Page 46 - ITGC_Audit Guides

Regardless of which project management methodology is followed, three activities must be accomplished to develop a reliable application:

1. Strategic planning and design.
2. Development and testing.
3. Implementation and maintenance.

Practicing a disciplined application development approach strengthens an organization's capability maturity from an ad hoc manual activity to optimized systematic practices. Done well, application development can have a positive impact by:

• Enhancing ongoing engagement with external (e.g., customer and supplier) and internal (e.g., direct report and cross-organizational) relationships.
• Determining data integrity, through logic and business rules that ensure data is authorized, complete, and accurate.
• Ensuring information is available and communicated in a timely manner so that decisive action can be taken.
A structured approach will help accelerate transformative change in a controlled way:

• Access controls safeguard the transition from strategic design through code development and implementation.
• Protecting source code ensures that only the application changes approved by management advance.
• Robust testing gives assurance that the design functions reliably, and operates with interdependent technologies, according to management's expectations.
• Documentation and training provide for the suitable and consistent use of the application.

Ongoing maintenance keeps applications fit-for-purpose and ensures system availability, security, and integrity.

Changes to applications and controls

Whether computer programs are developed internally or by others to the organization's specifications, controls are necessary to ensure that application changes are designed appropriately and implemented effectively. This protects an application's production (live) environment.

Resources: For more information on change management in relation to applications, please see IIA GTAG "IT Change Management: Critical for Organizational Success, 3rd Edition."
Changes should follow management's change protocols. Each should be requested, scoped, and approved by the appropriate business function. Change initiatives should be evaluated for benefit and priority and tracked with a service order or ticket number. The impact and risk posed by the change should be considered when scoping the effort and timing of the project, and appropriate resources with expertise should be assigned to carry out the change.

Change requests should be designed based on documented requirements directed by the appropriate business unit, and proper segregation of duties controls should exist throughout the

                   38 — theiia.org