AUDCIS CHAP 5 Flashcards
(135 cards)
1
Q
constitutes a set of activities by which organizations obtain IT-based information systems
A
Systems Development Process
2
Q
Who are the Participants in Systems Development?
A
- Systems Professionals
- End Users
- Stakeholders
- Accountants/Auditors
3
Q
These individuals actually build the system. They gather
facts about problems with the current system, analyze
these facts, and formulate a solution to solve the problems.
The product of their efforts is a new system
A
Systems Professionals
4
Q
those for whom the system is built.
A
End Users
5
Q
individuals either within or outside the organization who have an interest in the system but are not end users.
A
Stakeholders
6
Q
are those professionals who address the controls, accounting, and auditing issues for systems development.
A
Accountants/Auditors
7
Q
WHY Are Accountants Involved with SDLC?
A
- Creation/purchase of IS consumes significant resources
and has financial resource implications. - Quality of AISs and their output rests directly on SDLC
activities that produce them.
8
Q
HOW are Accountants Involved with SDLC?
A
- As Users - accountants must provide a clear picture of
their problems and needs to the systems professionals - As members of the development team
- As Auditor
9
Q
The Role of the Accountant
A
- Systems Strategy
- Conceptual Design
- Systems Selection
10
Q
Help reduce the risk of creating unneeded,
unwanted, inefficient, ineffective systems
A
Systems Strategy
11
Q
It Controls implications and the Auditability of the system.
A
Conceptual Design
12
Q
Economic feasibility
A
Systems Selection
13
Q
for organizations that require systems that are highly tuned to their unique operations. requires maintaining a full-time systems staff of analysts and programmers who identify user information needs and satisfy their needs with custom systems
A
IN HOUSE DEVELOPMENT
14
Q
purchase from software vendors.
A
COMMERCIAL SYSTEMS
15
Q
TRENDS IN COMMERCIAL SYSTEM
Factors that stimulate growth in commercial software
market:
A
- Low Cost – commercial vs. customized software
- Emergence of industry-specific vendors
- Growing Demand for Businesses
- Downsizing/ DDP IT Environment
16
Q
3 BASIC GROUPS OF COMMERCIAL SOFTWARE PACKAGES
A
- Turnkey systems
- Backbone systems
- Vendor-supported systems
17
Q
are completely finished and tested systems that are ready for implementation. These are often general-purpose systems or systems customized to a specific industry.
A
Turnkey systems
18
Q
are designed to serve a wide variety of user needs. These are designed in modules which allow users to purchase the modules that meet their specific needs.
A
General accounting systems
19
Q
that target selected segments of the economy. Standardized systems to deal with industry-specific procedures
A
Special-purpose systems
20
Q
are computer systems that improve the productivity of office workers.
A
Office automation systems
21
Q
provide a basic system structure on which to build.
A
Backbone systems
22
Q
are hybrids of custom systems and commercial software. Under this approach, the vendor develops (and maintains) custom systems for its clients. The systems themselves are custom products, but the systems development service is commercially
provided
A
Vendor-supported systems
23
Q
Advantages of Commercial Software
A
• Implementation Time
• Cost
• Reliability
24
Q
Disadvantages of Commercial Software
A
• Independence – firm becomes dependent on a vendor for
maintenance
• The need for customized systems
• Maintenance - If the user’s needs change, it may be
difficult or even impossible to modify commercial
software.
25
is an eight-phase process consisting of two major stages: new systems development (1st seven phases) and maintenance.
Systems Development Life Cycle (SDLC)
26
involves conceptual steps that can apply to any problem-solving process: identify the problem, understand what needs to be done, consider alternative solutions, select the best solution, and, finally, implement the solution.
New systems development
27
(eighth phase) constitutes the organization’s program change procedures; It begins once the seven phases are complete and the system is fully implemented.
Systems maintenance
28
The objective is to link individual system projects or
applications to the strategic objectives of the firm.
PHASE I: SYSTEMS PLANNING
29
specifies where the firm plans to go and how it will get there; the basis for the systems plan
Organization's business plan
30
- may include the chief executive officer, the chief financial officer, the chief information officer, senior management from user areas, the internal auditor, and senior management from computer services.
- provide guidance and review the status of the system
projects.
Steering committee
31
STEERING COMMITTEE & RESPONSIBILITIES
• Resolving conflicts that arise from new systems
• Reviewing projects and assigning priorities
• Budgeting funds for systems development
• Reviewing the status of individual projects under
development
• Determining at various checkpoints throughout the SDLC
whether to continue with the project or terminate it
32
Systems planning occurs at two levels:
A. STRATEGIC SYSTEMS PLANNING
B. Project planning
33
– allocation, processing, budgeting, informed decisions by systems specialists
- involves the allocation of systems resources at the
macro level. It usually deals with a time frame of 3 to 5 years.
