CHAPTER 4: DEVELOPMENT AND SYSTEM MAINTENANCE ACTIVITY
Objectives:
To understand the role of auditors in the SDLC
To understand how control and auditing are carried out in the SDLC
To become familiar with the various kinds of system documentation and the reason each one is developed
Individuals in systems development
There are three types of participants:
Systems professionals – systems analysts, systems engineers and programmers
End users – users from all levels of the organization, including managers, operations staff, accountants and internal auditors
Stakeholders – individuals inside or outside the organization who have an interest in the system but are not end users, including accountants, internal and external auditors, and the internal committee that supervises systems development
Accountants and auditors are involved for two reasons:
1. Producing an information system involves significant financial transactions
2. The product of the SDLC (the financial information system, SMP) must be of good quality. They need to ensure the quality of the processes that produce the SMP
How are accountants involved in the SDLC?
1. Accountants are users
2. Accountants are members of the development team
3. Accountants are auditors
SDLC
[Figure: the SDLC. Phase labels: Plan, Analysis, Conceptual design, Detailed design, Selection, Execute, Maintenance. Output labels: project proposal and timetable; systems analysis report; conceptual design alternatives; systems selection report; detailed systems design; full systems documentation; the required documentation. Grouping label: New systems development.]
The objectives and the sequence of SDLC activities/phases are logical and generally accepted by experts
The number of SDLC steps is not important from an auditing perspective, even though different people have proposed SDLC models with anywhere from 4 to 14 activities/phases
What matters for auditing is the substance and the production of stable applications through the process
Based on the figure, there are 7 steps in two main phases: new systems development (proposed systems) and maintenance
SDLC – Phases and objectives
1. Systems strategy
Objective: to link each system project/application to the organization's strategic objectives
2. Systems analysis
Objective: to study the current system and analyse user needs
3. Systems design (conceptual level)
Objective: to create several alternative conceptual system designs that satisfy the needs identified in the systems analysis phase
4. Systems evaluation and selection
Objective: to choose one system (an optimization process) from the set of alternative conceptual designs, which will then be fully described in the detailed design phase
5. Detailed design (logical level)
Objective: to produce a detailed description of a system that satisfies the system requirements (identified in the systems analysis phase) and is consistent with the conceptual design phase
6. Systems execution
Objective: to build the database structures and data, code the applications, purchase and install equipment, train employees, document the system and install the new system
SDLC – Systems strategy
The role of auditors in systems strategy:
Evaluate the systems strategy. History has shown that careful systems strategy is a cost-effective control technique in the development of new/proposed systems
A fully committed strategy lowers the risk of producing systems that are unnecessary, unwanted, ineffective or inefficient
Internal and external auditors both have an interest in making sure that the systems strategy is fully carried out
SDLC – Systems analysis
The role of auditors in systems analysis:
Auditors (internal or external) are stakeholders in the development of new/proposed systems
Complex audit criteria are usually difficult to add to an existing system
Therefore auditors must be involved in the needs analysis for new/proposed systems, to determine:
whether there is room to build in the complex audit criteria
which criteria are most suitable to include
SDLC – Systems design (conceptual level)
The role of auditors in systems design (conceptual level):
The auditability of a system depends on its design characteristics
Therefore the special audit features to be included in the system have to be structured into the design
SDLC – Systems evaluation and selection
The role of auditors in systems evaluation and selection:
The economic effect of the proposed system must be measured accurately
In general, the following must be confirmed:
i. Only escapable costs are used in calculating cost-saving benefits
ii. Reasonable interest rates are used in measuring the present value of cash flows
iii. One-time and recurring costs are completely and correctly reported
iv. Realistic useful lives are used in comparing the candidate projects
v. Intangible benefits are assigned reasonable financial values
SDLC – Systems execution
The role of auditors in systems execution:
Provide technical expertise: the detailed design phase involves specifying the procedures, rules and conventions to be used in the system.
Specify documentation standards: in the implementation phase, auditors are responsible for specifying the system documentation. Financial systems need to be documented, which encourages standard documentation.
Specify adequate controls: applications that emerge from the SDLC must have controls that conform to SAS 78. This requires auditor participation in both design and implementation. Both programmed and manual procedures must be controlled.
SDLC – Systems maintenance
After the system has been implemented, it enters the next phase, maintenance.
The maintenance phase covers changes to the system to keep up with changes in user needs.
Sometimes the changes are minor, such as modifying the system to produce a new report or changing a data field.
Maintenance can also be extensive, for example drastic changes to application logic and the user interface.
The maintenance period can last about 10 years, depending on the organization.
A new system will be developed once the old system is no longer worth maintaining.
Control & auditing SDLC
Control of new systems development involves six activities:
1. Systems authorization activities
2. User specification activities
3. Technical design activities
4. Internal audit participation
5. Program testing
6. User test and acceptance procedures
Control of new systems development:
1. Systems authorization activities
All systems must be properly authorized to confirm their economic justification and feasibility.
As with any material transaction, authorization of information systems development must be a formal step in the process.
This requires every proposal for a new system to be submitted in writing by users to the systems professionals who have the expertise and authority to evaluate and approve or reject it.
2. User specification activities
Users need to be actively involved in the systems development process.
Users need to provide a full written description of the logical needs that the system must satisfy.
Preparing the user specification document must involve cooperation between users and systems professionals.
However, the document must remain a statement of user needs concerning the problem that has arisen.
3. Technical design activities
This activity translates the user specifications into a set of detailed technical specifications for a system that meets the users' needs.
Its scope covers systems analysis, general systems design, feasibility analysis and detailed systems design.
The adequacy of this activity is measured by the quality of the documentation received over time.
Documentation is both a control and evidence of control, and is critical to the system's long-term success.
4. Internal audit participation
Internal auditors act as a liaison between users and systems professionals to ensure an effective transfer of information.
The internal audit group can make a valuable contribution to all aspects of the SDLC process.
Auditors should be involved from the beginning of the process to make conceptual proposals about controls and system requirements.
Auditors should stay involved through all phases of development up to the maintenance phase.
5. Program testing
All program modules need to be tested before they are implemented.
Figure 4-9 shows the program testing procedure, which involves creating hypothetical master files and transaction files that are processed by the module being tested.
The results are compared with the expected results to identify logic and programming errors.
To make future testing easier, the test data prepared during the implementation phase should be preserved for reuse.
This gives auditors a frame of reference for designing and evaluating future audit tests.
With this basis for comparison, auditors can quickly verify the integrity of the program code.
If changes have occurred, the original test data can provide evidence of the changes, and auditors can then focus their attention on those areas only.
6. User test and acceptance procedures
Before implementation, the individual modules of the system are tested.
A test team made up of user personnel, systems professionals and internal auditors tests the system intensively.
Once the team is satisfied with the system, it is formally accepted by the user department.
Many auditors consider the formal testing and acceptance of the system by users to be the most important control over the SDLC.
This is the final step at which users can determine whether the system meets their needs.
User acceptance of the new system needs to be formally documented.
Control of new systems development: audit objectives
i. SDLC activities are applied consistently and in accordance with management policy.
ii. The system as implemented is free from errors and fraud.
iii. The system was judged necessary and justified at the checkpoints in the SDLC.
iv. System documentation is accurate and complete enough to facilitate audit and maintenance activities.
Control of new systems development: audit procedures
The auditor must select a sample of completed projects and review the documentation for evidence that the SDLC policy was followed. The review must determine, among other things, that:
i. User management and computer services management managed the project well.
ii. The preliminary feasibility analysis showed that the project had merit.
iii. A detailed analysis of user needs was conducted and resulted in alternative general designs.
iv. The cost analysis was carried out using accurate and appropriate figures.
v. The project documentation shows that the detailed design is a solution to the users' problem.
vi. Test results show that the system was tested at both the individual module level and the full system level before implementation.
vii. There is a checklist of specific problems found during the changeover process, with evidence that the problems were resolved in the maintenance phase.
viii. Systems documentation follows the organization's standards and requirements.
Systems maintenance control
1. Maintenance authorization, testing and documentation
The benefits of the controls applied to new systems development are lost quickly once the system enters maintenance if those controls are not continued through that phase.
Access to systems for maintenance purposes increases the possibility of systems errors.
To reduce this possibility, every maintenance action must be subject to a minimum of four controls: formal authorization, technical specification of the change, retesting of the system, and updating of the documentation.
The size of a change and its potential impact on the system determine the degree of control required.
When maintenance causes extensive changes to program logic, additional controls such as auditor participation and user test and acceptance procedures are needed.
Source program library control
Application integrity is put at risk by individuals who gain unauthorized access to programs.
In large computer systems, application program source code is stored on magnetic disk in what is called the Library Source Codes (LSC); refer to Figure 4-10.
To run an application in production, its source code must first be compiled and linked to create a load module that the computer can process.
Load modules are secure and free from unauthorized changes.
Program changes (both authorized maintenance and unauthorized changes) are made by changing the source code stored in the LCS, then recompiling and relinking the program to produce a new load module that incorporates the changed code.
The LCS is therefore a sensitive area that must be well controlled in order to preserve application integrity.
The worst-case situation: no controls
Figure 4-10 shows the ASP without controls. This arrangement has the potential to create two kinds of exposure:
i. Unrestricted access to the system. Programmers and other users can access any program stored in the library, and there is no provision for detecting intrusions.
ii. Because of this weakness, programs are exposed to unauthorized changes. There is therefore no basis for relying on the effectiveness of the other controls (maintenance authorization, program testing and documentation).
Control always conflicts with operational efficiency and flexibility.
Systems professionals and auditors must understand the exposures that exist when control features are not in place, in order to arrive at an acceptable control-flexibility trade-off between the two needs.
A controlled LCS environment
To control the LCS, protective features and security procedures must be put in place, which requires implementing an LCS management system (MSLCS). Figure 4-11 is an example of this technique.
The software controls four routine but critical functions:
i. Storing programs in the LCS.
ii. Retrieving programs for maintenance purposes.
iii. Deleting old programs from the library.
iv. Documenting program changes to provide an audit trail of the changes.
The LCS needs specific strategies and control techniques to ensure program integrity. The techniques are:
i. Passwords.
This is a form of access control over the LCS, quite similar to the password controls used in a DBMS to protect files.
ii. Separate test libraries. Refer to Figure 4-11.
Programs are copied into the program library for maintenance and testing. Direct access to the production LCS is limited to an authorized group, which approves all requests to edit, delete and copy programs. Passwords for program access can be changed often and are disclosed only on a need-to-know basis.
A naming convention identifies whether a program is a test program or a production program. When a program is copied from the production LCS into the program library it is temporarily given a 'test' name, and when it is returned to the LCS it is renamed with its original production name.
iii. Audit trail and management reports.
An important feature of LCS management software is that it enhances management control and the audit function.
The most useful reports here are program modification reports, which describe in detail all program changes (additions and deletions) to each module.
These reports must be part of the documentation file of each application, forming an audit trail of program changes over the life of the application.
During an audit, the reports must be matched against the program maintenance requests to confirm that the requested changes, and only authorized changes, were implemented. The reports can be produced as hard copy or on disk and can be controlled by password.
iv. Program version numbers.
The MSLCS automatically assigns a version number to each stored program. When a program is first placed in the library (during implementation) it is given version number 0. With every modification to the program, the version number is incremented by one.
Combined with the audit trail reports, this feature provides evidence for identifying unauthorized changes to program modules. An unauthorized change is signalled by a version number on the production load module that cannot be reconciled with the number of authorized changes.
For example, if 10 changes were authorized but the production program shows version 12, then one of two possibilities explains the difference:
a) Authorized changes were made that are not supported by documentation.
b) Unauthorized changes were made to the program, which incremented the version number.
v. Controlled access to maintenance commands.
SPL management systems use maintenance commands to change or delete program passwords, change the program version (modification) number, and temporarily edit a program with generating a modification record.
There are technical reasons why these commands are needed, but if they are not controlled, maintenance commands open the way to unauthorized program modification. Access to the maintenance commands needs to be password-controlled, and the authority to use them should be controlled by management or the security group.
Systems maintenance control: audit objectives
To detect unauthorized program maintenance (which can cause processing errors and fraud) and to determine that:
i. Maintenance procedures protect applications from unauthorized modification.
ii. Applications are free from material errors.
iii. Program libraries are protected against unauthorized access.
Each objective is examined by focusing on tests of the controls relevant to it. The discussion assumes that LCS software is used to control program maintenance.
Audit procedures: identifying unauthorized changes
Auditors must examine the audit trail of program changes for programs that have undergone maintenance. This can be confirmed with tests of controls such as:
1. Reconciling program version numbers
The permanent file of the application must contain the program change authorization documents that correspond to the version number of the production application. Any discrepancy between the version number and the supporting documents indicates that unauthorized changes have been made.
2. Confirming maintenance authorizations
The program maintenance authorization documents must indicate the change requested and the date the change was made. They need to be signed and approved by computer services management and the user department.
Auditors need to verify the facts stated in the maintenance authorization and confirm the authorization with the managers involved.
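The two tests above (reconciling version numbers that start at 0 and rise by one per modification, and counting only authorizations approved by both computer services management and the user department) can be combined in one check. This is an added example, not part of the original slides; the program names, request identifiers, dates and status labels are constructed, and the AUTHORIZED_NOT_IMPLEMENTED and NOT_IN_LIBRARY cases go beyond the situations the slides describe.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeAuthorization:
    """One program change authorization document from the permanent file."""
    program: str
    request_id: str               # constructed identifier, not from the slides
    change_date: str              # date the change was made
    services_mgmt_approved: bool  # computer services management sign-off
    user_dept_approved: bool      # user department sign-off

    @property
    def valid(self) -> bool:
        # Both approvals are required before a change counts as supported.
        return self.services_mgmt_approved and self.user_dept_approved


def reconcile(library_versions, authorizations):
    """Compare each program's library version number with the number of
    fully approved change documents and return one finding per program."""
    valid = Counter(a.program for a in authorizations if a.valid)
    incomplete = Counter(a.program for a in authorizations if not a.valid)
    findings = {}
    for program in sorted(set(library_versions) | set(valid) | set(incomplete)):
        version = library_versions.get(program)
        supported = valid[program]
        if version is None:
            status = "NOT_IN_LIBRARY"              # documents but no program
        elif version > supported:
            status = "UNSUPPORTED_CHANGES"         # cases (a) or (b) above
        elif version < supported:
            status = "AUTHORIZED_NOT_IMPLEMENTED"  # approved, never applied
        else:
            status = "RECONCILED"
        findings[program] = {
            "version": version,
            "supported": supported,
            "unexplained": max((version or 0) - supported, 0),
            "incomplete_approvals": incomplete[program],
            "status": status,
        }
    return findings


def auth_doc(program, n, services=True, user=True):
    """Build a constructed authorization record for the sample data."""
    return ChangeAuthorization(program, f"{program}-CR{n:03d}", "2024-01-15",
                               services, user)


# Constructed sample: version numbers as reported by the library software.
LIBRARY_VERSIONS = {"PAYROLL01": 12, "AR_POST": 3, "GL_CLOSE": 2, "INV_UPD": 1}
AUTHORIZATIONS = (
    [auth_doc("PAYROLL01", n) for n in range(1, 11)]   # 10 approved changes
    + [auth_doc("AR_POST", n) for n in range(1, 4)]
    + [auth_doc("GL_CLOSE", 1), auth_doc("GL_CLOSE", 2, user=False)]
    + [auth_doc("INV_UPD", 1), auth_doc("INV_UPD", 2)]
)

if __name__ == "__main__":
    for program, f in reconcile(LIBRARY_VERSIONS, AUTHORIZATIONS).items():
        print(f"{program:10} version={f['version']} supported={f['supported']} "
              f"unexplained={f['unexplained']} status={f['status']}")
```

A finding of UNSUPPORTED_CHANGES does not by itself distinguish an undocumented authorized change from an unauthorized one; that distinction comes from confirming the authorizations with the managers involved.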
Audit procedures: identifying application errors
Auditors can determine that programs are free from material errors by performing three types of test of controls:
1. Reconciling the source code
Every permanent file must contain the current program listing and a listing of all changes made to the application.
These documents describe the application's maintenance history in detail. Every change needs to be recorded (in a program change authorization document).
Auditors need to select a sample of applications and reconcile every change with the corresponding authorization document. A modular approach to systems design greatly helps this testing technique. The reduced complexity of the modules improves the auditor's ability to spot irregularities that indicate errors, omissions and fraudulent program code.
2. Reviewing test results
Every program change needs to be tested before implementation.
Program testing procedures need to be well documented in terms of the test objectives, the test data and the processing results that support the programmer's decision to implement the change.
Auditors need to review this record for every program change to establish that the testing was thorough enough to detect any errors.
3. Retesting the program
Auditors can retest the application to determine its integrity. The techniques are discussed in Chapter 6.
Audit procedures: testing access to libraries
Auditors need to establish that program libraries and private libraries are protected from unauthorized access by:
1. Reviewing programmer authority tables
Auditors can select a sample of programmers and review their access.
The programmer authority table specifies the libraries each programmer can access. These authorizations must be matched against the programmer's maintenance authority to identify any irregularities.
2. Testing the authority table
Auditors should take on the same access privileges as a programmer and then violate the authorization rules by attempting to access libraries without authorization.
Every such attempt should be denied by the operating system.