AUDITING THE SYSTEMS DEVELOPMENT LIFE CYCLE
Controlling and Auditing the SDLC

In a CBIS environment, financial data are processed (accessed, stored and updated) by computer applications. The accuracy and integrity of these programs directly affect the accuracy of the client’s financial data.
Systems Development and Maintenance Process

◦ A properly functioning systems development process ensures that only needed applications are created, that they are properly specified, that they possess adequate controls, and that they are thoroughly tested before being implemented.
◦ The systems maintenance process ensures that only legitimate changes are made to applications and that such changes are also tested before being implemented.
Controlling New Systems Development
Five Controllable Activities
Procedures
1. Systems Authorization Activities
3. Technical Design Activities
Audit Objectives Related to New Systems Development
Audit Procedures Related to New Systems Development

The auditor should select a sample of completed projects and review the documentation for evidence of compliance with SDLC policies. Specific points for review should include determining the following:
Controlling Systems Maintenance
Upon implementation, the system enters the maintenance phase of the SDLC. This is the longest period in the SDLC, often spanning several years. It is important to recognize that systems do not remain static throughout this period. Rather, they may undergo substantial changes that constitute a financial outlay many times their original cost.
Maintenance Authorization, Testing, and Documentation

Access to systems for maintenance purposes increases the possibility of systems errors. Logic may be corrupted either by the accidental introduction of errors or by intentional acts to defraud. To minimize the potential exposure, all maintenance actions should require, as a minimum, four controls: formal authorization, technical specification of the changes, retesting the system, and updating the documentation.
The Worst-Case Situation: No Controls
library, and
Control Techniques
1. Password Control
Audit Objectives Related to System Maintenance

◦ Detect unauthorized program maintenance (which may have resulted in significant processing errors or fraud).
◦ Determine that (1) maintenance procedures protect applications from unauthorized changes, (2) applications are free from material errors, and (3) program libraries are protected from unauthorized access.
Audit Procedures Related to System Maintenance

IDENTIFY UNAUTHORIZED CHANGES
Tests of Controls
◦ Reconcile program version numbers
◦ Confirm maintenance authorization

IDENTIFY APPLICATION ERRORS
Tests of Controls
◦ Reconcile the source code
◦ Review test results
◦ Retest the program

TEST ACCESS TO LIBRARIES
Tests of Controls
◦ Review programmer authority tables
◦ Test authority table
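The two tests of controls above that lend themselves to automation are reconciling program version numbers against the maintenance authorization log and reviewing the programmer authority table. The script below is an added example, not part of the original slides; the record formats (a dict of program name to production version, a list of authorization records, a dict of programmer to modifiable libraries) and the library name PROD_LIB are assumptions, and all records are constructed.

```python
"""Added example: reconcile program versions and review programmer authority.

Not part of the original slides. The data formats and the library name
PROD_LIB are assumptions; every record below is constructed sample data.
"""

# Constructed production library listing (program name -> version in production).
PRODUCTION_LIBRARY = {
    "AR_POST": "3.4",
    "GL_CLOSE": "2.1",       # 2.1 was never authorized (constructed exception)
    "PAYROLL_CALC": "5.0",   # authorized, but the approval field is blank
    "AP_DISBURSE": "1.7",
}

# Constructed maintenance authorization log (one record per approved change).
AUTHORIZATION_LOG = [
    {"program": "AR_POST", "version": "3.4", "approved_by": "controller"},
    {"program": "GL_CLOSE", "version": "2.0", "approved_by": "controller"},
    {"program": "PAYROLL_CALC", "version": "5.0", "approved_by": ""},
    {"program": "AP_DISBURSE", "version": "1.7", "approved_by": "cio"},
]

# Constructed programmer authority table (programmer -> libraries they may modify).
AUTHORITY_TABLE = {
    "alice": {"TEST_LIB"},
    "bob": {"TEST_LIB", "PROD_LIB"},   # maintenance programmer with production access
}


def reconcile_versions(library, log):
    """Identify unauthorized changes: return (program, version, reason) for each
    production program whose version is not backed by an approved authorization."""
    approvals = {(r["program"], r["version"]): r["approved_by"] for r in log}
    exceptions = []
    for program, version in sorted(library.items()):
        approver = approvals.get((program, version))
        if approver is None:
            exceptions.append((program, version, "no authorization for this version"))
        elif not approver.strip():
            exceptions.append((program, version, "authorization record has no approver"))
    return exceptions


def review_authority_table(table, production_library="PROD_LIB"):
    """Test access to libraries: return programmers whose authority table entry
    lets them modify the production library directly, bypassing the change process."""
    return sorted(p for p, libs in table.items() if production_library in libs)


if __name__ == "__main__":
    for exc in reconcile_versions(PRODUCTION_LIBRARY, AUTHORIZATION_LOG):
        print("EXCEPTION:", *exc)
    print("Direct production access:", review_authority_table(AUTHORITY_TABLE))
```

Each exception is a lead for the follow-up procedures on the slide: confirm the authorization with the approver, reconcile the source code of the flagged program, and test whether the listed programmer can in fact write to the production library.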