- similar to budgeting resources for other strategic
activities
STRATEGIC SYSTEMS PLANNING
34
Why Perform Strategic Systems Planning?
1. A plan that changes constantly is better than no plan
at all.
2. Strategic planning reduces the crisis component in
systems development.
3. A strategic system planning provides authorization
control for the SDLC.
4. Cost Management
35
the purpose is to allocate resources to individual applications within the framework of the strategic plan (allocate scarce resources to specific projects). This involves identifying areas of user needs, preparing proposals, evaluating each proposal’s feasibility and contribution to the business plan, prioritizing individual projects, and scheduling the work to be done
Project planning
36
Products of phase I:
1. Project proposal
2. Project schedule
37
provides management with a basis for deciding whether to proceed with the project.
Project proposal
38
- represents management’s commitment to the project.
- a budget of time and costs for all the phases of the SDLC.
Project schedule
39
AUDITOR’S ROLE:
Both internal and external auditors ensures that adequate Systems planning takes place.
40
is actually a two-step process involving first a survey of the current system and then an analysis of the user’s needs.
PHASE II: SYSTEMS ANALYSIS
41
(product of phase 2) presents the findings of the analysis and recommendations for the new system
Systems analysis report
42
facts pertaining to preliminary questions about the current system are gathered and analyzed
The Survey Step
43
Disadvantages of Surveying the Current System
1. Current Physical Tar Pit (the tendency of the analyst to be sucked in & bogged down by the task);
2. Thinking Inside the Box (improved current system rather radically new approach)
44
Advantages of Surveying Current System
1. Identifying what aspects of the old system should be kept;
2. force analysis;
3. Isolating the root of problem systems
45
GATHERING FACTS IN THE SURVEY OF THE CURRENT SYSTEM:
1. Data sources
2. Users
3. Data stores
4. Processes
5. Data flows
6. Controls
7. Transaction volumes
8. Error rates
9. Resource costs
10. Bottlenecks and redundant operations
46
These include external entities, such as customers or vendors, as well as internal sources from other departments.
Data sources.
47
These include both managers and operations users.
Users.
48
are the files, databases, accounts, and source documents used in the system
Data stores
49
Processing tasks are manual or computer operations that represent a decision or an action triggered by information
Processes
50
are represented by the movement of documents and reports between data sources, data stores, processing tasks, and users
Data flows
51
These include both accounting and operational controls and may be manual procedures or computer controls
Controls
52
The analyst must obtain a measure of the transaction volumes for a specified period of time.
Transaction volumes
53
Transaction errors are closely related to transaction volume.
Error rates
54
The resources used by the current system include the costs of labor, computer time, materials (such as invoices), and direct overhead.
Resource costs
55
The analyst should note points where data flows come together to form a bottleneck. At peak-load periods, these can result in delays and promote processing errors.
Bottlenecks and redundant operations
56
FACT GATHERING TECHNIQUES:
1. Observation
2. Task Participation
3. Personal Interviews
4. Systems analysis
5. Systems Analysis Report
6. Systems Development Activities
57
involves passively watching the physical procedures of the system
Observation
58
Participation is an extension of observation, whereby the analyst takes an active role in performing the user’s work.
Task Participation
59
Interviewing is a method of extracting facts about the current system and user perceptions about the requirements for the new system.
Personal Interviews
60
allow users to elaborate on the problem as they see it and offer suggestions and recommendations.
Open-ended questions
61
are used to ask more specific, detailed questions and to restrict the user’s responses.
Questionnaires
62
The organization’s documents are another source of facts about the system being surveyed. Ex Organizational charts, job descriptions, accounting records, chart of accounts.
Reviewing Key Documents
63
is an intellectual process that is commingled with fact gathering. The analyst is simultaneously analyzing as he or she gathers facts.
Systems analysis
64
presents to management or the steering committee the survey findings, the problems identified with the current system, the user’s needs, and the requirements of the new system
Systems Analysis Report
65
- Authorizing development of new systems Addressing and documenting user needs Technical design phases
- Participation of internal auditors
- Testing program modules before implementing
- Testing individual modules by a team of users, internal audit staff and systems professionals
- Auditor’s role is as a stakeholder
Systems Development Activities
65
- Authorizing development of new systems Addressing and documenting user needs Technical design phases
- Participation of internal auditors
- Testing program modules before implementing
- Testing individual modules by a team of users, internal audit staff, and systems professionals
- Auditor’s role is as a stakeholder
Systems Development Activities
66
the purpose is to produce several alternative conceptual systems that satisfy the system requirements identified during systems analysis
PHASE III: CONCEPTUAL SYSTEM DESIGN or Conceptual design phase
67
2 approaches to CONCEPTUAL SYSTEM DESIGN:
1. Structured design approach
2. Object-oriented design (OOD) approach
68
- is a disciplined way of designing systems from the top down. It consists of starting with the “big picture” of the proposed system that is gradually decomposed into more and more detail until it is fully understood.
