Auditing in CIS

Environment

From: Laiza Cristella J. Saray

BSA - 3 (C - 2021-0495)

To:Mrs. Myka Bianca T. Geraldino

 Chapter 5

Auditing Systems Development and Program Change Activities

Instructions: In this assignment, you will explore the auditing aspects

related to systems development and program change activities in a Computer

Information Systems (CIS) environment. Please follow the instructions below to

complete the assignment.

Part 1: Research

1.Define the role of auditing in a Computer Information Systems (CIS) environment.

Explain why auditing is essential for ensuring the integrity and security of information systems.

Answer: Auditing in a Computer Information Systems (CIS) environment involves

the systematic examination of the controls, processes, and operations within an information

system to ensure compliance, accuracy, and security. The primary objective of auditing in this

context is to evaluate the effectiveness of internal controls, identify weaknesses or

vulnerabilities, and provide recommendations for improvement. Auditing helps in verifying that

the information systems are operating as intended, data integrity is maintained, and security

measures are adequate to protect against unauthorized access or breaches. Additionally, auditing

ensures regulatory compliance and helps in detecting and preventing fraud or misuse of

information resources. Without auditing, there's a risk of undetected errors, security breaches, or

compliance failures, which can lead to significant financial losses, reputational damage, or legal

consequences for organizations.

 2. Identify and explain at least three key audit procedures that can be applied

specifically to systems development activities in a CIS environment.

Answer:

Review of Documentation - Auditors can examine the documentation related to

systems development activities, including project plans, requirements specifications, design

documents, coding standards, and testing protocols. This review helps in assessing whether

proper procedures are followed, requirements are adequately captured, and development

activities are conducted in accordance with established guidelines.

Code Review - Auditors can conduct a detailed review of the source code to identify

potential vulnerabilities, coding errors, or deviations from coding standards. This process

involves analyzing the logic, structure, and security aspects of the code to ensure that it meets the

intended functionality and adheres to best practices.

Testing Validation - Auditors can evaluate the effectiveness of testing procedures

implemented during systems development. This involves reviewing test plans, test cases, and test

results to ensure comprehensive coverage of system functionalities, identification of defects or

anomalies, and validation of system performance against specified requirements. Additionally,

auditors can assess the adequacy of regression testing to ensure that system changes do not

introduce unintended consequences or regressions.

3. Discuss the concept of change management in the context of auditing. Why is it

crucial for auditors to monitor program changes in information systems?

Answer: Change management refers to the process of controlling and managing

changes to information systems, including updates, modifications, or enhancements. In the

context of auditing, change management is crucial because any alterations to the system can
impact its integrity, security, and compliance. Auditors need to monitor program changes to

ensure that proper controls are in place to manage the entire change lifecycle, from initiation to

implementation and post-implementation review. This includes assessing the authorization

process for changes, evaluating the impact analysis conducted before implementing changes,

verifying that changes are tested adequately before deployment, and ensuring proper

documentation and tracking of changes for audit trail purposes. Failure to effectively manage

program changes can lead to unauthorized modifications, introduction of security vulnerabilities,

or disruptions to system functionality, jeopardizing the reliability and effectiveness of

information systems. Therefore, auditors play a critical role in overseeing change management

processes to mitigate risks and maintain the integrity and security of information systems.

Part 2: Case Study Analysis

Read the following case study and answer the questions that follow:

Case Study:

Company ABC is a financial services firm that is undergoing a major software upgrade to

enhance its online banking platform. As part of the upgrade, several program changes are being

implemented to improve the user experience and security features.

Questions:

1. As an auditor, what specific aspects of the software upgrade project would you

focus on to ensure compliance, security, and data integrity?

Answer:

Compliance
 Ensure that the software upgrade adheres to regulatory requirements such as data

protection laws, industry standards and internal policies.

Security

Evaluate the security measures implemented in the upgraded platform, including

encryption protocols, access controls, authentication mechanisms, and vulnerability assessments

to safeguard customer data and prevent unauthorized access.

Data Integrity

Assess the data migration processes to verify the accuracy and completeness of

transferred data, ensuring that no data loss or corruption occurs during the upgrade. Validate the

integrity of critical financial data and transaction records post-upgrade.

2. How would you verify that proper change management procedures are followed

during the software upgrade process?

Answer:

Documentation Review

Examine change request forms, change management policies, and procedures to

ensure that all changes are authorized, documented, and tracked throughout the upgrade process.

Change Impact Analysis

Verify that comprehensive impact assessments are conducted before implementing

changes to assess potential risks, dependencies, and implications on system functionality,

security, and performance.

Testing Validation
 Review test plans and results to confirm that adequate testing is performed at various

stages of the upgrade, including unit testing, integration testing, and regression testing, to

mitigate the risk of introducing defects or disruptions.

3. Discuss the potential risks associated with program changes in the context of

financial services, and suggest mitigation strategies that auditors can implement.

Answer:

Data Breaches

Risk of unauthorized access or data breaches due to security vulnerabilities

introduced during the upgrade.

Mitigation: Implement robust security measures, conduct penetration testing, and

deploy intrusion detection systems to detect and prevent security breaches.

System Downtime

Risk of service disruptions or downtime during the upgrade, impacting customer

access to online banking services.

Mitigation: Develop a comprehensive rollback plan, conduct the upgrade during off-

peak hours, and communicate with customers about scheduled maintenance windows to

minimize inconvenience.

Regulatory Non-Compliance

Risk of non-compliance with regulatory requirements, leading to penalties or legal

consequences.

Mitigation: Conduct regular compliance audits, stay updated with regulatory changes,

and involve legal counsel in reviewing software upgrades to ensure adherence to applicable laws

and regulations.
 By focusing on these aspects and implementing appropriate verification and

mitigation strategies, auditors can help ensure the successful execution of the software upgrade

project while maintaining compliance, security, and data integrity in the financial services

environment.