systems development life cycle & applications system

1 / 125

Systems Development Life Cycle & Systems Development Life Cycle &

Applications SystemApplications System

Distributed by AGASS (http://www.agass.org)

2 / 125

Chapter 1 Chapter 1

Business Application Development Framework Business Application Development Framework


3 / 125

Learning GoalsLearning Goals

The need for structured system development The need for structured system development The various phases of Software Development The various phases of Software Development

Life Cycle - SDLC and their interrelationship in Life Cycle - SDLC and their interrelationship in brief brief

Feasibility Study Feasibility Study System Requirement Analysis System Requirement Analysis Hardware and software acquisition Hardware and software acquisition


4 / 125

IntroductionIntroduction

Logical starting point in the entire life cycle of a Logical starting point in the entire life cycle of a computerized system. computerized system.

Activities starts when :Activities starts when : decides to go for computerizationdecides to go for computerization migrate from existing computerized system to a new migrate from existing computerized system to a new

one one

Understanding of why and how systems are Understanding of why and how systems are deployed deployed


5 / 125

Introduction…Introduction…

A System can be defined as “a collection of inter-related A System can be defined as “a collection of inter-related components or sub-systems”. E.g. our solar system – consisting of components or sub-systems”. E.g. our solar system – consisting of Sun and planets, our body can be considered as a system of Sun and planets, our body can be considered as a system of collection of organs, bones, tissues, blood etc. collection of organs, bones, tissues, blood etc.

Business - collection of systems such as manufacturing, stores, Business - collection of systems such as manufacturing, stores, purchase, administration, accounts and so on. purchase, administration, accounts and so on.

Systems have a life span after which they will be replaced. Systems Systems have a life span after which they will be replaced. Systems will become obsolete due to..will become obsolete due to.. Technology may become outdatedTechnology may become outdated People using the system may changePeople using the system may change Government or other regulatory change may render the systems obsolete.Government or other regulatory change may render the systems obsolete. Business needs are expanded due to expansion of business, mergers, take-Business needs are expanded due to expansion of business, mergers, take-

overs etc.overs etc. With the increased use of computers, it is necessary to have more With the increased use of computers, it is necessary to have more

organized ways of developing systems and proceduresorganized ways of developing systems and proceduresDistributed by AGASS (http://www.agass.org)

6 / 125

Introduction …Introduction …

SDLC gives way to all other activities covered in SDLC gives way to all other activities covered in other modules such as :other modules such as : protection of IT assetsprotection of IT assets business continuity business continuity IS Audit Process etc.IS Audit Process etc.


7 / 125

Characteristics of a SystemCharacteristics of a System

Each system consists of inter-related sub-systems or Each system consists of inter-related sub-systems or componentscomponents

System has an identifiable boundary and works within it’s System has an identifiable boundary and works within it’s boundaryboundary

Each system will have Purpose of existenceEach system will have Purpose of existence Environment of the system – external to the systemEnvironment of the system – external to the system Interface to the system – for interaction with environmentInterface to the system – for interaction with environment Inputs to the system – e.g. dataInputs to the system – e.g. data Outputs generated by the system - informationOutputs generated by the system - information Constraints or business rules for the systemConstraints or business rules for the system


8 / 125

Business Application DevelopmentBusiness Application Development

Developing or acquiring and maintaining application systems which Developing or acquiring and maintaining application systems which will be used for various day-to-day business activities. will be used for various day-to-day business activities.

The effective management and control of this development. The effective management and control of this development.

The SDLC involves defined phases,the phases may be undertaken in The SDLC involves defined phases,the phases may be undertaken in a serial manner or in a parallel manner.a serial manner or in a parallel manner.


9 / 125

Need for Structured Systems Development Need for Structured Systems Development Methodology Methodology

Software is not a tangible product which can be put to use Software is not a tangible product which can be put to use immediately immediately

Software products are not manufactured but are developed Software products are not manufactured but are developed by developers. Therefore, their quality heavily depends on by developers. Therefore, their quality heavily depends on the quality of people carrying out system development. the quality of people carrying out system development.

