Trust in, and value from, information systems - PowerPoint PPT Presentation


PPT – Trust in, and value from, information systems PowerPoint presentation | free to download - id: 69923a-YmZhN


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

Trust in, and value from, information systems


isaca trust in, and value from, information systems – PowerPoint PPT presentation

Number of Views:83
Avg rating:3.0/5.0
Slides: 175
Provided by: isaca


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Trust in, and value from, information systems

Trust in, and value from, information systems

Chapter 3 Information Systems Acquisition,
Development and Implementation
  • 2012 CISA? Review Course

Course Agenda
  • Learning Objectives
  • Discuss Task and Knowledge Statements
  • Discuss specific topics within the chapter
  • Case studies
  • Sample questions

Exam Relevance
  • Ensure that the CISA candidate
  • Understands and can provide assurance that the
    practices for the acquisition, development,
    testing and implementation of information systems
    meet the enterprises strategies and objectives.
  • The content area in this chapter will represent
    approximately 19 of the CISA examination
    (approximately 38 questions).

Learning Objectives
  • Evaluate the business case for proposed
    investments in information systems acquisition,
    development, maintenance and subsequent
    retirement to determine whether it meets business
  • Evaluate the project management practices and
    controls to determine whether business
    requirements are achieved in a cost-effective
    manner while managing risks to the organization.
  • Conduct reviews to determine whether a project is
    progressing in accordance with project plans, is
    adequately supported by documentation and status
    reporting is accurate.

Learning Objectives (continued)
  • Evaluate controls for information systems during
    the requirements, acquisition, development and
    testing phases for compliance with the
    organizations policies, standards, procedures
    and applicable external requirements.
  • Evaluate the readiness of information systems for
    implementation and migration into production to
    determine whether project deliverables, controls
    and the organizations requirements are met.
  • Conduct postimplementation reviews of systems to
    determine whether project deliverables, controls
    and the organizations requirements are met.

3.2.1 Portfolio/Program Management
  • A program is a group of projects and time-bound
    tasks that are closely linked together through
    common objectives, a common budget, intertwined
    schedules and strategies
  • Programs have a limited time frame (start and end
    date) and organizational boundaries

3.2.1 Portfolio/Program Management (continued)
  • Methodology and processes used in program
    management are similar to those in project
    management and run parallel to each other
  • To formally start a program, some form of written
    assignment from the program owner to the program
    manager/team is necessary

3.2.1 Portfolio/Program Management (continued)
  • The objectives of project portfolio management
  • Optimization of the results of the project
  • Prioritizing and scheduling projects
  • Resource coordination (internal and external)
  • Knowledge transfer throughout the projects

3.2.2 Business Case Development and Approval
  • A business case provides the information required
    for an organization to decide whether a project
    should proceed
  • The initial business case normally derives from a
    feasibility study as part of project planning
  • The business case should be of sufficient detail
    to describe the justification for setting up and
    continuing a project

3.2.3 Benefits Realization Techniques
  • Benefits realization requires
  • Describing benefits management or benefits
  • Assigning a measure and target
  • Establishing a tracking/measuring regime
  • Documenting the assumption
  • Establishing key responsibilities for realization
  • Validating the benefits predicted in the business
  • Planning the benefit that is to be realized

3.3.1 General Aspects
  • IS projects may be initiated from any part of an
  • A project is always a time-bound effort
  • Project management should be a business process
    of a project-oriented organization
  • The complexity of project management requires a
    careful and explicit design of the project
    management process

3.3.2 Project Context and Environment
  • A project context can be divided into a time and
    social context. The following must be taken into
  • Importance of the project in the organization
  • Connection between the organizations strategy
    and the project
  • Relationship between the project and other
  • Connection between the project to the underlying
    business case

3.3.3 Project Organizational Forms
  • Three major forms of organizational alignment for
    project management are
  • Influence project organization
  • Pure project organization
  • Matrix project organization

3.3.4 Project Communication and Culture
  • Depending on the size and complexity of the
    project and the affected parties, communication
    when initiating the project management project
    process may be achieved by
  • One-on-one meetings
  • Kick-off meetings
  • Project start workshops
  • A combination of the three

3.3.5 Project Objectives
  • A project needs clearly defined results that are
    specific, measurable, achievable, relevant and
    time-bound (SMART)
  • A commonly accepted approach to define project
    objectives is to begin with an object breakdown
    structure (OBS)
  • After the OBS has been compiled, a work breakdown
    structure (WBS) is designed

3.3.6 Roles and Responsibilities of Groups and
  • Senior management
  • User management
  • Project steering committee

3.3.6 Roles and Responsibilities of Groups and
Individuals (continued)
  • Project sponsor
  • Systems development management
  • Project manager
  • Systems development project team

3.3.6 Roles and Responsibilities of Groups and
Individuals (continued)
  • User project team
  • Security officer
  • Quality assurance

