3. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Introduction
Project Management
Application Development
Business Information Systems
Alternatives for Project Organization
Infrastructure Development/Acquisition Practices
Process Improvement
Application Controls
Auditing Systems Development, Acquisition and
Maintenance
Summary
3
5. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Provide assurance that the practices for the
acquisition, development, testing, and
implementation of information systems meet the
organization’s strategies and objectives
5
6. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Evaluate the business case for the proposed investments in information
systems acquisition, development, maintenance and subsequent retirement to
determine whether it meets business objectives.
Evaluate the project management practices and controls to determine whether
business requirements are achieved in a cost-effective manner while managing
risks to the organization.
Conduct reviews to determine whether a project is progressing in accordance
with project plans, is adequately supported by documentation and status
reporting is accurate.
Evaluate controls for information systems during the requirements, acquisition,
development and testing phases for compliance with the organization's
policies, standards, procedures and applicable external requirements.
Evaluate the readiness of information systems for implementation and
migration into production to determine whether project deliverables, controls
and organization's requirements are met.
Conduct post-implementation reviews of systems to determine whether
project deliverables, controls and organization's requirements are met.
6
7. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Knowledge of benefits realization practices, (e.g., feasibility studies,
business cases, total cost of ownership [TCO], ROI)
Knowledge of project governance mechanisms (e.g., steering
committee, project oversight board, project management office)
Knowledge of project management control frameworks, practices and
tools
Knowledge of risk management practices applied to projects
Knowledge of IT architecture related to data, applications and
technology (e.g., distributed applications, web-based applications, web
services, n-tier applications)
Knowledge of acquisition practices (e.g., evaluation of vendors, vendor
management, escrow)
Knowledge of requirements analysis and management practices (e.g.,
requirements verification, traceability, gap analysis, vulnerability
management, security requirements)
Knowledge of project success criteria and risks
7
8. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Knowledge of control objectives and techniques that ensure the
completeness, accuracy, validity and authorization of transactions and
data
Knowledge of system development methodologies and tools including
their strengths and weaknesses (e.g., agile development practices,
prototyping, rapid application development [RAD], object-oriented
design techniques)
Knowledge of testing methodologies and practices related to
information systems development
Knowledge of configuration and release management relating to the
development of information systems
Knowledge of system migration and infrastructure deployment practices
and data conversion tools, techniques and procedures.
Knowledge of post-implementation review objectives and practices
(e.g., project closure, control implementation, benefits realization,
performance measurement)
8
11. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
A program is a set of projects and time-bound tasks
that are closely linked together through common
objectives, a common budget, intertwined schedules
and strategies
Programs have a limited time frame (start and end
date) and organizational boundaries
Methodology and processes in program
management are similar to those in project
management and run parallel to each other
To formally start a program, some form of written
assignment from the program owner to the program
manager/team is necessary
11
12. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Objectives:
Optimization of the results of the project portfolio
Prioritizing and scheduling projects
Resource coordination (internal and external)
Knowledge transfer throughout the projects
12
13. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Provides information required to decide whether
a project should proceed
Initial business case normally derives from a
feasibility study as part of project planning
Should be of sufficient detail to describe the
justification for setting up and continuing a
project
13
14. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Describing benefits management or benefits
realization
Assigning a measure and target
Establishing a tracking/measuring regime
Documenting the assumption
Establishing key responsibilities for realization
Validating the benefits predicted in the business
Planning the benefit that is to be realize
14
15. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
IS projects may be initiated from any part of an
organization
A project is always a time-bound effort
Project management should be a business
process of a project-oriented organization
The complexity of project management requires
a careful and explicit design of the project
management process
15
16. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Project context:
Time context
Social context.
Considerations:
Importance of the project in the organization
Connection between the organization’s strategy and
the project
Relationship between the project and other projects
Connection between the project to the underlying
business case
16
17. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Influence Project
Organization
Pure Project
Organization
Matrix Project
Organization
17
18. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
One-on-One
Meetings
Kick-off
Meetings
Project Start
Workshops
A
Combination
OfTheThree
18
19. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
SMART: Specific, Measurable, Achievable,
Relevant and Time-bound
Object Breakdown Structure (OBS): commonly
accepted approach to define project objectives
Work Breakdown Structure (WBS): designed after
the OBS has been compiled,
19
20. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Groups
Senior management
User management
Project steering committee
Systems development
management
Systems development
project team
User project team
Quality assurance
Individuals
Project sponsor
Project manager
Security officer
20
22. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC 22
Project
Cost and Resources
Time (Duration)Deliverables
23. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
The project manager needs to determine:
The various tasks that need to be performed to produce
the expected business application system
The sequence or the order in which these tasks need to be
performed
The duration or the time window for each task
The priority of each task
The IT resources that are available and required to
perform these tasks
Budget or costing for each of these tasks
Source and means of funding
23
24. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Methods to determine relative physical size of
the application software to be developed
Can be used as a guide for the allocation of
resources, estimates of time and cost
Techniques:
Lines of source code
Function point analysis
FPA feature points
Cost budgets
Software cost estimation
24
25. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Involves establishing the sequential relationship
among tasks
The schedule can be graphically represented using:
Gantt charts
Program Evaluation Review Technique (PERT) diagram
Critical path methodology
▪ A critical path if one whose sum of activity time is longer than that
for any other path through the network
▪ The critical path is found by working forward through the network
(forward-pass) and computing the earliest possible completion
time for each activity until the earliest possible completion time for
the total project is found
25
29. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Involves automated techniques to handle
proposals and cost estimations, and to monitor,
predict and report on performance with
recommended action items
Many of these techniques are provided as
Decision Support Systems (DSS) for planning and
controlling project resources
29
30. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
When closing a project, there may still be some
issues that need to be resolved, ownership of
which needs to be assigned
The project sponsor should be satisfied that the
system produced is acceptable and ready for
delivery
Custody of contracts may need to be assigned,
and documentation archived or passed on to
those who will need it
30
32. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
SDLC begins in of one or more of the following:
A new opportunity relates to a new or existing business
process
A problem that relates to an existing business process
A new opportunity to take advantage of technology
A problem with the current technology
Benefits:
All affected parties have common and clear objectives and
how to contribute to business support
Conflicting key business drivers (e.g., cost vs. functionality)
and mutually dependent key business drivers can be
detected and resolved in early stages of an SDLC project
32
33. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Influence is significantly increased when there
are formal procedures and guidelines
Can review all relevant areas and phases of the
systems development project and report
independently to management
Can identify selected parts of the system and
become involved in the technical aspects
Can evaluate the methods and techniques
applied through the development phases
33
34. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
the oldest and most widely traditional approach
used for developing business applications
Based on a systematic, sequential approach to
software development.