Developing software products in an organized manner Developing software products in an organized manner means :means : software development should be treated as a Projectsoftware development should be treated as a Project Schedules of completion and deliverables in a time line for Schedules of completion and deliverables in a time line for

various phasesvarious phases Resources and cost estimation for all the phasesResources and cost estimation for all the phases Quality standards for comparing products of every phaseQuality standards for comparing products of every phase


10 / 125

Risks associated with SDLC Risks associated with SDLC Necessary to know these risks prior to undertaking SDLC Necessary to know these risks prior to undertaking SDLC

projects. projects. The objective is to :The objective is to :

Identify risksIdentify risks Discovering methods to eliminate or mitigate themDiscovering methods to eliminate or mitigate them Accepting residual risk and going ahead with the projectAccepting residual risk and going ahead with the project

Some of the Risks :Some of the Risks : Cumbersome for the development team due to lot of Cumbersome for the development team due to lot of

documentation documentation The users may find that the end product is not visible for a long The users may find that the end product is not visible for a long

time.time. Due to formal structured methodology, duration of project may Due to formal structured methodology, duration of project may

be longer, thus it may not be suitable for small and medium sized be longer, thus it may not be suitable for small and medium sized organizations. organizations.


11 / 125

Software development : distinct processes Software development : distinct processes

Identifying the need or problem for the development - Identifying the need or problem for the development - Project Initiation, Feasibility Studies Project Initiation, Feasibility Studies

Specifying the system - Requirements AnalysisSpecifying the system - Requirements Analysis The potential benefits from new system - Feasibility The potential benefits from new system - Feasibility

StudyStudy Identification and evaluation of factors which affect Identification and evaluation of factors which affect

business - Project Initiation, Feasibility Studiesbusiness - Project Initiation, Feasibility Studies Designing of the system - System DesignDesigning of the system - System Design Programming - Developing source codeProgramming - Developing source code Program testingProgram testing Implementation Implementation


12 / 125

Project InitiationProject Initiation

Whenever a business entity decides (i.e. stakeholders in the business Whenever a business entity decides (i.e. stakeholders in the business or senior management) to undertake computerization, a Project will or senior management) to undertake computerization, a Project will have to be initiated. This process is called as Project Initiation. have to be initiated. This process is called as Project Initiation.

E.g. A new business application is required to be developed to E.g. A new business application is required to be developed to address a new or existing business process e.g. a billing systemaddress a new or existing business process e.g. a billing system

The outcome of Project Initiation is a formal Project Initiation The outcome of Project Initiation is a formal Project Initiation Report which is presented to senior management or BOD. Report which is presented to senior management or BOD.

This will be accepted with or without modifications and then the This will be accepted with or without modifications and then the next phases of SDLC will be rolled out. next phases of SDLC will be rolled out.

In case of SMEs or very small organizations, a formal Project In case of SMEs or very small organizations, a formal Project Initiation Report may not be prepared. Initiation Report may not be prepared.


13 / 125

Phases in SDLC Phases in SDLC

Feasibility StudyFeasibility StudyRequirements AnalysisRequirements AnalysisSystems DesignSystems DesignProgramming / ConstructionProgramming / ConstructionTesting Testing ImplementationImplementationPost-ImplementationPost-Implementation


14 / 125

Phase 1 - Feasibility StudyPhase 1 - Feasibility Study

Organizations cannot give unlimited resources, unlimited budgets Organizations cannot give unlimited resources, unlimited budgets and unlimited time-frames for projects. and unlimited time-frames for projects.

Therefore this requires a Feasibility Study covering the following Therefore this requires a Feasibility Study covering the following aspects of a project..aspects of a project..

EconomicEconomic TimeTime TechnicalTechnical OperationalOperational ResourcesResources BehavirouralBehaviroural Legal Legal

It is done by identification of problem, identification of objectives, It is done by identification of problem, identification of objectives, delineation of scope, conducting feasibility studydelineation of scope, conducting feasibility study


15 / 125

Phase 2 – Requirements AnalysisPhase 2 – Requirements Analysis

Understanding RequirementsUnderstanding Requirements Study of history, structure and cultureStudy of history, structure and culture Study of Information flows Study of Information flows Eliciting user requirementsEliciting user requirements Structured AnalysisStructured Analysis

Context and Data Flow Diagrams (DFD)Context and Data Flow Diagrams (DFD) Entity-Relationship diagramEntity-Relationship diagram Data dictionariesData dictionaries Decision Table / Decision Tree / Structured EnglishDecision Table / Decision Tree / Structured English State Transition diagramState Transition diagram


16 / 125

Phase 2 – Requirements Analysis…Phase 2 – Requirements Analysis…

System charts / program flow chartsSystem charts / program flow charts Interface in form of data entry screens and dialogue boxesInterface in form of data entry screens and dialogue boxes Report layoutsReport layouts In the industry, the Requirement Analysis is known by different In the industry, the Requirement Analysis is known by different

names such as names such as Systems Requirements Specifications (SRS), Systems Requirements Specifications (SRS), Business Requirements Specifications (BRS), Business Requirements Specifications (BRS), Users Requirements Specifications (URS) or Users Requirement Users Requirements Specifications (URS) or Users Requirement

