In further examining the IT Auditor’s role in the IT project environment, I’d like to look at how the book “Information Technology Control and Audit” discusses the IT Auditor’s role in the overall software development process.
Software Development Process
A formal systems development process provides an environment that is conducive to successful systems development. This includes:
(1) an information systems strategy that guides developers in building systems that are consistent with the organization’s technical and operational goals,
(2) standards that guide the selection of hardware and software and the development of new systems,
(3) policies and procedures that support the organization’s goals and objectives, and
(4) project management that ensures projects are completed on time and within budget.
Auditors can assist organizations by reviewing the systems development process to ensure that developed systems comply with the organization’s strategy and standards.
Software Development Phases
The systems development process can be broken down into four phases:
- Planning
- Development
- Implementation
- Maintenance
The planning phase sets the stage for the success of the development effort. If not done properly, the budget and schedule may not be sufficient, the problem may not be adequately defined, the final project may not solve the business problem, and the right people may not be involved. The planning phase of systems development includes the following activities:
- Needs analysis: a study to determine whether a new system should be developed
- Current system review: a study of the current system to identify existing processes and procedures that will continue in the new system
- Conceptual design: preparation of the proposed system flow and other information illustrating how the new system will operate
- Equipment requirements: hardware configuration needed to process and use the new systems (e.g., processing speed, storage space, and transmission media)
- Cost benefits analysis: detailed financial analysis of the cost to develop and operate the new system, the savings or additional expense, and the return on investment
- Project team formation: identify people from programming, user departments, and support departments to develop and implement the new system
- Project plan: an overall project plan with defined tasks and deliverables to monitor actual results and ensure successful progress
Auditing can be involved in the planning process to develop an understanding of the proposed system, make sure time is built into the schedule to adequately define controls, and verify that all the right people are involved.
There is a definite correlation between a well-managed systems development process and a successful system. The use of a proven system development methodology increases the probability that the system’s internal controls will be effective and reliable. As discussed under the traditional development approach, systems development includes the following phases:
- Analysis: Define what is required of the new system.
- Design: Define how to build the new system to satisfy the requirements.
- Construction: Build the new system using the design information.
- Testing: Verify that the completed system meets the users’ needs and functions without fault.
- Implementation: Deliver the completed system to the end users; obtain satisfactory feedback.
- Maintenance: Modify the system as needed to correct problems or meet changing needs.
Auditing can review the development process to ensure the software is designed with user requirements documented, that management approves the design, and that the application is tested before implementation. An additional focus is ensuring that the end user is able to use the system based on a combination of skills and supporting documentation.