3.4 Project Management Practices
3.4.2 Project Planning
  • The project manager needs to determine
  • The various tasks that need to be performed to
    produce the expected business application system
  • The sequence or the order in which these tasks
    need to be performed
  • The duration or the time window for each task
  • The priority of each task
  • The IT resources that are available and required
    to perform these tasks
  • Budget or costing for each of these tasks
  • Source and means of funding

3.4.2 Project Planning (continued)
  • Software size estimation
  • Relates to methods of determining the relative
    physical size of the application software to be
  • Can be used as a guide for the allocation of
    resources, estimates of time and cost required
    for its development, and as a comparison of the
    total effort required by the resources available

3.4.2 Project Planning (continued)
  • Lines of source code
  • The traditional and simplest method in measuring
    size by counting the number of lines of source
    code, measured in SLOC, is referred to as kilo
    lines of code (KLOC)

3.4.2 Project Planning (continued)
  • Function point analysis
  • Widely used for estimating complexity in
    developing large business applications
  • The results of FPA are a measure of the size of
    an information system based on the number and
    complexity of the inputs, outputs, files,
    interfaces and queries with which a user sees and

3.4.2 Project Planning (continued)
  • FPA feature points
  • Cost budgets
  • Software cost estimation

3.4.2 Project Planning (continued)
  • Scheduling and establishing the time frame
  • Involves establishing the sequential relationship
    among tasks
  • The schedule can be graphically represented using
    various techniques such as Gantt charts or
    Program Evaluation Review Technique (PERT)

3.4.2 Project Planning (continued)
  • Critical path methodology
  • A critical path if one whose sum of activity time
    is longer than that for any other path through
    the network
  • The critical path is found by working forward
    through the network (forward-pass) and computing
    the earliest possible completion time for each
    activity until the earliest possible completion
    time for the total project is found

3.4.2 Project Planning (continued)
  • Gantt charts
  • Constructed to aid in scheduling the activities
    (tasks) needed to complete a project
  • Charts show when an activity should begin and end
  • Charts show which activities can be in progress
    concurrently and which activities must be
    completed sequentially

3.4.2 Project Planning (continued)
  • Program evaluation review technique (PERT)
  • PERT is a network management technique often used
    in system development projects based on
    well-defined events and activities for specific
    project management tasks

3.4.2 Project Planning (continued)
  • Timebox management
  • Project management technique for defining and
    deploying software deliverables within a
    relatively short and fixed period of time and
    with predetermined specific resources

3.4.3 General Project Management
  • Involves automated techniques to handle proposals
    and cost estimations, and to monitor, predict and
    report on performance with recommended action
  • Many of these techniques are provided as decision
    support systems (DSS) for planning and
    controlling project resources

3.4.4 Project Controlling
  • Includes management of
  • Scope
  • Resource usage
  • Risk
  • Inventory
  • Assess
  • Mitigate
  • Discover
  • Review evaluate

3.4.5 Closing a Project
  • When closing a project, there may still be some
    issues that need to be resolved, ownership of
    which needs to be assigned
  • The project sponsor should be satisfied that the
    system produced is acceptable and ready for
  • Custody of contracts may need to be assigned, and
    documentation archived or passed on to those who
    will need it

3.5 Business Application Development
  • The implementation process for business
    applications, commonly referred to as an SDLC,
    begins when an individual application is
    initiated as a result of one or more of the
    following situations
  • A new opportunity that relates to a new or
    existing business process
  • A problem that relates to an existing business
  • A new opportunity that will enable the
    organization to take advantage of technology
  • A problem with the current technology

3.5 Business Application Development (continued)
  • Benefits of using this approach
  • All affected parties will have a common and clear
    understanding of the objectives and how they
    contribute to business support
  • Conflicting key business drivers (e.g., cost vs.
    functionality) and mutually dependent key
    business drivers can be detected and resolved in
    early stages of an SDLC project

3.5 Business Application Development (continued)
  • From an IS auditors perspective, an approach
    with defined life cycles and specific points for
    review provides the following advantages
  • Influence is significantly increased when there
    are formal procedures and guidelines
  • Can review all relevant areas and phases of the
    systems development project and report
    independently to management
  • Can identify selected parts of the system and
    become involved in the technical aspects
  • Can evaluate the methods and techniques applied
    through the development phases

3.5.1 Traditional SDLC Approach
  • Also referred to as the waterfall technique, this
    life cycle approach is the oldest and most widely
    used for developing business applications
  • Based on a systematic, sequential approach to
    software development that begins with a
    feasibility study and progresses through
    requirements definition, design, development,
    implementation and postimplementation

3.5.1 Traditional SDLC Approach (continued)
  • Some of the problems encountered with this
    approach include
  • Unanticipated events
  • Difficulty in obtaining an explicit set of
    requirements from the user
  • Managing requirements and convincing the user
    about the undue or unwarranted requirements in
    the system functionality
  • The necessity of user patience
  • A changing business environment that alters or
    changes the users requirements before they are

3.5.2 Integrated Resource Management Systems
  • A growing number of organizations are shifting to
    a fully integrated corporate solution, i.e., an
    ERP solution
  • This type of software implementation is much
    larger than a regular software acquisition
  • ERP systems impact the way a corporation does
    business, its entire control environment,
    technological direction and internal resources

