
03 - System and Infrastructure Life Cycle Management

This document discusses system and infrastructure life cycle management. It covers auditing operating system and database controls, generalized audit software as an effective tool, auditing application controls, data integrity testing, and auditing system development, acquisition, and maintenance. The key topics covered include the system development life cycle, common OS security parameters, reviewing database user privileges, benefits of using generalized audit software, and an auditor's role in evaluating controls throughout the system life cycle.

Uploaded by genius_blue
Copyright © Attribution Non-Commercial (BY-NC)

System and Infrastructure Life-Cycle Management

Learning Objectives

1. System Development Management Control and IS Audit
2. Audit OS & DB Controls
3. GAS: Efficient and Effective Tool
4. Auditing Application Controls
5. Auditing System Development, Acquisition and Maintenance

System Development Life Cycle

1. Systems planning
2. Systems analysis
3. Conceptual design
4. Systems evaluation and selection
5. Detailed design
6. Programming and testing systems
7. Systems implementation
8. Systems maintenance

Auditing OS and Database Controls

- Information needs to be secured to control specific risks
- Data physically reside on a hard disk
- The operating system envelops the hardware and is the primary link between the software and the physical data
- The store keeper logs into a menu that allows receipt of goods or issue of stocks
- The user does not need to know what OS is being used, and the user's only interaction is with the application software

Auditing OS and Database Controls - Auditing OS

- Evaluating whether the security features have been enabled and parameters have been set to values consistent
- Some of the most common security parameters that can be evaluated are password rules, such as minimum password length, password history, password required, compulsory password aging, lock-out on unsuccessful logins, login station, and time restrictions.
- Ascertain whether access privileges given to various users are appropriate
- Obtain the list of user IDs in the system and map these with actual users
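The two OS audit tests on this slide (password parameters against a baseline, and user IDs mapped to actual users) can be scripted. This is an added example, not part of the original slides; the parameter names, baseline values, account list and staff list are all constructed assumptions.

```python
# Added example: baseline values and all sample data are constructed assumptions.
# Rule "min" = at least the baseline, "max" = at most, "eq" = exactly.
BASELINE = [
    ("min_password_length", "min", 12),
    ("password_history", "min", 5),
    ("password_required", "eq", True),
    ("max_password_age_days", "max", 90),
    ("lockout_threshold", "max", 5),
]

def check_parameters(settings):
    """Return (parameter, reason) for values that are unset or weaker than baseline."""
    findings = []
    for name, rule, base in BASELINE:
        value = settings.get(name)
        if value is None:
            findings.append((name, "not set"))
        # For "max" rules, 0 is assumed to mean "feature disabled" (never
        # expires / never locks out), so it is reported as a finding too.
        elif ((rule == "min" and value < base)
              or (rule == "max" and (value > base or value <= 0))
              or (rule == "eq" and value != base)):
            findings.append((name, f"{value} (baseline {rule} {base})"))
    return findings

def map_user_ids(os_accounts, staff):
    """Map each enabled user ID to an actual user; return the exceptions."""
    exceptions = []
    for uid, enabled in sorted(os_accounts.items()):
        if not enabled:
            continue  # disabled IDs cannot log in, so they are not exceptions
        person = staff.get(uid)
        if person is None:
            exceptions.append((uid, "no matching user"))
        elif person["status"] != "active":
            exceptions.append((uid, "user has left but ID is enabled"))
    return exceptions

# Constructed sample: effective OS settings, OS account list, staff list.
SETTINGS = {"min_password_length": 6, "password_history": 5,
            "password_required": True, "max_password_age_days": 0}
OS_ACCOUNTS = {"asmith": True, "bjones": True, "store01": True, "clee": False}
STAFF = {"asmith": {"status": "active"}, "bjones": {"status": "terminated"},
         "clee": {"status": "terminated"}}

if __name__ == "__main__":
    for finding in check_parameters(SETTINGS) + map_user_ids(OS_ACCOUNTS, STAFF):
        print(finding)
```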

Auditing OS and Database Controls - Auditing Database

- Frequent use of a database
- The data in the DBMS can be manipulated directly, without the application. This can be done by using DBMS utilities and features, such as SQL (Structured Query Language), if the user can gain access to the DBMS
- Review security in the DBMS through a review of user IDs, the privileges associated

Generalized Audit Software - Effective and Efficient Tool for Today's IT Audits

- Experts say that generalized audit software (GAS) is the most common computer-assisted audit tool (CAAT) used in recent years
- IT auditors of the profitable return on learning and using GAS
- Computerized antifraud audit procedures that are run regularly against organizational databases
- GAS can be useful in testing internal controls embedded in information systems
- Demands on IT and internal auditors are increasing
- More efficient to fulfill all of the responsibilities

Benefits of Using a GAS

- Auditor does not review a sample of the data, but rather reviews or examines 100 percent of the data and transactions
- Using ACL to analyze transactions, or data mine
- The data in ACL are locked down as read-only
- The commands in ACL are auditor-friendly

Auditing Application Controls

IS auditor's tasks:
- Identifying the significant application
- Identifying the application control strengths and evaluating the impact of the control weaknesses
- Reviewing application system documentation to provide an understanding of the functionality of the application

Data Integrity Testing

- Set of substantive tests that examines accuracy, completeness, consistency and authorization of data
- Will indicate failures in input or processing controls
- Controls for ensuring the integrity of accumulated data in a file can be exercised by regularly checking data in the file

Data Integrity in Online TPS

- Atomicity: From a user perspective, a transaction is either completed in its entirety (i.e., all relevant database tables are updated) or not at all. If an error or interruption occurs, all changes made up to that point are backed out.
- Consistency: All integrity conditions in the database are maintained with each transaction, taking the database from one consistent state into another consistent state.
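Atomicity and consistency can be tested directly against a database. The following is an added example, not part of the original slides: it uses SQLite and the store keeper's issue-of-stock scenario from the earlier slide, and the table names, item and quantities are constructed assumptions.

```python
import sqlite3

def open_store():
    """In-memory stock database; schema and rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE stock (item TEXT PRIMARY KEY,
                            qty INTEGER NOT NULL CHECK (qty >= 0));
        CREATE TABLE issues (item TEXT NOT NULL, qty INTEGER NOT NULL);
        INSERT INTO stock VALUES ('bolt', 10);
    """)
    return conn

def issue_stock(conn, item, qty):
    """Record an issue and reduce stock on hand as one transaction."""
    try:
        with conn:  # commits on success, rolls back on any exception
            conn.execute("INSERT INTO issues VALUES (?, ?)", (item, qty))
            # Consistency: the CHECK constraint rejects negative stock.
            conn.execute("UPDATE stock SET qty = qty - ? WHERE item = ?",
                         (qty, item))
        return True
    except sqlite3.IntegrityError:
        # Atomicity: the issue row inserted above has been backed out.
        return False

def state(conn):
    """Return (bolts on hand, number of issue rows, total quantity issued)."""
    on_hand = conn.execute(
        "SELECT qty FROM stock WHERE item = 'bolt'").fetchone()[0]
    rows, total = conn.execute(
        "SELECT COUNT(*), COALESCE(SUM(qty), 0) FROM issues").fetchone()
    return on_hand, rows, total

if __name__ == "__main__":
    conn = open_store()
    print(issue_stock(conn, "bolt", 4), state(conn))   # valid issue
    print(issue_stock(conn, "bolt", 20), state(conn))  # exceeds stock on hand
    on_hand, _, total = state(conn)
    # Data integrity test: opening quantity minus issues equals stock on hand.
    print("reconciles:", 10 - total == on_hand)
```

The second call fails on the stock update, and the state is unchanged afterwards: no issue row is left behind without its matching stock reduction.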

Data Integrity in Online TPS

- Isolation: Each transaction is isolated from other transactions and hence each transaction only accesses data that are part of a consistent database state.
- Durability: If a transaction has been reported back to a user as complete, the resulting changes to the database survive subsequent hardware or software failures.

Auditing System Development, Acquisition and Maintenance

IS auditor's tasks:
- Meet with key systems development and user project team members
- Discuss to determine and rank the major risks
- Identify controls to mitigate the risks
- Evaluate the design of the system and implementation of controls

Auditing System Development, Acquisition and Maintenance

IS auditor's tasks:
- Periodically meet to monitor the systems development process
- Post implementation reviews
- Review appropriate documentation
- Discuss and examine supporting records to test system

Auditing System Development, Acquisition and Maintenance

IS auditor's tasks:
- Analyze test results and other audit evidence to evaluate the system maintenance process to determine whether control objectives were achieved.
- Identify and test existing controls to determine the adequacy of production library security to ensure the integrity of the production resources