34
35. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Feasibility Study
Requirements Definition
Design
Development
Implementation
35
Post-Implementation
36. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Unanticipated events
Difficulty in obtaining an explicit set of
requirements from the user
Managing requirements and convincing the user
about the undue or unwarranted requirements in
the system functionality
The necessity of user patience
A changing business environment that alters or
changes the user’s requirements before they are
delivered
36
38. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Concerned with analyzing the benefits and solutions
for the identified problem area
Includes development of a business case, which
determines the strategic benefits of implementing
the system either in productivity gains or in future
cost avoidance
Identifies and quantifies the cost savings of the new
system and estimates a payback schedule for the
cost incurred in implementing the system or shows
the projected return on investment (ROI)
38
39. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Concerned with identifying and specifying the
business requirements of the system chosen for
development during the feasibility study
Requirements include descriptions of what a
system should do, how users will interact with a
system, conditions under which the system will
operate, and the information criteria the system
should meet
This phase deals with the issues that are
sometimes called nonfunctional requirements
39
40. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Entity Relationship Diagrams (ERD)
An ERD depicts a system’s data and how these data
interrelate
An ERD can be used as a requirements analysis tool to
obtain an understanding of the data a system needs to
capture and manage
An ERD can also be used later in the development
cycle as a design tool that helps document the actual
database schema that will be implemented
40
41. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Not a phase in the standard SDLC. However, if a decision was
reached to acquire rather than develop software, software
acquisition is the process that should occur after the
requirements definition phase
Decision based on various factors such as the cost differential
between development and acquisition, availability of generic
software, and the time gap between development and
acquisition
The project team needs to carefully examine and compare the
vendors’ responses to the request for proposal (RFP)
It is likely that more than one product/vendor fits the
requirements with advantages and disadvantages with respect
to each other
Once vendors are short listed, it can be beneficial for the
project team to talk to current users of each potential product
41
42. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Developing system flowcharts and entity
relationship models
Determining the use of structured design techniques
End of design phase
Describing inputs and outputs
Determining processing steps and computation rules
Determining data file or database system file design
Preparing program specifications
Developing test plans for the various levels of testing
Developing data conversion plans
42
43. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Coding and developing program and system-level
documents
Debugging and testing the programs developed
Developing programs to convert data from the
old system for use on the new system
Creating user procedures to handle transition to
the new system
Training selected users on the new system
Ensure modifications are documented and
applied accurately
43
44. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Considerations
Programming methods and techniques
Online programming facilities (integrated
development environment)
Programming languages
Program debugging
Testing
44
45. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Testing:
Elements
▪ Test plan
▪ Conduct and report test
results
▪ Address outstanding issues
Classifications
▪ Unit testing
▪ Interface or integration
testing
▪ System testing
▪ Final acceptance testing
Other types of testing
▪ Alpha and beta testing
▪ Pilot testing
▪ White box testing
▪ Black box testing
▪ Function/validation testing
▪ Regression testing
▪ Parallel testing
▪ Sociability testing
▪ Automated application
testing
45
46. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
During the implementation phase, the actual
operation of the new information system is
established and tested
Final user-acceptance testing is conducted in this
environment
The system may also go through a certification
and accreditation process to assess the
effectiveness of the business application at
mitigating risks to an appropriate level
46
47. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Implementation planning
Phase 1—Develop to-be support structures
Phase 2—Establish support function
End-user training
Data conversion
Refining migration scenario
Fallback (rollback) scenario
Changeover (go-live or cutover) techniques
Parallel changeover
Phased changeover
Abrupt changeover
Certification/accreditation
47
48. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Objectives:
Assess the adequacy of the system
Evaluate the projected cost benefits or ROI
Develop recommendations that address the system’s
inadequacies and deficiencies
Develop a plan for implementing the
recommendations
Assess the development project process
Should be performed jointly by the project
development team and appropriate end users
48
49. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
A growing number of organizations are shifting to
a fully integrated corporate solution, i.e., an ERP
solution
This type of software implementation is much
larger than a regular software acquisition project
ERP systems impact the way a corporation does
business, its entire control environment,
technological direction and internal resources
49
50. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Business risk relating to the likelihood that the
new system may not meet the users’ business
needs, requirements and expectations
Potential risks that can occur when designing and
developing software systems:
Within the project
With suppliers
Within the organization
With the external environment
50
51. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Closely associated with the traditional, classic
SDLC approach
Techniques provide a framework for representing
the data and process components of an
application using various graphical notations at
different levels of abstraction, until it reaches the
abstraction level that enables programmers to
code the system
51
54. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
With increasing emphasis on integrating the web channel with
a business’ internal legacy systems and the systems of its
business partners, company systems now typically will run on
