Tommie W. Singleton, Ph.D., CISA, CMA, CPA, CITP
In systems development, the temptation to skip certain prescribed tasks associated with documentation, combined with the fast-paced life of IT professionals, can create an environment that is not able to properly employ the best practices of systems development. However, the employment of best practices has proven over the years to provide returns in both efficiency and effectiveness. In all types of audit, the employment of any set of “best practices” is generally seen by auditors as having a positive impact on the quality of the information, systems or operations being audited. In the case of the systems development life cycle (SDLC), some practices provide additional benefits in terms of IT audits. Specifically, throughout the steps in the SDLC, documentation is created that provides valuable potential sources of evidence for IT auditors. In other words, employing the SDLC as it is prescribed in the industry is a control. In this article, the conventional phases of the SDLC—and how each one can provide this potential evidence—will be discussed. Different groups use different lists of steps in the SDLC, but almost all agree on the same elements. Herein, a list of eight phases is used to demonstrate this process of analyzing an entity’s SDLC. A summary of six of the eight phases and examples of related documentation are depicted in figure 1. Other documentation should exist; the documents contained in the figure are for illustrative purposes.

Phase One: Systems Planning
In phase one, systems are planned using a strategic approach. Executives and others evaluate the effectiveness of systems in terms of meeting the entity’s mission and objectives. This process includes general guidelines for system selection and systems budgeting. Management develops a written long-term plan for systems that is strategic in nature. The plan will change in a few months, but much evidence exists that such planning pays dividends in terms of effective IT solutions over the long term. This phase is similar to IT governance, and the two are quite compatible. Thus, the first thing an IT auditor would like to see is the implementation of IT governance activities. During this phase, several documents will be generated. They include the long-term plan, policies for selection of IT projects, and a long-term and short-term IT budget, as well as preliminary feasibility studies and project authorizations. Project proposals should have been documented when submitted to management, and a project schedule should exist that contains the approved projects (see figure 1).
The presence of these documents illustrates a structured, formal approach to systems development and, as such, illustrates an effective planning system for IT projects and systems. It also demonstrates a formal manner of approving IT projects. IT auditors will want to verify the presence of a systems planning phase (or IT governance activities) and take a sample of the documents to verify the effectiveness of that system. The same audit procedure will be true for all of the other seven phases and, therefore, will not be repeated in the narratives of phases two through eight.

Phase Two: Systems Analysis
In the systems analysis phase, IT professionals gather information requirements for the IT project. Facts and samples to be used in the IT project are gathered primarily from end users. A systems analyst or developer then processes the requirements, producing a document that summarizes the analysis of the IT project. The result is some kind of documentation, such as a systems analysis report (see figure 1). Other documentation should exist. In effect, systems analysis illustrates the entity’s ability to be thorough with its systems development.

Phase Three: Conceptual Design
Next comes the conceptual design phase. In phase two, systems analysis, the requirements have been gathered and...