Document (URD). Document (URD). Strictly speaking, all these will give different aspects of Strictly speaking, all these will give different aspects of

requirementsrequirements


17 / 125

Software AcquisitionSoftware Acquisition

Software acquisition is not considered as a standard phase in SDLCSoftware acquisition is not considered as a standard phase in SDLC Requirements analysis should be carried out even if software acquisition is Requirements analysis should be carried out even if software acquisition is

plannedplanned Request for Proposal – RFP should be prepared which should give at a Request for Proposal – RFP should be prepared which should give at a

minimum :minimum : Product vs System requirementsProduct vs System requirements Customer ReferencesCustomer References Vendor viability and financial stabilityVendor viability and financial stability Availability of complete and reliable documentation about the new softwareAvailability of complete and reliable documentation about the new software Vendor supportVendor support Response timeResponse time Source code availabilitySource code availability Vendor’s experienceVendor’s experience A list of recent or planned enhancements to the product with datesA list of recent or planned enhancements to the product with dates List of current custom¬ersList of current custom¬ers Acceptance testing of productAcceptance testing of product


18 / 125

Roles involved in SDLCRoles involved in SDLC

Steering CommitteeSteering Committee Project ManagerProject Manager Systems AnalystSystems Analyst Team LeaderTeam Leader ProgrammerProgrammer DBADBA Quality AssuranceQuality Assurance TesterTester Domain SpecialistDomain Specialist Technology SpecialistTechnology Specialist Documentation SpecialistDocumentation Specialist IS AuditorIS Auditor


19 / 125

Chapter 2 Chapter 2

Phases in Software Development Phases in Software Development


20 / 125


A clear understanding of all the phases of SDLC A clear understanding of all the phases of SDLC except the phase involving feasibility study and except the phase involving feasibility study and system requirement analysis, which we have seen system requirement analysis, which we have seen in Chapter 1.in Chapter 1.

This chapter will cover the phases of This chapter will cover the phases of Programming, Testing, Implementation and Post Programming, Testing, Implementation and Post implementationimplementation


21 / 125

System Design PhaseSystem Design Phase

Based on the requirements analysis done by development Based on the requirements analysis done by development team, a system will be designed. team, a system will be designed.

As explained in Chapter 1, if Software Acquisition is As explained in Chapter 1, if Software Acquisition is planned, then the next 2 phases viz Systems Design and planned, then the next 2 phases viz Systems Design and Programming will not be undertaken. Programming will not be undertaken.

In the last chapter, we have seen how Requirements In the last chapter, we have seen how Requirements Analysis is carried out by using Structured Analysis Analysis is carried out by using Structured Analysis technique. technique.

The same technique is used for describing the Design of The same technique is used for describing the Design of the system. the system.

We will now study some other aspects of Systems DesignWe will now study some other aspects of Systems Design


22 / 125

Systems DesignSystems Design

Developing system flowcharts to illustrate how the information Developing system flowcharts to illustrate how the information shall flow through the system. E.g. DFDs. shall flow through the system. E.g. DFDs.

Defining the applications through a series of data or process flow Defining the applications through a series of data or process flow diagrams, showing various relationships from the top level down to diagrams, showing various relationships from the top level down to the detail. E.g. E-R diagrams, data dictionaries etc.the detail. E.g. E-R diagrams, data dictionaries etc.

Describing inputs and outputs, such as screen design and reports. Describing inputs and outputs, such as screen design and reports. We shall describe this later.We shall describe this later.

Determining the processing steps and computation rules for the new Determining the processing steps and computation rules for the new solution. E.g. Decision Tables / trees and Structured Englishsolution. E.g. Decision Tables / trees and Structured English

Determining data file or database system file design. E-R diagram Determining data file or database system file design. E-R diagram and data dictionaries will lead to design of the tableand data dictionaries will lead to design of the table

Preparing the program specifications for the various types of Preparing the program specifications for the various types of requirements or information criteria defined. This topic is also requirements or information criteria defined. This topic is also beyond our current scope.beyond our current scope.


23 / 125

Systems Design …Systems Design …

Thus, this phase deals with the way the proposed Thus, this phase deals with the way the proposed system can be transformed into a working model. system can be transformed into a working model.

