
APPLICATION DEVELOPMENT

AUDITING IN A CIS ENVIRONMENT


BIT 006
APPLICATION DEVELOPMENT
• It is the process of designing, customizing or configuring software
applications or information systems.
• Audits of application development can take the form of participative
consulting during a project or a post-implementation assurance review
once a project is complete. Their objectives are to improve the efficiency
of application development, to improve the internal controls in the process
(which reduces the depth future audits of the function will need), or to
improve the effectiveness of a specific application's controls.
Application Development:
End-User Computing
• End-user computing is where end users are given the freedom to develop their own simple programs or
analytical tools using commonly available software tools such as spreadsheets and
database tools. Databases and spreadsheets can run on smaller systems, giving
individual users more control over their work.

POSSIBLE RISKS:
1. Developing reliance on applications that can be maintained by only
one person (especially if the user does not provide or update sufficient
system documentation).
2. The development may not follow a formal development approach with
proper planning and other controls to manage complexity. End-user
computing applications often start out simple, but as more spreadsheets
and database files become interlinked they can grow considerably more complex.
Application Development
End-User Computing
• The internal auditors can develop an understanding of the application by getting the developer to
perform a walk-through. If no flowchart exists, the auditor can develop one with the assistance of
that person.
• The internal auditors should review system documentation for existence and completeness, as
well as how often it is updated and whether it matches the actual system.
• The internal auditors should determine whether the application has proper authentication controls
and the other controls that are specific to the application or that should be present because they are
part of the organization's general IT controls.
• Internal auditors can also determine how efficiently the application performs the relevant task, how
effectively it achieves the objectives it was designed for, and how easily the system can be
maintained.
• Do observations or other audit techniques reveal situations where there is an error in the outputs
and it takes the end user a very long time to find the source of the error?
Application Development
Understanding of Change Control
• Changes in the IT environment may be frequent and significant.
• Change management controls cover application code revisions, system upgrades and
infrastructure changes (servers, routers, cabling or firewalls).
• Patch management is the installation of released bug fixes to applications that are already in
production. High-performing organizations perform far fewer patches than low-
performing organizations.
• Organizations with poor change management controls have a low success rate for IT changes due
to project delays or scope creep.
- They suffer from unexpected outages.
- They are always in crisis mode, with many emergency and unauthorized
changes. Constant crisis creates stress and high turnover for IT staff,
indicates a lack of control over problem escalation and increases risk.
- When a change results in downtime or, even worse, a material error in financial
reporting data, it carries a higher risk of loss than a system
attack does.
Application Development
Change management
• Change Management Process Steps
1. Identify the need for change.
2. Prepare. Document the step-by-step procedure for the change
request, the change test plan and a change rollback plan.
3. Justify the change and request approval. Determine the impact and
cost-benefit; review associated risks and regulatory impact.
4. Authorization. Reject, approve, or request more information.
Set priorities relative to the overall schedule.
5. Schedule and implement the change. Assign a change implementer and a
change tester, test in preproduction, communicate to affected parties, get
final approval and implement the change.
6. Review the implemented change. Measure change success, use of the process, variances and
regulatory compliance. Report lessons learned.
7. Back out the change if unsuccessful.
8. Close the change request and report to stakeholders.
9. Revisit the change management process for improvement.
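As an added example (not from the original slides), the following Python script applies the preparation, authorization, segregation-of-duties and review steps above to a constructed change log and reports the exceptions an auditor would raise, together with the indicators of weak change control the previous slide lists (emergency changes, unauthorized changes, low success rate). The record layout, the field names and the four sample changes are assumptions made for illustration, not a real ticketing system's schema.

```python
"""Review a change log for control exceptions: changes implemented without
authorization, missing test or rollback plans, segregation-of-duties
breaches and missing post-implementation reviews.

Added example. The record layout and the four changes below are
constructed for illustration; they are not taken from a real system.
"""
from datetime import datetime

# Constructed change log. Timestamps are ISO 8601; None means the step
# never happened.
CHANGE_LOG = [
    {"id": "CHG-1001", "requester": "alice", "approver": "cab", "implementer": "bob",
     "tester": "carol", "test_plan": True, "rollback_plan": True, "emergency": False,
     "approved_at": "2024-03-01T09:00:00", "implemented_at": "2024-03-02T22:00:00",
     "reviewed_at": "2024-03-03T10:00:00", "outcome": "success"},
    # Implementer approved and tested his own change, with no plans or review.
    {"id": "CHG-1002", "requester": "bob", "approver": "bob", "implementer": "bob",
     "tester": "bob", "test_plan": False, "rollback_plan": False, "emergency": False,
     "approved_at": "2024-03-04T11:00:00", "implemented_at": "2024-03-04T11:05:00",
     "reviewed_at": None, "outcome": "failed"},
    # Emergency change pushed with no approval at all.
    {"id": "CHG-1003", "requester": "dave", "approver": None, "implementer": "dave",
     "tester": "erin", "test_plan": True, "rollback_plan": True, "emergency": True,
     "approved_at": None, "implemented_at": "2024-03-05T03:00:00",
     "reviewed_at": None, "outcome": "success"},
    # Approval recorded the day after the change went in.
    {"id": "CHG-1004", "requester": "alice", "approver": "cab", "implementer": "bob",
     "tester": "carol", "test_plan": True, "rollback_plan": True, "emergency": False,
     "approved_at": "2024-03-07T09:00:00", "implemented_at": "2024-03-06T22:00:00",
     "reviewed_at": "2024-03-08T10:00:00", "outcome": "success"},
]


def _ts(value):
    """Parse an ISO timestamp, or return None when the step never happened."""
    return datetime.fromisoformat(value) if value else None


def review_change(change):
    """Return the control exceptions found in one change record."""
    findings = []
    approved = _ts(change["approved_at"])
    implemented = _ts(change["implemented_at"])
    # Step 4: a change must be authorized, and authorized before it is implemented.
    if approved is None:
        findings.append("implemented without authorization")
    elif implemented is not None and approved > implemented:
        findings.append("approval recorded after implementation (retroactive)")
    # Step 2: the test plan and the rollback plan are part of preparation.
    if not change["test_plan"]:
        findings.append("no test plan")
    if not change["rollback_plan"]:
        findings.append("no rollback plan")
    # Segregation of duties: whoever implements a change should neither
    # approve nor test it.
    if change["approver"] is not None and change["approver"] == change["implementer"]:
        findings.append("implementer approved own change")
    if change["tester"] == change["implementer"]:
        findings.append("implementer tested own change")
    # Step 6: every change gets a post-implementation review.
    if change["reviewed_at"] is None:
        findings.append("no post-implementation review")
    return findings


def review_change_log(log):
    """Map change id -> findings for every change that has at least one."""
    result = {}
    for change in log:
        findings = review_change(change)
        if findings:
            result[change["id"]] = findings
    return result


def change_metrics(log):
    """Indicators the slides associate with weak change control: share of
    emergency changes, number of unauthorized changes and success rate."""
    total = len(log)
    return {
        "total": total,
        "emergency_rate": sum(1 for c in log if c["emergency"]) / total,
        "unauthorized": sum(1 for c in log if c["approved_at"] is None),
        "success_rate": sum(1 for c in log if c["outcome"] == "success") / total,
    }


if __name__ == "__main__":
    for change_id, findings in review_change_log(CHANGE_LOG).items():
        print(change_id, "->", "; ".join(findings))
    print(change_metrics(CHANGE_LOG))
```

Two of the exceptions, approval recorded after implementation and approver identical to implementer, are exactly the ones that a ticket's "approved" status flag would hide; the auditor needs the timestamps and the identities from the change record, not just the status.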
Application Development
Systems Development Methodology
• IT systems have a life cycle, from design through implementation to maintenance. Early system designs were largely left
to IT specialists. A better approach is team design, to ensure that all stakeholders have their needs considered.
• System Development Life Cycle: indicators of effective IT controls for system development include the ability to execute
new system plans within budget and on time. Resource allocation should be predictable.
- System planning
- Systems analysis
- System design
- Programming
- System selection
- Customization/configuration
- Testing
- Conversion and implementation
- Systems operation and refinement
Application Development
Understanding the Application Development
• Application development or systems development is the process of
making or modifying a software application.
• The assurance of application development is a critical area, since
failures to control risk here can directly damage business operations
and can waste resources spent on creating and correcting faulty
applications and remediating damage.
• Applications may be purchased off the shelf after a rigorous selection
process, developed in-house, or purchased and then customized.
Whichever path is taken, the process must be controlled and audited.
Application Development
Information Technology Control
• The following controls should be evident in all systems development and
acquisition work:
- Documentation of user requirements for applications
and measurement of achievement of those requirements.
- Use of a formal process that ensures that user requirements
and controls are reflected in both design and actual development.
- Testing of elements and interfaces with actual users.
- Planned application maintenance.
- A controlled change management process.
Application Development
Information Technology Controls
• Internal auditors must include outsourcers in their IT audit, including an
assessment of their efficiency relative to potential internal costs.
Especially important is an assessment of the vendor's ongoing
viability, since long-term support is essential for software systems.
• For systems selection, auditors should ensure that specific controls
are part of the selection criteria and should check that the controls
actually exist once a package has been selected. Relying on
marketing information from the vendor is inadequate; actual walk-
throughs are superior. If the auditor finds that the standards are not
met, or if IT managers are reluctant to fix internal control gaps,
this must be reported to top management.
Application Development
Various Levels of Application Controls
• In assessing risks associated with the design stage of the SDLC, internal
auditors should examine controls related especially to:
1. User approval, which aids user acceptance.
2. Authorization procedures for program changes and new code
development. Without authorization and access restrictions, errors or fraud
can compromise application integrity.
3. Software testing and quality control. Program change control can
form the basis for quality assurance reviews.
4. Staff proficiency. Internal auditors should check that the project staff
is technically proficient. Auditors must remain independent, yet helpful and
tactful. Auditors working with systems analysts and programmers should
remember that these are specialists who may explain things in jargon.
Application Development
IT Application Controls
• IT application controls pertain to individual processes or application
systems and include data edits, separation of business functions,
balancing of processing totals, transaction logging and error
reporting.
• Application controls may be preventive or detective.
• The development stage is the most important one for auditor
involvement.
Application Development
IT Application Controls
• 1. Input Controls are intended to prevent computer errors by controlling data as it enters the
system, whether manually or electronically. Input is the most common source of errors, and internal
auditors should emphasize tests of these controls (garbage in, garbage out).
• 2. Processing Controls are automated error checks built into computer processing, as well as
segregation of duties such as controlling programmers' access to files and records. Data center
operators' access to applications should be restricted to equipment and software installation and
to responding to errors. Auditors should examine restart procedures and verify that reconstructed
files have accuracy checks.
• 3. Output Controls are detective controls that find errors and verify the accuracy and
reasonableness of output data after processing is complete. The auditor can manually compute
totals for a sample of transactions and compare them with the system's inputs and outputs to reveal
unreasonable relationships.
Application Development
IT Application Controls
• 4. Integrity Controls monitor data as it is processed and while it is stored, to ensure that it remains
accurate, consistent and complete and that specific records are unique (not duplicated). These
are applied to the database and DBMS, so the controls will differ depending on the type of
database management system being used.
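As an added example that is not part of the original slides, the following Python script runs the four kinds of application control described above over one constructed batch of payment transactions: field-level edit checks on the input (input controls), batch balancing against control totals plus a transaction log with error reporting (processing controls), reconciliation of accepted and rejected amounts back to the input total (output controls) and a uniqueness check on the transaction identifier (integrity controls). The batch layout, the edit rules and the five sample transactions are assumptions chosen for illustration.

```python
"""Input, processing, output and integrity controls over one batch of
transactions.

Added example. The batch layout, edit rules and sample records are
constructed for illustration, not taken from a real system.
"""
import re
from datetime import date
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"\d{4}")

# Constructed batch. The header carries the control totals computed by the
# submitting department: record count, sum of amounts and a hash total
# (the otherwise meaningless sum of account numbers, used only to detect
# lost or altered records).
BATCH_HEADER = {"record_count": 5, "amount_total": Decimal("1550.00"), "hash_total": 6177}
BATCH = [
    {"txn_id": "T1001", "account": "1234", "amount": "500.00", "date": "2024-03-01"},
    {"txn_id": "T1002", "account": "1235", "amount": "250.00", "date": "2024-03-01"},
    {"txn_id": "T1003", "account": "1236", "amount": "1OO.00", "date": "2024-03-01"},  # letter O
    {"txn_id": "T1002", "account": "1235", "amount": "250.00", "date": "2024-03-01"},  # duplicate
    {"txn_id": "T1005", "account": "1237", "amount": "450.00", "date": "2024-13-01"},  # month 13
]


def _amount(rec):
    """Parse the amount field; unparsable amounts count as zero in totals."""
    try:
        return Decimal(rec["amount"])
    except InvalidOperation:
        return Decimal("0")


def edit_check(rec):
    """Input control: field-level edit checks. Returns the list of errors."""
    errors = []
    if not ACCOUNT_RE.fullmatch(rec["account"]):
        errors.append("account must be 4 digits")
    try:
        amount = Decimal(rec["amount"])
        if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
            errors.append("amount must be positive with at most 2 decimals")
    except InvalidOperation:
        errors.append("amount not numeric")
    try:
        date.fromisoformat(rec["date"])
    except ValueError:
        errors.append("invalid date")
    return errors


def balance_batch(header, records):
    """Processing control: recompute the control totals over the batch as
    received and return every total that disagrees with the header."""
    computed = {
        "record_count": len(records),
        "amount_total": sum((_amount(r) for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in records if r["account"].isdigit()),
    }
    return {k: (header[k], computed[k]) for k in header if header[k] != computed[k]}


def run_batch(header, records):
    """Apply the controls in order and return the transaction log plus the
    totals an output control would reconcile."""
    log, seen = [], set()
    accepted_total = rejected_total = Decimal("0")
    for rec in records:
        errors = edit_check(rec)
        # Integrity control: a transaction id may be posted only once.
        if rec["txn_id"] in seen:
            errors.append("duplicate txn_id")
        if errors:
            log.append((rec["txn_id"], "REJECT", errors))  # error reporting
            rejected_total += _amount(rec)
        else:
            seen.add(rec["txn_id"])
            log.append((rec["txn_id"], "ACCEPT", []))
            accepted_total += _amount(rec)
    input_total = sum((_amount(r) for r in records), Decimal("0"))
    return {
        "log": log,
        "accepted": [txn for txn, status, _ in log if status == "ACCEPT"],
        "accepted_total": accepted_total,
        "rejected_total": rejected_total,
        "imbalances": balance_batch(header, records),
        # Output control: everything that came in is either posted or reported.
        "reconciled": accepted_total + rejected_total == input_total,
    }


if __name__ == "__main__":
    result = run_batch(BATCH_HEADER, BATCH)
    for entry in result["log"]:
        print(entry)
    print("out of balance:", result["imbalances"])
    print("accepted", result["accepted_total"], "rejected", result["rejected_total"],
          "reconciled:", result["reconciled"])
```

The batch balances on record count and hash total but not on amount: the submitting department counted 100.00 for a record the system could not parse, so the 100.00 difference points the auditor straight at the garbled transaction, while the output reconciliation shows that nothing was silently dropped after input.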
Application Development
Understanding of Info Systems Development
• Development of an information system refers to the development of
the entire organization's information network of people, processes,
data and technology.
• Development of Information Systems
  1. Define organizational strategy                        Define information strategy
  2. Define information content                            Set information policies and controls
  3. Design system infrastructure                          Specify databases, networks, software and configurations
  4. Set information system change policy and procedure   Develop action plan, prioritize and schedule
