGRAM OVERVIEW

SOXMadeEasy.com

Organizations rely heavily on computer technology. There is a risk associated with the increased reliance on computer technology to perform daily transactions, and an even higher risk associated with new technology. It is important for any entity undertaking a software implementation to gain assurance that controls over computer security and computer operations are adequate and operate as designed. The way to gain that assurance is by following a detailed and well thought out audit plan. The Software Implementation Audit Program offered at http://soxmadeeasy.com/Implementation.html has been developed based on the IS Auditing Standards, the COBIT Framework, and the generally accepted auditing standards. It outlines audit procedures that should be performed during the pre- and post-implementation project phases as part of any software development and implementation project.

Project Phases covered in the audit program:
• Plan/Design (pre-implementation)
• Build/Develop/Test (pre-implementation)
• Go-Live/Deploy (post-implementation)

Pre-Implementation audit procedures:
Pre-implementation audit procedures are carried out during the design and development process rather than after the system has been rolled out into production. The scope of the pre-implementation audit includes an audit of the project management and system development process and an audit of the control framework being designed for the system. A pre-implementation audit is conducted because it is significantly more cost effective to correct weaknesses in the control framework during the design and development process than after implementation.

Post-Implementation audit procedures:
Adequate audit oversight during the design and development process does not eliminate the need for post-implementation audits, as there is no assurance that what was designed and installed is maintained and operates as intended. The post-implementation audit procedures outlined in this audit program are designed to ensure that the original requirements have been successfully implemented into production. The post-implementation assessment includes:
• The effectiveness of the system deployment after the system has been put in production;
• Ensuring the software implementation met its intended objectives and meets business and user needs;
• Ascertaining that the software is providing accurate and complete information;
• Ensuring that adequate controls are implemented and operate effectively.

~ Pre- and Post-Implementation Audit ~ Page 1

A comprehensive control framework is designed to assess all process areas considered critical for any software design and implementation project.

Process Areas covered in the audit program for each Project Phase:
• Project Management & Control
• Change Management & Control
• Access Security
• Segregation of Duties
• Business Process Controls
• Interfaces
• Data Conversion
• Information Technology - Logical Security Controls
• Information Technology - Physical Security Controls
• Infrastructure Security
• Privacy & Data Protection
• Business Continuity & Disaster Recovery

Link to the control framework:
The audit program contains a detailed overview of the recommended audit procedures to carry out as part of the pre- and post-implementation review of the information technology solution. Controls are designed based on the IS Auditing Standards, the COBIT Framework, and the generally accepted auditing standards.

Control framework overview:

• Project Management & Control - This control framework is developed to ensure that the system meets the expectations of data owners and management, and to track the progress and performance a project is making towards meeting its work plans so that appropriate corrective actions can be taken when the project's performance deviates from plan. Some of the items covered in the Audit Program:
− Scope of the implementation and the alignment with business & technical objectives.
− Business risks & impact of the software implementation.
− Project monitoring against the requirements.
and more.

• Change Management & Control - This control framework is developed to ensure that software is implemented in a manner that supports accurate, complete, and valid processing and recording of financial information, and that any errors identified through the course of testing are documented, reviewed, and appropriately resolved. Some of the items covered in the Audit Program:
− Monitoring to ensure the software implementation plan is followed.
− Procedures to ensure software is appropriately and sufficiently tested.
− Error resolution process.
− System acceptance criteria.
and much more.

• Access Security control framework - This control framework is developed to ensure that adequate access security controls are designed and implemented to enable restriction of access to programs, data, and other information resources and to safeguard against incomplete, inaccurate, or invalid processing or recording of financial information. Some of the items covered in the Audit Program:
− Governance concept over access security.
− Strategy over defining user responsibilities within the application and the definition of roles.
− Ensuring roles and profiles are designed based on business requirements and job functions.
− Ensuring that application security around roles is adequately tested.
and more.

• Segregation of Duties control framework - provides guidance that can be tailored to develop your company-specific control framework at the following levels:
− Conflict - to ensure adequate controls are developed to mitigate existing SOD conflicts.
− Role - to develop roles that meet the SOD rules designed by management.
− End-user - to develop procedures that ensure access to roles is granted on an as-needed basis.
The audit program contains a listing of critical SOD conflicts (over 400 conflicts) across the business cycles below to help you further tailor the audit program to suit your business requirements: Expenditure, Fixed Assets, Inventory, Payroll, Revenue, Treasury, Cash Management, Financial Accounting.

• Business Process control framework - business process controls are business- and application-specific and would have to be developed by your entity. However, the audit program contains a listing of audit procedures you will need to execute at each project phase after your control framework is developed. Some of the items covered in the Audit Program:
− Monitoring the implementation.
− Ensuring user requirements are met.
− Adequate end-user training.
and much more.