The steps involved in this phase are:The steps involved in this phase are:Architectural designArchitectural designDesign of data / Information flowDesign of data / Information flowDesign of databaseDesign of databaseDesign of user interfaceDesign of user interfacePhysical designPhysical designSelection of appropriate hardware and softwareSelection of appropriate hardware and software


24 / 125

Architectural designArchitectural design

Architectural design deals with the organisation of applications in Architectural design deals with the organisation of applications in terms of hierarchy of modules and sub-modules.terms of hierarchy of modules and sub-modules.

It is necessary to identify :It is necessary to identify : Major modules e.g. Masters, Transactions, Reports etcMajor modules e.g. Masters, Transactions, Reports etc Function and scope of each moduleFunction and scope of each module Interface features of each moduleInterface features of each module Modules that each module can call directly or indirectlyModules that each module can call directly or indirectly Data received from / sent to / modified in other modulesData received from / sent to / modified in other modules

The architectural design is made with the help of a technique called The architectural design is made with the help of a technique called as functional decomposition wherein top level functions are as functional decomposition wherein top level functions are decomposed (i.e. broken into) and inner-level functions are decomposed (i.e. broken into) and inner-level functions are discovered. This process is continued till our context is met with. discovered. This process is continued till our context is met with.


25 / 125

Design of data / Information flowDesign of data / Information flow

We have already seen this in the last chapter thru We have already seen this in the last chapter thru Context and DFDsContext and DFDs


26 / 125

Design of databaseDesign of database

We have seen what are entities and E-R diagrams in the last chapter. We have seen what are entities and E-R diagrams in the last chapter. In designing database, entities are described in detail, with their In designing database, entities are described in detail, with their

structure. structure. E.g. an Employee entity, obvious structure elements (also called as E.g. an Employee entity, obvious structure elements (also called as

attributes, fields, columns) would be Employee ID, Name, Address, attributes, fields, columns) would be Employee ID, Name, Address, Date of Birth etc. Date of Birth etc.

Only those attributes which are of current interest w.r.t. the current Only those attributes which are of current interest w.r.t. the current system (or system module) are only considered. system (or system module) are only considered.

When design of all entities is over, they can be put in a repository to When design of all entities is over, they can be put in a repository to form a Data Dictionary so that, common entities across the system form a Data Dictionary so that, common entities across the system can be used by other development team members. can be used by other development team members.


27 / 125

Design of database…Design of database…

The design of database consists of 4 major The design of database consists of 4 major activitiesactivitiesConceptual modeling – E-R digrams giving relationship Conceptual modeling – E-R digrams giving relationship

between entitiesbetween entitiesData modeling – describing data types, lengthData modeling – describing data types, lengthStorage structure design – how to store data on a Storage structure design – how to store data on a

physical device e.g. hard diskphysical device e.g. hard diskPhysical layout design – hard disk track level design is Physical layout design – hard disk track level design is

donedone


28 / 125

Design of user interfaceDesign of user interface

This is nothing but designing of data entry screens, dialogue boxesThis is nothing but designing of data entry screens, dialogue boxes Important aspects are...Important aspects are...

Menu navigation should be easy and promote the users to use the softwareMenu navigation should be easy and promote the users to use the software Screens with soothing foreground and background colours should be Screens with soothing foreground and background colours should be

designeddesigned Place for company logos, dates etc should be uniform throughout the Place for company logos, dates etc should be uniform throughout the

screensscreens For multipage screen layout, it is better to have tabs with page numbers For multipage screen layout, it is better to have tabs with page numbers

indicating on which page the user isindicating on which page the user is Mandatory fields should be indicated explicitlyMandatory fields should be indicated explicitly If system is going to take time for processing after a user action, it should If system is going to take time for processing after a user action, it should

be clearly displayed intermittently on screenbe clearly displayed intermittently on screen Developers should design screen by keeping in mind computer awareness Developers should design screen by keeping in mind computer awareness

level of users.level of users.Distributed by AGASS (http://www.agass.org)

29 / 125

Physical DesignPhysical Design

The logical design needs to be ultimately mapped or implemented The logical design needs to be ultimately mapped or implemented on a Physical Design. on a Physical Design.

E.g.hardware, operating system, database management system and E.g.hardware, operating system, database management system and any other software needed. any other software needed.