3.5.3 Description of Traditional SDLC Phases
  • Feasibility study
  • Concerned with analyzing the benefits and
    solutions for the identified problem area
  • Includes development of a business case, which
    determines the strategic benefits of implementing
    the system either in productivity gains or in
    future cost avoidance
  • Identifies and quantifies the cost savings of the
    new system and estimates a payback schedule for
    the cost incurred in implementing the system or
    shows the projected return on investment (ROI)

3.5.3 Description of Traditional SDLC Phases
  • Requirements definition
  • Concerned with identifying and specifying the
    business requirements of the system chosen for
    development during the feasibility study
  • Requirements include descriptions of what a
    system should do, how users will interact with a
    system, conditions under which the system will
    operate, and the information criteria the system
    should meet
  • This phase deals with the issues that are
    sometimes called nonfunctional requirements

3.5.3 Description of Traditional SDLC Phases
  • Entity relationship diagrams
  • An ERD depicts a systems data and how these data
  • An ERD can be used as a requirements analysis
    tool to obtain an understanding of the data a
    system needs to capture and manage
  • An ERD can also be used later in the development
    cycle as a design tool that helps document the
    actual database schema that will be implemented

3.5.3 Description of Traditional SDLC Phases
  • Software acquisition
  • Not a phase in the standard SDLC. However, if a
    decision was reached to acquire rather than
    develop software, software acquisition is the
    process that should occur after the requirements
    definition phase
  • Decision based on various factors such as the
    cost differential between development and
    acquisition, availability of generic software,
    and the time gap between development and

3.5.3 Description of Traditional SDLC Phases
  • Software acquisition
  • The project team needs to carefully examine and
    compare the vendors responses to the request for
    proposal (RFP)
  • It is likely that more than one product/vendor
    fits the requirements with advantages and
    disadvantages with respect to each other
  • Once vendors are short listed, it can be
    beneficial for the project team to talk to
    current users of each potential product

3.5.3 Description of Traditional SDLC Phases
  • Design
  • Key design phase activities include
  • Developing system flowcharts and entity
    relationship models
  • Determining the use of structured design
  • End of design phase
  • Describing inputs and outputs
  • Determining processing steps and computation
  • Determining data file or database system file
  • Preparing program specifications
  • Developing test plans for the various levels of
  • Developing data conversion plans

3.5.3 Description of Traditional SDLC Phases
  • Development
  • Key activities performed in a test/development
    environment include
  • Coding and developing program and system-level
  • Debugging and testing the programs developed
  • Developing programs to convert data from the old
    system for use on the new system
  • Creating user procedures to handle transition to
    the new system
  • Training selected users on the new system
  • Ensure modifications are documented and applied

3.5.3 Description of Traditional SDLC Phases
  • Development
  • Programming methods and techniques
  • Online programming facilities (integrated
    development environment)
  • Programming languages
  • Program debugging
  • Testing

Practice Question
  • 3-1 To assist in testing a core banking system
    being acquired, an organization has provided the
    vendor with sensitive data from its existing
    production system. An IS auditors PRIMARY
    concern is that the data should be
  • sanitized.
  • complete.
  • representative.
  • current.

3.5.3 Description of Traditional SDLC Phases
  • Development
  • Elements of a software testing process
  • Test plan
  • Conduct and report test results
  • Address outstanding issues
  • Testing classifications
  • Unit testing
  • Interface or integration testing
  • System testing
  • Final acceptance testing

Practice Question
  • 3-2 Which of the following is the BEST
    preventive measure for reducing the risks of an
    IT system associated with possible natural
  • A. Identify natural threats
  • B. Choose a safe location for the facility
  • C. Keep critical systems separate from general
  • D. Update and store backups offsite

3.5.3 Description of Traditional SDLC Phases
  • Development
  • Other types of testing
  • Alpha and beta testing
  • Pilot testing
  • White box testing
  • Black box testing
  • Function/validation testing
  • Regression testing
  • Parallel testing
  • Sociability testing
  • Automated application testing

3.5.3 Description of Traditional SDLC Phases
  • Implementation
  • During the implementation phase, the actual
    operation of the new information system is
    established and tested
  • Final user-acceptance testing is conducted in
    this environment
  • The system may also go through a certification
    and accreditation process to assess the
    effectiveness of the business application at
    mitigating risks to an appropriate level

3.5.3 Description of Traditional SDLC Phases
  • Implementation planning
  • Phase 1Develop to-be support structures
  • Phase 2Establish support function
  • End-user training
  • Data migration
  • Refining migration scenario
  • Fallback (rollback) scenario

3.5.3 Description of Traditional SDLC Phases
  • Changeover (go-live or cutover) techniques
  • Parallel changeover
  • Phased changeover
  • Abrupt changeover
  • Certification/accreditation

