
SYSTEMS AUDIT

SYSA – 410
Lecture Five

Lewis Msosa, MSc Computer Science

Intended learning outcomes
• By the end of this lecture, you should be able to:
• Address business application development and systems.
• Discuss forms of software organisations and alternative development methods.

Introduction
• This lecture discusses business application development and systems by
addressing how a system is developed and change controls.

• Alternative forms and auditing application controls are also addressed in this
lecture.

Developing a system
• The process of developing a computer system is referred to as the Systems Development Life
Cycle (SDLC).
• Steps followed in this process:
• Analyse
• Design
• Code
• Test
• Retest
• Redesign
• Reset
• Run
• Audit

Developing a system cont’d
• There are various forms of the SDLC, but overall it splits tasks into the following:
• Feasibility study
• Outline design
• Detailed design
• Code, tests, and implement
• Conversion
• Installation
• Post-implementation review

Change control
• Change control’s objective is to manage and control risk

• It is meant to ensure that:


• All changes are authorised

• All authorised changes are made

• Only authorised changes are made

• All changes are specified

• All changes are cost effective

Causes of maintenance due to change controls
• New requests from users and managers

• Bugs or errors in the program

• Technical and hardware problems

• Corporate mergers and acquisitions

• Governmental regulations that require changes in the program

Why do systems fail
• Poor support from management.

• Poor staff attitude.

• Unclear business objectives and inadequate capital/investment, including in IT.

• Management and users unclear about their needs.

• IT personnel unfamiliar with user needs.

Auditor’s role in systems development

• An auditor needs to make sure that controls within the project management are
adequate, and to provide assurance that the system delivers as required and
that business control processes have been incorporated in the design of the
new/amended system.

Information system vendors
• System acquisition usually requires purchasing, leasing or renting computer
resources from IS vendors.

• Acquiring IT resources such as software still needs active involvement from the user.

Advantages of acquiring IT resources
• Lower cost

• Less risk

• High quality

• Less time

• Fewer resources needed

Request for information
• The initial stage in system acquisition is issuing a Request for Information (RFI).

• The RFI is issued early in the overall development process to gather
information on the currently available products when the acquisition of
an external package is being considered.

Requirements definition
• This is the second stage following a successful RFI.

• It defines the functional requirements of the proposed system in sufficient detail
to facilitate selection of the appropriate package.

Request for proposal
• The third stage in system acquisition is a request for proposal.

• The request for proposal is then sent to a vendor to elicit bids for any of delivery,
tailoring and implementation of the packaged solution.

Installation
• Once the contracts have been signed by both parties, it is expected that the
package will be delivered and installation will happen as a matter of course.

System maintenance
• System maintenance involves checking, changing and enhancing the system to make it
more useful in achieving user and organisation goals.

• Some causes of program maintenance are:

• New requests from users and managers

• Bugs or errors in the program

• Technical and hardware problems

System maintenance review
• This is the process of analysing existing systems to ensure they are operating as intended;
it may be event- or time-driven.

• Some of the factors to be considered in conducting system reviews include:


• Response time

• Training

• Reliability

• Mission

• Goals and objectives

What are systems
• A system is defined as a set of elements that interact to accomplish goals and
objectives.

Characteristics of a system
• Accuracy
• Completeness
• Economy
• Reliability
• Relevance
• Simplicity
• Timeliness
• Verifiability

Classification of systems
• Simple vs complex

• Open vs closed

• Stable vs dynamic

• Adaptive vs non-adaptive

• Permanent vs temporary

Conclusion
• The overall concept of an SDLC process is addressed.

• All the tasks that are important in developing or acquiring a system are looked
at from an IT audit perspective.

End of Lecture

• Thank you!
