03 - system and infrastructure life cycle management
TRANSCRIPT
8/3/2019 03 - System and Infrastructure Life Cycle Management
http://slidepdf.com/reader/full/03-system-and-infrastructure-life-cycle-management 1/15
System and Infrastructure Life-Cycle Management
Learning Objectives
1. System Development Management Control and IS Audit
2. Audit OS & DB Controls
3. GAS: Efficient and Effective Tool
4. Auditing Application Controls
5. Auditing System Development, Acquisition and Maintenance
System Development Life Cycle
1. Systems planning
2. Systems analysis
3. Conceptual design
4. Systems evaluation and selection
5. Detailed design
6. Programming and testing systems
7. Systems implementation
8. Systems maintenance
Auditing OS and Database Controls
- Information needs to be secured to control specific risks
- Data physically reside on a hard disk
- The operating system envelops the hardware and is the primary link between the software and the physical data
- The store keeper logs into a menu that allows receipt of goods or issue of stocks
- The user does not need to know which OS is being used; the user's only interaction is with the application software
Auditing OS and Database Controls - Auditing OS
- Evaluate whether the security features have been enabled and the parameters have been set to consistent values
- Some of the most common security parameters that can be evaluated are password rules, such as minimum password length, password history, password required, compulsory password aging, lock-out on unsuccessful logins, login station, and time restrictions.
- Ascertain whether the access privileges given to the various users are appropriate
- Obtain the list of user IDs in the system and map these to actual users
Auditing OS and Database Controls - Auditing Database
- Frequent use of a database
- The data in the DBMS can be manipulated directly, without the application. This can be done by using DBMS utilities and features, such as SQL (Structured Query Language), if the user can gain access to the DBMS
- Review security in the DBMS through a review of the user IDs and the privileges associated with them
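The two slides above (auditing the OS and auditing the database) each come down to comparing what is configured against what should be: security parameters against a baseline, system user IDs against the people who should hold them, and DBMS grants against the privileges each role is approved for. The script below is an added example, not part of the slides or of any product; the baseline values, the HR roster, the role matrix and the exported grants are all constructed samples, and the field names are hypothetical.

```python
"""Added example (not from the slides): three checks an IS auditor might script
when reviewing OS and DBMS controls. All inputs below are constructed samples."""

# --- 1. OS security parameters against a baseline -------------------------
# Hypothetical audit expectations for the parameters the slide lists.
BASELINE = {
    "min_password_length": ("min", 12),
    "password_history": ("min", 10),
    "password_required": ("eq", True),
    "max_password_age_days": ("max", 90),
    "lockout_threshold": ("max", 5),
}

def evaluate_parameters(actual: dict) -> list:
    """Return (parameter, actual_value, expected_rule) for every deviation.

    A parameter missing from the exported configuration is reported as well:
    'not set' normally means the OS default applies, which must be verified."""
    findings = []
    for name, (rule, expected) in BASELINE.items():
        if name not in actual:
            findings.append((name, None, f"{rule} {expected}"))
            continue
        value = actual[name]
        ok = ((rule == "min" and value >= expected)
              or (rule == "max" and value <= expected)
              or (rule == "eq" and value == expected))
        if not ok:
            findings.append((name, value, f"{rule} {expected}"))
    return findings

# --- 2. Map system user IDs to actual users --------------------------------
def reconcile_accounts(system_ids: set, hr_roster: dict) -> dict:
    """hr_roster maps user ID -> (person or purpose, status).
    Returns the IDs needing follow-up: unknown to HR, or belonging to a leaver."""
    unmapped = {uid for uid in system_ids if uid not in hr_roster}
    leavers = {uid for uid in system_ids
               if uid in hr_roster and hr_roster[uid][1] == "left"}
    return {"unmapped": unmapped, "leavers": leavers}

# --- 3. DBMS grants against an approved role matrix ------------------------
def review_grants(grants: list, approved: dict, roles: dict) -> list:
    """grants: (user, privilege, object) rows as exported from the DBMS.
    roles: user -> role.  approved: role -> set of (privilege, object);
    the object "*" means the privilege is approved on every table.
    Every grant not covered by the user's role is an exception to explain."""
    exceptions = []
    for user, priv, obj in grants:
        role = roles.get(user)
        allowed = approved.get(role, set())
        if (priv, obj) not in allowed and (priv, "*") not in allowed:
            exceptions.append((user, role, priv, obj))
    return exceptions

# Constructed sample inputs (hypothetical values).
SAMPLE_OS_PARAMS = {"min_password_length": 8, "password_history": 10,
                    "password_required": True, "max_password_age_days": 365}
# lockout_threshold is deliberately absent from the export.
SAMPLE_SYSTEM_IDS = {"jsmith", "mlee", "svc_backup", "tmp_admin"}
SAMPLE_HR = {"jsmith": ("Jane Smith", "active"),
             "mlee": ("Mark Lee", "left"),
             "svc_backup": ("Backup service account", "active")}
SAMPLE_ROLES = {"app_inventory": "application", "jsmith": "analyst"}
SAMPLE_APPROVED = {"application": {("SELECT", "*"), ("INSERT", "*"), ("UPDATE", "*")},
                   "analyst": {("SELECT", "stock")}}
SAMPLE_GRANTS = [("app_inventory", "SELECT", "stock"),
                 ("app_inventory", "DROP", "stock"),
                 ("jsmith", "SELECT", "stock"),
                 ("jsmith", "UPDATE", "stock")]

def run_review() -> dict:
    """Run all three checks over the constructed samples."""
    return {
        "parameters": evaluate_parameters(SAMPLE_OS_PARAMS),
        "accounts": reconcile_accounts(SAMPLE_SYSTEM_IDS, SAMPLE_HR),
        "grants": review_grants(SAMPLE_GRANTS, SAMPLE_APPROVED, SAMPLE_ROLES),
    }

if __name__ == "__main__":
    for section, result in run_review().items():
        print(section, result)
```

On the sample data the parameter check reports the short minimum length, the 365-day password age and the missing lock-out setting; the account reconciliation flags `tmp_admin` (no owner) and `mlee` (a leaver whose ID still exists); and the grant review flags the application account's `DROP` privilege and the analyst's `UPDATE` on `stock`. Each of those is exactly the kind of item the slides say the auditor should ascertain, and the script produces it for 100 percent of the exported rows rather than a sample.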
Generalized Audit Software - Effective and Efficient Tool for Today's IT Audits
- Experts say that generalized audit software (GAS) is the most common computer-assisted audit tool (CAAT) used in recent years
- IT auditors benefit from the profitable return on learning and using GAS
- Computerized antifraud audit procedures can be run regularly against organizational databases
- GAS can be useful in testing internal controls embedded in information systems
- Demands on IT and internal auditors are increasing
- GAS makes it more efficient to fulfill all of those responsibilities
Benefits of Using a GAS
- The auditor does not review a sample of the data, but rather reviews or examines 100 percent of the data and transactions
- Using ACL to analyze transactions, or to data mine
- The data in ACL are locked down as read-only
- The commands in ACL are auditor-friendly
Auditing Application Controls
IS auditor's tasks:
- Identifying the significant application
- Identifying the application control strengths and evaluating the impact of the control weaknesses
- Reviewing application system documentation to gain an understanding of the functionality of the application
Data Integrity Testing
- A set of substantive tests that examines the accuracy, completeness, consistency and authorization of data
- Will indicate failures in input or processing controls
- Controls for ensuring the integrity of accumulated data in a file can be exercised by regularly checking the data in the file
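The slide names four properties to test (accuracy, completeness, consistency, authorization) but does not show what such a test looks like. The script below is an added example, not from the slides: it runs one substantive test per property over every record of a constructed stock-movement extract, in the 100-percent style the GAS slides describe. The file layout, the control total and the rules (a receipt is a positive quantity, an issue is negative, stock on hand may never go negative, every movement needs an approver from an authorized list) are hypothetical.

```python
"""Added example (not from the slides): substantive data integrity tests run
over every row of a constructed stock-movement extract."""
from collections import Counter

# Constructed sample extract, one row per stock movement. Four rows carry a
# deliberate defect so that each test below has something to report.
MOVEMENTS = [
    {"id": 1, "sku": "A100", "qty": 40,  "type": "RECEIPT", "approver": "mgr1", "ref": "PO-1"},
    {"id": 2, "sku": "A100", "qty": -15, "type": "ISSUE",   "approver": "mgr1", "ref": "REQ-7"},
    {"id": 3, "sku": "B200", "qty": 25,  "type": "RECEIPT", "approver": "",     "ref": "PO-2"},   # no approver
    {"id": 4, "sku": "A100", "qty": -30, "type": "ISSUE",   "approver": "mgr2", "ref": "REQ-8"},  # drives A100 negative
    {"id": 4, "sku": "C300", "qty": 10,  "type": "RECEIPT", "approver": "mgr1", "ref": "PO-3"},   # duplicate id
    {"id": 6, "sku": "B200", "qty": 5,   "type": "ISSUE",   "approver": "mgr2", "ref": "REQ-9"},  # issue with positive qty
]
AUTHORIZED_APPROVERS = {"mgr1", "mgr2"}
# Control total agreed with the source system (hypothetical): ids 1 to 6.
EXPECTED_IDS = range(1, 7)

def check_completeness(rows) -> dict:
    """Every expected record present exactly once: report gaps and duplicates."""
    counts = Counter(r["id"] for r in rows)
    missing = sorted(set(EXPECTED_IDS) - set(counts))
    duplicates = sorted(i for i, n in counts.items() if n > 1)
    return {"missing": missing, "duplicates": duplicates}

def check_accuracy(rows) -> list:
    """Field values agree with each other: the sign of qty must match the type."""
    bad = []
    for r in rows:
        if r["type"] == "RECEIPT" and r["qty"] <= 0:
            bad.append(r["id"])
        elif r["type"] == "ISSUE" and r["qty"] >= 0:
            bad.append(r["id"])
    return bad

def check_consistency(rows) -> list:
    """Accumulated data stay plausible: the running balance per SKU never drops below zero."""
    balance, negative = {}, []
    for r in rows:
        balance[r["sku"]] = balance.get(r["sku"], 0) + r["qty"]
        if balance[r["sku"]] < 0:
            negative.append((r["id"], r["sku"], balance[r["sku"]]))
    return negative

def check_authorization(rows) -> list:
    """Each movement was approved by someone entitled to approve it."""
    return [r["id"] for r in rows if r["approver"] not in AUTHORIZED_APPROVERS]

def run_integrity_tests(rows=MOVEMENTS) -> dict:
    """Run all four tests; any non-empty result points at an input or processing control failure."""
    return {
        "completeness": check_completeness(rows),
        "accuracy": check_accuracy(rows),
        "consistency": check_consistency(rows),
        "authorization": check_authorization(rows),
    }

if __name__ == "__main__":
    for test, result in run_integrity_tests().items():
        print(f"{test:14} {result}")
```

Each finding maps back to a control: a missing or duplicated id points at input or transmission controls, a wrongly signed quantity at input validation, a negative balance at processing controls, and a blank approver at the authorization control. Running the same four checks on every load of the file is the "regularly checking data in the file" the last bullet refers to.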
Data Integrity in Online TPS
- Atomicity: From a user perspective, a transaction is either completed in its entirety (i.e., all relevant database tables are updated) or not at all. If an error or interruption occurs, all changes made up to that point are backed out.
- Consistency: All integrity conditions in the database are maintained with each transaction, taking the database from one consistent state into another consistent state.
Data Integrity in Online TPS
- Isolation: Each transaction is isolated from other transactions, and hence each transaction only accesses data that are part of a consistent database state.
- Durability: If a transaction has been reported back to a user as complete, the resulting changes to the database survive subsequent hardware or software failures.
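The four properties on the two slides above are easiest to see when each one is made to fail or hold on a real transaction. The script below is an added example, not from the slides: it models a stock issue as a transaction that touches two tables (a movement row and the stock balance) in SQLite, which ships with Python. The schema, the CHECK constraint that forbids negative stock, and the quantities are all constructed; the point is to watch atomicity back out the movement row when the balance update fails, consistency reject the invalid state, isolation hide an uncommitted update from a second connection, and durability keep a committed update across a close and reopen of the database file.

```python
"""Added example (not from the slides): the ACID properties exercised on a
small SQLite database. Schema and data are constructed for the demonstration."""
import os
import sqlite3
import tempfile

SCHEMA = """
CREATE TABLE stock (sku TEXT PRIMARY KEY,
                    qty INTEGER NOT NULL CHECK (qty >= 0));   -- integrity condition
CREATE TABLE movement (id INTEGER PRIMARY KEY, sku TEXT NOT NULL, qty INTEGER NOT NULL,
                       FOREIGN KEY (sku) REFERENCES stock(sku));
INSERT INTO stock VALUES ('A100', 20);
"""

def open_db(path: str) -> sqlite3.Connection:
    """isolation_level=None so that BEGIN/COMMIT/ROLLBACK are issued explicitly below."""
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute("PRAGMA foreign_keys = ON")
    return conn

def issue_stock(conn: sqlite3.Connection, sku: str, qty: int) -> bool:
    """Record an issue as ONE transaction: insert the movement, then decrement stock.
    Returns True if committed, False if every change was rolled back."""
    try:
        conn.execute("BEGIN")
        conn.execute("INSERT INTO movement (sku, qty) VALUES (?, ?)", (sku, -qty))
        conn.execute("UPDATE stock SET qty = qty - ? WHERE sku = ?", (qty, sku))
        conn.execute("COMMIT")
        return True
    except sqlite3.Error:          # CHECK or FOREIGN KEY violation, or any other failure
        conn.execute("ROLLBACK")   # atomicity: the movement row inserted above is backed out too
        return False

def on_hand(conn: sqlite3.Connection, sku: str) -> int:
    # fetchall() finishes the statement so the reader holds no lock afterwards
    return conn.execute("SELECT qty FROM stock WHERE sku = ?", (sku,)).fetchall()[0][0]

def run_demo() -> dict:
    path = os.path.join(tempfile.mkdtemp(), "tps.db")
    conn = open_db(path)
    conn.executescript(SCHEMA)
    result = {}

    # Atomicity + consistency: issuing 50 when 20 are on hand violates CHECK (qty >= 0).
    # The movement row was inserted first, so it must disappear with the rollback.
    result["oversell_committed"] = issue_stock(conn, "A100", 50)
    result["movements_after_failed_issue"] = conn.execute(
        "SELECT COUNT(*) FROM movement").fetchall()[0][0]
    result["stock_after_failed_issue"] = on_hand(conn, "A100")

    # Isolation: a second connection reads the last consistent state, not the
    # uncommitted update in progress on the first connection.
    other = open_db(path)
    conn.execute("BEGIN")
    conn.execute("UPDATE stock SET qty = qty - 5 WHERE sku = 'A100'")
    result["seen_by_other_during_txn"] = on_hand(other, "A100")
    conn.execute("ROLLBACK")
    other.close()

    # Durability: once the issue is reported as committed, closing and reopening
    # the database file (standing in for a restart) still shows the new balance.
    result["issue_committed"] = issue_stock(conn, "A100", 5)
    conn.close()
    reopened = open_db(path)
    result["stock_after_reopen"] = on_hand(reopened, "A100")
    reopened.close()
    return result

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:30} {value}")
```

The useful observations are the negative ones: after the oversell attempt the movement table is still empty and the balance is still 20, and the second connection sees 20 while the first has an uncommitted decrement pending. An auditor testing an online TPS is looking for exactly those outcomes when a transaction is interrupted part-way through.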
Auditing System Development, Acquisition and Maintenance
IS auditor's tasks:
- Meet with key systems development and user project team members
- Discuss to determine and rank the major risks
- Identify controls to mitigate the risks
- Evaluate the design of the system and the implementation of controls
Auditing System Development, Acquisition and Maintenance
IS auditor's tasks:
- Periodically meet to monitor the systems development process
- Post-implementation reviews
- Review appropriate documentation
- Discuss and examine supporting records to test the system
Auditing System Development, Acquisition and Maintenance
IS auditor's tasks:
- Analyze test results and other audit evidence to evaluate the system maintenance process and determine whether the control objectives were achieved.
- Identify and test existing controls to determine the adequacy of production library security and so ensure the integrity of the production resources