3.5.3 Description of Traditional SDLC Phases
  • A postimplementation review should meet the
    following objectives
  • Assess the adequacy of the system
  • Evaluate the projected cost benefits or ROI
  • Develop recommendations that address the systems
    inadequacies and deficiencies
  • Develop a plan for implementing the
  • Assess the development project process
  • A postimplementation review should be performed
    jointly by the project development team and
    appropriate end users

3.5.4 Risks Associated with Software Development
  • Business risk relating to the likelihood that the
    new system may not meet the users business
    needs, requirements and expectations
  • Potential risks that can occur when designing and
    developing software systems
  • Within the project
  • With suppliers
  • Within the organization
  • With the external environment

3.5.5 Use of Structured Analysis, Design and
Development Techniques
  • Closely associated with the traditional, classic
    SDLC approach
  • Techniques provide a framework for representing
    the data and process components of an application
    using various graphical notations at different
    levels of abstraction, until it reaches the
    abstraction level that enables programmers to
    code the system

3.6.1 Electronic Commerce
  • E-commerce models include the following
  • Business-to-consumer (B-to-C) relationships
  • Business-to-business (B-to-B) relationships
  • Business-to-employee (B-to-E) relationships
  • Business-to-government (B-to-G) relationships
  • Consumer-to-government (C-to-G) relationships
  • Exchange-to-exchange (X-to-X) relationships

3.6.1 Electronic Commerce (continued)
  • With increasing emphasis on integrating the web
    channel with a business internal legacy systems
    and the systems of its business partners, company
    systems now typically will run on different
    platforms, running different software and with
    different databases
  • The challenge of integrating diverse technologies
    within and beyond the business has increasingly
    lead companies to move to component-based systems
    that utilize a middleware infrastructure, based
    around an application server

3.6.1 Electronic Commerce (continued)
  • Databases play a key role in most e-commerce
    systems, maintaining data for web site pages,
    accumulating customer information and possibly
    storing click-stream data for analyzing web site
  • Extensible Markup Language is also likely to form
    an important part of an organizations overall
    e-commerce architecture

3.6.1 Electronic Commerce (continued)
  • E-commerce risks
  • Confidentiality
  • Integrity
  • Availability
  • Authentication and nonrepudiation
  • Power shift to customers
  • It is important to take into consideration the
    importance of security issues that extend beyond
    confidentiality objectives

3.6.1 Electronic Commerce (continued)
  • An IS auditor should assess applicable use of
  • A set of security mechanisms and procedures that
    constitute a security architecture for e-commerce
  • Firewall mechanisms that are in place to mediate
    between the public network and an organizations
    private network
  • A process whereby participants in an e-commerce
    transaction can be identified uniquely and
  • Digital signatures
  • An infrastructure to manage and control public
    key pairs and their corresponding certificates
  • The procedures in place to control changes to an
    e-commerce presence

3.6.1 Electronic Commerce (continued)
  • An IS auditor should assess applicable use of
  • Logs of e-commerce applications
  • The methods and procedures to recognize security
    breaches when they occur
  • The features in e-commerce applications
  • The protections in place to ensure that data
    collected about individuals are not disclosed
    without their consent
  • The means to ensure confidentiality of data
    communicated between customers and vendors
  • The mechanisms to protect e-commerces presence
    and their supporting private networks from
    computer viruses

3.6.1 Electronic Commerce (continued)
  • An IS auditor should assess applicable use of
  • The features within the e-commerce architecture
    to keep all components from failing
  • A plan and procedure to continue e-commerce
    activities in the event of an extended outage of
    required resources for normal processing
  • A commonly understood set of practices and
    procedures to define managements intentions for
    the security of e-commerce
  • A shared responsibility within an organization
    for e-commerce security
  • Communications from vendors to customers
  • A regular program of audit and assessment of the
    security of e-commerce environments and

Practice Question
  • 3-9 When introducing thin client architecture,
    which of the following risks regarding servers
    is significantly increased?
  • Integrity
  • Concurrency
  • Confidentiality
  • Availability

3.6.2 Electronic Data Interchange
  • The benefits associated with the adoption of EDI
  • Less paperwork
  • Fewer errors during the exchange of information
  • Improved information flow, database-to-database
    and company-to-company
  • No unnecessary rekeying of data
  • Fewer delays in communication
  • Improved invoicing and payment processes

3.6.2 Electronic Data Interchange (continued)
  • General requirements
  • An EDI system requires communications software,
    translation software and access to standards
  • To build a map, an EDI standard appropriate for
    the kind of EDI data to be transmitted is
  • Final step is to write a partner profile that
    tells the system where to send each transaction
    and how to handle errors and exceptions

3.6.2 Electronic Data Interchange (continued)
  • Moving data in a batch transmission process
    through the traditional EDI process generally
    involves three functions within each trading
    partners computer system
  • Communications handler
  • EDI interface
  • EDI translator
  • Application interface
  • Application system

3.6.2 Electronic Data Interchange (continued)
  • Web-based EDI has come into prominence due to
  • Internet-through-Internet service providers
    offering generic network access for all computers
    connected to the Internet
  • Its ability to attract new partners via web-based
    sites to exchange information
  • New security products available to address issues
    of confidentiality, authentication, data
    integrity and nonrepudiation of origin and return
  • Improvements in the x.12 EDI formatted standard

