Overall Management of Program Development Activities
Point Of Focus
Management of Program Development activities should include the following:
• A formal System Development Methodology (SDM) should exist.
• A detailed project plan should be developed and used for all aspects of the system development life cycle.
• Deliverables for each stage of the project should be defined and agreed upon between the user sponsor and IT.
• Management should review and sign off appropriate reports on the ongoing status of the project.
• Standards should indicate how certain tasks are completed and who has ultimate responsibility for the project.
• What sorts of tools are utilized to manage and control these activities?
Potential Controls
• Formally approved, comprehensive SDLC methodology/process communicated by senior management
• Baseline project plans are required
• SDLC contains well-defined standards for other project deliverables
• Periodic reporting on project status is required
• A process is in place to ensure compliance with the SDLC
Potential Testing
• Examine the SDM and inquire of management and application development personnel to determine the formality with which it is applied.
• Support conclusions about the completeness of the SDLC with actual observations during testing of the other phases (i.e., actual existence of required deliverables for key projects tested).
• Examine evidence that management receives and reviews periodic reports on project status.
• Examine evidence of quality assurance activities designed to ensure adherence to SDLC standards.
Project Initiation
Point Of Focus
Management should ensure that each development project has clear business objectives that consider the following:
• Does the project have clear business objectives and well-defined scope and boundaries?
• Has a comprehensive feasibility analysis been done at the initiation of the project?
• Is there a clear sponsor/owner for the project at senior management level?
• Does the project team have sufficient relevant business and technical expertise to effectively complete the project according to specifications?
Potential Controls
• Feasibility analysis is required for all development projects
• All projects must have a business sponsor
• Approval of the business sponsor and IT is required to commence work on a project
• Roles and responsibilities are clearly defined and communicated in a formal project plan, charter, etc.
Potential Testing
• Examine the formal SDM to determine whether it requires that a comprehensive feasibility analysis be conducted
• Obtain evidence that feasibility studies exist
• Examine evidence and inquire of user management to determine if there is a clear sponsor/owner at the senior management level
• Examine the formal SDLC methodology to determine whether it clearly defines roles and responsibilities of users and IT personnel
Analysis & Design
Point Of Focus
Requirements, including business functionality, performance requirements, security design and internal controls, should be defined. Stakeholders, including senior management, users and IT staff, should be identified. In addition, the following should be considered:
• Business specifications required for system design, based on user requirements
• Technical specifications of the environment in which the system will operate, including interfaces with other systems
• Detailed program specifications
• Process and data modeling
• Formal user management sign-off
Potential Controls
The SDLC requires definition of business and technical specifications, including:
• Business functionality requirements
• Internal control requirements
• Security requirements
• Capacity and performance requirements
• System interfaces and dependencies
• Requirements documentation must be approved by IT and users.
Potential Testing
• Examine evidence that requirements have been defined in accordance with the SDLC for a sample of projects. Assess for reasonableness, considering the points on the previous slide.
• Observe evidence that user management has approved the requirements.
Construction
Point Of Focus
The goal of the Construction phase is to take the output of the Analysis and Design phase and create a working system.
• Are standard coding methodologies followed?
• Dependencies between integrated applications are identified and considered.
• For packaged systems, how was the software package selected? Is customization required?
Potential Controls
• Programming standards exist and are effectively communicated to all programming staff.
• Programming standards require consistent documentation within program code to facilitate independent reviews and future maintenance.
• Package selection procedures exist.
• Package selection procedures require clear documentation of how the packages selected fulfil requirements defined in the Analysis & Design phase.
Potential Testing
• Examine evidence that formal programming standards exist.
• Inquire of management and development staff to determine the level of adherence to programming standards.
• Observe evidence of source code documentation for a sample of programs.
• Examine documented package selection procedures.
• Examine evidence that procedures were followed for a sample of projects that involved package selections.
Testing & QA
Point Of Focus
Separate environments should be maintained for development, test and production.
Testing throughout the Program Development phase is critical to ensuring a successful Program Development effort. Specifically, testing should include:
• Unit Testing
• System Testing
• Integration Testing
• User Acceptance Testing (UAT)
• Testing should ensure that the system delivered achieves the necessary business and internal control requirements defined in the Analysis and Design phase.
• What ensures that programs are not modified after testing and before the system is run in production?
Potential Controls
• Logical segregation between development, test and production environments. Management periodically performs a recertification process to validate that access between the environments is appropriately segregated.
• Transfer of code to the secured testing environment from the development environment should be performed by a function independent of programming.
• Version control is enforced either procedurally or through the use of change management software, or both.
• Testing should be conducted in a separate, independently controlled environment.
• Formal test plan standards exist to ensure consistency and adequacy of testing procedures.
• User and programming management perform an independent review of the system and test results and officially acknowledge acceptance of the new system in writing.
Potential Testing
• Inquire of management regarding the segregation of development, test and production environments.
• Observe evidence that a formal process is in place for moving code between the development and test environments.
• Observe evidence that management periodically re-certifies the segregation of duties between environments.
• Examine test plans for a sample of projects.
• Examine evidence of user and IT management acceptance of test results for a sample of projects.
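Two of the Testing & QA controls above lend themselves to a mechanical check: the periodic recertification that programming staff do not hold production access, and the assurance that programs are not modified between test sign-off and production. The following Python script is an added example and is not part of the original slides; the access-list entries, role names, artifact names and file contents are constructed sample data, and the rule that a "developer" role counts as a programming function is an assumption made for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample access-list entries: (account, environment, role).
ACCESS_LIST = [
    ("alice", "development", "developer"),
    ("alice", "test", "developer"),
    ("bob", "development", "developer"),
    ("bob", "production", "developer"),         # programmer with production access
    ("carol", "production", "operator"),
    ("dave", "test", "release_manager"),
    ("dave", "production", "release_manager"),  # release function, not a programmer
]

# Assumption for this example: which roles count as a programming function.
PROGRAMMING_ROLES = {"developer"}


def recertify_segregation(access_list):
    """Recertification check: return {account: [environments]} for every
    account that holds a programming role anywhere and also has production
    access. Such an account could change code after testing and run it in
    production, which is what the segregation control is meant to prevent."""
    envs = defaultdict(set)
    roles = defaultdict(set)
    for account, env, role in access_list:
        envs[account].add(env)
        roles[account].add(role)
    findings = {}
    for account in envs:
        if roles[account] & PROGRAMMING_ROLES and "production" in envs[account]:
            findings[account] = sorted(envs[account])
    return findings


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts as they existed when user management signed off testing ...
TESTED = {
    "payroll.exe": b"v1.3 payroll build",
    "report.sql": b"select * from payroll",
}
# ... and as found in production during the review.
PRODUCTION = {
    "payroll.exe": b"v1.3 payroll build",
    "report.sql": b"select * from payroll where 1=1",  # changed after testing
    "hotfix.sql": b"update rates set pct=0",            # never went through test
}


def signoff_manifest(artifacts):
    """Record a hash of every tested artifact at the moment of sign-off.
    The manifest is the evidence later compared against production."""
    return {name: sha256(data) for name, data in artifacts.items()}


def verify_promotion(tested_manifest, production_artifacts):
    """Compare what is running in production against the sign-off manifest.
    Returns {artifact: 'ok' | 'modified' | 'untested'}."""
    result = {}
    for name, data in production_artifacts.items():
        expected = tested_manifest.get(name)
        if expected is None:
            result[name] = "untested"        # in production without a test sign-off
        elif sha256(data) != expected:
            result[name] = "modified"        # changed between test and production
        else:
            result[name] = "ok"
    return result


if __name__ == "__main__":
    print("Segregation findings:", recertify_segregation(ACCESS_LIST))
    manifest = signoff_manifest(TESTED)
    print("Promotion check:", verify_promotion(manifest, PRODUCTION))
```

Run as a periodic job, the first check produces the evidence an auditor would ask for under "management periodically re-certifies the segregation of duties between environments", and the second answers the point-of-focus question about modification after testing: anything reported as "modified" or "untested" is a break in the version-control and transfer controls that should appear on an exception report.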
General Computer Controls - Program Development
Data Conversion
Point Of Focus
When data is being converted, integrated, or migrated from one system to another, it is critical that:
• Any data conversion necessary to accommodate the new data model is performed
• Data fields are properly mapped from the legacy system(s) to the target system
• Data quality is carefully considered for key fields in terms of:
  • Accuracy
  • Integrity
  • Consistency
  • Accessibility
  • Existence
• Critical system interfaces should be modified to accept the new data model.
Potential Controls
• A data conversion methodology exists.
• Data must be formally mapped from legacy systems to target systems.
• A formal process exists to ensure data quality for key fields.
• Impact on system interfaces must be considered.
• Exception-handling routines are defined and evidence of resolution is maintained.
• User-designed tests exist to ensure completeness and accuracy of the conversion (e.g., key reports, balancing).
Potential Testing
• Review the conversion document for completeness.
• Examine that formal mapping procedures were used to identify each data field converted.
• Review the data clean-up policy.
• Examine that all system-related and user documentation was completed for computer operations personnel and users.
• Determine if there is a reasonable "backout plan" to continue operations in the event there are significant unexpected problems when the system is in production.
• For major system conversions, examine evidence that data conversion documentation exists, such as conversion strategy, mapping documents, data assessment, cleansing plans, conversion test plans and reconciliation plans.
• Inquire of the status of critical system interfaces and determine their impact on the conversion.
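As an added illustration of the formal field mapping, key-field quality checks (existence, accuracy, integrity), exception handling and user balancing tests described in the Data Conversion section (example code, not part of the original material), the following Python script converts a constructed legacy extract into a target record layout and produces the reconciliation figures a reviewer would compare. The legacy field names, the target layout, the status-code mapping and the sample rows are all assumptions made for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed legacy extract (rows of a flat file after parsing). Field names
# and values are invented for the example; each defect is deliberate.
LEGACY = [
    {"CUSTNO": "0001", "NAME": "Acme Ltd", "BAL": "1250.50", "STAT": "A"},
    {"CUSTNO": "0002", "NAME": "",         "BAL": "300.00",  "STAT": "A"},  # missing name
    {"CUSTNO": "0003", "NAME": "Globex",   "BAL": "12x.00",  "STAT": "I"},  # bad amount
    {"CUSTNO": "0001", "NAME": "Acme Ltd", "BAL": "10.00",   "STAT": "A"},  # duplicate key
    {"CUSTNO": "0004", "NAME": "Initech",  "BAL": "-45.25",  "STAT": "X"},  # unknown status
]

# Assumed code translation for the target system's boolean "active" flag.
STATUS_MAP = {"A": True, "I": False}

# The formal mapping document, expressed as target field -> (legacy field, transform).
# Every converted field must appear here; nothing is copied "by accident".
MAPPING = {
    "customer_id": ("CUSTNO", lambda v: int(v)),
    "full_name":   ("NAME",   lambda v: v.strip()),
    "balance":     ("BAL",    lambda v: Decimal(v)),
    "active":      ("STAT",   lambda v: STATUS_MAP[v]),
}


def convert(legacy_rows):
    """Apply the mapping row by row. Rows that fail any key-field check go to
    the exception report instead of the target load, so nothing is silently
    dropped or loaded half-converted."""
    converted, exceptions = [], []
    seen_keys = set()
    for rownum, row in enumerate(legacy_rows, 1):
        target, errors = {}, []
        for tgt, (src, transform) in MAPPING.items():
            raw = row.get(src)
            if raw is None or raw == "":
                errors.append(f"{tgt}: missing {src}")            # existence
                continue
            try:
                target[tgt] = transform(raw)
            except (ValueError, InvalidOperation, KeyError):
                errors.append(f"{tgt}: cannot convert {src}={raw!r}")  # accuracy
        key = target.get("customer_id")
        if key is not None:
            if key in seen_keys:
                errors.append(f"customer_id: duplicate key {key}")  # integrity
            seen_keys.add(key)
        if errors:
            exceptions.append({"row": rownum, "legacy_key": row.get("CUSTNO"),
                               "errors": errors})
        else:
            converted.append(target)
    return converted, exceptions


def parse_amount(value):
    try:
        return Decimal(value)
    except InvalidOperation:
        return None


def reconcile(legacy_rows, converted, exceptions):
    """Balancing test: every legacy row is either loaded or on the exception
    report, and the legacy control total equals the converted total plus the
    total of the rows held back as exceptions. Amounts that cannot be parsed
    are counted separately because they cannot enter any total."""
    exception_rows = {e["row"] for e in exceptions}
    legacy_total = exception_total = Decimal("0")
    untotalled = 0
    for rownum, row in enumerate(legacy_rows, 1):
        amount = parse_amount(row["BAL"])
        if amount is None:
            untotalled += 1
            continue
        legacy_total += amount
        if rownum in exception_rows:
            exception_total += amount
    converted_total = sum((r["balance"] for r in converted), Decimal("0"))
    return {
        "rows_balance": len(legacy_rows) == len(converted) + len(exceptions),
        "amounts_balance": legacy_total == converted_total + exception_total,
        "legacy_total": legacy_total,
        "converted_total": converted_total,
        "exception_total": exception_total,
        "untotalled_rows": untotalled,
    }


if __name__ == "__main__":
    loaded, report = convert(LEGACY)
    for item in report:
        print("EXCEPTION row", item["row"], item["legacy_key"], item["errors"])
    print(reconcile(LEGACY, loaded, report))
```

The exception report is the "evidence of resolution" artifact: each entry names the legacy key and the failed check, so a user can clean the source and re-run. The reconciliation dictionary is the balancing test the slides ask users to design; a reviewer compares its legacy control total against the source system's own report and expects both `rows_balance` and `amounts_balance` to be true before the target load is accepted.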
Go Live
Point Of Focus
Once the testing phase is considered complete, the decision to “go live” is made by management. “Go Live” includes the following activities:
• Formal implementation approval by Project Sponsor/Owner, User management and IT management
• Communication to all stakeholders
• Definition of back-out strategies and escalation procedures
• Initiation of post-implementation activities
Potential Controls
• The SDLC requires formal approval from multiple stakeholders prior to implementation in production.
• Formal documentation exists to facilitate the “go live” decision.
• Formal communication to all stakeholders is required before production implementation.
• Back-out procedures are required for all implementations.
• Post-implementation reviews are required for all projects.
Potential Testing
• Examine documented approvals for a sample of implemented systems.
• Examine “go live” documentation for a sample of projects.
• Examine evidence of formal communication to stakeholders prior to production implementation.
• Examine documented back-out procedures for a sample of projects.
• Examine post-implementation reviews for a sample of projects.
Documentation and Training