- usually documented by data flow
Structured design approach
69
is to build information systems from reusable standard components or objects; most often associated with the iterative approach to SDLC.
Object-oriented design (OOD) approach
70
procedure for selecting the one system from the set of alternative conceptual designs that will go to the detailed design phase
PHASE IV: SYSTEM EVALUATION & SELECTION
71
- is an optimization process that seeks to identify the best system.
Purpose: to structure the decision-making process and reduce both uncertainty and risk of making a poor decision
Systems evaluation and selection phase
72
The evaluation and selection process involves two steps:
1. Perform a detailed feasibility study
2. Perform a cost-benefit analysis
73
– concerned with whether the system can be developed under existing technology or if new technology is needed
Technical Feasibility
74
– availability of funds
Economic Feasibility
75
– identifies any conflicts between the conceptual system and the company’s ability to discharge its legal responsibilities.
Legal Feasibility
76
- shows the degree of compatibility between the firm’s existing procedures and personnel skills and the operational requirements of the new system.
Operational Feasibility
77
- ability to implement within an acceptable time
Schedule Feasibility
78
- helps management determine whether (and by how much) the benefits received from a proposed system will outweigh its costs
Cost-benefit analysis
79
There are three steps in the application of cost-benefit analysis:
1. Identify Costs
2. Identify Benefits
3. Compare Costs and Benefits
80
- include the initial investment to develop and implement the system.
* Hardware Acquisition
* Site preparation
* Software acquisition
* Systems design
* Programming and testing Data conversion
* Training
One-time costs
81
include operating and maintenance costs that recur over the life of the system.
* Hardware maintenance
* Software maintenance Insurance
* Supplies
* Personnel costs
Recurring costs
82
- fall into two categories: those that increase revenue and those that reduce costs.
Tangible Benefits
83
• Increased customer satisfaction
• Improved employee satisfaction
• More current information
• Improved decision making
• Faster response to competitor actions
• More efficient operations
• Better internal and external communications
• Improved planning
• Operational flexibility
• Improved control environment
Intangible Benefits
84
- present value of the costs is deducted from the present value of the benefits over the life of the system.
NPV (Net Present Value Method)
85
- a variation of break-even analysis.
Payback Period
86
- reached when costs equal total benefits total.
Break Even Point
87
– it is a deliverable product of the systems selection process; consists of a revised feasibility study, a cost-benefit analysis, and a list and explanation of intangible benefits for each alternative design
Systems selection report
88
-The primary concern for auditors is that the economic feasibility of the proposed system is measured as accurately as possible.
The Auditor’s Role in Evaluation and Selection
89
The auditor should ensure five things:
1. Only escapable costs are used in calculations of cost savings benefits.
2. Reasonable interest rates are used in measuring present values of cash flows.
3. One-time and recurring costs are completely and accurately reported.
4. Realistic useful lives are used in comparing competing projects.
5. Intangible benefits are assigned reasonable financial values.
90
- purpose is to produce a detailed description of the proposed system that both satisfies the system requirements identified during systems analysis and is in accordance with the conceptual design.
PHASE V: DETAILED DESIGN
or
Detailed design phase
91
- ensure that the design is free from conceptual errors that could become programmed into the final system
- conducted by a quality assurance group (job of this group is to simulate the operation of the system to uncover errors, omissions, and ambiguities in the design)
Walkthrough
92
Detailed design report - documents and describes the system to this point. This report includes the following:
◦ Designs for all screen inputs & source documents
◦ Designs for all screen outputs, reports & operational documents
◦ Normalized data for database tables, specifying all data elements
◦ Database structures and diagrams
◦ Processing logic (Flow Charts)
93
- next stage of the SDLC: is to select a programming language from among the various languages available and suitable for the application:
PHASE VI: APPLICATION PROGRAMMING & TESTING 1
or
PROGRAM THE APPLICATION SYSTEM
94
- requires the programmer to specify the precise order in which the program logic is executed
- also called third-generation languages (3GLs)
Procedural Languages
95
- (uses icons Microsoft VB; GUI)
- Are no longer procedural
- the program’s code is not executed in a predefined sequence; instead, external actions or “events” that are initiated by the user dictate the control flow of the program.