different platforms, running different software and with
different databases
The challenge of integrating diverse technologies within and
beyond the business has increasingly lead companies to move
to component-based systems that utilize a middleware
infrastructure, based around an application server databases
play a key role in most e-commerce systems, maintaining data
for web site pages, accumulating customer information and
possibly storing click-stream data for analyzing web site usage
Extensible Markup Language is also likely to form an important
part of an organization’s overall e-commerce architecture
54
55. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
E-commerce risks:
Confidentiality
Integrity
Availability
Authentication and non-repudiation
Power shift to customers
It is important to take into consideration the
importance of security issues that extend beyond
confidentiality objectives
55
56. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
An IS auditor should assess applicable use of:
A set of security mechanisms and procedures that
constitute a security architecture for e-commerce
Firewall mechanisms that are in place to mediate between
the public network and an organization’s private network
A process whereby participants in an e-commerce
transaction can be identified uniquely and positively
Digital signatures
An infrastructure to manage and control public key pairs
and their corresponding certificates
The procedures in place to control changes to an e-
commerce presence
Logs of e-commerce applications
56
57. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
An IS auditor should assess applicable use of:
The methods and procedures to recognize security
breaches when they occur
The features in e-commerce applications
The protections in place to ensure that data collected
about individuals are not disclosed without their consent
The means to ensure confidentiality of data
communicated between customers and vendors
The mechanisms to protect e-commerce’s presence and
their supporting private networks from computer viruses
57
58. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
An IS auditor should assess applicable use of:
The features within the e-commerce architecture to keep
all components from failing
A plan and procedure to continue e-commerce activities
when an extended outage of required resources for
normal processing
A commonly understood set of practices and procedures
to define management’s intentions for the security of e-
commerce
A shared responsibility for e-commerce security
Communications from vendors to customers
A regular program of security audit and assessment
58
59. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Benefits:
Less paperwork
Fewer errors during the exchange of information
Improved information flow, database-to-database and
company-to-company
No unnecessary rekeying of data
Fewer delays in communication
Improved invoicing and payment processes
59
60. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Moving data in a batch transmission process through EDI
process involves 3 functions within each partner’s system:
Communications handler
EDI interface
▪ EDI translator
▪ Application interface
Application system
General requirements:
Communications software, translation software and access to
standards
To build a map, an EDI standard appropriate for the kind of EDI data
to be transmitted is selected
Final step is to write a partner profile that tells the system where to
send each transaction and how to handle errors and exceptions
60
61. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Web-based EDI has come into prominence due
to:
Internet-through-Internet service providers offering
generic network access for all computers connected to
the Internet
Its ability to attract new partners via web-based sites
to exchange information
New security products available to address issues of
confidentiality, authentication, data integrity and non-
repudiation of origin and return
Improvements in the x.12 EDI formatted standard
61
62. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
To protect EDI transmissions, the EDI process should include:
Standards set to indicate the message format and content are valid
Controls to ensure standard transmissions are properly converted for
the application software by the translation application
Procedures to determine messages are only from authorized parties
Direct or dedicated transmission channels among the parties
Data should be encrypted using algorithms agreed to by the parties
involved
The EDI process needs the ability to detect and deal with
transactions that do not conform to the standard format or are
from/to unauthorized parties
The critical nature of many EDI transactions requires that there
be positive assurances that the transmissions were complete
Organizations desiring to exchange transactions using EDI are
establishing a new business relationship
62
63. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
The controls for receipt of inbound transactions are:
Use appropriate encryption techniques when using public
Internet infrastructures for communication
Perform edit checks
Perform additional computerized checking
Log each inbound transaction upon receipt
Use control totals on receipt of transactions
Segment count totals built into the transaction set trailer by the
sender
Control techniques in the processing of individual transactions
Ensure the exchange of control totals of transactions sent and
received between trading partners at predefined intervals
63
64. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
An IS auditor must evaluate EDI to ensure that all
inbound EDI transactions are received and translated
accurately, passed to an application and processed
only once
To accomplish this, an IS auditor must review:
Internet encryption process
Edit checks
Additional computerized checking
Batch control totals
The validity of the sender against trading partner details
64
65. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Linking the business processes between the related
entities such as the buyer and the seller.
SCM is all about managing the flow of goods, services and
information among suppliers, manufacturers, wholesalers,
distributors, stores, consumers and end users
EDI, which is extensively used in SCM, is not a new
technology but the cost associated with it was not
affordable to many until recent years. Now, availability of
inexpensive, web-based SCM solutions has opened this
area for everybody. However, there is a need for significant
change in the business model
65
66. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
2 Types:
Online to a central computer owned by a financial
institution or a cards administrator
Use local processors/microcomputers owned by a business
to hold the transactions for a specified period after which
they are sent to the main computer for batch processing.
