Mainza Milimo - MKM Role of Internal Audit in SDLC IIA / ISACA Zambia Governance Risk and Control Conference - Agenda 28 & 29 August 2014

IA in SDLC - ISACA · 2014-09-02 · Project risks Role of IA in SDLC Discussion Solutions to SDLC challenges The SDLC What the auditor should not do Challenges in the SDLC IA in

Mar 22, 2019


dinhque
Page 1

Mainza Milimo - MKM

Role of Internal Audit in SDLC

IIA / ISACA Zambia Governance Risk and Control Conference - Agenda 28 & 29 August 2014

Page 2

IA in SDLC
Agenda

- Project risks
- Role of IA in SDLC
- Discussion
- Solutions to SDLC challenges
- The SDLC
- What the auditor should not do
- Challenges in the SDLC

Page 3

Presentation objectives
Project risks

The system will:
- never be delivered;
- be delivered late (time overrun);
- exceed budget (cost overrun);
- divert user resources to an unacceptable degree;
- not deliver the required functionality;
- contain errors;
- be unfriendly;
- fail frequently during operation;
- not perform to the required standard;
- be difficult and costly to operate, maintain and expand;
- not interconnect with other systems.

Page 4

The SDLC
What is it?

A framework defining tasks performed at each step in the software development process.

Page 5

Challenges in the SDLC
Solution 1

How the user explained it
What the users think they need

Page 6

Challenges in the SDLC
Solution 2

How the programmer wrote it / what was purchased
From the project leader's understanding and analyst's design

Page 7

Challenges in the SDLC
Solution 3

What was installed
After heavy customisation

Page 8

Challenges in the SDLC
Solution 4

What the user really needed
The system meeting the user's current needs

Page 9

Challenges in the SDLC
What are the causes?

Page 10

Challenges in the SDLC
Causes of project failure

1. Don’t use a specific methodology

2. Create the project plan by working backwards from a drop-dead system completion date

3. Use a Project Lead that has never completed a similar project in a project management role

4. Lack of Top Management support

Page 11

Challenges in the SDLC
Causes of project failure

1. Don’t use a specific methodology

What should be included?
- Project's initiation
- feasibility study
- business requirements & functional specifications phases
- different development/acquisition/implementation stages
- assessment of the entire project after its implementation.

Page 12

Solutions to SDLC challenges
What should we do to ensure:

- Explained
- Designed/purchased
- Currently needed
- Implemented

Page 13

Solutions to SDLC challenges
Role of the Auditor
Types of review

Pre-implementation review: the IS auditor should study the proposed SDLC model and the related aspects to assess their appropriateness as well as the potential risks, and provide the necessary risk mitigation recommendations to the appropriate management.

Assess SDLC approach & risks, and recommend mitigation!

Page 14

Solutions to SDLC challenges
Role of the Auditor
Types of review

Parallel/concurrent reviews: the IS auditor should review the relevant SDLC stages, as they are happening, to highlight risks/issues and provide the necessary risk mitigation recommendations to the appropriate management.

Concurrently review SDLC stages, highlight risks/issues and recommend mitigation!

Page 15

Solutions to SDLC challenges
Role of the Auditor
Types of review

Post-implementation reviews: the IS auditor should review the relevant SDLC stages after their completion to highlight issues faced and provide recommendations for downstream corrections (if possible) and to serve as a learning tool for the future.

Review completed stages, highlight issues faced, recommend corrections and document lessons learnt!

Page 16

Role of IA
Famous oxymorons

Our own: Project pre-audit

Page 17

Questions on SDLC