Transcript

Mainza Milimo - MKM

Role of Internal Audit in SDLC

IIA / ISACA Zambia Governance Risk and Control Conference - Agenda 28 & 29 August 2014

Project risks

Role of IA in SDLC

Discussion

Solutions to SDLC challenges

The SDLC

What the auditor should not do

Challenges in the SDLC

IA in SDLC: Agenda

Presentation objectives

Project risks

The system will:
- never be delivered;
- be delivered late (time overrun);
- exceed budget (cost overrun);
- divert user resources to an unacceptable degree;
- not deliver the required functionality;
- contain errors;
- be unfriendly;
- fail frequently during operation;
- not perform to the required standard;
- be difficult and costly to operate, maintain and expand;
- not interconnect with other systems.

The SDLC: What is it?

A framework defining tasks performed at each step in the software development process.


Challenges in the SDLC: Solution 1

How the user explained it: what the users think they need


Challenges in the SDLC: Solution 2

How the programmer wrote it / what was purchased: from the project leader's understanding and the analyst's design


Challenges in the SDLC: Solution 3

What was installed: after heavy customisation


Challenges in the SDLC: Solution 4

What the user really needed: the system meeting the user's current needs

Challenges in the SDLC: What are the causes?

Challenges in the SDLC: Causes of project failure

1. Don’t use a specific methodology

2. Create the project plan by working backwards from a drop-dead system completion date

3. Use a Project Lead that has never completed a similar project in a project management role

4. Lack of Top Management support

Challenges in the SDLC: Causes of project failure

1. Don't use a specific methodology

What should be included?
- project initiation;
- feasibility study;
- business requirements and functional specifications phases;
- the different development / acquisition / implementation stages;
- assessment of the entire project after its implementation.

Solutions to SDLC challenges: What should we do to ensure:

- Explained
- Designed / purchased
- Currently needed
- Implemented

Solutions to SDLC challenges: Role of the Auditor, types of review

Pre-implementation review: the IS auditor should study the proposed SDLC model and the related aspects to assess their appropriateness as well as the potential risks, and provide the necessary risk mitigation recommendations to the appropriate management.

Assess SDLC approach & risks, and recommend mitigation!

Parallel/concurrent reviews: the IS auditor should review the relevant SDLC stages, as they are happening, to highlight risks/issues and provide the necessary risk mitigation recommendations to the appropriate management.

Concurrently review SDLC stages, highlight risks/issues and recommend mitigation!

Post-implementation reviews: the IS auditor should review the relevant SDLC stages after their completion to highlight issues faced, provide recommendations for downstream corrections (if possible) and serve as a learning tool for the future.

Review completed stages, highlight issues faced, recommend corrections and document lessons learnt!

Role of IA: Famous oxymorons

Our own: Project pre-audit

Questions on SDLC