IS auditor should determine whether any credit
cardholder information is stored on the local POS
system such as credit card numbers, personal
identification numbers (PINs), etc.
Any such information, if stored on the POS system,
should be encrypted using strong encryption
methods.
66
67. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
E-mail system components:
Mail servers
Clients
67
68. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Security issues:
Flaws in the configuration of mail server applications
Denial-of-service (DoS)
Sensitive information transmitted unencrypted between
mail server and e-mail client may be intercepted
Information within the e-mail may be altered
Viruses and other types of malicious code may be
distributed throughout an organization
Users may send inappropriate, proprietary or other
sensitive information via e-mail
68
69. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Digital signatures are a good method of securing
e-mail transmissions in that:
The signature cannot be forged
The signature is authentic and encrypted
The signature cannot be reused
The signed document cannot be altered
69
70. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Banks should have a risk management process to
enable them to identify, measure, monitor and
control their technology risk exposure
Risk management of new technologies has three
essential elements:
Risk management is the responsibility of the board of
directors and senior management
Implementing technology is the responsibility of IT senior
management members
Measuring and monitoring risk is the responsibility of
members of operational management
70
71. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
E-banking presents a number of risk management challenges:
The speed of change relating to technological and service innovation
Transactional e-banking web sites and associated retail and
wholesale business applications are typically integrated with legacy
computer systems
e-Banking increases banks’ dependence on information technology
The Internet is ubiquitous and global by nature
Effective risk management controls for e-banking include 14
controls divided among three categories:
Board and management oversight
Security controls
Legal and reputational risk management
71
72. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Advantages of e-finance to consumers include:
Lower costs
Increased breadth and quality
Widening access to financial services
A-synchrony (time-decoupled)
A-topy (location-decoupled)
72
73. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
2 Types of parties in all payment systems:
Issuer is an entity that operates the payment service. An
issuer holds the items that the payments represent (e.g.,
cash held in regular bank accounts).
User of the payment service perform two main functions:
▪ making payments (payer)
▪ receiving payments (payee)
3 models:
Electronic Money Model: emulate physical cash.
Electronic Checks Model: as real-world checks
Electronic Transfer Model
73
74. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Electronic funds transfer (EFT) is the exchange of
money via telecommunications without currency
actually changing hands
Allows parties to move money from one account
to another, replacing traditional check writing
and cash collection procedures
Usually function via an internal bank transfer
from one party’s account to another or via a
clearinghouse network
74
75. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Security in an EFT environment ensures that:
All of the equipment and communication linkages are
tested
Each party uses security procedures that are reasonably
sufficient
There are guidelines set for the receipt of data
Upon receipt of data, the receiving party will immediately
transmit an acknowledgment or notification
Data encryption standards are set
Standards for unintelligible transmissions are set
Regulatory requirements are explicitly stated
75
76. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Bill of materials (BOM)
BOM processing (BOMP)
Manufacturing resources planning (MRP)
Computer-assisted design (CAD)
Computer-integrated (or computer-intensive)
manufacturing (CIM)
Manufacturing accounting and production (MAP)
Manufacturing Resource Planning (MRP)
76
77. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Provides details regarding all business
relationships a customer maintains with an
organization. (as of CRM)
Integration aids in customer analysis and
marketing.
Integrated banking customer file.
The file includes data regarding the customer loans,
checking accounts, savings accounts and any
certificates of deposit
77
78. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Electronic devices and techniques to aid in the
conduct of business:
Word processors
Automated spreadsheets
e-mail
LANs link local offices and computers to facilitate
the use of these technologies.
May contain sensitive data; and so, access
controls and security are frequently weak or
nonexistent.
78
79. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Recommended internal control guidelines for ATMs
include:
Written policies and procedures covering personnel,
security controls, operations, settlement, balancing, etc.
Procedures for PIN issuance and protection during storage
Procedures for the security of PINs during delivery
Controls over plastic card procurement
Controls and audit trails of the transactions that have been
made in the ATM
79
80. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Cooperative processing systems are divided into
segments so different parts may run on different
independent computer devices. (Parallel Systems)
The system divides the problem into units that are
processed in a number of environments and
communicates the results among them to produce a
solution to the total problem.
The system must be designed to minimize and
maintain the integrity of communication between
the component parts and to use the most
appropriate processor for each of the problem units
80
81. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
A phone technology that allows a computer to detect
voice and touch tones using a normal phone call.
The caller uses the telephone keypad to select from preset
menu choices provided by the IYR to respond with pre-
recorded or dynamically generated audio to further direct
callers or route the caller to a customer service
representative.
Used to control almost any function where the interface
can be broken down into a series of simple menu choices.
Generally scale well to handle large call volumes. Controls
over such systems must be in place to prevent
unauthorized individuals from entering system level
commands that may permit them to change or rerecord
menu options.
81
82. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Perform three basic accounting functions:
Accounts payable processing-Recording transactions in the
accounts payable records
Goods received processing-Recording details of goods
received, but not yet invoiced
Order processing-Recording goods ordered, but not yet
received
Computer may be involved in each of these
activities, and the extent to which they are
computerized determines the complexity of the
purchase accounting system.
