461361 1013243 chapter_2_dec__11


Published on

used for studying Oracle

Published in: Education, Technology, Business
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

461361 1013243 chapter_2_dec__11

  1. 1. ISCANOTES.COMCA. Rishabh Pugalia
  3. 3. 2.14 Information Systems Control and Audit2.3.6 Agile MethodologiesThis is a group of software development methodologies based on the iterative and incrementaldevelopment, where requirements and solutions evolve through collaboration between self-organizing, cross-functional teams. It promotes adaptive planning, evolutionary development anddelivery; time boxed iterative approach and encourages rapid and flexible response to change. It isa conceptual framework that promotes foreseen interactions throughout the development life cycle.Basic PrinciplesFollowing are the key principles of this methodology:· Customer satisfaction by rapid delivery of useful software;· Welcome changing requirements, even late in development;· Working software is delivered frequently (weeks rather than months);· Working software is the principal measure of progress;· Sustainable development, able to maintain a constant pace;· Close, daily co-operation between business people and developers;· Face-to-face conversation is the best form of communication (co-location);· Projects are built around motivated individuals, who should be trusted;· Continuous attention to technical excellence and good design;· Simplicity;· Self-organizing teams; and· Regular adaptation to changing circumstances.Strengths· Agile methodology has the concept of an adaptive team, which is able to respond to the changing requirements.· The team does not have to invest time and effort and finally find that by the time they delivered the product, the requirement of the customer has changed.· Face to face communication and continuous inputs from customer representative leaves no space for guesswork.· The documentation is crisp and to the point to save time.· The end result is the high quality software in least possible time duration and satisfied customer.Weaknesses· In case of some software deliverables, especially the large ones, it is difficult to assess the efforts required at the beginning of the software development life cycle.· There is lack of emphasis on necessary designing and documentation.· Agile increases potential threats to business continuity and knowledge transfer. By nature, Agile projects are extremely light on documentation because the team focuses on verbal communication with the customer rather than on documents or manuals.· Agile requires more re-work. Because of the lack of long-term planning and the lightweight approach to architecture, re-work is often required on Agile projects when the various components of the software are combined and forced to interact.
  4. 4. System Development Life Cycle Methodology 2.27We will now describe some of these tools in detail.(a) Structured English : Structured English, also known as Program Design Language(PDL) or Pseudo Code, is the use of the English language with the syntax of structuredprogramming. Thus, Structured English aims at getting the benefits of both the programminglogic and natural language. Program logic that helps to attain precision and natural language thathelps in getting the convenience of spoken languages.(b) Flowcharts : Flowcharting is a graphic technique that can be used by analysts torepresent the inputs, outputs and processes of a business in a pictorial form. It is a common typeof chart, that represents an algorithm or process showing the steps as boxes of various kinds,and their order by connecting these with arrows. Flowcharts are used in analyzing, designing,
  5. 5. 2.28 Information Systems Control and Auditdocumenting or managing a process or program in various fields.(d) Decision Tree : A Decision Tree (or tree diagram) is a support tool that uses a tree-likegraph or model of decisions and their possible consequences, including chance eventoutcomes, resource costs, and utility. Decision tree is commonly used in operations research,specifically in decision analysis, to help identify a strategy most likely to reach a goal and tocalculate conditional probabilities.
