Information Technology Auditing and Assurance James Hall, 4e

This document discusses key topics related to information technology auditing and assurance, including: - The importance of strategic system planning and cost-benefit analysis when acquiring new information systems. Commercial software options have advantages like lower costs but also disadvantages like lack of flexibility. - Key parties involved in systems development include analysts, end users, and stakeholders. Well-designed systems can increase productivity and efficiency. - Methods of acquiring systems include commercial purchases and in-house development. Factors driving commercial software growth include lower costs and demand from smaller businesses. - The document then outlines the systems development life cycle (SDLC) process, including planning, analysis, design, implementation, and maintenance phases. Activities like needs

o Be able to identify the stages in the systems development life
cycle (SDLC).
o Understand the importance of strategic system planning.
o Be able to identify and discuss the major steps involved in a
cost-benefit analysis of proposed information systems.
o Understand the advantages and disadvantages of the
commercial software option, and be able to discuss the
decision-making process used to select commercial software.
o Be familiar with different types of system documentation
and the purposes they serve.
o Understand the risks, controls, and audit issues
related to systems development and maintenance
procedures.
System Professionals
• Analysts, engineers, database designers and programmers.

End users:
• Managers, operations personnel from various functional areas,
including accountants.
Stakeholders
• Individuals with an interest in the system who are not formal end
users.
• Includes steering committee and both internal and external
auditors.
o A well-designed system can increase productivity, reduce
inventories, eliminate non-value-added activities,
enhance customer service, improve management
decisions, and coordinate organizational activities.

METHODS OF ACQUIRING AN INFORMATION SYSTEM:

• Commercial purchase
• In-house development


Four factors have contributed to the growth
of the commercial software market:
• Relatively low cost of general-purpose software
• Industry-specific vendors
• Growing demand from businesses too small to
afford in-house development
• Downsizing of units and the move to distributed data
processing have increased the appeal to larger
organizations

Turnkey systems are finished, tested
and ready for implementation.
General accounting systems
• designed to serve a wide variety of user needs
• Designed in modules that include AP, AR, payroll, inventory, GL,
financial reporting and fixed asset
Special-purpose systems
• target specific segments

Office automation systems
• improve productivity
• Word processing, spreadsheet, desktop publishing
Backbone systems
• provide a structure to build on, with primary processing modes
programmed.
Vendor-supported systems
• custom systems developed and maintained for the client
Advantages
• Can be implemented almost immediately once need is
recognized.
• Cost is a fraction of cost of in-house development.
• Reliability since software is pretested and less likely to have
errors than in-house systems.
Disadvantages
• Firm is dependent on vendor for maintenance.
• When user needs are unique and complex, software may be too
general or inflexible.
• May be difficult or impossible to modify if user needs change.

o Company may satisfy some needs with commercial
software and develop other systems in-house.
Objective: To link individual systems projects to the strategic
objectives of the firm.

Most firms establish a steering committee to provide
guidance and review project status.
• May include the CEO, CFO, CIO, senior management, internal
auditors, and external parties (consultants).
• Responsibilities include resolving system conflicts, reviewing projects
and assigning priorities, budgeting system development, and
determining whether or not to continue the project at various stages of
development.

Two Levels of System Planning: strategic system planning and
project planning.

Strategic System Planning

Involves allocation of resources at the macro level.

Time frame of 3 – 5 years with process similar to budgeting resources for
other strategic activities.

Technically not part of SDLC which pertains to specific applications.

Concerned with allocation of systems resources.

Four justifications:

• A changing plan is better than no plan.
• Reduces crises in systems development.
• Provides authorization control for SDLC.
• Systems planning tends to be a cost-effective means of managing systems
projects and application development.
Project Planning

Purpose is to allocate resources to individual
applications within the framework of the
strategic plan.
• Identifying user needs, preparing proposals, evaluating
proposals’ feasibility, prioritizing and scheduling.

Two formal documents

• Project proposal provides management with a basis for
deciding whether to proceed by summarizing findings
and outlining link between system and business
objectives of the firm.
• Project schedule represents management’s
commitment to the project.
Process to survey current system and analyze user needs.

Survey step has advantages and disadvantages:
• Usually involves a detailed system survey.
• Can result in current tar pit syndrome where analyst is “sucked-in” and
“bogged down” by the surveying task.
• Surveying system may stifle new ideas (thinking inside the box).
• Identifies aspects of old system that should be kept.
• Forces analysts to fully understand the old system which will be
required to convert to the new one.
• Analyst may determine root cause of problems, which may not
be the system at all.
SYSTEMS ANALYSIS – PHASE II

Survey Phase - Gathering Facts

• Data sources
• Users
• Data stores
• Processes
• Data flows
• Controls
• Transaction volumes
• Error rates
• Resource costs
• Bottlenecks
• Redundant operations
Fact-gathering techniques:
• Observation, task participation, personal interviews,
key document review.

Analyst is analyzing while gathering facts.

Systems analysis report:
• Presented to management or the steering committee.
• Provides survey findings, problems identified with old
system, user needs and new system requirements.
• Constitutes a formal contract that specifies the
objectives and goals of the system.
Purpose: to produce alternative systems that satisfy the
identified system requirements.

Structured design approach:
• Designs system from the top-down by starting with “big picture” and
gradually decomposing system into more detail until fully understood.
• Designs should identify all inputs, outputs, processes and special
features necessary to distinguish one alternative from another.

Object-oriented design approach (OOD):
• Builds information systems from reusable objects.
• Concept of reusability is central as standard modules can be used in
other systems with similar needs.
• Library of reusable modules results in less time, cost, maintenance,
and testing and improved user support and system flexibility.
Identify optimal solution from alternatives.

First step is a detailed feasibility study:
• Technical: Existing or new technology?
• Economic: Are funds available?
• Legal: Any conflicts with new system and legal responsibilities?
• Operational: Procedures and personnel compatible with new
system?
• Schedule: Is firm able to implement project in acceptable
amount of time?

Second step is a cost-benefit analysis:
• Identify both one-time and recurring costs, and both tangible
benefits and intangible benefits (which cannot be easily quantified).
• Compare costs and benefits.
ONE-TIME COSTS:
• Hardware acquisition
• Site preparation
• Software acquisition
• Programming and testing
• Data conversion (old to new system)
• Personnel training

RECURRING COSTS:
• Hardware maintenance
• Software maintenance contracts
• Insurance
• Supplies
• Personnel

TANGIBLE AND INTANGIBLE BENEFITS

TANGIBLE BENEFITS:
Increased revenue:
• Increase in sales in existing markets
• Expansion in other markets
Cost reduction:
• Labor reduction
• Operating cost reduction (supplies and overhead)
• Reduced inventories
• Less expensive equipment
• Reduced equipment maintenance

INTANGIBLE BENEFITS:
• Increased customer and employee satisfaction
• Current information and improved decision making
• Efficiency of operations and swift response to competitor’s actions
• Improved planning and better internal and external communication
• Operational flexibility
• Improved control environment
Compare costs and benefits:
• Net present value (NPV) method deducts the present value
of the costs from the present value of the benefits over the
life of the system.
• Projects with a positive NPV are economically feasible.

NPV Example
o If only costs and tangible benefits were considered, Design A
would be selected.
o The value of the intangible benefits and the design feasibility
score must also be considered in the analysis.
Compare costs and benefits:
• Payback method is a variation of break-even analysis.
• The break-even point is reached when total cost = total
benefit.
• Payback speed often a decisive factor due to brief product
life cycles and rapid technological advances.
• Based on payback, Design B from the NPV example would
be chosen over Design A due to the shorter payback period.
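Added example, not from the slides or from Hall's text: a small Python comparison of two candidate designs using the NPV and payback methods described above. The cash flows are constructed, the 10% discount rate is an assumption, and the names Design A and Design B only echo the slide; the figures are chosen so that NPV favours A while payback favours B, as the slide describes.

```python
# Added example (not from the slides): NPV and payback comparison of two
# candidate system designs. All figures below are constructed.

def npv(rate, costs, benefits):
    """Present value of benefits minus present value of costs over the
    system life. costs[t] and benefits[t] are the amounts in year t
    (t = 0 is the implementation year, so one-time costs sit there)."""
    total = 0.0
    for t, (c, b) in enumerate(zip(costs, benefits)):
        total += (b - c) / (1 + rate) ** t
    return total

def payback_period(costs, benefits):
    """Break-even year: first year in which cumulative benefits reach
    cumulative costs. Returns None if the system never pays back."""
    cum_cost = cum_benefit = 0.0
    for t, (c, b) in enumerate(zip(costs, benefits)):
        cum_cost += c
        cum_benefit += b
        if cum_benefit >= cum_cost:
            return t
    return None

# Constructed cash flows (thousands): year 0 holds one-time costs,
# years 1-5 hold recurring costs and tangible benefits.
DESIGN_A = {"costs": [300, 20, 20, 20, 20, 20],
            "benefits": [0, 60, 100, 160, 220, 260]}
DESIGN_B = {"costs": [150, 40, 40, 40, 40, 40],
            "benefits": [0, 100, 100, 100, 100, 100]}

def compare(rate=0.10):
    """NPV and payback year for each design at the assumed discount rate."""
    result = {}
    for name, d in (("A", DESIGN_A), ("B", DESIGN_B)):
        result[name] = {
            "npv": round(npv(rate, d["costs"], d["benefits"]), 1),
            "payback": payback_period(d["costs"], d["benefits"]),
        }
    return result

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"Design {name}: NPV={r['npv']}, payback year={r['payback']}")
```

Design A has the higher NPV but breaks even a year later than Design B, which is why the two methods can point at different designs and why intangible benefits and feasibility scores must also enter the decision.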

Prepare the systems selection report:
• Formal document consists of a revised feasibility study, cost-
benefit analysis and list and explanation of intangible benefits
for each alternative design.
• Steering committee selects a single system on the
basis of report.
Purpose: to produce a description of the proposed system that
satisfies the requirements identified during systems analysis and
is in accordance with the conceptual design.

Components presented formally in a detailed design report
that constitutes a set of “blueprints.”
Plans proceed to the systems implementation phase.

Development team performs a design walkthrough to ensure
it is free from conceptual error.
May be done by an independent quality assurance group.
Detailed design report documents and describes
system to this point including:
• Designs for input screens and source documents.
• Designs for screen outputs, reports, and operational
documents.
• Normalized data for database tables, specifying all data
elements.
• Database structures and diagrams.
• Data flow diagrams (DFD’s).
• Database models (ER, Relational).
• Updated data dictionary.
• Processing logic (flow charts).
Program the application software.
• Procedural languages require the programmer to specify the
precise order in which program statements are executed.
• Event-driven language programs designed to respond to
external action or event initiated by the user.
• Object-oriented languages are required to achieve the
benefits of the object-oriented approach.
Programming system should follow a modular approach to achieve:
programming efficiency, maintenance efficiency and control.
Test the application software.

Testing methodology process has structured steps to
follow.

Testing offline before deploying online is critical to
avoid potential disaster.

Test data creation is time consuming but can provide
future benefits.
Database structures are created and populated with
data, equipment is purchased and installed, employees
are trained, the system is documented, and the new
system is installed.
• Engages efforts of designers, programmers, database administrators,
users and accountants

Test the entire system.

Document the system.
• Designer and programmer documentation.
• Operator documentation.
• User documentation often takes the form of a user handbook.
• Online tutorials and help features.
Database conversion is a critical step: validation, reconciliation
and back-up.

Converting to the new system:

Under the cold turkey cutover, the firm switches to the new system and
simultaneously terminates the old.

Phased cutover begins operating new system in modules. Reduces the risk of a
devastating failure but can create incompatibilities during the process.

Parallel operation cutover involves running both systems simultaneously for a
period of time. Most time consuming and costly, but least risky approach.
Post-implementation review is an important
step that takes place months later.

Conducted by independent team to measure system success
by gathering evidence regarding adequacy and risks.
Systems design adequacy:
• Physical features reviewed to see if they meet user needs.
Accuracy of time, cost, and benefit estimates:
• Review of actual vs. budgeted amounts provides critical input for
future budgeting decisions.
Formal process by which application programs undergo changes
to accommodate changes in user needs.

Can be extensive and the maintenance periods can be 5 years or
longer in some organizations.
• When maintaining an old system is no longer feasible, it is
scrapped and a new SDLC begins.
Represents a significant resource outlay.

• As much as 80% - 90% of total cost may be incurred in
the maintenance phase.
Systems authorization, user specification and technical
design activities.

Internal audit participation:
• System planning and analysis.
• Conceptual system design impacts auditability.
• Economic feasibility needs to be measured accurately.
• Systems implementation.
• Provide technical expertise with regard to accounting rules.
• Specify documentation standards.
• Verify control adequacy and compliance with SOX.
Before implementation, individual modules must
be tested as a whole.
• Formal testing and user acceptance considered by many
auditors to be the most important control over the SDLC.

Audit objectives are to verify:
• SDLC activities are applied consistently and in accordance
with management’s policies.
• Original system free from material errors and fraud.
• System was judged necessary and justified.
• Documentation is adequate and complete.
CONTROLLING AND AUDITING THE SDLC

Audit procedures should determine:
• Proper end user and IT management authorization.
• Preliminary feasibility study showed project had
merit.
• Detailed analysis of user needs was conducted.
• Accurate cost-benefit analysis was conducted.
• System testing occurred before implementation.
• Checklist of specific problems determined during
conversion were corrected during maintenance.
• System documentation complies with standards.
Upon implementation system enters maintenance phase of the
SDLC.

Access to systems for maintenance increases the possibility of
system errors.
• To minimize exposure all maintenance should require: formal authorization,
technical specifications of change, retesting the system and updating the
documentation.

Source program library controls:
• Program source code stored on magnetic disks called the source program
library (SPL) which must be properly controlled to preserve application integrity.
Worst-Case situation: No controls:
• Program access completely unrestricted making them
subject to unauthorized change.
Controlled SPL Environment:
• Password control and separate test libraries.
• Audit trail and management reports that detail program
modifications and program version numbers.
• Controlled access to maintenance [SPL] commands.
Audit objectives:
• Detect unauthorized program maintenance.
• Determine maintenance procedures protect
applications from unauthorized changes.
• Verify applications are free from material errors.
• Verify SPL are protected from unauthorized access.


Identify unauthorized changes:
• Reconcile program version numbers.
• Confirm maintenance authorization.

Identify application errors:
• Reconcile source code.
• Review test results.
• Retest the program.
Test access to libraries:
• Review programmer authority tables.
• Test authority table.
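Added example, not from the slides or from Hall's text: the three SPL audit procedures above (confirm maintenance authorization, reconcile program version numbers, reconcile source code) applied in Python to a constructed SPL audit trail. The record layout, the program names, the MR-nnn request identifiers and the use of a SHA-256 hash to compare source are all assumptions made for the example.

```python
# Added example (not from the slides): auditing an SPL modification audit
# trail for unauthorized maintenance. Every record below is constructed.
import hashlib

# Constructed SPL audit trail: one record per logged program modification.
AUDIT_TRAIL = [
    {"program": "AR_POST",  "from": 4, "to": 5, "auth": "MR-101", "source": "post(); // fix rounding"},
    {"program": "AR_POST",  "from": 5, "to": 6, "auth": "MR-102", "source": "post(); // new tax code"},
    {"program": "GL_CLOSE", "from": 2, "to": 3, "auth": None,     "source": "close(); skipCheck=1"},
    {"program": "PAYROLL",  "from": 7, "to": 9, "auth": "MR-103", "source": "pay();"},
]
# Constructed list of approved maintenance requests: request id -> program.
AUTHORIZED = {"MR-101": "AR_POST", "MR-102": "AR_POST", "MR-103": "PAYROLL"}

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

# Constructed hash of each program's source as it sits in production today.
PRODUCTION_HASH = {
    "AR_POST":  sha256("post(); // new tax code"),
    "GL_CLOSE": sha256("close(); skipCheck=1"),
    "PAYROLL":  sha256("pay(); // undocumented edit"),
}

def find_unauthorized_changes(trail, authorized):
    """Confirm maintenance authorization: a change with no approved request,
    or whose request was approved for a different program, is unauthorized."""
    return [r for r in trail if authorized.get(r["auth"]) != r["program"]]

def find_version_gaps(trail):
    """Reconcile program version numbers: versions must advance by exactly one;
    a jump means a modification that was never logged."""
    return [r for r in trail if r["to"] != r["from"] + 1]

def reconcile_source(trail, prod_hash):
    """Reconcile source code: production source must match the last logged
    version of each program; a mismatch is an undocumented change."""
    last = {}
    for r in trail:                      # later records overwrite earlier ones
        last[r["program"]] = sha256(r["source"])
    return [p for p, h in last.items() if prod_hash.get(p) != h]

def run_audit():
    """Programs flagged by each of the three procedures."""
    return {
        "unauthorized": [r["program"] for r in find_unauthorized_changes(AUDIT_TRAIL, AUTHORIZED)],
        "version_gaps": [r["program"] for r in find_version_gaps(AUDIT_TRAIL)],
        "source_mismatch": reconcile_source(AUDIT_TRAIL, PRODUCTION_HASH),
    }
```

Note that GL_CLOSE reconciles cleanly on source and version yet has no authorization, while PAYROLL is authorized but fails both reconciliations: the three procedures catch different failure modes and are meant to be run together.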