82
83. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Stores, retrieves and processes graphic data, such as
pictures, charts and graphs, instead of or in addition
to text data
Examples of potential benefits are:
Item processing (e.g., signature storage and retrieval)
Immediate retrieval via a secure optical storage medium
Increased productivity
Improved control over paper files
Reduced deterioration due to handling
Enhanced disaster recovery procedure
83
84. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
IS auditors should be aware of when reviewing
an institution's controls over imaging systems
include:
Planning
Audit
Redesign of workflow
Scanning devices
Software Security
Training
84
85. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Artificial intelligence is the study and application
of the principles by which:
Knowledge is acquired and used
Goals are generated and achieved
Information is communicated
Collaboration is achieved
Concepts are formed
Languages are developed
85
86. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Key to an expert system is the knowledge base
(KB), which contains specific information or fact
patterns associated with a particular subject
matter and the rules for interpreting these facts
The information in the KB can be expressed in
several ways:
Decision trees
Rules
Semantic nets
86
88. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
An IS auditor should:
Understand the purpose and functionality of the
system
Assess the system’s significance to the organization
Review the adherence of the system to policies and
procedures
Review procedures for updating information in the KB
Review security access over the system
88
89. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Business intelligence (BI) is a broad field of IT that
encompasses the collection and dissemination of
information to assist decision making and assess
organizational performance
Some typical areas in which BI is applied include:
Process cost, efficiency and quality
Customer satisfaction with product and service offerings
Customer profitability
Staff and business unit achievement of KPIs
Risk management
89
90. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
An optimized enterprise data flow architecture consists of:
Presentation/desktop access layer
Data source layer
Core data warehouse
Data mart layer
Data staging and quality layer
Data access layer
Data preparation layer
Metadata repository layer
Warehouse management layer
Application messaging layer
Internet/intranet layer
90
91. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Interactive system that provides the user with easy access
to decision models and data from a wide range of sources,
to support semi-structured decision-making tasks typically
for business purposes
A principle of DSS design is to concentrate less on
efficiency and more on effectiveness
A DSS is often developed with a specific decision or well-
defined class of decisions to solve
Frameworks are generalizations about a field that help put
many specific cases and ideas into perspective
G. Gorry-M.S. Morton framework
Sprague-Carson framework
91
92. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Prototyping is the most popular approach to DSS
design and development
It is difficult to implement a DSS because of its
discretionary nature
92
93. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Developers should be prepared for eight
implementation risk factors:
Nonexistent or unwilling users
Multiple users or implementers
Disappearing users, implementers or maintainers
Inability to specify purpose or usage patterns in advance
Inability to predict and cushion impact on all parties
Lack or loss of support
Lack of experience with similar systems
Technical problems and cost-effectiveness issues
93
94. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
The DSS designer and user should use broad
evaluation criteria, including:
Traditional cost-benefit analysis
Procedural changes, more alternatives examined, less
time consumer in making the decision
Evidence of improvement in decision making
Changes in the decision process
94
95. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
The emerging customer-driven business trend is to
be focused on the wants and needs of the
customers.
With the customer's expectations constantly
increasing, these objectives are becoming more
difficult to achieve.
This emphasizes the importance of focusing on
information relating to transaction data,
preferences, purchase patterns, status, contact
history, demographic information and service trends
of customers rather than on products.
95
96. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Operational CRM: maximizing the utility of the
customer's service experience while also
capturing useful data about the customer
interaction
Analytical CRM: analyze information captured by
the organization about its customers and their
interactions with the organization into
information that allows greater value to be
obtained from the customer base
96
98. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Incremental or progressive development
Iterative development
Evolutionary development
Spiral development
Agile development
98
99. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Agile development refers to a family of similar
development processes that espouse a
nontraditional way of developing complex systems.
Agile development processes have a number of
common characteristics, including:
The use of small, time-boxed subprojects or iterations
Replanning the project at the end of each iteration
Relatively greater reliance on tacit knowledge
Heavy influence on mechanisms to effectively disseminate
tacit knowledge and promote teamwork
A change in the role of the project manager
99
100. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
The process of creating a system through
controlled trial and error procedures to reduce
the level of risks in developing the system
Reduces the time to deploy systems primarily by
using faster development tools such as fourth-
generation techniques
Potential risk is that the finished system will have
poor controls
Change control often becomes more complicated
100
101. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
A methodology that enables organizations to
develop strategically important systems quickly,
while reducing development costs and maintaining
quality
Achieved through the use of:
Small, well-trained development teams
Evolutionary prototypes
Integrated power tools
A central repository
Interactive requirements and design workshops
Rigid limits on development time frames
101
102. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
A method for representing software
requirements by focusing on data and their
structure
Major advantage of this approach is that it
eliminates data transformation errors such as
porting, conversion, transcription and
transposition
102
103. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
The process of solution specification and modeling
where data and procedures can be grouped into an
entity known as an object
OOSD is a programming technique and is not a
software development methodology itself
The major advantages of OOSD are:
The ability to manage an unrestricted variety of data types
Provision of a means to model complex relationships
The capacity to meet the demands of a changing
environment
103
104. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Process of assembling applications from cooperating
packages of executable software that make their
services available through defined interfaces
Components play a significant role in web-based
applications
Basic types of components are:
In-process client components
Stand-alone client components
Stand-alone server components
In-process server components
104
105. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Features:
Reduces development time
Improves quality
Allows developers to focus more strongly on business
functionality
Promotes modularity
Simplifies reuse
Reduces development cost
Supports multiple development environments
105
106. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Designed to achieve easier and more effective
integration of code modules within and between
enterprises
Different from traditional third- or fourth-
generation program developments in many ways:
Languages and programming techniques used
Methodologies used to control development work
The way users test and approve development work
106
107. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Reengineering
Process of updating an
existing system by
extracting and reusing
design and program
components process is used
to support major changes in
the way an organization
operates. A number of tools
are now available to support
this process
Reverse Engineering
Taking apart an application, a
software application or a
product to see how it
functions, in order to develop
a similar system
Advantages:
Faster development and reduced
SDLC duration
Creation of an improved system
using the reverse-engineered
application drawbacks
107
108. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
System development tools and productivity aids
include code generators, Computer-Aided
Software Engineering (CASE) applications and
fourth-generation languages (4GL).
