Chapter 5: System Development and Program Change Activities

IT Auditing, Hall, 4e

© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
Learning Objectives

o Be able to identify the stages in the systems development life cycle (SDLC).
o Understand the importance of strategic system planning.
o Be able to identify and discuss the major steps involved in a cost-benefit analysis of proposed information systems.
o Understand the advantages and disadvantages of the commercial software option, and be able to discuss the decision-making process used to select commercial software.
o Be familiar with different types of system documentation and the purposes they serve.
o Understand the risks, controls, and audit issues related to systems development and maintenance procedures.

Participants in Systems Development

o Systems professionals:
  o Analysts, engineers, database designers and programmers.
o End users:
  o Managers, operations personnel from various functional areas, including accountants.
o Stakeholders:
  o Individuals with an interest in the system who are not formal end users.
  o Includes steering committee and both internal and external auditors.

Information Systems Acquisition

o Well-designed system can increase productivity, reduce inventories, eliminate non-value-added activities, enhance customer service, improve management decisions, and coordinate organizational activities.
o Two methods of acquiring information systems:
  o In-house development.
  o Purchase commercial systems from software vendor.

Trends in Commercial Software

o Four factors have contributed to the growth of the commercial software market:
  o Relatively low cost for general purpose software.
  o Industry-specific vendors.
  o Growing demand from businesses too small to afford in-house development.
  o Downsizing units and the move to distributed data processing have increased appeal to larger organizations.
o Turnkey systems are finished, tested and ready for implementation.

Types of Turnkey Systems

o General accounting systems designed to serve a wide variety of user needs.
  o Designed in modules that include AP, AR, payroll, inventory, GL, financial reporting and fixed asset.
o Special-purpose systems target specific segments.
o Office automation systems improve productivity.
  o Word processing, spreadsheet, desktop publishing.
o Backbone systems provide a structure to build on, with primary processing modes programmed.
o Vendor-supported systems are custom systems developed and maintained for the client.
Commercial Systems

o Advantages:
  o Can be implemented almost immediately once need is recognized.
  o Cost is a fraction of cost of in-house development.
  o Reliability since software is pretested and less likely to have errors than in-house systems.
o Disadvantages:
  o Firm is dependent on vendor for maintenance.
  o When user needs are unique and complex, software may be too general or inflexible.
  o May be difficult or impossible to modify if user needs change.
o Company may satisfy some needs with commercial software and develop other systems in-house.
Systems Development Life Cycle (SDLC)

Systems Planning – Phase I

o Objective: To link individual systems projects to the strategic objectives of the firm.
o Most firms establish a steering committee to provide guidance and review project status.
  o May include the CEO, CFO, CIO, senior management, internal auditors, and external parties (consultants).
  o Responsibilities include resolving system conflicts, reviewing projects and assigning priorities, budgeting system development, and determining whether or not to continue the project at various stages of development.
o Two levels: strategic systems planning and project planning.

Strategic Systems Planning

o Involves allocation of resources at the macro level.
o Time frame of 3 – 5 years with process similar to budgeting resources for other strategic activities.
o Technically not part of SDLC which pertains to specific applications.
o Concerned with allocation of systems resources.
o Four justifications:
  o A changing plan is better than no plan.
  o Reduces crises in systems development.
  o Provides authorization control for SDLC.
  o Systems planning tends to be a cost-effective means of managing systems projects and application development.

Project Planning

o Purpose is to allocate resources to individual applications within the framework of the strategic plan.
o Identifying user needs, preparing proposals, evaluating proposals’ feasibility, prioritizing and scheduling.
o Two formal documents:
  o Project proposal provides management with a basis for deciding whether to proceed by summarizing findings and outlining link between system and business objectives of the firm.
  o Project schedule represents management’s commitment to the project.

Systems Analysis – Phase II

o Process to survey current system and analyze user needs.
o Survey step has advantages and disadvantages:
  o Usually involves a detailed system survey.
  o Can result in current tar pit syndrome where analyst is “sucked-in” and “bogged down” by the surveying task.
  o Surveying system may stifle new ideas (thinking inside the box).
  o Identifies aspects of old system that should be kept.
  o Forces analysts to fully understand the old system which will be required to convert to the new one.
  o Analyst may determine root cause of problems, which may not be the system at all.
Systems Analysis – Phase II

Survey Phase – Gathering Facts

o Data sources
o Users
o Data stores
o Processes
o Data flows
o Controls
o Transaction volumes
o Error rates
o Resource costs
o Bottlenecks
o Redundant operations

Systems Analysis – Phase II

o Fact-gathering techniques:
  o Observation, task participation, personal interviews, key document review.
o Analyst is analyzing while gathering facts.
o Systems analysis report:
  o Presented to management or the steering committee.
  o Provides survey findings, problems identified with old system, user needs and new system requirements.
  o Constitutes a formal contract that specifies the objectives and goals of the system.

Conceptual System Design – Phase III

o Purpose is to produce alternative systems that satisfy identified system requirements.
o Structured design approach:
  o Designs system from the top down by starting with “big picture” and gradually decomposing system into more detail until fully understood.
  o Designs should identify all inputs, outputs, processes and special features necessary to distinguish one alternative from another.
o Object-oriented design approach (OOD):
  o Builds information systems from reusable objects.
  o Concept of reusability is central as standard modules can be used in other systems with similar needs.
  o Library of reusable modules results in less time, cost, maintenance, and testing and improved user support and system flexibility.
System Evaluation and Selection – Phase IV

o Identify optimal solution from alternatives.
o First step is a detailed feasibility study:
  o Technical: Existing or new technology?
  o Economic: Are funds available?
  o Legal: Any conflicts with new system and legal responsibilities?
  o Operational: Procedures and personnel compatible with new system?
  o Schedule: Is firm able to implement project in acceptable amount of time?
o Second step is a cost-benefit analysis:
  o Identify both one-time and recurring costs and tangible and intangible benefits which cannot be easily quantified.
  o Compare costs and benefits.
One-Time and Recurring Costs

Tangible and Intangible Benefits

Hierarchical Data Model

o Compare costs and benefits:
  o Net present value (NPV) method deducts the present value of the costs from the present value of the benefits over the life of the system.
  o Projects with a positive NPV are economically feasible.

NPV Example:

NPV Example

o If only costs and tangible benefits were considered, Design A would be selected.
o The value of the intangible benefits and the design feasibility score must also be considered in the analysis.
System Evaluation and Selection – Phase IV

o Compare costs and benefits:
  o Payback method is a variation of break-even analysis.
  o The break-even point is reached when total cost = total benefit.
  o Payback speed often a decisive factor due to brief product life cycles and rapid technological advances.
  o Based on payback, Design B from the NPV example would be chosen over Design A due to the shorter payback period.
o Prepare the systems selection report:
  o Formal document consists of a revised feasibility study, cost-benefit analysis and list and explanation of intangible benefits for each alternative design.
  o Steering committee selects a single system on the basis of report.
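
A worked illustration of the NPV and payback comparison described on the slides above, added here and not taken from the textbook. The cash flows, the 8% discount rate and the five-year life are constructed values, chosen so that Design A wins on NPV while Design B pays back sooner.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Design:
    name: str
    one_time_cost: float     # incurred at year 0 (constructed figure)
    recurring_cost: float    # per year (constructed figure)
    tangible_benefit: float  # per year (constructed figure)
    life_years: int


def present_value(amount_per_year, rate, years):
    """Present value of a level amount received at the end of each year."""
    return sum(amount_per_year / (1 + rate) ** t for t in range(1, years + 1))


def npv(design, rate):
    """PV of benefits minus PV of costs over the life of the system."""
    pv_costs = design.one_time_cost + present_value(
        design.recurring_cost, rate, design.life_years)
    pv_benefits = present_value(design.tangible_benefit, rate, design.life_years)
    return pv_benefits - pv_costs


def payback_years(design):
    """Years until cumulative net benefit equals the one-time cost.

    Returns None when the design never breaks even within its life.
    Undiscounted, with linear interpolation inside the break-even year.
    """
    net = design.tangible_benefit - design.recurring_cost
    if net <= 0:
        return None
    outstanding = design.one_time_cost
    for year in range(1, design.life_years + 1):
        if net >= outstanding:
            return (year - 1) + outstanding / net
        outstanding -= net
    return None


# Constructed alternatives: A is expensive up front but yields more per year,
# B is cheaper up front and recovers its cost faster.
DESIGN_A = Design("A", 300_000, 45_000, 170_000, 5)
DESIGN_B = Design("B", 140_000, 55_000, 135_000, 5)
RATE = 0.08

if __name__ == "__main__":
    for d in (DESIGN_A, DESIGN_B):
        print(f"Design {d.name}: NPV = {npv(d, RATE):,.0f}, "
              f"payback = {payback_years(d):.2f} years")
```

Neither figure captures the intangible benefits or the feasibility score, which the slides say must also enter the selection.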
Detailed Design – Phase V

o Purpose to produce description of proposed system that satisfies requirements identified during systems analysis and is in accordance with conceptual design.
o All system components (user views, database tables, processes and controls) specified.
o Components presented formally in a detailed design report that constitutes a set of “blueprints.”
o Plans proceed to the systems implementation phase.
o Development team performs a design walkthrough to ensure it is free from conceptual error.
  o May be done by an independent quality assurance group.

Detailed Design – Phase V

o Detailed design report documents and describes system to this point including:
  o Designs for input screens and source documents.
  o Designs for screen outputs, reports, and operational documents.
  o Normalized data for database tables, specifying all data elements.
  o Database structures and diagrams.
  o Data flow diagrams (DFDs).
  o Database models (ER, Relational).
  o Updated data dictionary.
  o Processing logic (flow charts).

Application Programming and Testing – Phase VI

o Program the application software.
  o Procedural languages require programmer to specify the precise order in which the program is executed.
  o Event-driven language programs designed to respond to external action or event initiated by the user.
  o Object-oriented languages are required to achieve the benefits of the object-oriented approach.
  o Programming system should follow a modular approach to achieve: programming efficiency, maintenance efficiency and control.

Application Programming and Testing – Phase VI

o Test the application software.
  o Testing methodology process has structured steps to follow.
  o Testing offline before deploying online is critical to avoid potential disaster.
  o Test data creation is time consuming but can provide future benefits.

Program and Testing Procedures

System Implementation – Phase VII

o Database structures are created and populated with data, equipment is purchased and installed, employees are trained, the system is documented, and the new system is installed.
o Engages efforts of designers, programmers, database administrators, users and accountants.
o Test the entire system.
o Document the system.
  o Designer and programmer documentation.
  o Operator documentation.
  o User documentation often takes the form of a user handbook.
  o Online tutorials and help features.
Systems Implementation – Phase VII

o Database conversion is a critical step.
  o Validation, reconciliation, backup.
o Converting the new system:
  o Under the cold turkey cutover (Big Bang) firm switches to the new system and simultaneously terminates the old.
  o Phased cutover begins operating new system in modules. Reduces the risk of a devastating failure but can create incompatibilities during the process.
  o Parallel operation cutover involves running both systems simultaneously for a period of time. Most time consuming and costly, but least risky approach.

System Implementation – Phase VII

o Post-implementation review is an important step that takes place months later.
o Conducted by independent team to measure system success by gathering evidence regarding adequacy and risks.
o Systems design adequacy:
  o Physical features reviewed to see if they meet user needs.
o Accuracy of time, cost, and benefit estimates.
  o Review of actual vs. budgeted amounts provides critical input for future budgeting decision.

Systems Maintenance – Phase VIII

o Formal process by which application programs undergo changes to accommodate changes in user needs.
o Can be extensive and the maintenance periods can be 5 years or longer in some organizations.
  o When maintaining an old system is no longer feasible, it is scrapped and a new SDLC begins.
o Represents a significant resource outlay.
  o As much as 80% - 90% of total cost may be incurred in the maintenance phase.

Controlling and Auditing the SDLC

o Systems authorization, user specification and technical design activities.
o Internal audit participation:
  o System planning and analysis.
  o Conceptual system design impacts auditability.
  o Economic feasibility needs to be measured accurately.
  o Systems implementation.
  o Provide technical expertise with regard to accounting rules.
  o Specify documentation standards.
  o Verify control adequacy and compliance with SOX.

Controlling and Auditing the SDLC

o Before implementation, individual modules must be tested as a whole.
  o Formal testing and user acceptance considered by many auditors to be the most important control over the SDLC.
o Audit objectives are to verify:
  o SDLC activities are applied consistently and in accordance with management’s policies.
  o Original system free from material errors and fraud.
  o System was judged necessary and justified.
  o Documentation is adequate and complete.

Controlling and Auditing the SDLC

o Audit procedures should determine:
  o Proper end user and IT management authorization.
  o Preliminary feasibility study showed project had merit.
  o Detailed analysis of user needs was conducted.
  o Accurate cost-benefit analysis was conducted.
  o System testing occurred before implementation.
  o Checklist of specific problems determined during conversion were corrected during maintenance.
  o System documentation complies with standards.

Controlling and Auditing System Maintenance

o Upon implementation system enters maintenance phase of the SDLC.
o Access to systems for maintenance increases the possibility of system errors.
o To minimize exposure all maintenance should require: formal authorization, technical specifications of change, retesting the system and updating the documentation.
o Source program library controls:
  o Program source code stored on magnetic disks called the source program library (SPL) which must be properly controlled to preserve application integrity.
Controlling and Auditing the SDLC

o Worst-case situation: No controls:
  o Program access completely unrestricted making them subject to unauthorized change.
o Controlled SPL Environment:
  o Password control and separate test libraries.
  o Audit trail and management reports that detail program modifications and program version numbers.
  o Controlled access to maintenance [SPL] commands.

Controlling and Auditing the SDLC – Audit Objectives

o Detect unauthorized program maintenance.
o Determine maintenance procedures protect applications from unauthorized changes.
o Verify applications are free from material errors.
o Verify SPLs are protected from unauthorized access.

Controlling and Auditing the SDLC – Audit Procedures

o Identify unauthorized changes:
  o Reconcile program version numbers.
  o Confirm maintenance authorization.
o Identify application errors:
  o Reconcile source code.
  o Review test results.
  o Retest the program.
o Test access to libraries:
  o Review programmer authority tables.
  o Test authority table.
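
One way to automate three of the audit procedures listed above (confirm maintenance authorization, test the authority table, reconcile program version numbers), added here as an example and not taken from the textbook. All program names, request IDs and records are constructed, and the rule that each authorized change raises the version number by exactly one is an assumption.

```python
from collections import Counter

# Constructed sample data for illustration; none of it comes from the slides.
# SPL audit trail: (program, new_version, programmer, change_request_id)
SPL_AUDIT_TRAIL = [
    ("AP_POST", 2, "jlee", "CR-101"),
    ("AP_POST", 3, "jlee", "CR-117"),
    ("PAYROLL", 2, "mdiaz", "CR-120"),
    ("PAYROLL", 3, "jlee", None),        # change with no request on file
    ("GL_CLOSE", 2, "mdiaz", "CR-130"),  # request approved for another program
]
# Approved maintenance requests: request id -> program it authorizes.
AUTHORIZED_REQUESTS = {
    "CR-101": "AP_POST", "CR-117": "AP_POST",
    "CR-120": "PAYROLL", "CR-130": "AR_AGING",
}
# Programmer authority table: programmer -> programs they may maintain.
AUTHORITY_TABLE = {"jlee": {"AP_POST"}, "mdiaz": {"PAYROLL", "GL_CLOSE"}}
# Version numbers currently running in production.
PRODUCTION_VERSIONS = {"AP_POST": 3, "PAYROLL": 3, "GL_CLOSE": 4}


def audit_spl(trail, requests, authority, production, baseline=1):
    """Return (finding, program, detail) tuples for the three audit tests.

    Assumption: every program starts at version `baseline` and each
    authorized change raises the version number by exactly one.
    """
    findings = []
    authorized_changes = Counter()
    for program, version, programmer, request in trail:
        # Confirm maintenance authorization: the change must cite an
        # approved request that was issued for this same program.
        if request is not None and requests.get(request) == program:
            authorized_changes[program] += 1
        else:
            findings.append(("unauthorized_change", program,
                             f"v{version} by {programmer}, request={request}"))
        # Test the authority table: the programmer must be cleared
        # to maintain this program.
        if program not in authority.get(programmer, set()):
            findings.append(("access_violation", program,
                             f"{programmer} modified v{version}"))
    # Reconcile program version numbers: the production version must be
    # explained by the number of authorized changes on file.
    for program in sorted(production):
        expected = baseline + authorized_changes[program]
        if production[program] != expected:
            findings.append(("version_unreconciled", program,
                             f"production v{production[program]}, "
                             f"authorizations support v{expected}"))
    return findings


def run_sample():
    """Run the audit over the constructed records above."""
    return audit_spl(SPL_AUDIT_TRAIL, AUTHORIZED_REQUESTS,
                     AUTHORITY_TABLE, PRODUCTION_VERSIONS)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding, sep=" | ")
```

GL_CLOSE shows why the version reconciliation matters: production runs version 4 while the SPL trail records only version 2, so at least two changes reached production without passing through the controlled library.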

Auditing SPL Software System
