1 How to Audit the System Development Life Cycle William J. Papanikolas, CISA, CFSA Western Michigan Chapter ISACA October 20, 2011


How to Audit the System Development Life Cycle

William J. Papanikolas, CISA, CFSA

Western Michigan Chapter ISACA

October 20, 2011


Today’s Agenda

Defining SDLC

How to Impact the SDLC Process

What to Audit at Each Step


Defining SDLC

The System Development Life Cycle (SDLC) is the entire systems process from identifying a need through the final implementation of a solution.

SDLC is one of the best places for an auditor - and yet one of the least audited.


Defining SDLC

Successful SDLC projects are measured three ways:

Creating a Quality Product

Completing at Budgeted Cost

Completing on Approved Timetable

NOTE: The majority of SDLC projects fail to achieve even two of these goals!


Defining SDLC

Project Initiation

Business Requirements Definition

Technical Requirements Definition

Software Selection / Coding

Testing

Data Conversion

Training and Documentation

Final Implementation


How to Impact the SDLC Process

Creating a Quality Product

Provide assurance the final product is going to deliver what has been promised.

Ensure proper controls (automated and manual) have been designed into the new process.

Completing at Budgeted Cost

Ensure SDLC oversight includes controls for costs.

Completing on Approved Timetable

Ensure SDLC oversight includes controls for timeliness.


Project Initiation

Project champion determined.

Project charter developed.

High level timelines and budgets determined.

Project team assigned; roles and responsibilities established.

Project monitoring and accounting set up.


Project Initiation - Audit Ideas

Quality Product

Appropriate stakeholders are involved.

Project champion represents the key stakeholders.

Project is consistent with the organization’s strategic plans.


Project Initiation - Audit Ideas

On Time and On Budget

Budget was properly determined (watch out for approval cutoffs!).

Timeline is realistic given project magnitude and past organizational experience.

Appropriate metrics and reporting schemes are developed.


Business Requirements Definition

Primary system functions defined.

Usability targets established (e.g., 24x7, 1 second response time).

Management reporting requirements understood.

Regulatory and legal implications considered.

End user screen requirements determined.


Business Requirements Definition - Audit Ideas

Quality Product

Appropriate stakeholders are represented.

Security requirements are defined.

Automated and manual controls are considered.


Business Requirements Definition - Audit Ideas

On Time and On Budget

Project plan and budget remain realistic given business requirements.

Business requirements do not overly rely on new and/or unproven technologies (e.g., a requirement that all transactions will process over the intranet).


Technical Requirements Definition

Processing platform(s) determined.

Necessary hardware acquisitions outlined.

System capacity requirements understood (both processing speed and data storage).

Network modifications defined.

Data structures created.


Technical Requirements Definition - Audit Ideas

Quality Product

Technical requirements support the business requirements.

Members of all impacted technical units represented.

Technology assumptions are properly validated through internal experience or external site visits.

Links to existing applications are defined and controlled (e.g., control totals).


Technical Requirements Definition - Audit Ideas

On Time and On Budget

Project plan and budget remain realistic given technical requirements.

Lead times for purchasing, receiving, installing and testing new hardware have been properly reflected in the timeline.


Software Selection/Coding

Request for Proposal created.

Vendor and software selection criteria established.

Contract terms established.

Programming teams assigned for coding and modification.

Software loaded in test environment.


Software Selection/Coding – Audit Ideas

Quality Product

RFP and vendor assessments come directly from business and technical requirements.

Selected vendor has experience in your industry, with companies your size, and with similar setups.

Vendor is financially stable and will be around for long term support (alternatively, the source code could be owned by your organization).

Proper change management and security controls are set up for the coding environment.


Software Selection/Coding – Audit Ideas

On Time and On Budget

Vendor contract terms are favorable, and include clauses on cost overruns.

Vendor contract includes rewards/penalties for project timeliness.

Project plan appropriately reflects the resources and time necessary to install, code and modify.


Testing

Unit testing completed for each system element.

Integrated testing completed for each system module.

System testing completed for overall system and related interfaces.

Stress testing completed for online performance and data storage/retrieval.

End user testing completed.


Testing - Audit Ideas

Quality Product

All testing is performed in an appropriate environment with adequate security.

All issues noted during testing are communicated to the proper owner within the project.

Test cases reasonably reflect the environment as it will appear in production.

Change management controls are in place as system elements progress through the testing cycle.


Testing - Audit Ideas

On Time and On Budget

Resolution of test issues is focused on items that are necessary to achieve business or technical requirements (not all issues must be solved prior to going live!).

Project plans are properly updated to reflect issues noted in testing that must be resolved.


Data Conversion

Data from the old system(s) is properly cleansed prior to conversion.

Converted data is evaluated to ensure it is accurate and complete.


Data Conversion - Audit Ideas

Quality Product

Data is accurately mapped from the old system to the new.

Key data elements are screened using software (or manually in some cases) to ensure anomalies are removed.

After conversion, sample data reflects accurate transfer.

Control totals of key data fields/tables show consistency in the old and new data structure.
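As an added example (not part of the presentation), the following Python reconciles control totals between an old table and its converted form and then samples individual rows through the key mapping, as the last two audit ideas above describe. The sample rows, the field names and the cust_no-to-id mapping are constructed assumptions.

```python
# Added example: control-total reconciliation for a data conversion.
# OLD_ROWS / NEW_ROWS are constructed sample data, not real records.
import hashlib
from decimal import Decimal

OLD_ROWS = [  # constructed: legacy customer-balance table (text fields)
    {"cust_no": "0001", "name": "Ada ", "balance": "100.50"},
    {"cust_no": "0002", "name": "Grace", "balance": "250.00"},
    {"cust_no": "0003", "name": "Linus", "balance": "-40.25"},
]
NEW_ROWS = [  # constructed: converted table, cust_no mapped to integer id
    {"id": 1, "name": "Ada", "balance": Decimal("100.50")},
    {"id": 2, "name": "Grace", "balance": Decimal("250.00")},
    {"id": 3, "name": "Linus", "balance": Decimal("-40.52")},  # transposed digits
]


def control_totals(rows, key, amount):
    """Record count, amount total and an order-independent hash total over the key."""
    count = len(rows)
    total = sum(Decimal(str(r[amount])) for r in rows)
    # Hash total over normalised keys: a dropped or duplicated key changes
    # the digest even when the record count and amount total still agree.
    keys = sorted(str(int(r[key])) for r in rows)
    hash_total = hashlib.sha256("|".join(keys).encode()).hexdigest()
    return {"count": count, "amount_total": total, "hash_total": hash_total}


def reconcile(old, new):
    """Compare the totals, then check a row-level sample via the key mapping."""
    t_old = control_totals(old, "cust_no", "balance")
    t_new = control_totals(new, "id", "balance")
    exceptions = []
    for name in ("count", "amount_total", "hash_total"):
        if t_old[name] != t_new[name]:
            exceptions.append(f"{name} differs: old={t_old[name]} new={t_new[name]}")
    new_by_id = {r["id"]: r for r in new}
    for r in old:
        n = new_by_id.get(int(r["cust_no"]))  # assumed mapping: cust_no -> id
        if n is None:
            exceptions.append(f"cust_no {r['cust_no']} missing after conversion")
            continue
        if n["name"] != r["name"].strip():  # cleansing step: trailing blanks removed
            exceptions.append(f"name mismatch for {r['cust_no']}")
        if n["balance"] != Decimal(r["balance"]):
            exceptions.append(f"balance mismatch for {r['cust_no']}: {r['balance']} -> {n['balance']}")
    return exceptions


if __name__ == "__main__":
    for line in reconcile(OLD_ROWS, NEW_ROWS):
        print(line)
```

With the constructed data the amount totals disagree and the row sample pins the difference to one record, while the count and hash total agree, which is why all three totals are checked together.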


Data Conversion - Audit Ideas

On Time and On Budget

Project plans are properly updated to reflect issues noted in data conversion that must be resolved.


Training and Documentation

Users, operators, database administrators, management, etc. receive the training required to operate and use the system.

Documentation is provided for all users and operators of the system.


Training and Documentation – Audit Ideas

Quality Product

Training addresses both system usage and business process.

Training includes all affected parties.

Training is provided close enough to implementation to allow participants best retention.

Documentation (online and paper) is organized in a way to be useful to users and operators.


Training and Documentation – Audit Ideas

On Time and On Budget

Training and documentation are properly included in the project plan and budget.


Final Implementation

Final system running in the production environment.

New hardware, networking, etc. comes online.

Business processes change over to accommodate new system.


Final Implementation - Audit Ideas

Quality Product

Promotion to production environment follows established change management procedures.

Parallel processing with old system(s) commences.

Help desk and “swat teams” are in place.

System backout procedures are established.


Final Implementation - Audit Ideas

On Time and On Budget

Final costs are captured and summarized (watch out for implementation problems being defined as “on-going maintenance”).

Project teams are closed down as the implementation continues.


What’s Next?

Post-Implementation Review

Lessons Learned

Final Reporting


Questions?