108
109. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Code generators are tools, often incorporated
with CASE products, that generate program code
based on parameters defined by a systems
analyst or on data/entity flow diagrams
developed by the design module of a CASE
product.
These products allow most developers to
implement software programs with efficiency.
The IS auditor should be aware of nontraditional
origins of source code
109
111. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
CASE is the use of automated tools to aid in the
software development process
May include the application of software tools for
software requirements analysis, software design,
code production, testing, document generation and
other software development activities
Three categories:
Upper - support analysis and design phases
Lower - support coding phase
Integrated - also known as I-CASE support analysis, design
and coding phases
111
112. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
IS auditor considerations:
CASE tools do not ensure that the design, programs
and system are correct or that they fully meet the
needs of the organization
CASE tools should complement and fit into the
application development methodology
The integrity of data moved between CASE products
needs to be monitored and controlled
Changes to the application should be reflected in
stored CASE product data
112
113. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Common characteristics of 4GLs include:
Nonprocedural language
Environmental independence (portability)
Software facilities
Programmer workbench concepts
Simple language subsets
4GLs are classified as:
Query and report generators
Embedded database 4GLs
Relational database 4GLs
Application generators
113
115. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
The physical architecture analysis, the definition of a new one
and the necessary road map to move from one to the other are
critical tasks for an IT department
Goals:
To successfully analyze the existing architecture
To design a new architecture
To write the functional requirements of this new architecture
To develop a proof of concept
Physical implementation of the required technical
infrastructure to set up the future environment will be planned
next
Task will cover procurement activities such as contracting
partners, setting up the SLAs, and developing installation plans
and installation test plans
115
117. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Phased approach to ensure the quality of results
Communication processes should be set up to
other projects
Through these different phases the components
are fit together, and a clear understanding of the
available and contactable vendors is established
by using the selection process during the
procurement phase and beyond
117
123. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
To avoid delays, the appropriate skilled staff must
attend workshops and participate for the entire
project duration.
The documentation needed for carrying out the
work needs to be ready at project initiation.
Decision makers must be involved at all steps to
ensure all necessary decisions can be made quickly.
Part one of the project (Analysis of Physical
Architecture) must be completed and the needed
infrastructure decisions must be made.
123
124. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
For acquiring a system, the Invitation To Tender
(ITT) should include the following:
Organizational descriptions
Information processing requirements
Hardware requirements
System software applications
Support requirements
Adaptability requirements
Constraints
Conversion requirements
124
125. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Acquisition steps:
Testimonials or visits with other users
Provisions for competitive bidding
Analysis of bids against requirements
Comparison of bids against each other
Analysis of the vendor’s financial condition
Analysis of the vendor’s capability to provide maintenance
Review of delivery schedules against requirements
Analysis of security and control facilities
Review and negotiation of price
Review of contract terms
125
126. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
When selecting new system software, the following
technical issues should be considered:
Business, functional, technical needs and specifications
Cost and benefits
Obsolescence
Compatibility with existing systems
Security
Demands on existing staff
Training and hiring requirements
Future growth needs
Impact on system and network performance
126
127. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
System software implementation involves
identifying features, configuration options and
controls for standard configurations to apply
across the organization.
Additionally, implementation involves testing the
software in a nonproduction environment and
obtaining some form of certification and
accreditation to place the approved operating
system software into production.
127
128. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
All test results should be documented, reviewed
and approved by technically-qualified subject
matter experts prior to production use
Change control procedures are designed to
ensure that changes are authorized and do not
disrupt processing
128
129. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
The process of managing change to application
systems while maintaining the integrity of both the
production source and executable code
Once a system is moved into production, it seldom
remains static.
Change is expected in all systems regardless of
whether they are vendor-supplied or internally
developed
To control the ongoing maintenance of the system, a
standard process for performing and recording
changes is necessary.