Event Driven Languages
96
– ( Java and Smalltalk)
- central to achieving the benefits of the object-oriented approach is developing software in this language
Object Oriented Languages
97
– are real-world phenomena that possess two characteristics: 1) state 2) behavior
Objects
98
– class: a blueprint that defines the attributes and the methods common to all objects of a certain type; instance: a single occurrence of an object within a class
Class and Instance
99
– act of placing data and methods in the same class and thus restricting access to the object’s components
Encapsulation
100
– each object instance inherits the attributes and methods of the class to which it belongs
Inheritance
101
– allows multiple and different objects to respond to the same message
Polymorphism
102
– produces small programs that perform narrowly defined tasks; a technique used to program the system
Modular approach
103
- programs should follow a modular approach regardless of the language used. Benefits associated with modular programming:
1. Programming Efficiency
2. Maintenance Efficiency
3. Control
Programming the System
104
◦ Identifying programming & logical errors Testing Offline Before Deploying Online
◦ Never Ever Underestimate (Testing Environment vs Actual Environment) Test Data
◦ Should be retained for reuse
◦ Serves as a frame of reference for auditor in designing and evaluating future audit tests (i.e. the system has not undergone any change)
Testing Methodology / 2) TEST THE APPLICATION SOFTWARE
105
of the systems development process, database structures are created and populated with data, equipment is purchased and installed, employees are trained, the system is documented, and the new system is installed.
PHASE VII: SYSTEM IMPLEMENTATION (GO LIVE)
or
System implementation phase
106
- systems designers and programmers need documentation to debug errors and perform maintenance on the system.
Designer & Programmer Documentation
107
- shows the relationship of input files, programs, and output files
system flowchart
108
- provides a detailed description of the sequential and logical operation of the program
program flowchart
109
- computer operators use documentation called a run manual, which describes how to run the system.
Operator Documentation
110
- users need documentation describing how to use the system
User Documentation
111
- users need documentation describing how to use the system
Novices
112
- once understood the system but have forgotten some essential commands and procedures
Occasional Users
113
- are familiar with limited aspects of the system
Frequent Light Users
114
- understand the existing system and will readily adapt to new systems
Frequent Power Users
115
- this is the transfer of data from its current form to the format or medium required by the new system.
Database conversion
116
requires analysing each class of data to determine whether it should be reproduced in the new database
Validation
117
- new database must be reconciled against the original
Reconciliation
118
- copies of the original files must be kept as backup against discrepancies in the converted data.
Backup
119
– (most risky; all at once) the firm switches to the new system and simultaneously terminates the old system
Cold Turkey Cutover (“Big Bang” approach)
120
- (by modules; gradual) entire system need not be cut over at once; begins operating the new system in modules
Phased Cutover
121
– (simultaneous; reconciliation) involves running the old system and the new system simultaneously for a period of time
Parallel Operation Cutover
122
THE AUDITOR’S ROLE IN SYSTEM IMPLEMENTATION:
External auditors are prohibited by SOX legislation from direct involvement in systems Implementation. They get involved in the ff:
1. Provide Technical Expertise
2. Specify Documentation Standards
3. Verify Control Adequacy & Compliance w/ SOX
123
Review is conducted by an independent team to measure the success of the system and of the process after the dust has settled.
POST IMPLEMENTATION REVIEW
124
- the physical features of the system should be reviewed to see if they meet user needs
- Accuracy of Time, Cost, and Benefit Estimates
Systems Design Adequacy
125
- is a formal process by which application programs undergo changes to accommodate changes in user needs
- It could be extensive
PHASE VIII: SYSTEMS MAINTENANCE
or
Systems maintenance
126
- Last, longest, and most costly phase of SDLC
- Up to 80-90% of the entire cost of a system Audit Procedures:
- All maintenance actions should require Technical specifications
SYSTEM MAINTENANCE INTERNAL CONTROLS
127
CONTROLLING NEW SYSTEMS DEVELOPMENT
The first five controllable activities deal with the authorization, development, and implementation of the original system. The last two pertain to systems maintenance procedures.
1. Systems Authorization Activities
2. User Specifications Activities
3. Technical Design Activities
4. Internal Audit Participation
5. User Test and Acceptance Procedure
6. Audit Objectives Related to New Systems Development
7. Audit Procedures Related to New Systems Development
128
- All systems must be properly authorized to ensure their economic justification and feasibility.
Systems Authorization Activities
129
- Users must be actively involved in the systems development process
User Specifications Activities
130
- translate the user specifications into a set of detailed technical specifications of a system that meets the user’s needs
Technical Design Activities
131
- internal auditor can serve as a liaison between users and the systems professionals to ensure an effective transfer of knowledge
Internal Audit Participation
132
- rigorous testing; once accepted, he system is formally accepted by the user department(s)
User Test and Acceptance Procedure
133
-The auditor should select a sample of completed projects and review the documentation for evidence of compliance with SDLC policies
Audit Procedures Related to New Systems Development
134
- the longest period in the SDLC
Maintentance phase
