- CISA Ch. 3.5 “Business Application Development”, pp. 173-177
- CISA Ch. 3.5.3 “Integrated Resource Management Systems”, p. 182
- CISA Ch. 3.5.4 “Risk Associated with Software Development”, pp.182-183
- CISA Ch. 3.13 “Application Controls”
- CISA Ch. 3.7 “Business Application Systems”
Feng Gao says
Usually, business application development is not just implemented; it follows a specific process. The implementation process for business applications follows the project planning and management processes. Typically, a business application development project starts after individual application feasibility is initiated, in one or more of the following circumstances:
– A new opportunity related to a new or already existing business process
– A problem related to a current business process
– A new opportunity that will help the organization to take advantage and utilize technology in their functions
– When there is a problem with the current technology being used in an organization.
– Alignment of business applications with business partners’/industry-standard systems and their respective interfaces.
All these circumstances are closely related to the key business drivers. Hence, they can easily be defined as the features of a business function that control the behavior and application of that business function, meant to attain the set strategic business goals of an organization.
An increasing number of organizations, both public and private, are shifting from separate individual groups to fully integrated corporate solutions. On most occasions such solutions are marketed as ERP solutions. Many European and American vendors have been majoring in this market and offering packages under commercial names such as Oracle, SAP, and Financials or SSG. The implementation of an integrated solution is a very large software acquisition project. The acquisition and implementation of an ERP system influences the manner in which corporations do their business, their overall control of the environment, their internal resources, and their technological direction. Basically, corporations that adopt an integrated solution are required to convert their management policies, philosophies, and practices to those of the integrated software solution provider. Also, they must embrace the numerous customization options of the integrated solution software. In this case, such a solution will either cripple or improve IT’s ability to sustain the goals and mission of the organization. Considering this huge change, it is important for businesses to conduct a thorough risk assessment before integrating.
There are many potential risks that can occur when designing and developing software systems. First is the business or benefit risk, which is the risk that the new business may not meet the users’ requirements, business needs and expectations. For example, in the case where business requirements set to be attained by the new system are still unachieved, then even after the system is implemented, they still will not be achieved.
Second is the project or delivery risk, which is the risk that the project activities set to design and develop the system surpass the limits of the financial resources allocated for the project. Thus, the implementation of the project may be completed late, if it is ever completed. Apart from these two, there are many other potential risks that can occur when designing and developing software systems; therefore, there must be risk-associated strategies to deal with the multiple levels of risk.
Xinye Yang says
The software development process is a risky process. The SDLC is vulnerable to risks from the start of the project till the final acceptance of the software product. Each phase of the SDLC inevitably faces a different set of threats. In order to manage these risks properly, an adequate understanding of the software development process’s risks is required.
Project managers may find it difficult to estimate the required time, cost, scope and other resources needed to complete the project. This will certainly lead to an unrealistic project schedule and budget, an unclear scope and insufficient resources.
Usually analysts and developers focus on what the system should do and ignore how the system should be. Non-functional requirements are as essential to project success as the functional requirements.
On projects involving long timelines, developers tend to take things easy to begin with. As a result, sometimes, they lose significant time to complete the project. Set a realistic schedule, and stick to it.
Imran Jordan Kharabsheh says
While reading through the CISA manual’s chapter on “Risks Associated with Software Development”, I began to realize just how cumbersome in-house application development can be on an organization’s resources, both physically and financially. When initiating a software development project, it is critical for an organization to accurately list relevant “technical, operational, and functional requirements”, and to thoroughly understand system development methodologies and best practices. Examples of these methodologies and best practices include rapid application development and secure coding practices, respectively. Without appropriate and complete documentation of the requirements, the organization runs the risk of the project being delayed, excessive costs associated with non-required functions and overruns, and overall project failure. The section of the CISA manual on “Risks Associated with Software Development” also emphasizes how understanding of specific control objectives when creating and implementing controls throughout the software development project plays a critical role in managing the risks associated with each phase of the cycle.
Zhu Li says
The risk is an expectation of loss, a potential problem that may or may not occur in the future. It is generally caused by a lack of information, control or time. The possibility of suffering a loss in the software development process is called a software risk. The loss can be anything: an increase in production cost, development of poor-quality software, or not being able to complete the project on time. Software risk exists because the future is uncertain and there are many known and unknown things that cannot be incorporated in the project plan.
In order to identify the risks that your project may be subjected to, it is important to first study the problems faced by previous projects. Study the project plan properly and check all the possible areas that are vulnerable to one or another type of risk. The best way of analyzing a project plan is to convert it to a flowchart and examine all essential areas. Any decision taken related to technical, operational, political, legal, social, internal or external factors should be evaluated properly.
Zhu Li says
1. Any business application system developed will follow these major categories. One is organization-centric: MIS, ERP, CRM, SCM. The objective of organization-centric applications is to collect, collate, store, archive and share information with business users and various applicable support functions on accounts, administration, and government levy payment departments. Regulatory levy fulfillment is also addressed by the presence of organization-centric applications. Organization-centric application projects usually use the SDLC or other detailed software engineering approaches for development.
Another is end-user-centric computing, where the objective of an end-user-centric application is to provide different views of data for performance optimization. This objective includes DSS and geographic information system techniques. Most of these applications are developed using alternative development approaches.
2. The IS auditor must evaluate EDI to ensure that all inbound EDI transactions are received and translated accurately, and passed to an application. EDI audits should accomplish these steps.
Audit monitors: devices can be installed at EDI workstations to capture transactions as they are received. Such transactions can be stored in a protected file for use by the auditor. Consideration should be given to storage requirements for voluminous amounts of data.
Expert systems: within the context of utilizing the computer system for internal control checks, consideration should be given to having audit monitors evaluate the transactions received. Based upon judgmental rules, the system can determine the audit significance of such transactions and provide a report for the auditor’s use.
Feng Gao says
Good points, Li Zhu. EDI presents numerous audit and control implications. The auditor needs to understand how the entity conducts business using EDI and to adjust audit procedures accordingly. EDI creates a dependence on the trading partner’s computer system, so its errors and security breaches might affect the client’s system.
Yuchong Wang says
Application development always interests me, and I found program debugging specifically interesting because we know that coding requires quite a lot of time and the code should make sense and perform as intended. But what about debugging?
Many programming bugs are detected during the system development process after a programmer runs a program in the test environment. The purpose of debugging programs during system development is to ensure that all program abends (unplanned ending of a program due to programming errors) and program coding flaws are detected and corrected before the final program goes into production. All debugging tools fall into three main categories:
- Logic path monitors. They report on the sequence of events performed by the program, so they give the programmer clues to logic errors.
- Memory dumps. They provide a picture of the internal memory’s content at one point in time, essentially meaning developers can get diagnostic information at the time of a crash to help them troubleshoot issues and learn more about the event.
- Output analyzers. They help check the results of program execution for accuracy. This is achieved by comparing expected results with the actual results.
These three tools help developers to debug, thus providing a better final product.
Yuan Liu says
In software development, debugging involves locating and correcting code errors in a computer program. Debugging is part of the software testing process and is an integral part of the entire software development life cycle. The debugging process starts as soon as code is written and continues in successive stages as code is combined with other units of programming to form a software product. In a large program that has thousands and thousands of lines of code, the debugging process can be made easier by using strategies such as unit tests, code reviews and pair programming.
Shuyue Ding says
One thing that I found interesting from 3.7 Business Application Systems is the availability risk for e-commerce. This textbook also talks about confidentiality, about which we have already learned a lot, such as theft of credit card information. Integrity is about unauthorized alteration or deletion. Availability I found interesting because online shopping has become a part of our life, so we don’t really think about availability being 24/7. Authentication and nonrepudiation is another risk. Moreover, a system failure is really costly for companies, and companies would have to hire more IT staff to maintain the system, but I would say that the benefit of e-commerce outweighs the extra cost of maintaining the system. I also found it interesting that the textbook considers the power shift to customers to be a risk to companies, because they need to improve system design and reengineer business processes to be more competitive in the industry.
Alexander Reichart-Anderson says
In the CISA manual section on Risks Associated with Software Development, a lot was taken away from this section. In this section there was a great emphasis put on understanding, documenting, and regulating the controls within an organization. As an IS auditor, documenting the controls, communicating those controls to the specified parties, and making sure the rules are followed to a T are all part of risk mitigation. Risk mitigation, as we know, is the #1 priority of auditors; therefore, following those steps and the outlined details in the CISA are critical for smooth business operations.
Panayiotis Laskaridis says
I agree. Risk mitigation is the top priority for an IS Auditor. Understanding, documenting, and regulating controls is very important inside an organization. Although Auditing is considered a cost of doing business, the amount of money it saves the business is enormous. Nowadays with the constant security threats, making sure you get all this stuff could make or break a business.
Deepa Kuppuswamy says
In a couple of my recent interviews I was asked about my knowledge of application controls. I think this is one of the important areas to focus on and increase expertise in as a technology auditor. Application control is a security practice that blocks or restricts unauthorized applications from executing in ways that put data at risk. The control functions vary based on the business purpose of the specific application, but the main objective is to help ensure the privacy and security of data used by and transmitted between applications.
Application control includes completeness and validity checks, identification, authentication, authorization, input controls, and forensic controls, among others.
• Completeness checks – controls ensure records processing from initiation to completion
• Validity checks – controls ensure only valid data is input or processed
• Identification – controls ensure unique, irrefutable identification of all users
• Authentication – controls provide an application system authentication mechanism
• Authorization – controls ensure access to the application system by approved business users only
• Input controls – controls ensure the integrity of data feeds into the application system from upstream sources
The CISA manual includes a list of tasks required of the IS auditor while performing application controls (page 224).
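An added example, not from the CISA manual or from any commenter in this thread, that applies the control types listed above to one constructed invoice feed: an HMAC trailer on the feed serves as the input control, record-count and control-total checks cover completeness, format and reference-data checks cover validity, and a user/role lookup covers identification and authorization. The feed format, the users and roles, the cost centres and the shared key are all invented for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed reference data for the example (not from any real system).
APPROVED_USERS = {"alice": "payables", "bob": "readonly"}        # user -> role
ROLE_PERMISSIONS = {"payables": {"post_invoice"}, "readonly": set()}
VALID_COST_CENTRES = {"CC100", "CC200"}
FEED_KEY = b"constructed-shared-key"  # assumed to be shared with the upstream system

@dataclass
class Invoice:
    invoice_id: str
    cost_centre: str
    amount_cents: int
    submitted_by: str

@dataclass(frozen=True)
class Finding:
    control: str  # which control raised it
    record: str   # invoice id, or "batch" for batch-level findings
    detail: str

def make_feed(body, key=FEED_KEY):
    """Builds a feed the way the constructed upstream system would: body plus MAC trailer."""
    return body + "\nMAC|" + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify_feed(feed, key):
    """Input control: the HMAC-SHA256 trailer rejects a truncated or altered feed."""
    body, _, tag = feed.rpartition("\nMAC|")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag.strip()):
        raise ValueError("feed integrity check failed")
    return body

def parse_feed(body):
    """'HDR|count|total_cents' header, then 'id|cost_centre|amount_cents|user' lines."""
    lines = body.splitlines()
    _, count, total = lines[0].split("|")
    batch = [Invoice(i, cc, int(amt), u) for i, cc, amt, u in (l.split("|") for l in lines[1:])]
    return int(count), int(total), batch

def completeness_checks(batch, count, total):
    """Completeness: count and control total match the header; no record is processed twice."""
    findings, seen = [], set()
    if len(batch) != count:
        findings.append(Finding("completeness", "batch", f"expected {count} records, got {len(batch)}"))
    actual = sum(i.amount_cents for i in batch)
    if actual != total:
        findings.append(Finding("completeness", "batch", f"control total {total} != sum {actual}"))
    for inv in batch:
        if inv.invoice_id in seen:
            findings.append(Finding("completeness", inv.invoice_id, "duplicate record"))
        seen.add(inv.invoice_id)
    return findings

def validity_checks(inv):
    """Validity: only well-formed, plausible data is processed."""
    findings = []
    if not re.fullmatch(r"INV-\d{6}", inv.invoice_id):
        findings.append(Finding("validity", inv.invoice_id, "malformed invoice id"))
    if inv.cost_centre not in VALID_COST_CENTRES:
        findings.append(Finding("validity", inv.invoice_id, f"unknown cost centre {inv.cost_centre}"))
    if inv.amount_cents <= 0:
        findings.append(Finding("validity", inv.invoice_id, "amount must be positive"))
    return findings

def authorization_checks(inv, action="post_invoice"):
    """Identification and authorization: a known, approved user whose role permits the action."""
    role = APPROVED_USERS.get(inv.submitted_by)
    if role is None:
        return [Finding("identification", inv.invoice_id, f"unknown user {inv.submitted_by}")]
    if action not in ROLE_PERMISSIONS[role]:
        return [Finding("authorization", inv.invoice_id, f"{inv.submitted_by} ({role}) may not {action}")]
    return []

def review_batch(feed, key=FEED_KEY):
    """Runs every control over one feed and returns the findings for the auditor's use."""
    count, total, batch = parse_feed(verify_feed(feed, key))
    findings = completeness_checks(batch, count, total)
    for inv in batch:
        findings += validity_checks(inv) + authorization_checks(inv)
    return findings

# Constructed sample feed: the header claims 3 records totalling 45000 cents, but one
# record is duplicated, one names an unknown cost centre, and a read-only user posts one.
SAMPLE_BODY = "\n".join([
    "HDR|3|45000",
    "INV-000001|CC100|15000|alice",
    "INV-000001|CC100|15000|alice",
    "INV-000002|CC999|20000|bob",
])

if __name__ == "__main__":
    for f in review_batch(make_feed(SAMPLE_BODY)):
        print(f"{f.control:<15} {f.record:<12} {f.detail}")
```

Run as-is, the sample feed produces four findings (a control-total mismatch, a duplicate record, an unknown cost centre and a user without the posting permission); altering any byte of the feed after it was signed makes `verify_feed` reject it before the other controls run, which is the order an input control should sit in.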
Imran Jordan Kharabsheh says
Hello,
As I was reading through your thoughts that you had while reviewing the CISA chapter on Application Controls, I actually found myself learning quite a bit thanks to your choice in words making the concepts easy to digest and understand. I also very much appreciate you taking the time to define each of the types of controls that are most commonly applied to applications integrated by organizations. I liked that you also included a page reference towards the end of your response to the page of the CISA manual on the requirements IS auditors must check for when testing application controls.
Ryu Takatsuki says
I think the point about testing and the other types of testing is really interesting. As mentioned in the book, testing is an essential part of the development process that verifies and validates that a program, subsystem or application performs the functions for which it has been designed. When the testing is finished, the IS auditor issues a conclusion to the executives with respect to whether the system meets the business requirements and has implemented appropriate controls. Moreover, there are many types of testing that we should know. For example, parallel testing is the process of feeding test data into two systems, the modified system and an alternative system, and comparing the results. I believe that testing is an important component of development processes.
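An added example, not from the manual or from anyone in this thread, of the parallel testing described in the comment above combined with the output-analyzer comparison of expected versus actual results mentioned earlier in the thread: the same test data is fed into an existing discount calculation and a modified one, the two result sets are compared with each other, and each is then compared with the result the business rule expects. Both calculations, the half-up rounding rule and the test cases are constructed for the example.

```python
from decimal import Decimal, ROUND_HALF_UP
from typing import Callable, List, NamedTuple

class Case(NamedTuple):
    case_id: str
    net_cents: int
    discount_pct: int
    expected_cents: int  # result required by the (constructed) half-up rounding rule

def legacy_total(net_cents: int, discount_pct: int) -> int:
    """The alternative (existing) system: float arithmetic and Python's round(),
    which rounds an exact half to the nearest even integer."""
    return int(round(net_cents * (1 - discount_pct / 100)))

def modified_total(net_cents: int, discount_pct: int) -> int:
    """The modified system: exact decimal arithmetic with half-up rounding."""
    discounted = Decimal(net_cents) * (Decimal(100) - discount_pct) / Decimal(100)
    return int(discounted.quantize(Decimal("1"), rounding=ROUND_HALF_UP))

# Constructed test data; expected values follow the half-up business rule.
TEST_DATA = [
    Case("C1", 10000, 10, 9000),
    Case("C2", 1005, 50, 503),    # exact half (502.5) must round up
    Case("C3", 20000, 25, 15000),
    Case("C4", 999, 0, 999),
    Case("C5", 1001, 25, 751),    # 750.75 rounds up in both systems
]

def parallel_test(cases: List[Case], alternative: Callable[[int, int], int],
                  modified: Callable[[int, int], int]) -> dict:
    """Feeds every case into both systems and compares the two result sets
    (parallel testing), then checks each system's output against the expected
    result (output analysis). Returns a report for the tester or auditor."""
    report = {"cases": len(cases), "discrepancies": [],
              "alternative_failures": [], "modified_failures": []}
    for c in cases:
        a = alternative(c.net_cents, c.discount_pct)
        m = modified(c.net_cents, c.discount_pct)
        if a != m:
            report["discrepancies"].append((c.case_id, a, m))
        if a != c.expected_cents:
            report["alternative_failures"].append(c.case_id)
        if m != c.expected_cents:
            report["modified_failures"].append(c.case_id)
    return report

if __name__ == "__main__":
    r = parallel_test(TEST_DATA, legacy_total, modified_total)
    print(f"{r['cases']} cases, {len(r['discrepancies'])} discrepancies: {r['discrepancies']}")
    print("alternative system wrong on:", r["alternative_failures"])
    print("modified system wrong on:", r["modified_failures"])
```

The point of the two-step report is that a discrepancy between the systems only says they differ; the expected-result column is what tells the tester which one to trust, here the modified system on the exact-half case.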
Mei X Wang says
Hi Ryu,
I believe as well that testing is an essential part of the SDLC. With every iteration and improvement to the system, ample testing and seeing the system in real time is the only way to evaluate the usability of the new system. Testing is how you can see your project in action and to evaluate what shortcomings may occur while in use.
Yuchong Wang says
Hi Ryu,
Testing is for sure an important part of the SDLC, and I also found it interesting that there are many technical names for testing as well. A project cannot go far without proper testing, and this is why it is very important for a development process. Prepare, Review, Rework, Baseline, Revise are important steps for testing.
Raisa Ahmed says
Good explanation, Ryu. System testing is definitely an important part of the SDLC. To deliver high-quality products or applications, proper testing is required. System testing enables you to test, validate and verify both the application architecture and the business requirements. Additionally, a well-tested product incurs lower maintenance costs, and so the results delivered are more accurate, consistent and reliable.
Yuan Liu says
An ERP project is considered highly risky, since it is large, complex, usually unfamiliar to the organization and implemented under a tight timetable. It usually entails process reengineering and many changes. To reduce the risk and improve the probability of project success, an organization can use a structured development approach for such a project, beginning with the selection stage and culminating in the operation stage.
There are several conventional structured development approaches. The major ones are the ISDLC model, the prototyping approach and the software package life cycle model. The implementation of an ERP system requires a new methodology that combines components from each of the above approaches. The model suggested in this paper is comprised of four stages: (1) selection; (2) definition; (3) implementation; and (4) operation. Several organizations that have adopted this structured methodology have evidenced a successful ERP implementation.
Yuqing Tang says
Hi Yuan, just like you mentioned that ERP projects are considered highly risky, it’s important for a company to have the appropriate ERP system to comprehensively balance and optimize the management of its overall resources. The ERP software coordinates all the management departments of the company, and the ERP system carries out business activities centered on market orientation to improve the core competitiveness of the company and achieve the best economic benefits.
Penghui Ai says
I would like to introduce one thing of interest that I took away from CISA Ch. 3.5.4 “Risk Associated with Software Development”, pp. 182-183. There are many potential risks when designing and developing software systems, but in general they can be defined as two types, so-called business risk and project risk.
Business risks (or benefit risks) are the risks that might cause the new system not to meet the users’ business needs, requirements, and expectations. For example, the process of designing a new system could be a waste of resources if the new system cannot fulfill the business requirements, and even if the system is implemented, it will most likely not be maintained.
Project risks (or delivery risks) are the risks that cause the project activities to design and develop the system to exceed the limits of the financial resources set for the project, such as the delivery of the project being late.
Ryu Takatsuki says
Hi Penghui, I like your point about business risks and I also think it is interesting. Especially for a small business, if it is trying to develop a new system by itself, it might waste the time and resources needed to develop its main business. I think this could be a business risk for the organization, so it needs to conduct an analysis before the project.
Shuyue Ding says
Hi, Penghui:
Great post, and I totally agree with you that business risk is about not meeting the user requirements, which include regular functional requirements as well as information security requirements. As IT auditors, we would review the users’ requirements first to ensure the project deliverables meet the business needs. At the same time, the project would face the kill/continue decision in the middle of the project depending on the cost and benefit analysis.
Yuqing Tang says
After reading through the Integrated Resource Management Systems section, I understand the functionality and importance of the ERP system, because with the development of information construction, the role and influence of IT resources on the main operation are becoming increasingly prominent. Without an appropriate integrated resource management system, there will be some drawbacks caused by poor management of IT resources. ERP is the enterprise management software integrating material resource management, human resource management, financial resource management, and information resource management. An ERP system integrates information technology and advanced management thought together, becoming the operating mode of enterprises, reflecting the requirements for enterprises to allocate resources rationally and create social wealth to the greatest extent, and becoming the cornerstone for enterprises to survive and develop in the information age. ERP helps enterprises optimize their resources to maximize efficiency.
Mei X Wang says
CISA Ch. 3.5.4 “Risk Associated with Software Development”, pp.182-183
The risk associated with software development sparked my interest the most because each phase of the SDLC carries ongoing risk. In each phase, there’s a different threat that can ultimately halt the development completely. Adequate risk assessment/mitigation has to be in place before each phase can be successfully completed. The involvement of the project team to see the bigger picture is also very important; with a detailed project scope, the requirements will also be laid out more easily.
– Laying out the timeline, budget, and delegating resources
– Having the functional, non-functional, and technical requirements listed
– Keeping a realistic timeline
– Staying on budget
These are all in-house requirements turned risks associated with project development, and understanding the importance of managing the project well, while adhering to all security practices, heavily influences the success of a project.
Penghui Ai says
Hi, Mei,
I think Risk Associated with Software Development is one interesting topic as well. It is great to see different takeaways from one same topic. As you mentioned, adequate risk assessment/mitigation and the involvement of the project team to see the bigger picture are important to be implemented, so the risks can be reduced in a proper way.
Sarah Puffen says
I also found it interesting how within each phase, there is a different aspect of risk that needs to be addressed. It’s basically like thinking of every type of scenario that might happen within the system. I think this is the one instance in which having a doomsday mentality might actually be beneficial. If we can think of the risks and what might possibly go wrong, then we can take the precautions necessary in order to mitigate those risks.
Panayiotis Laskaridis says
CISA Ch. 3.5.4 “Risk Associated with Software Development”, pp.182-183
Ideally, if I was ever assigned on a project team, I would love for it to be application development. Being a project manager for app development sounds like the perfect job for someone in IT. My favourite part of this reading is the emphasis on the project management aspects. Explaining how to set a realistic budget & timeline, how to list requirements, etc… are all very important things needed as a project manager. As I mentioned in my other replies, I always found risk very interesting so including the risk management aspect of app development made this a very interesting read for me.
Deepa Kuppuswamy says
I found this topic interesting too!
Identifying and understanding the risk is one area which I always find challenging, but this is the preliminary stage for managing the risks successfully, and it requires a high level of knowledge and understanding of project management. Each phase of the SDLC is vulnerable to risks from the starting stage of the project till the final acceptance of the software project. In order to manage these risks properly, an adequate understanding of the software development process’s problems, risks and their causes is required. Hence, the first step in managing these risks is to identify them.
Risk factors are the uncertain conditions and influences that will affect the cost, duration and quality of the project negatively and if ignored or not mitigated well they will present serious threats to the software project.
Haixin Sun says
One thing is electronic banking. Banking organizations have been delivering electronic services for years, including internet banking, telebanking, debit cards, etc. E-banking activities do not raise risks (strategic, reputational, operational, credit, price and liquidity) that were not already present in traditional banking, but they do increase and modify some types of traditional risk. The reason is that the speed of change relating to technological and service innovation in e-banking is unprecedented, and e-banking increases the technical complexity of many operational and security issues. The fifteen controls mentioned are divided into three categories: board and management oversight, security controls, and legal and reputational risk management.
Xinye Yang says
Hi Haixin
There are also lots of advantages and disadvantages of electronic banking.
Pros:
– access to the bank 24 hours a day, 7 days a week, without depending on the bank’s schedule;
– at present, customers can access bank servers by dial-up connection or through the web; bank statements are easy to access;
– transactions are made in the best safety conditions;
Cons:
– additional costs (subscription and connection to the server);
– dependence on the computer where the client software has been installed.
Sarah Puffen says
What I found interesting, albeit not surprising, in section 3.5.4 was the multitude of risks associated with software development. From the project itself to the type of technology, we can see that there is a variety of factors that must be considered when designing/developing these software systems. However, even with the proper risk analysis, we need to ensure that the project is staying on track by assessing processes such as scope creep control and activity tracking. I think this is an example of “there’s more to it than meets the eye.” While we can follow a certain set of steps to achieve our goal, we also need to maintain those steps along the way so that they don’t either fall out from beneath us, or lead us in the wrong direction.
Alexander Reichart-Anderson says
Hi Sarah, I like how you touched upon the “risks” associated with software development. As we learned in Week 1, the main role of an IT auditor is to mitigate the overall risk of the IT projects they are assigned to. In addition to making risk your main topic, you analyzed the certain aspects that bring about risk: technology, analysis, time management, and ensuring scope. I like how you challenged all of us — intentionally or not — to follow our own internal steps to mitigate the overall risks of a project.
Raisa Ahmed says
CISA Ch. 3.5.3 “Integrated Resource Management Systems”
When most businesses are established, their processes are usually individual applications from different vendors or homemade applications. As the business evolves over time, so do its systems. This is an important improvement, as it provides for growth of the business and efficiency of its information systems. Not to mention, since the organization does not have to maintain multiple systems, a significant reduction in operational costs can be assumed annually. Lastly, employee productivity and performance may increase, since data can be retrieved from one location as opposed to several different sources.