129
130. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Change management process begins with
authorizing changes to occur
Requests initiated from end users, operational staff
and system development/maintenance staff
Change requests should be in a format that ensures
all changes are considered for action and that allows
the system management staff to easily track the
status of the request
All requests for changes should be maintained by the
system maintenance staff as part of the system’s
permanent documentation
130
131. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Deploying changes
Documentation
Testing changed programs
Auditing program changes
Emergency changes
Deploying changes back into production
Change exposures (unauthorized changes)
131
132. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Maintenance requests must be formally
documented and approved by a change control
group
Careful control is exercised over each stage of the
maintenance process via checkpoints, reviews
and sign-off procedures
From an audit perspective, provides evidence of
management’s commitment to careful control
Involves procedures throughout the software life
cycle
132
133. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Tasks:
Develop the configuration management plan
Baseline the code and associated documents
Analyze and report on the results of configuration
control
Develop the reports that provide configuration status
Develop release procedures
Perform configuration control activities
Update the configuration status accounting database
133
135. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Business processes require improvements, which
are accomplished with practices and techniques
addressed in the following sections
135
137. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
The steps in a successful BPR are:
Define the areas to be reviewed
Develop a project plan
Gain an understanding of the process under review
Redesign and streamline the process
Implement and monitor the new process
Establish a continuous improvement process
A successful BPR/process change project requires the project
team to perform the following for the existing processes:
▪ Process decomposition to the lowest level required for effectively assessing a
business process
▪ Identification of customers, process-based managers or process owners
responsible for beginning to end processes
▪ Documentation of the elementary process-related profile information
137
138. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
BPR methods and techniques
Benchmarking process
▪ Plan
▪ Research
▪ Observe
▪ Analyze
▪ Adapt
▪ Improve
138
139. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
ISO 9126 is an international standard to assess
the quality of software products.
Attributes:
Functionality
Reliability
Usability
Efficiency
Maintainability
Portability
139
140. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Initial-Characterized as ad hoc, where success depends solely on individual
effort
Repeatable-Disciplined management processes are established to plan and
track cost, schedule and functionality, and provide oversight over a software
project, and create a learning environment where successfully defined and
applied processes can be repeated successfully on other projects of similar size
and scope.
Defined-Lessons learned from the prior phase provide the impetus to develop
a standard software process across the organization. This includes both
management and software engineering activities, documented, standardized
and integrated into an institutionalized standard software process applicable to
all software development projects.
Managed-Once processes are well-defined and applied, the organization has
reached a point where it can develop and apply quantitative managed control
over its software development processes.
Optimizing-When an organization has attained the ability to quantitatively and
successfully control its software projects, it is in a position to use continuous
process improvement strategies in applying innovative solutions and state-of-
the-art technologies to its software processes.
140
142. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Also known as Software Process Improvement and Capability
Determination (SPICE), is based on CMM and Bootstrap
SPICE, like CMMI, serves as a baseline for process improvement and
process benchmarking, and leverages the adoption of best practices.
Reference models for SPICE include:
Software life cycle processes-Through ISO/IEC 12207 AMD1I2
System life cycle processes-Through ISO/IEC 15288
Human-centered life cycle processes-Through ISO 18529
Component-based development processes-Through the OOSPICE project
IT service management processes-Through a SPICE user group initiative
Quality management system processes-Through SPICE for 9000 (S9K)
Automotive embedded software--Through Automotive SPICE (an initiative
of The Procurement Forum and The SPICE User Group with the major
European car manufacturers)
Medical device software--Through the Medi SPICE initiative
142
145. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Controls over input, processing and output
functions.
To ensure that:
Only complete, accurate and valid data are entered
and updated in a computer system
Processing accomplishes the correct task
Processing results meet expectations
Data are maintained
145
146. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
IS auditor’s tasks:
Identifying the significant application components and
the flow of transactions through the system
Identifying the application control strengths
Testing the controls to ensure their functionality and
effectiveness
Evaluating the control environment
Considering the operational aspects of the application
to ensure its efficiency and effectiveness
146
147. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Input authorization
Verifies that all transactions have been authorized and
approved by management
Types:
Signatures on batch forms or source documents
Online access controls
Unique passwords
Terminal or client workstation identification
Source documents
147
148. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Batch controls and balancing
Batch controls group input transactions to provide control
totals
Types:
Total monetary amount
Total items
Total documents
Hash totals
Performed through manual or automated reconciliation
Types of batch balancing include:
Batch registers
Control accounts
Computer agreement
148
149. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Error reporting and handling
Input processing requires that controls be identified to
verify that data are accepted into the system correctly
and that input errors are recognized and corrected
Input error handling can be processed by:
Rejecting only transactions with errors
Rejecting the whole batch of transactions
Holding the batch in suspense
Accepting the batch and flagging error transactions
149
150. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Error reporting and handling
Input control techniques include:
Transaction log
Reconciliation of data
Documentation
Error correction procedures
Anticipation
Transmittal log
Cancellation of source documents
150
151. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Data validation and editing procedures
Procedures should be established to ensure that
input data are validated and edited as close to
the time and point of origination as possible
Data validation identifies data errors, incomplete
or missing data and inconsistencies among
related data items
151
152. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Processing controls
Ensure the completeness and accuracy of accumulated
data
The following techniques can be used:
Manual recalculations
Editing
Run-to-run totals
Programmed controls
Reasonableness verification of calculated amounts
Limit checks on calculated amounts
Reconciliation of file totals
Exception reports
152
153. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Data file control procedures
File controls should ensure that only authorized
processing occurs to stored data
Data files generally fall into four categories:
System control parameters
Standing data
Master data/balance data
Transaction files
153
154. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Output controls provide assurance that the data
delivered to users will be presented, formatted and
delivered in a consistent and secure manner
Output controls include:
▪ Logging and storage of negotiable, sensitive and critical forms in a
secure place
▪ Computer generation of negotiable instruments, forms and
signatures
▪ Report distribution
▪ Balancing and reconciling
▪ Output error handling
▪ Output report retention
▪ Verification of receipt of reports
154
155. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Specific matters to consider in business process
control assurance are:
Process maps
Process controls
Assessing business risks within the process
Benchmarking with best practices
Roles and responsibilities
Activities and tasks
Data restrictions
155
156. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
A transaction flowchart provides information
regarding key processing controls. Points where
transactions are entered, processed and posted
should be reviewed for control weaknesses
156
157. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
The quality of internal
controls
Economic conditions
Recent accounting system
changes
Time elapsed since last
audit
Complexity of operations
Changes in
operations/environment
Recent changes in key
positions
Time in existence
Competitive environment
Assets at risk
Prior audit results
Staff turnover
Transaction volume
Regulatory agency impact
Monetary volume
Sensitivity of transactions
Impact of application
failure
157
158. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Separation of duties
Authorization of input
Balancing
Error control and correction
Distribution of reports
Review and testing of access
158
159. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
A set of substantive tests examine the accuracy,
completeness, consistency and authorization of
data presently held in a system
Indicate failure in input or processing controls
Two common types of data integrity tests are:
Relational integrity tests
Referential integrity tests
159
160. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
The ACID principle:
Atomicity
Consistency
Isolation
Durability
160
166. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Determine the main components, objectives and
user requirements of the system
Determine and rank the major risks to, and
exposures of, the system
Identify controls to mitigate the risks to, and
exposures of, the system
Monitor the system development process
Participate in post-implementation reviews
Test system maintenance procedures
Evaluate the system maintenance process
166
167. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Levels of oversight by project committee
Risk management methods within the project
Issue management
Cost management
Processes for planning and dependency
management
Reporting processes to senior management
Change control processes
Stakeholder management involvement
Sign off process
167
168. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Review the documentation produced in this
phase for reasonableness
Determine whether all cost justifications/benefits
are verifiable
Identify and determine the criticality of the need
Determine if a solution can be achieved with
systems already in place
Determine the reasonableness of the chosen
solution
168
169. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Obtain the detailed requirements definition document
Identify the key team members on the project team
Verify that project initiation and cost have received proper
management approval
Review the conceptual design specifications to ensure they
address the needs of the user
Review the conceptual design to ensure control
specifications have been defined
Determine whether a reasonable number of vendors
received a proposal covering the project scope and user
requirements
Review the UAT specification
Determine whether the application is a candidate for an
embedded audit routine
169
170. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Analyze the documentation from the feasibility
study
Review the RFP
Determine whether the selected vendor is
supported by RFP documentation
Attend agenda-based presentations and
conference room pilots
Review the vendor contract prior to its signing
Ensure the contract is reviewed by legal counsel
before it is signed
170
171. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Review the system flowcharts for adherence to the general
design
Review the input, processing and out controls designed
into the system for appropriateness
Interview the key users of the system
Assess the adequacy of audit trails
Verify the integrity of key calculations and processes
Verify that the system can identify and process erroneous
data correctly
Review the quality assurance results of the programs
developed
Verify that all recommended corrections to programming
errors were made
171
172. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Review the test plan for completeness
Reconcile control totals and converted data
Review error reports for their precision in recognizing
erroneous data and for resolution of errors
Verify cyclical processing for correctness
Interview end users of the system for their understanding
of new methods, procedures and operating instructions
Review unit and system test plans to determine whether
tests for internal controls are planned and performed
Review parallel testing results for accuracy
172
173. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
An IS auditor should verify that appropriate sign-offs
have been obtained prior to implementation, then:
Review the programmed procedures used for scheduling
and running the system along with system parameters
used in executing the production schedule
Review all system documentation to ensure its
completeness and that all recent updates from the testing
phase have been incorporated
Verify all data conversion to ensure that they are correct
and complete before implementing the system in
production
173
174. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Determine if the system’s objectives and
requirements were achieved
Determine if the cost benefits identified in the
feasibility study are being measured, analyzed and
accurately reported to management
Review program change requests performed to
assess the type of changes required of the system
Review controls built into the system
Review operators’ error logs
Review input and output control balances and
reports
174
175. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Identifying the significant application
components and the flow of transactions
through the system
Identifying the application control strengths and
evaluating the impact of the control weaknesses
to develop a testing strategy by analyzing the
accumulated information
Reviewing application system documentation to
provide an understanding of the functionality of
the application
175
176. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
The use and existence of a methodology for authorizing,
prioritizing and tracking system change requests from the
user
Whether emergency change procedures are addressed in
the operations manuals
Whether change control is a formal procedure for the user
and the development groups
Whether the change control log ensures all changes shown
were resolved
The user’s satisfaction with the turnaround of change
requests
The adequacy of the security access restrictions over
production source and executable modules
176
177. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
For a selection of changes on the change control log:
Determine whether changes to requirements resulted in
appropriate change-development documents
Determine whether changes were made as documented
Determine whether current documentation reflects the
changed environment
Evaluate the adequacy of the procedures in place for
testing system changes
Review evidence to ensure that procedures are carried out
as prescribed by organizational standards
Review the procedures established for ensuring executable
and source code integrity
177
178. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Provides a method for an IS auditor to collect
evidence on system reliability while normal
processing takes place
Important IS audit tools, particularly when used
in a time-sharing environment that process a
large number of transactions with a scarce paper
trail
178
179. Copyright@2013 Al-Taysir for Information Systems Security Consulting LLC
Systems Control Audit Review File And Embedded Audit
Modules (SCARF/EAM)
Snapshots
Audit Hooks
IntegratedTest Facility (ITF)
Continuous And Intermittent Simulation (CIS)
179