3.6.4 Controls in EDI Environment
  • To protect EDI transmissions, the EDI process
    should include
  • Standards set to indicate the message format and
    content are valid
  • Controls to ensure standard transmissions are
    properly converted for the application software
    by the translation application
  • Procedures to determine messages are only from
    authorized parties
  • Direct or dedicated transmission channels among
    the parties
  • Data should be encrypted using algorithms agreed
    to by the parties involved

3.6.4 Controls in EDI Environment (continued)
  • The EDI process needs the ability to detect and
    deal with transactions that do not conform to the
    standard format or are from/to unauthorized
  • The critical nature of many EDI transactions
    requires that there be positive assurances that
    the transmissions were complete
  • Organizations desiring to exchange transactions
    using EDI are establishing a new business

3.6.4 Controls in EDI Environment (continued)
  • The controls for receipt of inbound transactions
  • Use appropriate encryption techniques when using
    public Internet infrastructures for communication
  • Perform edit checks
  • Perform additional computerized checking
  • Log each inbound transaction upon receipt
  • Use control totals on receipt of transactions
  • Segment count totals built into the transaction
    set trailer by the sender
  • Control techniques in the processing of
    individual transactions
  • Ensure the exchange of control totals of
    transactions sent and received between trading
    partners at predefined intervals

3.6.4 Controls in EDI Environment (continued)
  • An IS auditor must evaluate EDI to ensure that
    all inbound EDI transactions are received and
    translated accurately, passed to an application
    and processed only once
  • To accomplish this, an IS auditor must review
  • Internet encryption process
  • Edit checks
  • Additional computerized checking
  • Batch control totals
  • The validity of the sender against trading
    partner details

Practice Question
  • 3-10 Which of the following procedures should be
    implemented to help ensure the completeness of
    inbound transactions via electronic data
    interchange (EDI)?
  • Segment counts built into the transaction set
  • A log of the number of messages received,
    periodically verified with the transaction
  • An electronic audit trail for accountability and
  • Matching acknowledgement transactions received to
    the log of EDI messages sent

3.6.5 Electronic Mail
  • At the most basic level, the e-mail process can
    be divided into two principal components
  • Mail servers, which are hosts that deliver,
    forward and store mail
  • Clients, which interface with users and allow
    users to read, compose, send and store e-mail

3.6.5 Electronic Mail (continued)
  • Security issues involved with e-mail include
  • Flaws in the configuration of mail server
  • Denial-of-service (DoS) attacks may be directed
    to the mail server
  • Sensitive information transmitted unencrypted
    between mail server and e-mail client may be
  • Information within the e-mail may be altered
  • Viruses and other types of malicious code may be
    distributed throughout an organization
  • Users may send inappropriate, proprietary or
    other sensitive information via e-mail

3.6.5 Electronic Mail (continued)
  • Digital signatures are a good method of securing
    e-mail transmissions in that
  • The signature cannot be forged
  • The signature is authentic and encrypted
  • The signature cannot be reused
  • The signed document cannot be altered

3.6.7 Electronic Banking
  • Banks should have a risk management process to
    enable them to identify, measure, monitor and
    control their technology risk exposure
  • Risk management of new technologies has three
    essential elements
  • Risk management is the responsibility of the
    board of directors and senior management
  • Implementing technology is the responsibility of
    IT senior management members
  • Measuring and monitoring risk is the
    responsibility of members of operational

3.6.7 Electronic Banking (continued)
  • E-banking presents a number of risk management
  • The speed of change relating to technological and
    service innovation
  • Transactional e-banking web sites and associated
    retail and wholesale business applications are
    typically integrated with legacy computer systems
  • e-Banking increases banks dependence on
    information technology
  • The Internet is ubiquitous and global by nature

3.6.7 Electronic Banking (continued)
  • Effective risk management controls for e-banking
    include 14 controls divided among three
  • Board and management oversight
  • Security controls
  • Legal and reputational risk management

3.6.8 Electronic Finance
  • Advantages of e-finance to consumers include
  • Lower costs
  • Increased breadth and quality
  • Widening access to financial services
  • A-synchrony (time-decoupled)
  • A-topy (location-decoupled)

3.6.11 Electronic Funds Transfer
  • Electronic funds transfer (EFT) is the exchange
    of money via telecommunications without currency
    actually changing hands
  • Allows parties to move money from one account to
    another, replacing traditional check writing and
    cash collection procedures
  • Usually function via an internal bank transfer
    from one partys account to another or via a
    clearinghouse network

3.6.12 Controls in an EFT Environment
  • Security in an EFT environment ensures that
  • All of the equipment and communication linkages
    are tested
  • Each party uses security procedures that are
    reasonably sufficient
  • There are guidelines set for the receipt of data
  • Upon receipt of data, the receiving party will
    immediately transmit an acknowledgment or
  • Data encryption standards are set
  • Standards for unintelligible transmissions are
  • Regulatory requirements are explicitly stated

