Understanding the Software Development Life Cycle — IT Certificate
TOPIC 5: AUDITING DEVELOPMENT PROJECT REVIEWS
Overview
Internal auditors often participate in IT projects in a consulting capacity. They are also asked to
conduct assessment engagements pre- or post-implementation.
Sometimes, you may combine pre- and post-work together by testing some key functionality prior to
launching, and then testing the remaining key control points after launching.
Internal audit participation is directly dependent upon resource levels and management requests,
and can include both assessment and consulting activities.
Assessing Project Related Risks
Internal auditing can contribute to the success of system development projects by assessing project-
related risks as supported by IIA Standard 2100: Nature of Work. Standard 2100 states, “The internal
audit activity must evaluate and contribute to the improvement of the organization’s governance,
risk management, and control processes using a systematic, disciplined, and risk-based approach.
Internal audit credibility and value are enhanced when auditors are proactive, and their evaluations
offer new insights and consider future impact.”
To be able to audit systems in development, “Internal auditors must have sufficient knowledge
of key information technology risks and controls and available technology-based audit techniques
to perform their assigned work. However, not all internal auditors are expected to have the expertise
of an internal auditor whose primary responsibility is information technology auditing,” as stated in
IIA Standard 1210.A3: Proficiency.
Internal auditors can contribute to the success of system development projects by focusing on areas
such as security controls, or they can play a role in evaluating compliance with the SDLC.
Internal Audit — Project Engagement
Internal auditors can add significant value to a project by engaging early and supporting the project
team throughout the project life cycle. They may be asked to support the project in various
capacities, ranging from consultative reviews to formal audits. Multiple roles can create the
potential for perceived impairment of auditor independence.
The IT auditor should provide reasonable assurance that his or her interest will not impair the
objectivity of the review, and by participating, he or she is providing advice without being
responsible for making decisions as supported by IIA Standard 1220: Individual Objectivity. Standard
1220 states, “Internal auditors must have an impartial, unbiased attitude and avoid any conflict of
interest.”
Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.