  6. 6. System Development Life Cycle Methodology 2.53 1.0 GENERAL INFORMATION 1.1 SYSTEM OVERVIEW 3.0 RUN DESCRIPTION 1.2 Project References 3.1 RUN INVENTORY 1.3 Authorized Use Permission 3.2 RUN DESCRIPTION 1.4 Points of Contact *3.2.x [Run Identifier] 1.4.1 Information 3.2.x.1 Run Interrupt 1.4.2 Coordination Checkpoints 1.4.3 Help Desk 3.2.x.2 Set-Up and Diagnostic 1.5 Organization of the Manual Procedures 1.6 Acronyms and Abbreviations 3.2.x.3 Error Messages 2.0 SYSTEM OPERATIONS OVERVIEW 3.2.x.4 Restart/Recovery 2.1 System Operations Procedures 2.2 Software Inventory 2.3 Information Inventory 2.3.1 Resource Inventory 2.3.2 Report Inventory * Each run should be under a 2.4 Operational Inventory separate header. Generate new 2.5 Processing Overview sections and subsections as 2.5.1 System Restrictions necessary for each run from 3.2.1 2.5.2 Waivers of Operational through 3.2.x. Standards 2.5.3 Interfaces with Other Systems 2.6 Communications Overview 2.7 Security Fig. 2.13.1 : Sample format of Operations Manual2.14 Auditors’ Role In SDLCThe audit of systems under development can have three main objectives:· to provide an opinion on the efficiency, effectiveness, and economy of project management;
  7. 7. 2.54 Information Systems Control and Audit · to assess the extent to which the system being developed provides for adequate audit trails and controls to ensure the integrity of data processed and stored; and · to assess the controls being provided for the management of the systems operation. For the first objective to achieve, an auditor will have to attend project and steering committee meetings and examine project control documentation and conducting interviews. This is to ensure what project control standards are to be complied with, (such as a formal systems development process) and determining the extent to which compliance is being achieved. For addressing second objective, the auditor is can examine system documentation, such as functional specifications, to arrive at an opinion on controls. The auditors opinion will be based on the degree to which the system satisfies the general control objectives that any Information Technology system should meet. A list of such objectives should be provided to the auditee. The same is true for the third objective, viz. systems operational controls. The auditor should provide the a list of the standard controls, over such operational concerns as response time, CPU usage, and random access space availability, that the auditor has used as assessment criteria. An Auditor may adopt a rating system such as on scale of 1 to 10 in order to give rating to the various phases of SDLC. E.g. in rating a Feasibility Study, auditor can review Feasibility Study Report and different work products of this study phase. An interview with personnel who have conducted this feasibility study can be conducted. Depending on the content and quality of the Feasibility Study report and interviews, an auditor can arrive at a rating between 1 to 10 (10 being best). After deriving such a rating for all the phases, the auditor can form his/her overall opinion about the SDLC phases. In order to audit technical work products (such as database design or physical design), auditor may opt to include a technical expert to seek his/her opinion on the technical aspects of SDLC. However, auditor will have to give control objectives, directives and in general validate the opinion expressed by technical experts. Some of the control considerations for an auditor are: · Documented policy and procedures; · Established Project team with all infrastructure and facilities ; · Developers/ IT managers are trained on the procedures ; · Appropriate approvals are being taken at identified mile-stones; · Development is carried over as per standards, functional specifications; · Separate test environment for development/ test/ production / test plans; · Design norms and naming conventions are as per standards and are adhered to; · Business owners testing and approval before system going live; · Version control on programs; · Source Code is properly secured; · Adequate audit trails are provided in system; and© The Institute of Chartered Accountants of India
  8. 8. System Development Life Cycle Methodology 2.55 · Appropriateness of methodologies selected. Further, Post-Implementation Review is performed to determine whether the system adequately meets earlier identified business requirements and needs (in feasibility studies or Requirements Specifications). Auditors should be able to determine if the expected benefits of the new system were realized and whether users are satisfied with the new system. In post implementation review, auditors need to review which of the SDLC phases have not met desired objectives and whether any corrective actions were taken. If there are differences between expectations and actual results, auditors need to determine the reasons for the same. E.g. it could be due to incomplete user requirements. Such reasons can help auditors to evaluate the current situation and offer guidelines for future projects. Master Checklist The process objectives are: · To ensure an appropriate acquisition and / or development of information systems including software, and · To maintain the information systems in an appropriate manner. The following checklist may be used by the IS Auditors for this purpose: S. No. Checkpoints Status 1. Whether information system acquisition and / or development policy and procedure documented? 2. Whether system acquisition and / or development policy and procedure approved by the management? 3. Whether the policy and procedure cover the following: · Problems faced in the existing system and need for replacement · Functionality of new IS · Security needs · Regulatory compliance · Acceptance Criteria · Proposed roles and responsibilities · Transition/ Migration to new IS · Interfaces with legacy systems · Post implementation review · Maintenance arrangements. 4. Whether policy and procedure documents are communicated / available to the respective users?© The Institute of Chartered Accountants of India