Generally, following types of components need to be selected and Generally, following types of components need to be selected and finalized. finalized. Hardware – e.g. hardware for servers, desktops etc.Hardware – e.g. hardware for servers, desktops etc. Power Systems – such as UPS, generators, line conditioners etc. Power Systems – such as UPS, generators, line conditioners etc. Networking and telecommunication equipment – such as hubs, switches, Networking and telecommunication equipment – such as hubs, switches,

routers, repeaters etcrouters, repeaters etc Operating system – e.g. Windows (XP, Windows 2003 etc), Unix or LinuxOperating system – e.g. Windows (XP, Windows 2003 etc), Unix or Linux RDBMS – such as Oracle or Microsoft SQL Server or MySQL etc. RDBMS – such as Oracle or Microsoft SQL Server or MySQL etc. Web server software – for web based systems server will have this software Web server software – for web based systems server will have this software

which will interact with database and application software which are loaded which will interact with database and application software which are loaded on servers (called as database and application servers). E.g. Internet on servers (called as database and application servers). E.g. Internet Information Server (IIS), Apache etc.Information Server (IIS), Apache etc.


30 / 125

Physical Design…Physical Design…

Types of components …Types of components … Transactions processing software and message queuing software Transactions processing software and message queuing software

– These are classified under Middleware since they are neither – These are classified under Middleware since they are neither near user (client or front-end) nor near machine (such as OS or near user (client or front-end) nor near machine (such as OS or RDBMS). Their main function is to process a transaction and/or RDBMS). Their main function is to process a transaction and/or queue up transactions for further processing. queue up transactions for further processing.

Client software – This software will reside on desktop or client Client software – This software will reside on desktop or client machine. Depending upon type of system, a client software may machine. Depending upon type of system, a client software may have to be separately installed The client software will be have to be separately installed The client software will be connected to Application software when user invokes it.connected to Application software when user invokes it.


31 / 125

Development Phase: Programming Methods, Development Phase: Programming Methods, Techniques And LanguagesTechniques And Languages

The Development Phase takes the detailed design developed in the The Development Phase takes the detailed design developed in the Design Phase and begins with coding by using a programming Design Phase and begins with coding by using a programming language. language.

The responsibility of this phase is primarily that of the The responsibility of this phase is primarily that of the Programmers. Programmers.

The following are the key activities performed during this phase.The following are the key activities performed during this phase. Coding and developing programs and system level documentsCoding and developing programs and system level documents Testing and debugging continuously for improvements in program developedTesting and debugging continuously for improvements in program developed Developing programs for conversion of the data in the legacy system to new Developing programs for conversion of the data in the legacy system to new

systemsystem Formulating the procedures for the transition of the software by the various Formulating the procedures for the transition of the software by the various

usersusers Training the selected users on the new systemTraining the selected users on the new system In case of vendor supplied software, documenting the modifications carried In case of vendor supplied software, documenting the modifications carried

out to ensure that future updated versions of the vendor's code can be applied.out to ensure that future updated versions of the vendor's code can be applied.


32 / 125

Programming Methods & TechniquesProgramming Methods & Techniques

For effective and efficient software product, For effective and efficient software product, following techniques should be used…following techniques should be used…Adoption of the Program Coding StandardsAdoption of the Program Coding StandardsStructured programmingStructured programmingOnline Programming FacilitiesOnline Programming Facilities

Use of suitable Programming Language and Use of suitable Programming Language and methodmethodProcedural programming – past trendProcedural programming – past trendObject Oriented Programming Technique – current Object Oriented Programming Technique – current

trendtrendDistributed by AGASS (http://www.agass.org)

33 / 125

Program DebuggingProgram Debugging

Debugging is the most primitive form of testing activity. Debugging is the most primitive form of testing activity. Programmers usually debug their programs while Programmers usually debug their programs while

developing their source codes by activating the compiler developing their source codes by activating the compiler and searching for implementation defects at the source and searching for implementation defects at the source code level. code level.

The need for extensive debugging is often an indication of The need for extensive debugging is often an indication of poor workmanship. poor workmanship.

Debugging software tools assist the programmer in fine Debugging software tools assist the programmer in fine tuning, fixing and debugging the program under tuning, fixing and debugging the program under development. development.


34 / 125

Program Debugging…Program Debugging…

Debugging tools help programmers in debugging activityDebugging tools help programmers in debugging activity These tools fall in the following three categories…These tools fall in the following three categories…

Logic Path Monitors: Logic Path Monitors: provide logic errors by reporting on the provide logic errors by reporting on the sequence of events achieved by the programsequence of events achieved by the program

Trace: Trace: This lists the changes in selected variables at different This lists the changes in selected variables at different stages of the program.stages of the program.

Memory Dumps: Memory Dumps: provides a picture of the internal memory provides a picture of the internal memory content at the point where the program has abruptly ended, content at the point where the program has abruptly ended, providing the clues to the programmer on the inconsistencies in providing the clues to the programmer on the inconsistencies in data and parameter values.data and parameter values.