3.6.15 Automated Teller Machine
  • Recommended internal control guidelines for ATMs
  • Written policies and procedures covering
    personnel, security controls, operations,
    settlement, balancing, etc.
  • Procedures for PIN issuance and protection during
  • Procedures for the security of PINs during
  • Controls over plastic card procurement
  • Controls and audit trails of the transactions
    that have been made in the ATM

3.6.20 Artificial Intelligence and Expert Systems
  • Artificial intelligence is the study and
    application of the principles by which
  • Knowledge is acquired and used
  • Goals are generated and achieved
  • Information is communicated
  • Collaboration is achieved
  • Concepts are formed
  • Languages are developed

3.6.20 Artificial Intelligence and Expert Systems
  • Key to an expert system is the knowledge base
    (KB), which contains specific information or fact
    patterns associated with a particular subject
    matter and the rules for interpreting these facts
  • The information in the KB can be expressed in
    several ways
  • Decision trees
  • Rules
  • Semantic nets

3.6.20 Artificial Intelligence and Expert Systems
  • An IS auditor should
  • Understand the purpose and functionality of the
  • Assess the systems significance to the
  • Review the adherence of the system to policies
    and procedures
  • Review procedures for updating information in the
  • Review security access over the system

3.6.21 Business Intelligence
  • Business intelligence (BI) is a broad field of IT
    that encompasses the collection and dissemination
    of information to assist decision making and
    assess organizational performance
  • Some typical areas in which BI is applied
  • Process cost, efficiency and quality
  • Customer satisfaction with product and service
  • Customer profitability
  • Staff and business unit achievement of KPIs
  • Risk management

3.6.21 Business Intelligence (continued)
  • An optimized enterprise data flow architecture
    consists of
  • Presentation/desktop access layer
  • Data source layer
  • Core data warehouse
  • Data mart layer
  • Data staging and quality layer
  • Data access layer
  • Data preparation layer
  • Metadata repository layer
  • Warehouse management layer
  • Application messaging layer
  • Internet/intranet layer

3.6.22 Decision Support System
  • A decision support system (DSS) is an
    interactive system that provides the user with
    easy access to decision models and data from a
    wide range of sources, to support semistructured
    decision-making tasks typically for business

3.6.22 Decision Support System (continued)
  • A principle of DSS design is to concentrate less
    on efficiency and more on effectiveness
  • A DSS is often developed with a specific decision
    or well-defined class of decisions to solve
  • Frameworks are generalizations about a field that
    help put many specific cases and ideas into
  • G. Gorry-M.S. Morton framework
  • Sprague-Carson framework

3.6.22 Decision Support System (continued)
  • Prototyping is the most popular approach to DSS
    design and development
  • It is difficult to implement a DSS because of its
    discretionary nature

3.6.22 Decision Support System (continued)
  • Developers should be prepared for eight
    implementation risk factors
  • Nonexistent or unwilling users
  • Multiple users or implementers
  • Disappearing users, implementers or maintainers
  • Inability to specify purpose or usage patterns in
  • Inability to predict and cushion impact on all
  • Lack or loss of support
  • Lack of experience with similar systems
  • Technical problems and cost-effectiveness issues

3.6.22 Decision Support System (continued)
  • The DSS designer and user should use broad
    evaluation criteria, including
  • Traditional cost-benefit analysis
  • Procedural changes, more alternatives examined,
    less time consumer in making the decision
  • Evidence of improvement in decision making
  • Changes in the decision process

3.7 Alternative Forms of Software Project
  • Other approaches an IS auditor may encounter
  • Incremental or progressive development
  • Iterative development
  • Evolutionary development
  • Spiral development
  • Agile development

3.7.1 Agile Development
  • Agile development refers to a family of similar
    development processes that espouse a
    nontraditional way of developing complex systems.
  • Agile development processes have a number of
    common characteristics, including
  • The use of small, time-boxed subprojects or
  • Replanning the project at the end of each
  • Relatively greater reliance on tacit knowledge
  • Heavy influence on mechanisms to effectively
    disseminate tacit knowledge and promote teamwork
  • A change in the role of the project manager

3.7.1 Agile Development
3.7.2 Prototyping
  • The process of creating a system through
    controlled trial and error procedures to reduce
    the level of risks in developing the system
  • Reduces the time to deploy systems primarily by
    using faster development tools such as
    fourth-generation techniques
  • Potential risk is that the finished system will
    have poor controls
  • Change control often becomes more complicated

3.7.3 Rapid Application Development
  • A methodology that enables organizations to
    develop strategically important systems quickly,
    while reducing development costs and maintaining
  • Achieved through the use of
  • Small, well-trained development teams
  • Evolutionary prototypes
  • Integrated power tools
  • A central repository
  • Interactive requirements and design workshops
  • Rigid limits on development time frames

3.8.1 Data-oriented System Development
  • A method for representing software requirements
    by focusing on data and their structure
  • Major advantage of this approach is that it
    eliminates data transformation errors such as
    porting, conversion, transcription and