  9. 9. 2.56 Information Systems Control and Audit 5. Whether policy and procedure documents are reviewed and updated at regular intervals? 6. Whether the organization has evaluated requirement and functionalities of proposed IS? (Verify the requirement analysis conducted at three levels viz. process level, application level and organization level. Verify the site visit reports and other customer references obtained with respect to functionalities of proposed IS). 7. Whether the organization carried out feasibility study in respect of the following · Financial feasibility · Operational feasibility · Technical feasibility 8. Whether the selection of vendor and acquisition terms considers the following: · Evaluation of alternative vendors · Specification on service levels and deliverables · Penalty for delays · Escrow mechanism for Source codes · Customization · Upgrades · Regulatory Compliance · Support and maintenance. 9. Whether the organization has identified and assigned roles in development activities to appropriate stakeholders? (Verify the assigned roles should be on “need to know” and “need to basis”. and duties of developers and operators are segregated). 10. Whether the organization has a separate development, test and production environments? 11. Whether the IS developed plan is prepared and approved by the management? (Verify that IS development plan to include: · Input data elements, · Validations controls viz. Field/ Transactions/ File with appropriate error reporting · Process workflow© The Institute of Chartered Accountants of India
  10. 10. System Development Life Cycle Methodology 2.57 · data classifications with security are in place, viz. Read only for users, Read/ Write for authorized persons · Output).12. Whether the testing of IS includes: · Confirms the compliance to functional requirements · Confirms the compatibility with IS infrastructure · Identifies bugs and errors and addresses them by analyzing root causes Escalating functionality issues at appropriate levels.13. Whether the adequate documentation for: · Preserving test results for future reference · Preparation of manuals like systems manual, installation manual, user manual · Obtaining user sign off / acceptance14. Whether the implementation covers the following? · User Departments involvement and their role · User Training · Acceptance Testing · Role of Vendor and period of Support · Required IS Infrastructure plan · Risk involved and actions required to mitigate the risks · Migration plan15. If the development activities are outsourced, are the outsourcing activities evaluated based on the following practices: · What is the objective behind Outsourcing? · What are the in-house capabilities in performing the job? · What is the economic viability? · What are the in-house infrastructure deficiencies and the time factor involved? · What are the Risks and security concerns? · What are the outsourcing arrangement and fall back method? · What are arrangements for obtaining the source code for the software? · Reviewing the capability and quality of software development activities by visit to vendors premises? · Review of progress of IS development at periodic intervals.
  11. 11. 2.58 Information Systems Control and Audit16. Whether the organization carried out a post implementation review of new IS?17. Whether a process exists for measuring vendors performance against the agreed service levels?18. Whether the post implementation review results are documented?
  13. 13. 2.64 Information Systems Control and Audit2.14 ORGANIZATIONAL STRUCTURE OF IT DEPARTMENTWe will now give a brief introduction about the management structure of IT department.2.14.1 Management Structure Line Management Management Project ManagementLine Management Structure : The information system management subsystems in anorganization attempt to ensure that the development, implementation, operation andmaintenance of information systems proceed in a planned and controlled manner. Theyfunction to provide a stable environment in which information systems are built and operatedon a day-to-day basis. Several levels of management subsystems have been identifiedcorresponding to the organization hierarchy shown in Fig. 2.14.1 and major functionsperformed within a data processing installation. Top Management IS Management Systems Development Management Programming Management Data Administration Security Administration Operations Management Quality assurance management Fig. 2.14.1 : Several levels of management subsystems
  14. 14. System Development Life Cycle Methodology 2.65Top Management : Top management of the organization must ensure that the dataprocessing installation is well managed. It is responsible primarily for long run policiesdecisions on how computers will be used in the organization.IS Management : IS management has overall responsibility for planning and control of allcomputer activities and also provides inputs to top management’s long run policy decisionmaking and translates long run policies into short run goals and objectives.Systems Development Management : Systems Development Management is responsible forthe design, implementation and maintenance of application systems.Programming Management : Programming management is responsible for programming newsystems, maintaining old systems and providing general systems support software.Data Administration : Data administration is responsible for the control and use of anorganization’s data including the database and library of application system files.Security Administration : Security administration is responsible for the physical security ofthe data processing and IS programs.Operations Management : Operations Management controls the day-to-day operations ofdata processing systems. It is responsible for data preparation; the data flow through theinstallation, production running of systems, maintenance of hardware and sometimesmaintenance of program and file library facilities.Quality Assurance Management : Quality Assurance Management undertakes an in-depthquality assurance review of data processing in each application system. This review involves adetailed check of the authenticity, accuracy and completeness of input, processing and output.2.14.2 Project Management Structure : In project management, project requests aresubmitted to and prioritized by the steering committee. The project manager, who may be anon-IS staff member, should be given complete operational control of the project and beallocated the appropriate resources for the successful completion of the project. IS auditorsmay be included in the project team as control advocates and experts. They also provide anindependent, objective review to ensure that the level of commitment of the responsibleparties is appropriate. IS Manager Accounting Production Operations Systems Analysis Programming Fig. 2.14.2 : Roles performed by IS Manager