Output Analyzer: Output Analyzer: checks the accuracy of the output which is checks the accuracy of the output which is the result of processing the input through that program by the result of processing the input through that program by comparing the ac tual results with the expected results.comparing the ac tual results with the expected results.


35 / 125

Software Testing PhaseSoftware Testing Phase

Software testing is the process of testing software in a Software testing is the process of testing software in a controlled manner to ensure it meets the specifications. controlled manner to ensure it meets the specifications.

During testing, the developer should give up preconceived During testing, the developer should give up preconceived notions of the correctness of the software developed. notions of the correctness of the software developed.

Testing is carried out in the Test Environment. Testing is carried out in the Test Environment. For some large and complex systems, development and For some large and complex systems, development and

testing environment may be separate.testing environment may be separate. Objectives of testingObjectives of testing

Testing is a process of executing a program to identify an error. Testing is a process of executing a program to identify an error. AA good test case is one that has high probability of finding an good test case is one that has high probability of finding an

error. error. A successful test is one that uncovers an error.A successful test is one that uncovers an error.


36 / 125

Levels of testingLevels of testing

Every software normally goes through the Every software normally goes through the following levels of tests: following levels of tests:

Unit testing Unit testing System testingSystem testing


37 / 125

Unit testingUnit testing Unit testing is the process of testing individual units (i.e. individual Unit testing is the process of testing individual units (i.e. individual

programs or functions or objects) of software in isolation. programs or functions or objects) of software in isolation. A program unit is usually small and the programmer who de veloped A program unit is usually small and the programmer who de veloped

it can test it in a great detail. it can test it in a great detail. There are four categories of tests that a programmer typically There are four categories of tests that a programmer typically

performs on a program unit: performs on a program unit: Functional tests Functional tests - These tests check whether programs do what they are - These tests check whether programs do what they are

supposed to do. supposed to do. Performance tests Performance tests - These should be designed to verify the response time, - These should be designed to verify the response time,

the execution time, the throughput, primary and secondary memory utilisation the execution time, the throughput, primary and secondary memory utilisation and the traffic rates on data channels and communication linksand the traffic rates on data channels and communication links

Stress tests Stress tests - These are designed to overload a program in various ways. The - These are designed to overload a program in various ways. The purpose of a stress test is to determine the limitations of the program. purpose of a stress test is to determine the limitations of the program.

Structural tests Structural tests - These are concerned with examining the internal - These are concerned with examining the internal processing logic of a software system.processing logic of a software system.

Parallel Tests Parallel Tests - By using the same test data in the new and old system, the - By using the same test data in the new and old system, the output results are compared.output results are compared.


38 / 125

Types of unit testsTypes of unit tests

Static analysis testsStatic analysis tests Desk CheckDesk Check: This is done by the programmer himself. He checks for : This is done by the programmer himself. He checks for

logical syntax errors, and deviation from coding standards.logical syntax errors, and deviation from coding standards. Structured walk-throughStructured walk-through: The application developer leads other : The application developer leads other

programmers through the text of the program and explanationprogrammers through the text of the program and explanation Code inspectionCode inspection: The program is reviewed by a formal committee. : The program is reviewed by a formal committee.

Review is done with formal checklists. The procedure is more formal Review is done with formal checklists. The procedure is more formal than a walk-through.than a walk-through.

Dynamic analysis testsDynamic analysis tests Black Box TestBlack Box Test: Assumes no knowledge of internal logic of programs: Assumes no knowledge of internal logic of programs White Box TestWhite Box Test: Assumes knowledge of internal logic of programs: Assumes knowledge of internal logic of programs


39 / 125

Integration / Interface testingIntegration / Interface testing The objective is to evaluate the connection of two or more components that pass The objective is to evaluate the connection of two or more components that pass

information from one area to another. information from one area to another. This is carried out in the following manner.This is carried out in the following manner.

Bottom-up integration: Bottom-up integration: Bottom-up integration is the traditional strategy used to integrate the components of a Bottom-up integration is the traditional strategy used to integrate the components of a

software system into a functioning whole. software system into a functioning whole. It consists of unit testing, followed by sub-sys tem testing, and then testing of the entire It consists of unit testing, followed by sub-sys tem testing, and then testing of the entire

system. system. Top-down integration: Top-down integration:

Top-down integration starts with the main rou tine, and stubs are substituted, for the Top-down integration starts with the main rou tine, and stubs are substituted, for the modules directly subordinate to the main module. modules directly subordinate to the main module.

