
Auditing in Computer Environment System, Chapter 5 by James Hall

Auditing in Computer Environment System, Chapter 5 by James Hall: systems development and program change activities.

Uploaded by Robert Castillo

Chapter 5

IT Controls Part III: Systems Development and Program Changes Activities

Accounting Information Systems, 7e


James A. Hall

Hall, Accounting Information Systems, 7e

2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Flow of discussion:
- Describing the roles of the participants
- Key activities that constitute the SDLC
- SDLC risks, controls, and audit issues

Participants in Systems Development:
- Systems professionals: these individuals actually build the system.
- End users: those for whom the system is built.
- Stakeholders: individuals either within or outside the organization who have an interest in the system but are not end users.
- Accountants/auditors: those professionals who address the controls, accounting, and auditing issues for systems development.
Why are Accountants and Auditors Involved with the SDLC?
- First, the creation of an information system entails significant financial transactions.
- Second, the nature of the products that emerge from the SDLC: the quality of accounting information rests directly on the SDLC activities that produce the accounting information system.

How are Accountants Involved with the SDLC?
- First, accountants are users. Like all users, accountants must provide a clear picture of their problems and needs to the systems professionals.
- Second, as members of the development team. Their involvement often extends beyond the development of strictly AIS applications.
- Third, as auditors. The auditor has a stake in all systems and should be involved in early design, especially regarding their auditability, security and controls.
Information Systems Acquisition
- In-house development: requires maintaining a full-time systems staff of analysts and programmers who identify user information needs and satisfy their needs with custom systems.
- Commercial systems: a growing number of systems are purchased from software vendors, each with unique features and attributes.

Commercial Systems
Trends in Commercial Software
Four factors have stimulated the growth of the commercial software market:
- The relatively low cost of general commercial software as compared to customized software.
- The emergence of industry-specific vendors who target their software to the needs of particular types of businesses.
- A growing demand from businesses that are too small to afford an in-house systems development staff.
- The trend toward downsizing of organizational units and the resulting move toward the distributed data processing environment.
Types of Commercial Software:
- Turnkey systems: completely finished and tested systems that are ready for implementation.
  - General accounting system
  - Special-purpose system
  - Office automation system
- Backbone systems: provide a basic system structure on which to build.
- Vendor-supported systems: hybrids of custom systems and commercial software.
Advantages of Commercial Software
- Implementation time
- Cost
- Reliability

Disadvantages of Commercial Software
- Independence
- The need for customized systems
- Maintenance

System Development Life Cycle
- An eight-phase process consisting of two major stages: new system development (phases 1-7) and system maintenance (the last phase).
- New system development involves conceptual steps that can apply to any problem-solving process.
- System maintenance constitutes the organization's program change procedures.

System Planning: Phase I
Objective of systems planning: to link individual system projects or applications to the strategic objectives of the firm.
Systems steering committee: provides guidance and reviews the status of systems projects. Typical responsibilities include:
- Resolving conflicts that arise from new systems
- Reviewing projects and assigning priorities
- Budgeting funds for systems development
- Reviewing the status of individual projects under development
- Determining at various checkpoints throughout the SDLC whether to continue with the project or terminate it

Systems planning occurs at two levels:
- Strategic systems planning involves the allocation of systems resources at the macro level. Four justifications:
  - A plan that changes constantly is better than no plan at all.
  - Strategic planning reduces the crisis component in systems development.
  - Strategic systems planning provides authorization control for the SDLC.
  - Cost management.
- Project planning allocates resources to individual applications within the framework of the strategic plan.
  - The project proposal provides management with a basis for deciding whether to proceed with the project.
  - The project schedule represents management's commitment to the project.
The Auditor's Role in Systems Planning: auditors routinely examine the systems planning phase of the SDLC.

System Analysis: Phase II
- Systems analysis is actually a two-step process involving first a survey of the current system and then an analysis of the user's needs.
- The systems analysis report presents the findings of the analysis and recommendations for the new system.
- The survey step: facts pertaining to preliminary questions about the system are gathered and analyzed.
Disadvantages of surveying the current system:
- Current physical tar pit
- Thinking inside the box
Advantages of surveying the current system:
- Identifying what aspects of the old system should be kept.
- Forcing systems analysts to fully understand the system.
- Isolating the root of problem symptoms.

Gathering facts:
- Data sources
- Users
- Data stores
- Processes
- Data flows
- Controls
- Transaction volumes
- Error rates
- Resource costs
- Bottlenecks and redundant operations
Fact-gathering techniques:
- Observation: involves passively watching the physical procedures of the system.
- Task participation: the analyst takes an active role in performing the user's work.
- Personal interviews: a method of extracting facts about the current system and user perceptions about the requirements of the new system.
  - Open-ended questions
  - Questionnaires
Fact-gathering techniques:
- Reviewing key documents:
  - Organizational charts
  - Job descriptions
  - Accounting records
  - Charts of accounts
  - Policy statements
  - Descriptions of procedures
  - Financial statements
  - Performance reports
  - System flowcharts
  - Source documents
  - Transaction listings
  - Budgets
  - Forecasts
  - Mission statements
The analysis step
- Systems analysis is an intellectual process that is commingled with fact gathering.
- The systems analysis report presents to management or the steering committee the survey findings, the problems identified with the current system, the user's needs, and the requirements of the new system.
The Auditor's Role in Systems Analysis
- The accountant/auditor should be involved in the needs analysis of the proposed system to determine if it is a good candidate for advanced audit features and, if so, which features are best suited for the system.

Conceptual Systems Design: Phase III
Purpose: to produce several alternative conceptual systems that satisfy the system requirements identified during systems analysis. The alternative designs then go to the systems selection phase, where their respective costs and benefits are compared.

Two approaches to conceptual systems design:
- Structured design approach: develops each new system from scratch from the top down.

- Object-oriented approach: builds information systems from reusable standard components or objects.
  - The concept of reusability is central to this approach. Once created, standard modules can be used in other systems with similar needs.
  - The benefits of this approach include reduced time and cost for development, maintenance and testing, and improved user support and flexibility in the development process.

The Auditor's Role in Conceptual Systems Design
- The auditor is a stakeholder in all financial systems and, thus, has an interest in the conceptual design stage of the system. The auditability of a system depends in part on its design characteristics.

System Evaluation and Selection: Phase IV
This phase is an optimization process that seeks to identify the best system. The evaluation process involves two steps:
- Perform a detailed feasibility study
  - Technical feasibility
  - Economic feasibility
  - Legal feasibility
  - Operational feasibility
  - Schedule feasibility
- Perform a cost-benefit analysis
  - Identify costs
  - Identify benefits
  - Compare costs and benefits

Identify costs
A. One-time costs include the initial investment to develop and implement the system.
B. Recurring costs include operating and maintenance costs that recur over the life of the system.

Identify benefits
A. Tangible benefits are those that can increase revenue and those that reduce costs.
B. Intangible benefits are those that cannot be easily measured and quantified.

Figure 17-8
Compare costs and benefits
A. Net present value method: the PV of the costs is deducted from the PV of the benefits over the life of the system.
B. Payback method: a variation of break-even analysis.

Prepare systems selection report
- Systems selection report: the deliverable product of the systems selection process. It consists of a revised feasibility study, a cost-benefit analysis, and a list of explanations of intangible benefits for each alternative design.
The Auditor's Role in Evaluation and Selection
- The primary concern for auditors is that the economic feasibility of the proposed system is measured as accurately as possible. The auditor should ensure five things:
  o Only escapable costs are used in calculations of cost savings benefits.
  o Reasonable interest rates are used in measuring the PV of cash flows.
  o One-time and recurring costs are completely and accurately reported.
  o Realistic useful lives are used in comparing competing projects.
  o Intangible benefits are assigned reasonable financial values.

Detailed Design: Phase V
- Purpose: to produce a detailed description of the proposed system that both satisfies the system requirements identified during systems analysis and is in accordance with the conceptual design.
- At the end of this phase, all system components are presented formally in a detailed design report.
- After completing the detailed design, the development team usually performs a system design walkthrough to ensure that the design is free from conceptual errors that could become programmed into the final system. Walkthroughs are conducted by a quality assurance group.

The detailed design report includes:
- Designs for all screen inputs and source documents for the system.
- Designs of all screen outputs, reports, and operational documents.
- Normalized data for database tables, specifying all data elements.
- Database structures and diagrams.
- An updated data dictionary describing each data element in the database.
- Processing logic.
The quality control group scrutinizes these documents, and any errors detected are recorded in a walkthrough report.
The system design will either be accepted without modification, accepted subject to modification of minor errors, or rejected because of material errors.
Application Programming and Testing: Phase VI
Program the application software: the next stage is to select a programming language from among the various languages available and suitable for the application. These include:
- Procedural languages: require the programmer to specify the precise order in which the program logic is executed.
- Event-driven languages: are no longer procedural; the program's code is not executed in a predefined sequence.
- Object-oriented languages: are central to achieving the benefits of the object-oriented approach.
Programming the system: the modular approach produces small programs that perform narrowly defined tasks.

The following benefits are associated with modular programming:
- Programming efficiency
- Maintenance efficiency
- Control
Test the application software: there are some proven concepts about testing:
- Testing methodology
- Testing offline before deploying online
- Test data

Sample of Testing Methodology:

System Implementation: Phase VII
In this phase, database structures are created and populated with data, equipment is purchased and installed, employees are trained, the system is documented, and the new system is installed.
Testing the entire system: when all modules have been coded and tested, they must be brought together and tested as a whole.
Documenting the system: documentation provides the auditor with essential information about how the system works.
Designer and programmer documentation: used to debug errors and perform maintenance on the system.
- System flowchart: shows the relationship of input files, programs, and output files.
- Program flowchart: provides a detailed description of the sequential and logical operation of the program.

Operator documentation: computer operators use documentation called a run manual, which describes how to run the system. Typical contents include:
o The name of the system
o The run schedule
o Required hardware devices
o File requirements
o Run-time instructions
o A list of users
- For security and control reasons, system flowcharts, logic flowcharts, and program code listings should not be a part of the operator's documentation.
User documentation: describes how to use the system. The nature of user documentation will depend on the user's degree of sophistication with computers and technology. Classification of user skill levels:
o Novices have little or no experience with computers and are embarrassed to ask.
o Occasional users once understood the system but have forgotten some essential commands and procedures.
o Frequent light users are familiar with limited aspects of the system.
o Frequent power users understand the existing system and will readily adapt to new systems.
- User handbook
- Online documentation
  a. Tutorials
  b. Help features

Database conversion: this is the transfer of data from its current form to the format or medium required by the new system.
- The degree of conversion depends on the technology leap from the old system to the new one.
- When conversion is risky, the following precautions should be taken:
  - Validation
  - Reconciliation
  - Backup


Converting to the new system: the process of converting from the old system to the new one is called cutover. System cutover will usually follow one of three approaches:
- Cold turkey cutover: the firm switches to the new system and simultaneously terminates the old system.
- Phased cutover: begins operating the new system in modules.


- Parallel operation cutover: involves running the old system and the new system simultaneously for a period of time.
  Advantage: reduction of risk

The Auditor's Role in System Implementation:
- Provide technical expertise
- Specify documentation standards
- Verify control adequacy
- Post-implementation review
  - Systems design adequacy
  - Accuracy of time, cost, and benefit estimates

System Maintenance: Phase VIII
- System maintenance is a formal process by which application programs undergo changes to accommodate changes in user needs.
- Maintenance can also be extensive. Depending upon the organization, the system maintenance period can last 5 years or longer.
Controlling and Auditing the SDLC
- The accuracy and integrity of these programs directly affect the accuracy of the client's financial data.
- A materially flawed financial application can corrupt financial data, which are then incorrectly reported in the financial statements.
Controlling new systems development: the first five controllable activities
- Systems authorization activities: all systems must be authorized to ensure their economic justification and feasibility.
- User specification activities: users should provide a detailed written description of the logical needs that must be satisfied by the system.
- Technical design activities: translate the user specifications into a set of detailed technical specifications of a system that meets the user's needs.
- Internal audit participation: the internal auditor can serve as a liaison between the users and the systems professionals to ensure an effective transfer of knowledge.
- User test and acceptance procedures: the system must be tested as a unified whole. Once the test team is satisfied that the system meets its stated requirements, the system is formally accepted by the user department.
Controlling Systems Maintenance
- In this section, we see how uncontrolled program changes can increase a firm's exposure to financial misstatement due to programming errors.
Maintenance authorization, testing and documentation
- Access to systems for maintenance purposes increases the possibility of system errors. To minimize potential exposure, all maintenance actions should require, as a minimum, four controls.
The four controls are:
- Formal authorization
- Technical specification of the changes
- Retesting the system
- Updating the documentation

Source Program Library Controls
- In spite of the preceding maintenance procedures, application integrity can be jeopardized by individuals who gain unauthorized access to programs.
- Application program source code is stored on magnetic disks called the source program library (SPL).
- The SPL is a sensitive area, which, to preserve integrity, must be properly controlled.

The Worst-Case Situation: No Controls
An SPL without controls can create the following two serious forms of exposure:
A. Access to programs is completely unrestricted.
B. Because of these control weaknesses, programs are subject to unauthorized changes.
Control is always in conflict with operational flexibility and efficiency.

A Controlled SPL Environment

Control techniques:
- Password control: assigning passwords provides one form of access control over the SPL. Every financially significant program stored in the SPL can be assigned a separate password.
- Separate test libraries: programs are copied into the programmer's library for maintenance and testing. Direct access to the production SPL is limited to an authorized librarian who must approve all requests to modify, delete, and copy programs.
- Audit trail and management reports: an important feature of SPL management software is the creation of reports that enhance management control and the audit function. These reports should be part of the documentation file of each application to form an audit trail of program changes over the life of the application.
- Program version numbers: the SPLMS assigns a version number automatically to each program on the SPL. With each modification to the program, the version number is increased by 1. This feature, when combined with audit trail reports, provides evidence for identifying unauthorized changes to program modules.
- Controlling access to maintenance commands: maintenance commands, if not controlled, open the possibility of unrecorded, and perhaps unauthorized, program modifications. Hence, access to the maintenance commands themselves should be password-controlled, and the authority to use them should be controlled by management or the security group.
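
The reconciliation that version numbers and audit trail reports make possible, sketched as an added example (it is not from Hall's text or from any SPLMS product). The record layouts, program names, user IDs and change-request IDs are constructed for illustration; the four flags on each request are the four maintenance controls listed earlier.

```python
"""Reconcile SPL version numbers with the audit trail and approved changes."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical record layouts: a real SPLMS report has its own field names.
@dataclass(frozen=True)
class ChangeRequest:
    request_id: str
    program: str
    authorized: bool   # formal authorization
    specified: bool    # technical specification of the changes
    retested: bool     # retesting the system
    documented: bool   # updating the documentation

@dataclass(frozen=True)
class TrailEntry:
    program: str
    old_version: int
    new_version: int
    user: str
    request_id: Optional[str]

CONTROLS = ("authorized", "specified", "retested", "documented")

def reconcile(baseline, current, trail, requests, librarians):
    """Return sorted (program, finding) pairs, one per control exception."""
    findings = set()
    by_id = {r.request_id: r for r in requests}
    expected = dict(baseline)  # version each program should hold per the trail

    for e in trail:
        prev = expected.get(e.program, 0)
        # Every modification must raise the version by exactly 1.
        if e.old_version != prev or e.new_version != e.old_version + 1:
            findings.add((e.program,
                          f"version gap: trail jumps {prev} -> {e.new_version}"))
        expected[e.program] = e.new_version

        # Only the librarian may write to the production SPL.
        if e.user not in librarians:
            findings.add((e.program,
                          f"production SPL written by non-librarian {e.user}"))

        # Each new version needs a change request with all four controls.
        req = by_id.get(e.request_id)
        if req is None or req.program != e.program:
            findings.add((e.program,
                          f"v{e.new_version} has no matching change request"))
            continue
        missing = [c for c in CONTROLS if not getattr(req, c)]
        if missing:
            findings.add((e.program,
                          f"v{e.new_version} ({req.request_id}) missing: "
                          + ", ".join(missing)))

    # A library version the trail cannot account for bypassed the SPLMS log.
    for program, version in current.items():
        known = expected.get(program, 0)
        if version != known:
            findings.add((program,
                          f"SPL holds v{version} but trail accounts for v{known}"))
    return sorted(findings)

# Constructed sample data (not from any real system).
BASELINE = {"PAYROLL": 3, "AR_POST": 7, "GL_CLOSE": 2}   # last audited versions
CURRENT = {"PAYROLL": 4, "AR_POST": 9, "GL_CLOSE": 3}    # versions now in the SPL
LIBRARIANS = {"lib_amora"}
REQUESTS = [
    ChangeRequest("CR-101", "PAYROLL", True, True, True, True),
    ChangeRequest("CR-102", "AR_POST", True, True, False, False),
]
TRAIL = [
    TrailEntry("PAYROLL", 3, 4, "lib_amora", "CR-101"),
    TrailEntry("AR_POST", 7, 8, "lib_amora", "CR-102"),
    TrailEntry("GL_CLOSE", 2, 3, "prog_jdoe", None),
]

if __name__ == "__main__":
    for program, finding in reconcile(BASELINE, CURRENT, TRAIL, REQUESTS, LIBRARIANS):
        print(f"{program:9} {finding}")
```

In the sample, PAYROLL reconciles cleanly, while AR_POST shows both an incomplete change request and a version the trail cannot account for, which is the unrecorded-modification case that uncontrolled maintenance commands allow.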

Thank You !