  15. 15. 2.66 Information Systems Control and AuditDuties and Responsibilities :Fig. 2.14.2 shows the tasks performed by an IS Manager. The structure of an IT Department isdivided into two main areas of activity:1. Information processing.2. System development and enhancement.Information Processing or IP is primarily concerned with the operational aspect of theinformation-processing environment and often includes computer operations, systemsprogramming, telecommunications and librarian functions.System development is concerned with the development, acquisition and maintenance ofcomputer application systems and performs systems analysis and programming functions.• Data entry : The data entry supervisor is responsible for ensuring whether the data is authorized, accurate and complete when entered into the system. Components in the input subsystem are responsible for bringing information into a system. The information takes two forms : first, it may be raw data to be processed and perhaps applied against the database; second, it may be instructions to direct the system to execute particular processes, updater or interrogate particular data, or prepare particular types of output. Both types of information input must be validated. Any errors detected must be controlled so that the input resubmission is authentic, accurate, complete, unique and timely.• File Library : The file librarian is responsible for recording, issuing, receiving and safeguarding all programs and data files that are maintained on computer tapes or disks. Managing the organization’s library of machine-readable files involves three functions. First, files must be used only for the purposes intended. Control must be exercised over program files, data files and procedure files. Second, the storage media used for files must be maintained in correct working order. Third, a file backup strategy and file retention strategy must be implemented. Within the IT department, responsibility for managing files is vested in a file library section.• Control Group : The control group manages the flow of data and is responsible fore the collection, conversion and control of input, and balancing the distribution of output to the user community. The input/output control group should be in a separate e area where only authorized personnel are permitted. The supervisor of the control group usually reports to the IPF operations managers.• Operations : Operations management is responsible for the daily running of hardware and software facilities so that the production application system can accomplish their work and development staff can design, implement and maintain systems. Though there are some variations across the organizations, the operations group within the IT department undertakes major functions like - Computer operations; Communication network control; Data preparation; Production work flow control; File library; Documentation library; and Performance monitoring.
  16. 16. System Development Life Cycle Methodology 2.67• Security Administration : The security administrator in a data processing organization is responsible for matters of physical security. In other words, the security administrator attempts to ensure that the physical facilities in which the systems are developed, implemented, maintained and operated are safe from threats that affect the continuity of operation.• Physical Security : A complete reliable protection scheme must take into account the possibility of physical attacks on the database, ranging from disclosure of a password to theft of the physical storage devices. We can protect well by encrypting data. A high security system needs better identification than a password, such as personal recognition of the user by a guard.• Data Security : Database management systems often provide controls over data definition and data manipulation facilities. In environments, which combine database management with online transaction processing, access to the database objects such as tables or views can be controlled through internal database mechanisms, which limit what the transaction or program, can do. Various auditing or journaling are also available. Utility access and submission, as well as monitoring and performance tools, should be restricted to appropriate personnel.• Conducting a Security program : A security program is a series of ongoing, regular, periodic evaluations conducted to ensure that the physical facilities of an Information System are safeguarded adequately. The first security evaluation conducted may be a major exercise; the security administrator has to consider an extensive list of possible threats to the organization, prepare an inventory of assets, evaluate the adequacy of controls, implement new controls, etc. Subsequent security evaluations may focus only on changes that have occurred, perhaps in light of the purchase of new hardware or a new threat etc. Nevertheless, even in the absence of visible changes, security evaluations need to be repeated periodically to determine whether covert changes have occurred that necessitate modifications to controls. Fig. 2.14.3 shows the activities involved in an organization.• Production Work Flow Control : Production workflow control in an Information System, is the responsibility of a control section. The control section manages the flow of data between users and the information system, and between data preparation and the computer room. It is also more difficult for operators and data preparation personnel to collude and to perpetrate a fraud – for example, by alerting input data.
