Page 1: Auditchap

CHAPTER 4: DEVELOPMENT AND SYSTEM MAINTENANCE ACTIVITY

Page 2: Auditchap

Objectives:

To understand the role of auditors in the SDLC

To understand how control and audit are carried out in the SDLC

To be familiar with the various kinds of system documentation and the reason each one is produced

Page 3: Auditchap

Individuals involved in systems development

Three groups of participants:

Systems professionals: systems analysts, systems engineers and programmers

End users: users at every level of the organization, including managers, operations staff, accountants and internal auditors

Stakeholders: individuals inside or outside the organization who have an interest in the system but are not its end users, including accountants, internal and external auditors, and the internal steering committee that oversees systems development

Page 4: Auditchap

Individuals involved in systems development

Accountants and auditors are involved for two reasons:

1. Creating an information system is itself a significant financial transaction.

2. The product of the SDLC (the accounting information system, AIS) must be of adequate quality. Accountants and auditors are there to ensure the quality of the processes that produce the AIS.

Page 5: Auditchap

Individuals involved in systems development

How are accountants involved in the SDLC?

1. Accountants as users

2. Accountants as members of the development team

3. Accountants as auditors

Page 6: Auditchap

SDLC

[Figure: the SDLC as two main phases. New systems development: systems strategy (planning), systems analysis, conceptual design, evaluation and selection, detailed design, implementation. Each phase produces its documentation: project proposal and timetable; systems analysis report; alternative conceptual designs; systems selection report; detailed system design; full systems documentation. After implementation the system enters maintenance, and a new development cycle begins when the old system is no longer worth maintaining.]

Page 7: Auditchap

SDLC

The objectives and the sequence of SDLC activities/phases are logical and are accepted by practitioners.

From the auditing perspective the number of SDLC steps is not important; different authors present SDLC models with anywhere from 4 to 14 activities/phases.

What matters for auditing is the substance of the process and that it produces a stable, well-controlled application.

Based on the figure, there are 7 steps in two main phases: new systems development (the proposed system) and maintenance.

Page 8: Auditchap

SDLC – Phases & objectives

1. Systems strategy. Objective: to link systems projects/applications to the strategic objectives of the organization.

2. Systems analysis. Objective: to study the current system and analyse the users' needs.

3. Systems design (conceptual level). Objective: to produce several alternative conceptual system designs that satisfy the needs identified in the systems analysis phase.

Page 9: Auditchap

SDLC – Phases & objectives

4. Evaluation and selection. Objective: to choose one system (an optimizing process) from the set of alternative conceptual designs; the chosen design is then fully described in the detailed design phase.

5. Detailed design (logical level). Objective: to produce a detailed description of the system that satisfies the system requirements identified in the systems analysis phase and is consistent with the chosen conceptual design.

Page 10: Auditchap

SDLC – Phases & objectives

6. Systems implementation. Objective: to build the database structures and load the data, code and test the application, purchase and install the equipment, train the staff, document the system and bring the new system into operation.

Page 11: Auditchap

SDLC – Systems strategy

The auditor's role in systems strategy: to evaluate the systems strategy. Experience has shown that a careful systems strategy is a cost-effective control technique in systems development.

A fully committed strategy lowers the risk of producing a system that is unnecessary, unwanted, ineffective or inefficient.

Internal and external auditors therefore have an interest in making sure that the systems strategy is carried out completely.

Page 12: Auditchap

SDLC – Systems analysis

The auditor's role in systems analysis: auditors (internal or external) are stakeholders in the proposed system.

Complex audit features are usually difficult to add to a system after it exists.

Therefore auditors must take part in the needs analysis for the proposed system, to make sure there is provision for the complex audit features and to determine which features are most suitable to build in.

Page 13: Auditchap

SDLC – Systems design (conceptual level)

The auditor's role in conceptual design: the auditability of a system depends on its design characteristics. Therefore the special audit features the system needs must be designed into its structure at this stage.

Page 14: Auditchap

SDLC – Evaluation and selection

The auditor's role in evaluation and selection: to ensure that the economic effects of the proposed system are measured accurately. In general the auditor must verify that:

i. Only escapable costs are used in calculating cost savings.

ii. A reasonable interest (discount) rate is used in evaluating the present value of the cash flows.

iii. One-time and recurring costs are completely and correctly reported.

iv. Realistic useful lives are used when comparing competing projects.

v. Intangible benefits are assigned reasonable financial values.

Page 15: Auditchap

SDLC – Systems implementation

The auditor's role in systems implementation:

Provide technical expertise: the detailed design phase specifies the procedures, rules and conventions to be used in the system, and the auditor contributes expertise to that specification.

Specify documentation standards: in the implementation phase the auditor helps set the standard for systems documentation. Financial systems must be documented to the agreed standard.

Verify that controls are adequate: applications produced by the SDLC must contain controls in accordance with SAS 78. This requires the auditor's participation in both design and implementation. Both programmed controls and manual procedures must be covered.

Page 16: Auditchap

SDLC – Systems maintenance

After the system has been implemented it enters the next phase, maintenance.

Maintenance consists of changes to the system to keep up with changes in the users' needs.

Sometimes the changes are minor, such as modifying the system to produce a new report or to change a data field.

Maintenance can also be extensive, for example drastic changes to the application logic and the user interface.

The maintenance period can last around 10 years, depending on the organization.

A new systems development is undertaken when the old system is no longer worth maintaining.

Page 17: Auditchap

Control & auditing SDLC

Controls over new systems development involve six activities:

1. Systems authorization activities

2. User specification activities

3. Technical design activities

4. Internal audit participation

5. Program testing

6. User test and acceptance procedures

Page 18: Auditchap

Controls over new systems development: 1. Systems authorization activities

All systems must be properly authorized, to confirm their justification and economic feasibility. As with any material transaction, authorization of information systems development must be a formal step in the process.

This requires that every proposed new system be submitted, as a written proposal from the users, to the systems professionals who have the expertise and the authority to evaluate the proposal and approve or reject it.

Page 19: Auditchap

Controls over new systems development: 2. User specification activities

Users must be actively involved in the systems development process. They must provide a complete written description of the logical needs the system has to satisfy. Preparing the user specification document requires cooperation between the users and the systems professionals.

Regardless of that technical input, the document must remain the users' own statement of the problem and of their needs.

Page 20: Auditchap

Controls over new systems development: 3. Technical design activities

This activity translates the user specifications into a set of detailed technical system specifications that satisfy the users' needs.

Its scope covers systems analysis, general systems design, feasibility analysis and detailed systems design.

The adequacy of this activity is measured by the quality of the documentation produced at each stage.

Documentation is both a control and evidence of control, and it is critical to the system's long-term success.

Page 21: Auditchap

Controls over new systems development: 4. Internal audit participation

Internal auditors act as intermediaries between the users and the systems professionals, ensuring that knowledge is transferred effectively.

The internal audit group can contribute valuably to every aspect of the SDLC process.

Auditors are involved from the beginning, to propose the conceptual control and system requirements.

Auditors stay involved through every development phase, up to and including the maintenance phase.

Page 22: Auditchap

Controls over new systems development: 5. Program testing

All program modules must be thoroughly tested before they are implemented. Figure 4-9 shows the program testing procedure, which involves creating hypothetical master files and transaction files that are processed by the modules under test.

The results are compared with predetermined results to identify programming and logic errors.

Page 23: Auditchap

Controls over new systems development: 5. Program testing (continued)

To make future testing easier, the test data prepared during implementation must be preserved for reuse.

This gives the auditor a frame of reference for designing and evaluating future audit tests.

Using a base case comparison, the auditor can quickly determine the integrity of the code.

If a change has occurred, the original test data establishes the nature and impact of the change, so the auditor can focus only on that area.
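The testing procedure described on this and the preceding slide, as an added example that is not from the original slides or the textbook they summarize: a small payroll posting module is run over a constructed hypothetical master file and transaction file (including an overtime case and an unknown employee), its output is compared with results predetermined by hand, and the same preserved test data then serves as the base case that exposes a later change to the module's logic. The module, the file layouts and all figures are constructed for illustration.

```python
"""Base case program test, after the procedure the slides describe:
hypothetical master and transaction files are processed by the module under
test and compared with predetermined results.  Added example with constructed
data; the payroll module is a stand-in for a real application module."""
import copy
import hashlib
import json

# Constructed hypothetical master file: employee id -> pay record.
MASTER_FILE = {
    "E001": {"name": "Ali", "rate": 20.0, "ytd_gross": 1000.0},
    "E002": {"name": "Mei", "rate": 35.5, "ytd_gross": 2500.0},
}

# Constructed transaction file: one timesheet per record.  It deliberately
# includes an overtime case and an unknown employee so both paths are exercised.
TRANSACTION_FILE = [
    {"emp": "E001", "hours": 40},
    {"emp": "E002", "hours": 45},   # 5 hours overtime at 1.5x
    {"emp": "E999", "hours": 10},   # no master record: must be rejected
]

# Predetermined results, worked out by hand from the data above:
#   E001: 40 * 20.0 = 800.00                    -> ytd 1800.00
#   E002: 40 * 35.5 + 5 * 35.5 * 1.5 = 1686.25  -> ytd 4186.25
EXPECTED_MASTER = {
    "E001": {"name": "Ali", "rate": 20.0, "ytd_gross": 1800.0},
    "E002": {"name": "Mei", "rate": 35.5, "ytd_gross": 4186.25},
}
EXPECTED_REJECTED = [{"emp": "E999", "hours": 10}]


def payroll_module(master, transactions, overtime_multiplier=1.5):
    """Module under test: posts gross pay from each timesheet to the master
    file.  Returns the updated master file and the rejected transactions."""
    master = copy.deepcopy(master)          # never modify the preserved test data
    rejected = []
    for txn in transactions:
        record = master.get(txn["emp"])
        if record is None:
            rejected.append(txn)
            continue
        regular = min(txn["hours"], 40)
        overtime = max(txn["hours"] - 40, 0)
        gross = regular * record["rate"] + overtime * record["rate"] * overtime_multiplier
        record["ytd_gross"] = round(record["ytd_gross"] + gross, 2)
    return master, rejected


def compare_with_base_case(module):
    """Run `module` over the preserved test data and list every difference
    from the predetermined results.  An empty list means the code still
    behaves as it did when the base case was established."""
    master, rejected = module(MASTER_FILE, TRANSACTION_FILE)
    differences = []
    for emp, expected in EXPECTED_MASTER.items():
        if master.get(emp) != expected:
            differences.append((emp, expected, master.get(emp)))
    if rejected != EXPECTED_REJECTED:
        differences.append(("rejected", EXPECTED_REJECTED, rejected))
    return differences


def base_case_digest(module):
    """Digest of the canonical output, so a later run can be compared with
    the stored base case without re-reading every field by hand."""
    master, rejected = module(MASTER_FILE, TRANSACTION_FILE)
    canonical = json.dumps({"master": master, "rejected": rejected}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def modified_module(master, transactions):
    """The same module after an undocumented maintenance change that pays
    overtime at double time.  The base case comparison isolates it to E002."""
    return payroll_module(master, transactions, overtime_multiplier=2.0)


if __name__ == "__main__":
    print("original module:", compare_with_base_case(payroll_module))
    print("modified module:", compare_with_base_case(modified_module))
```

The digest is what makes the base case cheap to reuse: the auditor stores it with the test data at implementation, and any later run whose digest differs is then examined field by field with compare_with_base_case to see exactly which records changed.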

Page 24: Auditchap

Controls over new systems development: 6. User test and acceptance procedures

Before the system is implemented, the individual modules must be tested together as a complete system. A test team of user personnel, systems professionals and internal auditors subjects the system to rigorous testing. Once the team is satisfied, the system is formally accepted by the user department(s).

Many auditors consider the formal testing and acceptance of the system by the users to be the single most important control over the SDLC.

This is the last point at which the users can determine that the system meets their needs.

The users' acceptance of the new system must be formally documented.

Page 25: Auditchap

Controls over new systems development: audit objectives

i. SDLC activities are applied consistently and in accordance with management's policies.

ii. The system as implemented is free from material errors and fraud.

iii. The system was judged to be necessary and justified at the various checkpoints throughout the SDLC.

iv. Systems documentation is accurate and complete enough to facilitate audit and maintenance activities.

Page 26: Auditchap

Controls over new systems development: audit procedures

The auditor should select a sample of completed projects and review their documentation for evidence of compliance with SDLC policy. Specific points to review include determining that:

i. User and computer services management properly authorized the project.

ii. A preliminary feasibility study showed that the project had merit.

iii. A detailed analysis of user needs was conducted, resulting in alternative general designs.

Page 27: Auditchap

Controls over new systems development: audit procedures (continued)

iv. A cost-benefit analysis was conducted using reasonably accurate figures.

v. The project documentation shows that the detailed design was an appropriate solution to the users' problem.

vi. Test results show that the system was tested at both the individual module level and the full system level before implementation.

vii. There is a checklist of the specific problems detected during the conversion (changeover) period, with evidence that they were corrected in the maintenance phase.

viii. Systems documentation complies with organizational standards and requirements.

Page 28: Auditchap

Systems maintenance controls: 1. Maintenance authorization, testing and documentation

The benefits achieved by controlling new systems development are quickly lost during systems maintenance if control does not continue into that phase.

Access to the system for maintenance purposes increases the possibility of system errors.

To reduce this exposure, every maintenance action must require, as a minimum, four controls: formal authorization, technical specification of the change, retesting of the system and updating of the documentation.

Page 29: Auditchap

Systems maintenance controls: maintenance authorization, testing and documentation (continued)

The extent of the change and its potential impact on the system should govern the degree of control applied.

When maintenance causes extensive changes to the program logic, additional controls, such as participation by the auditors and the application of the user test and acceptance procedures, are needed.

Page 30: Auditchap

Systems maintenance controls: source program library controls

The integrity of an application is threatened by any individual who has unauthorized access to its programs.

In large computer systems, application program source code is stored on magnetic disk in a source program library (SPL; the original slides also call it the LCS); refer to figure 4-10.

To execute a production application, the source must first be compiled and linked to create a load module that the computer can process.

As a practical matter, in this model the load module is considered secure from direct unauthorized modification: changes are made through the source code and a recompile, which is why the source library is the point to control.

Page 31: Auditchap

Systems maintenance controls: source program library controls (continued)

Program changes (both authorized maintenance and unauthorized changes) are made by changing the source code stored in the SPL, then recompiling and linking the program to produce a new load module that contains the changed code.

Therefore the SPL is a sensitive area that must be properly controlled in order to preserve application integrity.

Page 32: Auditchap

Systems maintenance controls: the worst case – no controls

Figure 4-10 shows an SPL without controls. This arrangement creates two kinds of exposure:

i. Access to the programs is completely unrestricted. Programmers and other users can access any program stored in the library, and there is no provision for detecting an intrusion.

Page 33: Auditchap

Systems maintenance controls: the worst case – no controls (continued)

ii. Because of this weakness, the programs are subject to unauthorized changes. Consequently there is no basis for relying on the effectiveness of the other controls (maintenance authorization, program testing and documentation).

Controls always compete with efficiency and operational flexibility.

Systems professionals and auditors must understand the exposures that exist when control features are left out, and accept the resulting control-flexibility trade-off between the two needs.

Page 34: Auditchap

Systems maintenance controls: a controlled SPL environment

To control the SPL, protective features and security procedures must be built in, which requires implementing an SPL management system (SPLMS; "MSLCS" in the original slides). Figure 4-11 is an example of this technique.

The software controls four routine but critical functions:

i. Storing programs in the SPL.

ii. Retrieving programs for maintenance purposes.

iii. Deleting obsolete programs from the library.

iv. Documenting program changes, to provide an audit trail of the changes.

Page 35: Auditchap

Systems maintenance controls: a controlled SPL environment (continued)

The SPL needs specific strategies and control techniques to ensure program integrity. The techniques are:

i. Password control. A form of access control over the SPL, similar to the password control used in a DBMS to protect files.

Page 36: Auditchap

Systems maintenance controls: a controlled SPL environment (continued)

ii. Separate test libraries. Refer to figure 4-11. Programs are copied into a programmer's test library for maintenance and testing. Direct access to the production SPL is limited to an authorized librarian group, which must approve every request to modify, delete or copy a program. Program access passwords can be changed regularly and are disclosed only on a need-to-know basis.

A naming convention distinguishes a test program from a production program: when a program is copied from the production SPL into the test library it is given a temporary "test" name, and when it is returned to the SPL its name is changed back to the original production name.

Page 37: Auditchap

Systems maintenance controls: a controlled SPL environment (continued)

iii. Audit trail and management reports. An important feature of SPL management software is that it enhances management control and the audit function. The modification reports are the most useful here: they describe in detail all program changes (additions and deletions) to each module.

The modification reports must form part of the documentation file of each application, to create an audit trail of program changes over the application's life cycle.

During an audit, these reports are reconciled against the program maintenance requests to confirm that only authorized changes were implemented. The reports can be produced on hard copy or disk and can themselves be password controlled.

Page 38: Auditchap

Systems maintenance controls: a controlled SPL environment (continued)

iv. Program version numbers. The SPLMS automatically assigns a version number to each program stored in the library. When a program is first placed in the library (at implementation) it is given version number 0. With every modification the version number is incremented by one.

Combined with the audit trail reports, this feature provides evidence for identifying unauthorized changes to program modules: an unauthorized change shows up as a version number on the production load module that cannot be reconciled with the number of authorized changes.

Page 39: Auditchap

Systems maintenance controls: a controlled SPL environment (continued)

iv. Program version numbers (continued). For example, if 10 changes were authorized but the production program shows version 12, one of two possibilities explains the difference:

a) Authorized changes were made that are not supported by documentation.

b) Unauthorized changes were made to the program, each of which incremented the version number.

Page 40: Auditchap

Systems maintenance controls: a controlled SPL environment (continued)

v. Access control over maintenance commands. SPL management systems use maintenance commands to alter or delete program passwords, to alter a program's version number and to modify a program temporarily without generating a modification record.

There are legitimate technical reasons for these commands, but if they are not controlled they open the way to unrecorded, unauthorized program modification. Access to the maintenance commands must be password controlled, and the authority to use them must be controlled by management or the security group.

Page 41: Auditchap

Systems maintenance controls: audit objectives

To detect unauthorized program maintenance (which may result in processing errors or fraud) and to determine that:

i. Maintenance procedures protect the applications from unauthorized changes.

ii. The applications are free from material errors.

iii. The program libraries are protected from unauthorized access.

The tests concentrate on the controls appropriate to each objective, and they assume that SPLMS software is used to control program maintenance.

Page 42: Auditchap

Systems maintenance controls: audit procedures to identify unauthorized changes

The auditor must examine the audit trail of the program changes that have been made. This is done through tests of controls such as:

1. Reconcile program version numbers. The permanent file of the application must contain the program modification authorization documents that reconcile to the version number of the application in production. Any discrepancy between the version number and the supporting documents indicates that an unauthorized change has been made.

Page 43: Auditchap

Systems maintenance controls: audit procedures to identify unauthorized changes (continued)

2. Confirm maintenance authorization. The program maintenance authorization document must state the requested change and the date the change was made, and must be signed and approved by computer services management and the user department.

The auditor must verify the facts on the maintenance authorizations and confirm the authorization with the managers involved.
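The two tests of controls on this and the preceding slide, together with the version-number reasoning from the program version number slides, as an added example that is not part of the original slides: a constructed SPLMS modification report and a constructed file of maintenance authorization documents are reconciled, first by comparing each module's production version number with the number of authorized changes, then by checking every reported change against its authorization document (same module, requested before it was stored, required sign-offs present). The record layouts, field names and the two-signature rule are assumptions made for the example.

```python
"""Reconciling SPLMS version numbers and the modification report with the
program maintenance authorization file.  Added example; the report, the
authorization file and the field names are constructed for illustration."""
from datetime import date

# Constructed SPLMS modification report: one line per change stored to the
# production library, in the order applied.  Fields: module, version number
# after the change, date stored, programmer, change request id (None when
# the change was stored without any request reference).
SPLMS_MODIFICATION_REPORT = [
    ("AR_POST",  1, date(2024, 1, 12), "prog01", "CR-101"),
    ("AR_POST",  2, date(2024, 2, 3),  "prog02", "CR-107"),
    ("AR_POST",  3, date(2024, 2, 20), "prog01", None),
    ("GL_CLOSE", 1, date(2024, 1, 30), "prog03", "CR-104"),
]

# Version numbers the SPLMS reports for the production load modules today.
PRODUCTION_VERSIONS = {"AR_POST": 3, "GL_CLOSE": 1, "PAYROLL": 0}

# Constructed maintenance authorization documents, one per approved request.
# "approved_by" lists the sign-offs on the document; the policy assumed here
# is that both computer services management and the user department sign.
MAINTENANCE_AUTHORIZATIONS = {
    "CR-101": {"module": "AR_POST",  "requested": date(2024, 1, 5),
               "approved_by": ("it_mgr", "ar_user_mgr")},
    "CR-107": {"module": "AR_POST",  "requested": date(2024, 1, 28),
               "approved_by": ("it_mgr",)},           # user department never signed
    "CR-104": {"module": "GL_CLOSE", "requested": date(2024, 1, 25),
               "approved_by": ("it_mgr", "gl_user_mgr")},
}
REQUIRED_APPROVERS = 2


def reconcile_versions(production_versions, authorizations):
    """Test 1: a module starts at version 0 and gains one version per
    modification, so its production version must equal the number of
    authorized changes.  Returns {module: (version, authorized_count)}
    for every module that does not reconcile."""
    authorized = {}
    for doc in authorizations.values():
        authorized[doc["module"]] = authorized.get(doc["module"], 0) + 1
    return {module: (version, authorized.get(module, 0))
            for module, version in production_versions.items()
            if version != authorized.get(module, 0)}


def confirm_maintenance_authorization(report, authorizations,
                                      required_approvers=REQUIRED_APPROVERS):
    """Test 2: every change on the modification report must reference an
    authorization document that names the same module, was requested before
    the change was stored, and carries the required approvals.
    Returns a list of (module, version, finding) tuples."""
    findings = []
    for module, version, stored, programmer, request_id in report:
        doc = authorizations.get(request_id) if request_id else None
        if doc is None:
            findings.append((module, version, "no authorization document"))
            continue
        if doc["module"] != module:
            findings.append((module, version,
                             f"{request_id} authorizes {doc['module']}, not {module}"))
        if doc["requested"] > stored:
            findings.append((module, version,
                             f"{request_id} was requested after the change was stored"))
        if len(doc["approved_by"]) < required_approvers:
            findings.append((module, version, f"{request_id} lacks required approvals"))
    return findings


if __name__ == "__main__":
    print(reconcile_versions(PRODUCTION_VERSIONS, MAINTENANCE_AUTHORIZATIONS))
    for finding in confirm_maintenance_authorization(SPLMS_MODIFICATION_REPORT,
                                                     MAINTENANCE_AUTHORIZATIONS):
        print(*finding)
```

On this data AR_POST is at version 3 with only two authorized changes, which is the slide's "version 12 against 10 authorized" situation in miniature; the second test then shows which stored change has no document at all and which one was stored on a document the user department never signed.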

Page 44: Auditchap

Systems maintenance controls: audit procedures to identify application errors

The auditor can determine that the programs are free from material errors by performing three types of control tests:

1. Reconcile the source code. Each application's permanent file must contain the current program listing and the list of changes made to the application.

This documentation describes the application's maintenance history in detail. Every change must be recorded on a program change authorization document.

Page 45: Auditchap

Systems maintenance controls: audit procedures to identify application errors (continued)

1. Reconcile the source code (continued). The auditor selects a sample of applications and reconciles each change with the appropriate authorization document. The modular approach to systems design greatly assists this testing technique: the reduced complexity of each module increases the auditor's ability to spot the irregularities that mark erroneous, superfluous or fraudulent program code.

2. Review the test results. Every program change must be tested before implementation.

Page 46: Auditchap

Systems maintenance controls: audit procedures to identify application errors (continued)

2. Review the test results (continued). Program testing procedures must be properly documented, including the test objectives, the test data and the processing results, to support the programmer's decision to implement the change.

The auditor must review these records for every program change to establish that the testing was thorough enough to detect errors.

3. Retest the program. The auditor can retest the application to determine its integrity. The techniques are discussed in chapter 6.
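The source code reconciliation test (item 1 on the two preceding slides), as an added example that is not part of the original slides: the application's permanent file is represented by a constructed baseline listing plus the authorized change documents, each recording the exact line replaced or the insertion point and the new lines; the listing the authorized changes should have produced is rebuilt from these, and any line in the production source that they do not explain is reported. The COBOL-style listing, the change document layout and the unexplained line (a hard-coded account whose amounts are zeroed before posting) are all constructed.

```python
"""Source code reconciliation: rebuild the listing the authorized changes
should have produced and report anything in the production source they do
not explain.  Added example; the listing, the change documents and the
unexplained change are constructed for illustration."""
import difflib

# Constructed baseline listing, as filed at implementation (version 0).
BASELINE_LISTING = """\
PROCEDURE DIVISION.
    MOVE ZERO TO WS-TOTAL.
    PERFORM READ-TRANSACTION UNTIL EOF.
    IF WS-AMOUNT > 10000
        PERFORM FLAG-FOR-REVIEW.
    ADD WS-AMOUNT TO WS-TOTAL.
    DISPLAY WS-TOTAL.
""".splitlines()

# Constructed program change authorization documents.  Each carries the
# technical specification of the change: the line replaced (or the line
# after which new lines go) and the new lines, so the change is reproducible.
AUTHORIZED_CHANGES = [
    {"id": "CR-101", "replace": "    IF WS-AMOUNT > 10000",
     "new": ["    IF WS-AMOUNT > 5000"]},
    {"id": "CR-107", "insert_after": "    ADD WS-AMOUNT TO WS-TOTAL.",
     "new": ["    PERFORM WRITE-AUDIT-LOG."]},
]

# Constructed production source as retrieved from the SPL today.  Besides the
# two authorized changes it contains a line no change document accounts for.
PRODUCTION_LISTING = """\
PROCEDURE DIVISION.
    MOVE ZERO TO WS-TOTAL.
    PERFORM READ-TRANSACTION UNTIL EOF.
    IF WS-AMOUNT > 5000
        PERFORM FLAG-FOR-REVIEW.
    IF WS-ACCOUNT = "X9" MOVE ZERO TO WS-AMOUNT.
    ADD WS-AMOUNT TO WS-TOTAL.
    PERFORM WRITE-AUDIT-LOG.
    DISPLAY WS-TOTAL.
""".splitlines()


def apply_authorized_change(listing, change):
    """Apply one documented change to a listing.  A change whose anchor line
    is not present is itself a documentation defect, so it is reported."""
    lines = list(listing)
    anchor = change.get("replace", change.get("insert_after"))
    if anchor not in lines:
        raise ValueError(f"{change['id']}: anchor line not found in listing: {anchor!r}")
    index = lines.index(anchor)
    if "replace" in change:
        lines[index:index + 1] = change["new"]
    else:
        lines[index + 1:index + 1] = change["new"]
    return lines


def expected_listing(baseline, changes):
    """The listing the permanent file says production should contain."""
    listing = baseline
    for change in changes:
        listing = apply_authorized_change(listing, change)
    return listing


def unexplained_lines(expected, production):
    """Lines added to ('+') or removed from ('-') the production source that
    the authorized changes do not explain.  Empty means the source reconciles."""
    diff = difflib.unified_diff(expected, production, "authorized", "production",
                                lineterm="", n=0)
    return [line for line in diff
            if line[:1] in ("+", "-") and not line.startswith(("+++", "---"))]


if __name__ == "__main__":
    expected = expected_listing(BASELINE_LISTING, AUTHORIZED_CHANGES)
    for line in unexplained_lines(expected, PRODUCTION_LISTING):
        print(line)
```

Reconstructing the expected listing from the change documents, rather than reading the current listing and trying to justify each line after the fact, is what turns the test into a mechanical comparison: everything the documents do not generate is an exception, whether it is an error, a superfluous line or a deliberate insertion like the one above.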

Page 47: Auditchap

Systems maintenance controls: audit procedures to test access to the libraries

The auditor must establish that the program libraries and the private (test) libraries are protected from unauthorized access, by:

1. Reviewing the programmer authority table. The auditor selects a sample of programmers and reviews their access rights. The programmer authority table specifies the libraries each programmer may access. These rights must agree with the programmer's maintenance authorizations; any access beyond them is an exception to be investigated.

Page 48: Auditchap

Systems maintenance controls: audit procedures to test access to the libraries (continued)

2. Testing the authority table. The auditor should simulate a programmer's access privileges and then attempt to violate the authorization rules by accessing the libraries without authority.

Every such attempt should be denied by the operating system.
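The two library access tests on this and the preceding slide, as an added example that is not part of the original slides: a constructed programmer authority table is reviewed against constructed maintenance assignments and a simple assumed policy (a programmer writes only to the test library named after them, and only the librarian group writes to or deletes from the production SPL), and library operations are then attempted under a programmer's privileges to confirm that those the table does not grant are refused. The access decision function stands in for the operating system or SPLMS check and is not a real product's API.

```python
"""Programmer authority table: review it against maintenance assignments and
a library access policy, then attempt operations a programmer should not be
able to perform.  Added example; the tables, the policy and the access
decision function are constructed and stand in for a real SPLMS/OS check."""

# Constructed programmer authority table: user -> {library: permitted operations}.
AUTHORITY_TABLE = {
    "prog01":    {"TEST_LIB_PROG01": {"read", "write", "delete"},
                  "PROD_SPL": {"read"}},
    "prog02":    {"TEST_LIB_PROG02": {"read", "write", "delete"},
                  "PROD_SPL": {"read", "write"}},        # write right on production
    "librarian": {"PROD_SPL": {"read", "write", "delete", "copy"}},
}

# Constructed current maintenance authorizations: programmer -> modules assigned.
MAINTENANCE_ASSIGNMENTS = {"prog01": {"AR_POST"}, "prog02": set()}

LIBRARIAN_GROUP = {"librarian"}
PRODUCTION_LIBRARY = "PROD_SPL"


def review_authority_table(table, assignments, librarians=LIBRARIAN_GROUP):
    """Test 1: compare each programmer's rights with the assumed policy:
    only the librarian group may write to or delete from the production SPL,
    a programmer may use only the test library named after them, and test
    library rights must be backed by a current maintenance assignment.
    Returns (user, library, finding) tuples."""
    findings = []
    for user, libraries in table.items():
        if user in librarians:
            continue
        for library, operations in libraries.items():
            if library == PRODUCTION_LIBRARY and operations - {"read"}:
                findings.append((user, library, "write/delete right on production SPL"))
            if library.startswith("TEST_LIB_"):
                if not library.endswith(user.upper()):
                    findings.append((user, library, "access to another programmer's test library"))
                if not assignments.get(user):
                    findings.append((user, library, "test library rights with no maintenance assignment"))
    return findings


def access_check(table, user, library, operation):
    """The decision the library control software is expected to make:
    permit only what the authority table grants."""
    return operation in table.get(user, {}).get(library, set())


def probe_authority_table(table, user, attempts):
    """Test 2: attempt each (library, operation) as `user` and return those
    that were permitted.  For attempts outside the user's authority the
    expected result is an empty list; anything returned is a control failure."""
    return [(library, operation) for library, operation in attempts
            if access_check(table, user, library, operation)]


# Attempts prog01 should not be able to make.
UNAUTHORIZED_ATTEMPTS = [
    ("PROD_SPL", "write"),
    ("PROD_SPL", "delete"),
    ("TEST_LIB_PROG02", "read"),
]

if __name__ == "__main__":
    for finding in review_authority_table(AUTHORITY_TABLE, MAINTENANCE_ASSIGNMENTS):
        print(*finding)
    print("permitted for prog01:",
          probe_authority_table(AUTHORITY_TABLE, "prog01", UNAUTHORIZED_ATTEMPTS))
    print("permitted for prog02:",
          probe_authority_table(AUTHORITY_TABLE, "prog02", [("PROD_SPL", "write")]))
```

The two tests answer different questions: the review finds rights that should not be in the table at all (prog02 can write to production and holds a test library with no assignment behind it), while the probe confirms that the enforcement point actually honours the table for a correctly configured programmer. A clean review with a failed probe means the table is right but the operating system is not enforcing it, which is the case the second slide is about.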