- Database structures are created and populated with data
- Equipment is purchased and installed
- Employees are trained
- System is documented
- New system is installed

Engaged in implementation:
- Designers
- Programmers
- Database administrators
- Users
- Accountants

Testing the Entire System
- When modules are coded and tested, they must be brought together and tested as a whole.
- When satisfied, a formal acceptance document will be completed.
- The formal acceptance document is used to reconcile differences and assign responsibility in the post-implementation review.

Documenting the System
- Documentation provides essential information about how the system works.
- Three important groups:
  - System designers and programmers
  - Computer operators
  - End users

Note that system programmers and computer operators must be separated for security and control reasons.

Designer and Programmer
- System flowchart
- Program flowchart
- Program code listing

User Scheme
- Novices
- Occasional users
- Frequent light users
- Frequent power users

User Handbook (Online Documentation)
- Tutorials
- Help features

Converting the Databases
- Database conversion is a critical step in the implementation phase
- Transfer of data from its current form to the format or medium required by the new system
- Very labor intensive
- Data conversion is risky and must be carefully controlled with these precautions:
  - Validation
  - Reconciliation
  - Backup

Converting to the New System
Also called cutover; conversion to the new system usually follows one of three approaches:
- Cold Turkey Cutover (Big Bang Approach)
- Phase Cutover
- Parallel Operation Cutover

The Auditor's Role in System Implementation
External auditors are prohibited by SOX from direct involvement in system implementation, but internal auditors, as stakeholders, may get involved in the following ways:
- Provide technical expertise
- Specify documentation standards
- Verify control adequacy and compliance with SOX

Post-Implementation Review
- One of the most important steps in the implementation stage
- Reviewed by an independent team to measure the success of the system and of the process after everything has settled
- Provides internal and external auditors with evidence regarding the adequacy of the SDLC in general and its risk
- Valuable post-implementation evidence:
  - Systems design adequacy
  - Accuracy of time, cost, and benefit estimates

Phase VIII System Maintenance
- Final phase of the life cycle
- Formal process by which application programs undergo changes to accommodate changes in user needs
- Maintenance period of five years or longer, depending on the competitiveness of the industry
- Represents a significant resource outlay compared to initial development costs

Controlling and Auditing the SDLC
- Accuracy of the financial data in the client's databases bears directly on the auditor's opinion
- In a CBIS, financial data are processed (accessed, stored, and updated) by computer applications; the accuracy and integrity of those programs affect the financial data (which may be corrupted or incorrectly reported in the FS) on which auditors render an opinion
- Auditors seek efficient and effective ways to limit application testing

Controlling New Systems Development
- Control activities relating to authorization, development, and implementation of the original system:
  - Systems authorization activities
  - User specification activities
  - Technical design activities
  - Internal audit participation
  - User test and acceptance procedures

Controlling System Maintenance
- Determine that application integrity is still intact
- Programming errors may occur that create incorrect information that goes undetected by the user
- Program fraud can take root in an environment of poorly controlled maintenance and go undetected for years

Controllable activities relating to System Maintenance

Maintenance Authorization, Testing and Documentation
- Formal authorization
- Technical specification of the changes
- Retesting the system
- Updating the documentation

Source Program Library Controls
- Source Program Library (SPL)

The Worst-Case Situation: No Controls
- Access to programs is completely unrestricted
- Programs are subject to unauthorized changes

A Controlled SPL Environment
- SPL System (SPLS): protective features and procedures must be explicitly addressed
- SPL requires specific planning and control techniques to ensure program integrity. Control techniques such as:
  - Password control
  - Separate test libraries
  - Audit trail and management reports
  - Program version numbers
  - Controlling access to maintenance commands

Audit objective related to system maintenance
- Detect unauthorized program maintenance

Audit procedures related to system maintenance
- Identify unauthorized changes
  - Reconcile program version numbers
  - Confirm maintenance authorization
- Identify application errors
  - Reconciling the source code
  - Reviewing the test results
  - Retesting the program
- Test access to libraries
  - Review programmer authority tables
  - Test authority table
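
Added example (not part of the original notes): one way to carry out "reconcile program version numbers" and "confirm maintenance authorization" together. It assumes each program enters the SPL as version 1 and each authorized change raises the version by one; all program names and numbers are constructed sample data.

```python
# Reconcile production SPL version numbers against authorized maintenance.
# Assumption: a program enters the SPL as version 1 and every authorized
# change produces the next version number (2, 3, ...).

# Constructed sample: current version of each program in the production SPL.
PRODUCTION = {"AR_POST": 5, "PAYROLL_CALC": 4, "GL_CLOSE": 1, "VENDOR_UPD": 3}

# Constructed sample: versions backed by a formal maintenance authorization.
AUTHORIZED = {
    "AR_POST": {2, 3, 4, 5},
    "PAYROLL_CALC": {2, 3},      # version 4 has no authorization on file
    "VENDOR_UPD": {2, 3, 4},     # version 4 approved but never promoted
}


def reconcile(production, authorized):
    """Return {program: {"unauthorized": [...], "pending": [...]}} for every
    program whose version history is not explained by the authorizations."""
    findings = {}
    for program, current in sorted(production.items()):
        approved = authorized.get(program, set())
        # Every version after the original one needs an authorization.
        expected = set(range(2, current + 1))
        unauthorized = sorted(expected - approved)
        # Approved changes that never reached production deserve a follow-up.
        pending = sorted(approved - expected)
        if unauthorized or pending:
            findings[program] = {"unauthorized": unauthorized,
                                 "pending": pending}
    return findings


if __name__ == "__main__":
    for program, result in reconcile(PRODUCTION, AUTHORIZED).items():
        print(program, result)
```

Programs listed under "unauthorized" are candidates for the source code reconciliation and retesting procedures above.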