Mainza Milimo - MKM
Role of Internal Audit in SDLC
IIA / ISACA Zambia Governance Risk and Control Conference - Agenda 28 & 29 August 2014
Agenda
- Presentation objectives
- Project risks
- The SDLC
- Challenges in the SDLC
- Solutions to SDLC challenges
- Role of IA in SDLC
- What the auditor should not do
- Discussion

Project risks
The system will:
- never be delivered;
- be delivered late (time overrun);
- exceed budget (cost overrun);
- divert user resources to an unacceptable degree;
- not deliver the required functionality;
- contain errors;
- be unfriendly;
- fail frequently during operation;
- not perform to the required standard;
- be difficult and costly to operate, maintain and expand;
- not interconnect with other systems.
The SDLC: What is it?
A framework defining the tasks performed at each step of the software development process.
[Figure: four-panel illustration, panels 1-4]

Challenges in the SDLC: Solution 2
- How the programmer wrote it / what was purchased
- From the project leader's understanding and the analyst's design

[Figure: four-panel illustration, panels 1-4]

Challenges in the SDLC: Solution 4
- What the user really needed
- The system meeting the user's current needs
Challenges in the SDLC: Causes of project failure
1. Don’t use a specific methodology
2. Create the project plan by working backwards from a drop-dead system completion date
3. Use a Project Lead that has never completed a similar project in a project management role
4. Lack of Top Management support
Challenges in the SDLC: Causes of project failure
1. Don't use a specific methodology
What should be included?
- Project initiation
- Feasibility study
- Business requirements and functional specifications phases
- The different development / acquisition / implementation stages
- Assessment of the entire project after its implementation
Solutions to SDLC challenges: What should we do to ensure:
- Explained
- Designed / purchased
- Currently needed
- Implemented
Solutions to SDLC challenges: Role of the Auditor, Types of review
Pre-implementation review: the IS auditor should study the proposed SDLC model and the related aspects to assess their appropriateness as well as the potential risks, and provide the necessary risk mitigation recommendations to the appropriate management.
Assess SDLC approach & risks, and recommend mitigation!
Solutions to SDLC challenges: Role of the Auditor, Types of review
Parallel/concurrent reviews: the IS auditor should review the relevant SDLC stages as they are happening, to highlight risks/issues and provide the necessary risk mitigation recommendations to the appropriate management.
Concurrently review SDLC stages, highlight risks/issues and recommend mitigation!
Solutions to SDLC challenges: Role of the Auditor, Types of review
Post-implementation reviews: the IS auditor should review the relevant SDLC stages after their completion to highlight the issues faced, provide recommendations for downstream corrections (if possible), and serve as a learning tool for the future.
Review completed stages, highlight issues faced, recommend corrections and document lessons learnt!
Recommended