Evaluating Application Systems Development and Implementation
Organizations invest heavily in the development, acquisition, implementation, and maintenance of applications and their associated systems. These applications are developed or acquired in support of key business functions. The IT department should have clearly defined processes to control the resources associated with the development, acquisition, and implementation of applications. This process, called the systems-development life cycle (SDLC), is a structured approach intended to:

  • Minimize risk and maximize return on investment

  • Reduce software business risk: the likelihood that the new system will not meet the application user's business expectations

The lack of a formal, documented software-development process can result in software projects that are late, over budget, or that do not meet user or business needs. The IS auditor should look for evidence of a structured approach to application development, acquisition, implementation, and maintenance. The IS auditor should also review policies and procedures to ensure that the objectives of the strategic plan are being met. The SDLC should have clearly defined life-cycle phases and progression points, so that the IS auditor can identify each phase in the process and verify adherence to planned objectives and company procedures.

As discussed in Chapter 1, "The Information Systems (IS) Audit Process," all significant IT projects should have a project sponsor and a project steering committee. The project sponsor is ultimately responsible for providing requirement specifications to the software-development team. The project steering committee is responsible for the overall direction, costs, and timetables of systems-development projects.

The IS auditor is responsible for advising the project-management team and senior management if processes are disorderly (informal) or lack sufficient controls. The primary high-level goal for an auditor reviewing a systems-development project is to ensure that business objectives are achieved; this objective guides all other systems-development objectives. In addition to auditing projects, the IS auditor should participate in systems-development projects in an advisory capacity, to ensure that adequate controls are built into the system during development and that adequate and complete documentation exists for every project.


Source: CISA Exam Cram 2 (2005), 146 pages, ISBN B001EEFNHG.
