Auditing in

CIS
Environment

From: Laiza Cristella J. Saray

BSA - 3 (C - 2021-0495)

To:Mrs. Myka Bianca T. Geraldino

 Chapter 5

Auditing Systems Development and Program Change Activities

Instructions: In this assignment, you will explore the auditing aspects related to systems

development and program change activities in a Computer Information Systems (CIS)

environment. Please follow the instructions below to complete the assignment.

Part 1: Research

1.Define the role of auditing in a Computer Information Systems (CIS) environment. Explain

why auditing is essential for ensuring the integrity and security of information systems.

Answer: Auditing in a Computer Information Systems (CIS) environment involves the

systematic examination of the controls, processes, and operations within an information system

to ensure compliance, accuracy, and security. The primary objective of auditing in this context is

to evaluate the effectiveness of internal controls, identify weaknesses or vulnerabilities, and

provide recommendations for improvement. Auditing helps in verifying that the information

systems are operating as intended, data integrity is maintained, and security measures are

adequate to protect against unauthorized access or breaches. Additionally, auditing ensures

regulatory compliance and helps in detecting and preventing fraud or misuse of information

resources. Without auditing, there's a risk of undetected errors, security breaches, or compliance

failures, which can lead to significant financial losses, reputational damage, or legal

consequences for organizations.

2. Identify and explain at least three key audit procedures that can be applied specifically to

systems development activities in a CIS environment.

Answer:

a. Review of Documentation - Auditors can examine the documentation related to systems

development activities, including project plans, requirements specifications, design

documents, coding standards, and testing protocols. This review helps in assessing

whether proper procedures are followed, requirements are adequately captured, and

development activities are conducted in accordance with established guidelines.

b. Code Review - Auditors can conduct a detailed review of the source code to identify

potential vulnerabilities, coding errors, or deviations from coding standards. This process

involves analyzing the logic, structure, and security aspects of the code to ensure that it

meets the intended functionality and adheres to best practices.

c. Testing Validation - Auditors can evaluate the effectiveness of testing procedures

implemented during systems development. This involves reviewing test plans, test cases,

and test results to ensure comprehensive coverage of system functionalities, identification

of defects or anomalies, and validation of system performance against specified

requirements. Additionally, auditors can assess the adequacy of regression testing to

ensure that system changes do not introduce unintended consequences or regressions.

3. Discuss the concept of change management in the context of auditing. Why is it crucial for

auditors to monitor program changes in information systems?

Answer: Change management refers to the process of controlling and managing changes to

information systems, including updates, modifications, or enhancements. In the context of

auditing, change management is crucial because any alterations to the system can impact its

integrity, security, and compliance. Auditors need to monitor program changes to ensure that

proper controls are in place to manage the entire change lifecycle, from initiation to

implementation and post-implementation review. This includes assessing the authorization

process for changes, evaluating the impact analysis conducted before implementing changes,

verifying that changes are tested adequately before deployment, and ensuring proper

documentation and tracking of changes for audit trail purposes. Failure to effectively manage

program changes can lead to unauthorized modifications, introduction of security vulnerabilities,

or disruptions to system functionality, jeopardizing the reliability and effectiveness of

information systems. Therefore, auditors play a critical role in overseeing change management

processes to mitigate risks and maintain the integrity and security of information systems.
Part 2: Case Study Analysis

Read the following case study and answer the questions that follow:

Case Study:

Company ABC is a financial services firm that is undergoing a major software upgrade to

enhance its online banking platform. As part of the upgrade, several program changes are being

implemented to improve the user experience and security features.

Questions:

As an auditor, what specific aspects of the software upgrade project would you focus on to

ensure compliance, security, and data integrity?

Answer:

a. Compliance
 Ensure that the software upgrade adheres to regulatory requirements such as data

protection laws, industry standards and internal policies.

b. Security

Evaluate the security measures implemented in the upgraded platform, including

encryption protocols, access controls, authentication mechanisms, and vulnerability

assessments to safeguard customer data and prevent unauthorized access.

c. Data Integrity

Assess the data migration processes to verify the accuracy and completeness of

transferred data, ensuring that no data loss or corruption occurs during the upgrade.

Validate the integrity of critical financial data and transaction records post-upgrade.

How would you verify that proper change management procedures are followed during the

software upgrade process?

Answer:

a. Documentation Review

Examine change request forms, change management policies, and procedures to ensure that

all changes are authorized, documented, and tracked throughout the upgrade process.

b. Change Impact Analysis

Verify that comprehensive impact assessments are conducted before implementing changes

to assess potential risks, dependencies, and implications on system functionality, security, and

performance.

c. Testing Validation
 Review test plans and results to confirm that adequate testing is performed at various stages

of the upgrade, including unit testing, integration testing, and regression testing, to mitigate

the risk of introducing defects or disruptions.

Discuss the potential risks associated with program changes in the context of financial services,

and suggest mitigation strategies that auditors can implement.

Answer:

a. Data Breaches

Risk of unauthorized access or data breaches due to security vulnerabilities introduced during

the upgrade.

Mitigation: Implement robust security measures, conduct penetration testing, and deploy

intrusion detection systems to detect and prevent security breaches.

b. System Downtime

Risk of service disruptions or downtime during the upgrade, impacting customer access to

online banking services.

Mitigation: Develop a comprehensive rollback plan, conduct the upgrade during off-peak

hours, and communicate with customers about scheduled maintenance windows to minimize

inconvenience.

c. Regulatory Non-Compliance

Risk of non-compliance with regulatory requirements, leading to penalties or legal

consequences.
Mitigation: Conduct regular compliance audits, stay updated with regulatory changes, and

involve legal counsel in reviewing software upgrades to ensure adherence to applicable laws

and regulations.

By focusing on these aspects and implementing appropriate verification and mitigation

strategies, auditors can help ensure the successful execution of the software upgrade project

while maintaining compliance, security, and data integrity in the financial services

environment.