  17. 17. 2.68 Information Systems Control and Audit Organization User Data preparation Control section Computer room Data processing Service Bureau Fig. 2.14.3 : Activities involved in an Organization• Quality Assurance : Quality Assurance group is responsible for testing and verifying whether the program changes and documentation adhere to standards and naming conventions before the programs are moved into production. The control section facilitates the orderly flow of data and checks to see that the input is in order by scanning it for reasonableness and completeness and by checking control totals. If the input passes the quality assurance check, it is entered into a log and dispatched either to the computer room, if it is already in machine-readable form or to data preparation, if it must be keyed to cards, tape or disk.• Systems Analysis : System analysts are responsible for interpreting the needs of the user, determining the programs and the programmers necessary to create the particular application. System analysts design systems based on the needs of the user. For the auditor acting as a participant in the system development process, the information processing system design phase is one of major involvement. From a system effectiveness viewpoint, the auditor is concerned with whether the design meets strategic requirements. From efficiency viewpoint the auditor is concerned with the resources that will be needed to run the system. From safeguarding access and data integrity viewpoint, the auditor is concerned with the controls designed into the system.• Applications Programming : Applications programmers are responsible for developing new systems and for monitoring systems in production. They should work in a test only environment and should not move test versions into the production environment. Application programmers should not have access to system program libraries.• Systems programming : System programmers are responsible for maintaining the systems software including the operating systems.
  18. 18. System Development Life Cycle Methodology 2.69• Local Area Network (LAN) Administration : LAN administrator is responsible for technical and administrative control over the local area network. This includes ensuring transmission links are functioning correctly, backups of the system are occurring and software/hardware purchases are authorized and properly installed. In smaller installations, this person may be responsible for security administration over the LAN. The LAN administrator should have no application responsibilities, but may have end- user responsibilities. The LAN administrator may report to the director of the IPF and in a decentralized operation, he can report to the end-user manager.• Help Desk Administration : The Help Desk Administrator is responsible for monitoring, improving and controlling system performance in mainframe and client/server hardware and software. The Help Desk Administration may be useful when data entry is not based upon a dedicated source document. If users are uncertain about the nature or format of the data to be entered into a particular field, they may ask the system to provide information to assist them.References :1. Valacich George, Haffer, Essentials of Systems Analysis & Design, Prentice Hall India, IInd Edition 2004.2. Charles Parker & Thomas Case, Management Information System Strategy & Action, IInd Edition, Mcgraw Hill, 1993.3. http://www.cms.hhs.gov/SystemLifecycleFramework/Downloads/Selecting Development Approach.pdf4. http://en.wikipedia.org/wiki/Systems_Development_Life_Cycle5. http://www.klbschool.org.uk/ict/gcse/theory/5_3/5_3_3_implementation.htm6. http://www.epmbook.com/pir.htmSelf - Examination Questions1. What is Systems Development Process?2. What activities are part of the Systems Development Life Cycle (SDLC)?3. Discuss various approaches to systems development.4. What types of systems are best for development by the traditional approach? What types of systems by prototyping approaches? What types by end user development?5. How is systems development handled in smaller organizations?6. What is the purpose of a preliminary investigation? What outcome is expected from it? Who caries out this investigation?7. What do you mean by feasibility study? How is it conducted?8. What systems costs are estimated during feasibility study for various alternative solutions?