3.8.2 Object-oriented System Development
  • The process of solution specification and
    modeling where data and procedures can be grouped
    into an entity known as an object
  • OOSD is a programming technique and is not a
    software development methodology itself
  • The major advantages of OOSD are
  • The ability to manage an unrestricted variety of
    data types
  • Provision of a means to model complex
  • The capacity to meet the demands of a changing

3.8.3 Component-based Development
  • Process of assembling applications from
    cooperating packages of executable software that
    make their services available through defined
  • Basic types of components are
  • In-process client components
  • Stand-alone client components
  • Stand-alone server components
  • In-process server components

3.8.3 Component-based Development (continued)
  • Components play a significant role in web-based
  • Component-based development
  • Reduces development time
  • Improves quality
  • Allows developers to focus more strongly on
    business functionality
  • Promotes modularity
  • Simplifies reuse
  • Reduces development cost
  • Supports multiple development environments

3.8.4 Web-based Application Development
  • Designed to achieve easier and more effective
    integration of code modules within and between
  • Different from traditional third- or
    fourth-generation program developments in many
  • Languages and programming techniques used
  • Methodologies used to control development work
  • The way users test and approve development work

3.8.6 Reverse Engineering
  • The process of studying and analyzing an
    application, a software application or a product
    to see how it functions, and to use that
    information to develop a similar system
  • Major advantages
  • Faster development and reduced SDLC duration
  • Possibility of introducing improvements by
    overcoming the reverse-engineered application

3.9 Infrastructure Development/Acquisition
  • The physical architecture analysis, the
    definition of a new one and the necessary road
    map to move from one to the other are critical
    tasks for an IT department
  • Goals
  • To successfully analyze the existing architecture
  • To design a new architecture
  • To write the functional requirements of this new
  • To develop a proof of concept

3.9 Infrastructure Development/Acquisition
Practices (continued)
  • Physical implementation of the required technical
    infrastructure to set up the future environment
    will be planned next
  • Task will cover procurement activities such as
    contracting partners, setting up the SLAs, and
    developing installation plans and installation
    test plans

3.9.1 Project Phases of Physical Architecture
3.9.2 Planning Implementation of Infrastructure
  • To ensure the quality of results, a phased
    approach is necessary
  • Communication processes should be set up to other
  • Through these different phases the components are
    fit together, and a clear understanding of the
    available and contactable vendors is established
    by using the selection process during the
    procurement phase and beyond

3.9.2 Planning Implementation of Infrastructure
3.9.2 Planning Implementation of Infrastructure
3.9.2 Planning Implementation of Infrastructure
3.9.2 Planning Implementation of Infrastructure
3.9.2 Planning Implementation of Infrastructure
3.9.4 Hardware Acquisition
  • For acquiring a system, the invitation to tender
    (ITT) should include the following
  • Organizational descriptions
  • Information processing requirements
  • Hardware requirements
  • System software applications
  • Support requirements
  • Adaptability requirements
  • Constraints
  • Conversion requirements

3.9.4 Hardware Acquisition (continued)
  • Acquisition steps include, but are not limited
    to, the following
  • Testimonials or visits with other users
  • Provisions for competitive bidding
  • Analysis of bids against requirements
  • Comparison of bids against each other using
    predefined evaluation criteria
  • Analysis of the vendors financial condition
  • Analysis of the vendors capability to provide
    maintenance and support (including training)

3.9.4 Hardware Acquisition (continued)
  • Acquisition steps include, but are not limited
    to, the following
  • Review of delivery schedules against requirements
  • Analysis of hardware and software upgrade
  • Analysis of security and control facilities
  • Evaluation of performance against requirements
  • Review and negotiation of price
  • Review of contract terms (including right to
    audit clauses)
  • Preparation of a formal written report
    summarizing the analysis for each of the
    alternatives and justifying the selection based
    on benefits and cost

3.9.5 System Software Acquisition
  • When selecting new system software, the following
    technical issues should be considered
  • Business, functional, technical needs and
  • Cost and benefits
  • Obsolescence
  • Compatibility with existing systems
  • Security
  • Demands on existing staff
  • Training and hiring requirements
  • Future growth needs
  • Impact on system and network performance

3.9.7 System Software Change Control Procedures
  • All test results should be documented, reviewed
    and approved by technically-qualified subject
    matter experts prior to production use
  • Change control procedures are designed to ensure
    that changes are authorized and do not disrupt

3.10.1 Change Management Process Overview
  • Change management process begins with authorizing
    changes to occur
  • Requests initiated from end users, operational
    staff and system development/maintenance staff
  • Change requests should be in a format that
    ensures all changes are considered for action and
    that allows the system management staff to easily
    track the status of the request
  • All requests for changes should be maintained by
    the system maintenance staff as part of the
    systems permanent documentation

3.10.1 Change Management Process Overview
  • Deploying changes
  • Documentation
  • Testing changed programs
  • Auditing program changes
  • Emergency changes
  • Deploying changes back into production
  • Change exposures (unauthorized changes)