An incomplete portion of a program code that is put under a function in order to allow An incomplete portion of a program code that is put under a function in order to allow the function and the program to be compiled and tested, is referred to as a stub. the function and the program to be compiled and tested, is referred to as a stub.

Regression tests: Regression tests: Each time a new module is added as part of integration testing, the software changes. Each time a new module is added as part of integration testing, the software changes. These changes may cause problems with functions that previously worked flawlessly. These changes may cause problems with functions that previously worked flawlessly. In the context of the integration testing, the regression tests ensure that changes or In the context of the integration testing, the regression tests ensure that changes or

corrections have not introduced new errors. corrections have not introduced new errors. The data used for the regression tests should be the same as the data used in the The data used for the regression tests should be the same as the data used in the

original test.original test.


40 / 125

System testingSystem testing System testing is a process in which software and other system elements are System testing is a process in which software and other system elements are

tested as a whole. tested as a whole. System testing begins either when the software as a whole is operational or System testing begins either when the software as a whole is operational or

when the well defined subsets of the software's functionality have been when the well defined subsets of the software's functionality have been implemented. implemented.

The purpose of system testing is to ensure that the new or modified system The purpose of system testing is to ensure that the new or modified system functions properly. functions properly.

These test procedures are often performed in a non- production test en These test procedures are often performed in a non- production test en vironment.vironment.

The following types of testing might be carried out. The following types of testing might be carried out. Recovery Testing : Recovery Testing : Checking the ability of recovery of the system after the failure Checking the ability of recovery of the system after the failure

of hardware or software.of hardware or software. Security Testing: Security Testing: Ensuring the existence and proper execution of ac cess controls Ensuring the existence and proper execution of ac cess controls

in the new system. in the new system. Stress or Volume Testing: Stress or Volume Testing: Testing the application with large quantity of data Testing the application with large quantity of data

during peak hours to test its performance.during peak hours to test its performance. Performance Testing: Performance Testing: Comparing the new system's performance with that of Comparing the new system's performance with that of

similar systems using well defined benchmarks.similar systems using well defined benchmarks.


41 / 125

Final Acceptance Testing or Users Acceptance TestingFinal Acceptance Testing or Users Acceptance Testing Final Acceptance testing is conducted when the system is just ready Final Acceptance testing is conducted when the system is just ready

for implementation. for implementation. During this testing, it is ensured that the new system satisfies the During this testing, it is ensured that the new system satisfies the

quality standards adopted by the business and the system satisfies quality standards adopted by the business and the system satisfies the users. the users.

Thus the final acceptance testing has two major parts:Thus the final acceptance testing has two major parts: Quality Assurance TestingQuality Assurance Testing: ensures that the new systems satisfies the : ensures that the new systems satisfies the

prescribed quality standards and the development process is as per the prescribed quality standards and the development process is as per the organisation's quality assurance methodology. organisation's quality assurance methodology.

User Acceptance TestingUser Acceptance Testing: ensures that the functional aspects expected by the : ensures that the functional aspects expected by the users has been well addressed in the new system. users has been well addressed in the new system.

There are two types of the user acceptance testing. There are two types of the user acceptance testing. Alpha TestingAlpha Testing: is the first stage, often performed by the users within the : is the first stage, often performed by the users within the

organizationorganization Beta TestingBeta Testing : is the second stage, generally performed by the external users. : is the second stage, generally performed by the external users.

This is the last stage of testing, and normally involves sending the product This is the last stage of testing, and normally involves sending the product outside the development environment for real world exposure.outside the development environment for real world exposure.


42 / 125

Implementation of SoftwareImplementation of Software

Planning of the implementation should be commenced much before Planning of the implementation should be commenced much before actual date of the implementationactual date of the implementation

The implementation plan as developed in the Design Phase should The implementation plan as developed in the Design Phase should be used with the modifications if required. be used with the modifications if required.

There are four types of implementation strategies:There are four types of implementation strategies: Direct implementation / Abrupt change-over : Direct implementation / Abrupt change-over : The old system is The old system is

suspended on a specific day and the new system is tried out. suspended on a specific day and the new system is tried out. Parallel implementation : Parallel implementation : Both the old and new systems are run in parallel Both the old and new systems are run in parallel

to verify if their output is the same. Then the old system is suspended.to verify if their output is the same. Then the old system is suspended. Phased implementation : Phased implementation : The new system is implemented in parts. This The new system is implemented in parts. This

makes implementation more manageable.makes implementation more manageable. Pilot implementation : Pilot implementation : The new systems is first implemented in a small, The new systems is first implemented in a small,

non-critical unit and then moved to larger unit.non-critical unit and then moved to larger unit.