• Interfaces control framework - This control framework is developed to ensure that interfaces are designed and deployed in accordance with business requirements and operate as intended. The audit program is also designed to ensure that all pertinent data is extracted from the donor system(s) and accurately transferred into the recipient system(s). Some of the items covered in the Audit Program:
− Risks & design assessment of the interface control techniques.
− Ensuring completeness of the data transfer(s).
− Ensuring accuracy of the data transfer(s).
− Ensuring timeliness of the data transfer(s).
− Data validation between donor & recipient systems.
− Error resolution process.
and more.

• Data Conversion control framework - This control framework is developed to ensure that appropriate procedures for reconciliation, validation, error handling, user approval and acceptance of data into the production system are defined, and that all pertinent data is extracted from the donor system and converted to the new system completely and accurately. Some of the items covered in the Audit Program:
− Risks & design assessment of the data migration control techniques.
− Data validation procedures.
− Ensuring complete, timely and accurate conversion.
− Error resolution process.
and more.

• Logical Security control framework - This control framework is developed to ensure that adequate logical security controls are designed and operate effectively. Some of the items covered in the Audit Program:
− Password management functionality and other authentication mechanisms.
− Controls around privileged access to the implemented software.
− Safeguarding access to the implemented software using generic vendor IDs.
− Logging, monitoring and reporting of security events (i.e., intrusion detection, viruses).
and more.

• Physical Security control framework - This control framework is developed to ensure that adequate physical security controls are designed and operate effectively. Some of the items covered in the Audit Program:
− Access to the building and immediate surroundings of computer equipment.
− Authority to change physical access control mechanisms.
and more.

• Infrastructure Security control framework - This control framework is developed to ensure that the computer hardware required to support the implemented software is functional, maintainable, supportable, and adequately secured. Some of the items covered in the Audit Program:
− Technical infrastructure requirements to support the software implementation.
− Monitoring of systems performance reports.
− Technical support from outside contractors and/or vendors.
and more.

• Privacy & Data Protection control framework - The privacy control framework should be based on the specific Local, State, Federal, International, or Industry Specific compliance directives and regulatory standards (e.g. financial services institutions face the privacy provisions of the GLB Act; health insurers should comply with GLB, HIPAA, etc.). Included in the audit program is a sample framework that can further be tailored to suit your business requirements based on the privacy provisions your organization needs to comply with. Some of the items covered in the Audit Program:
− Assignment of responsibility and oversight for privacy and data protection.
− Notification and disclosure of privacy and data protection practices.
− Consent for the use of Personally Identifiable Information.
− Collection, use, storage and destruction of the Personally Identifiable Information.
− The quality of the Personally Identifiable Information.
− Disclosure of the Personally Identifiable Information.
− Safeguarding of the Personally Identifiable Information.
− Auditing and monitoring of privacy and data protection practices.
and more.

• Business Continuity & Disaster Recovery control framework - This control framework is developed to ensure that application data is appropriately managed to provide reasonable assurance that financial data remains complete, accurate, and valid during the implementation process, and that in the event of a disaster, essential business processes and information systems can be recovered. Some of the items covered in the Audit Program:
− Backups of application data, programs, & relevant system files prior to implementation.
− Rollback/failover procedures for the application data, programs and relevant system files.
− Strategy over backup retention.
− Assessment of backup and retained data readability.
− Strategy over maintaining compliance with the BCP and DRL plans.
and more.

Type of audit procedures covered in the Audit Program:
The Audit Program includes "key" and "Value Added" procedures.
• Key - key audit procedures are essential for the implementation to be successful. For entities subject to external audit review, key procedures are most likely to be audited as part of the audit procedures performed by your External Audit engagement team.
• Value Added - less critical, and likely to be scoped out by your External Audit engagement team. It is up to management to determine which "value added" procedures, if any, should be included as part of the pre- and post-implementation review.

Could work performed as part of this audit be leveraged (relied on) by the entity's External Audit function? Absolutely! The Audit Program outlines all audit procedures that would normally be subject to review by the public accounting firm. To optimize the efficiency and cost-effectiveness of the external review:
• Have a discussion with your external auditors. Clearly communicate that you intend to have strict oversight by your internal audit function during the software implementation project and would like them (your External Audit engagement team) to place reliance on your work. Inquire about their requirements, timeline, and the minimum degree of their involvement required to gain assurance in the quality of your work.
• Execute this audit program as described throughout the project lifecycle.
• (IMPORTANT!) Retain any documentary evidence obtained and reviewed as part of your assessment to share with your External Audit engagement team.

The audit program is available for purchase at http://soxmadeeasy.com/Implementation.html.