3.10.2 Configuration Management
  • Maintenance requests must be formally documented
    and approved by a change control group
  • Careful control is exercised over each stage of
    the maintenance process via checkpoints, reviews
    and sign-off procedures
  • From an audit perspective, provides evidence of
    managements commitment to careful control
  • Involves procedures throughout the software life

3.10.2 Configuration Management (continued)
  • As part of the software configuration management
    task, the maintainer performs the following
  • Develop the configuration management plan
  • Baseline the code and associated documents
  • Analyze and report on the results of
    configuration control
  • Develop the reports that provide configuration
  • Develop release procedures
  • Perform configuration control activities
  • Update the configuration status accounting

3.11.2 Computer-aided Software Engineering
  • CASE is the use of automated tools to aid in the
    software development process
  • May include the application of software tools for
    software requirements analysis, software design,
    code production, testing, document generation and
    other software development activities
  • Three categories
  • Upper CASE
  • Middle CASE
  • Lower CASE

3.11.2 Computer-aided Software Engineering
  • Key issues an IS auditor needs to consider with
    CASE include
  • CASE tools do not ensure that the design,
    programs and system are correct or that they
    fully meet the needs of the organization
  • CASE tools should complement and fit into the
    application development methodology
  • The integrity of data moved between CASE products
    needs to be monitored and controlled
  • Changes to the application should be reflected in
    stored CASE product data

3.11.3 Fourth-generation Languages
  • Common characteristics of 4GLs include
  • Nonprocedural language
  • Environmental independence (portability)
  • Software facilities
  • Programmer workbench concepts
  • Simple language subsets
  • 4GLs are classified as
  • Query and report generators
  • Embedded database 4GLs
  • Relational database 4GLs
  • Application generators

3.12.1 Business Process Reengineering and Process
Change Projects
  • The steps in a successful BPR are
  • Define the areas to be reviewed
  • Develop a project plan
  • Gain an understanding of the process under review
  • Redesign and streamline the process
  • Implement and monitor the new process
  • Establish a continuous improvement process

3.12.1 Business Process Reengineering and Process
Change Projects
3.12.1 Business Process Reengineering and Process
Change Projects (continued)
  • A successful BPR/process change project requires
    the project team to perform the following for the
    existing processes
  • Process decomposition to the lowest level
    required for effectively assessing a business
  • Identification of customers, process-based
    managers or process owners responsible for
    beginning to end processes
  • Documentation of the elementary process-related
    profile information

3.12.1 Business Process Reengineering and Process
Change Projects (continued)
  • BPR methods and techniques
  • Benchmarking process
  • Plan
  • Research
  • Observe
  • Analyze
  • Adapt
  • Improve

Practice Question
  • 3-3 When conducting a review of business
    process reengineering, an IS auditor found that
    a key preventive control had been removed. In
    this case, the IS auditor should
  • inform management of the finding and determine
    whether management is willing to accept the
    potential material risk of not having that
    preventive control.
  • determine if a detective control has replaced the
    preventive control during the process and, if it
    has not, report the removal of the preventive
  • recommend that this and all control procedures
    that existed before the process was reengineered
    be included in the new process.
  • develop a continuous audit approach to monitor
    the effects of the removal of the preventive

Practice Question
  • 3-4 During which of the following steps in the
    business process reengineering should the
    benchmarking team visit the benchmarking
  • Observation
  • Planning
  • Analysis
  • Adaptation

3.13 Application Controls
  • Application controls are controls over input,
    processing and output functions. They include
    methods for ensuring that
  • Only complete, accurate and valid data are
    entered and updated in a computer system
  • Processing accomplishes the correct task
  • Processing results meet expectations
  • Data are maintained

3.13 Application Controls (continued)
  • An IS auditors tasks include the following
  • Identifying the significant application
    components and the flow of transactions through
    the system
  • Identifying the application control strengths
  • Testing the controls to ensure their
    functionality and effectiveness
  • Evaluating the control environment
  • Considering the operational aspects of the
    application to ensure its efficiency and

3.13.1 Input/Origination Controls
  • Input authorization
  • Input authorization verifies that all
    transactions have been authorized and approved by
  • Types of authorization include
  • Signatures on batch forms or source documents
  • Online access controls
  • Unique passwords
  • Terminal or client workstation identification
  • Source documents

3.13.1 Input/Origination Controls (continued)
  • Batch controls and balancing
  • Batch controls group input transactions to
    provide control totals
  • Types of batch controls include
  • Total monetary amount
  • Total items
  • Total documents
  • Hash totals

3.13.1 Input/Origination Controls (continued)
  • Batch controls and balancing
  • Batch balancing can be performed through manual
    or automated reconciliation
  • Types of batch balancing include
  • Batch registers
  • Control accounts
  • Computer agreement

3.13.1 Input/Origination Controls (continued)
  • Error reporting and handling
  • Input processing requires that controls be
    identified to verify that data are accepted into
    the system correctly and that input errors are
    recognized and corrected
  • Input error handling can be processed by
  • Rejecting only transactions with errors
  • Rejecting the whole batch of transactions
  • Holding the batch in suspense
  • Accepting