43 / 125

Activities during Implementation StageActivities during Implementation Stage Major activities during implementation are:Major activities during implementation are:

Installation of new hardware / softwareInstallation of new hardware / software Data conversion: Following steps are necessary.Data conversion: Following steps are necessary.

Determining what data can be converted through software and what data manually.Determining what data can be converted through software and what data manually. Performing data cleansing before data conversion Performing data cleansing before data conversion Identifying the methods to access the accuracy of conversion like record counts and Identifying the methods to access the accuracy of conversion like record counts and

control totalscontrol totals Designing exception reports showing the data which could not be converted through Designing exception reports showing the data which could not be converted through

software.software. Establishing responsibility for verifying and signing off and accepting overall Establishing responsibility for verifying and signing off and accepting overall

conversion by the system ownerconversion by the system owner Actual conversionActual conversion

User Final Acceptance testingUser Final Acceptance testing User trainingUser training

Manager's training on overview and MISManager's training on overview and MIS Operational user training on how to use the software, enter the data, generate the Operational user training on how to use the software, enter the data, generate the

output output IT department’s training on the technical aspectsIT department’s training on the technical aspects


44 / 125

Post Implementation ReviewPost Implementation Review

In PIR, after the system stabilizes, a check should be done to ensure that the In PIR, after the system stabilizes, a check should be done to ensure that the system has fulfilled the objectives. Otherwise, move back to the appro priate stage system has fulfilled the objectives. Otherwise, move back to the appro priate stage of the development cycle. of the development cycle.

The PIR should be performed …The PIR should be performed … jointly by the project development team and the appropriate end usersjointly by the project development team and the appropriate end users an independent group not associated with the development process, either internal or an independent group not associated with the development process, either internal or

externalexternal Audit should be conducted to meet the following objectives: Audit should be conducted to meet the following objectives:

Whether the system met management's objectives and user requirementsWhether the system met management's objectives and user requirements Whether the access controls have been adequately implemented and actually workingWhether the access controls have been adequately implemented and actually working Evaluation and comparison of the actual Cost Benefit or ROI as against the same Evaluation and comparison of the actual Cost Benefit or ROI as against the same

projected in the feasibility study phase.projected in the feasibility study phase. Recommend on the system's inadequacies and deficienciesRecommend on the system's inadequacies and deficiencies Develop a plan for implementing the accepted recommendationsDevelop a plan for implementing the accepted recommendations Evaluate the system development project processEvaluate the system development project process


45 / 125

Post Implementation Review…Post Implementation Review…

Maintenance is also part of the post implementation Maintenance is also part of the post implementation review. It can be categorized into four types:review. It can be categorized into four types: Corrective maintenance : Corrective maintenance : Correcting errors that may surface Correcting errors that may surface

during the running of the applica tion.during the running of the applica tion. Adaptive maintenance : Adaptive maintenance : Rapid changes in technology may Rapid changes in technology may

cause an application to be run in a new technical environment in cause an application to be run in a new technical environment in the user site. Web enabling a legacy application would fall in the user site. Web enabling a legacy application would fall in this category.this category.

Perfective maintenance : Perfective maintenance : Perfective maintenance is required Perfective maintenance is required when the user wants additional functionalities. Extending the when the user wants additional functionalities. Extending the purchase order system to cover service orders will fall in this purchase order system to cover service orders will fall in this category.category.

Preventive maintenance : Preventive maintenance : When the software is changed to suit When the software is changed to suit future maintainability, it is called preventive maintenance.future maintainability, it is called preventive maintenance.


46 / 125

Chapter 3 Chapter 3

Alternative Methodologies of Software DevelopmentAlternative Methodologies of Software Development


47 / 125


To provide an understanding of:To provide an understanding of:Different approaches to system development - Different approaches to system development -

advantages, problems encountered and selection criteriaadvantages, problems encountered and selection criteriaDifferent aspects involved in maintenance of Different aspects involved in maintenance of

information systemsinformation systems


48 / 125

Traditional SDLC ModelsTraditional SDLC Models

Waterfall ModelWaterfall Model

Spiral ModelSpiral Model

Today’s trend of OOP and web-based systems Today’s trend of OOP and web-based systems demands that Alternative Development demands that Alternative Development methodologies be adopted instead of traditional methodologies be adopted instead of traditional methods.methods.


49 / 125

Data Oriented Systems DevelopmentData Oriented Systems Development

Data oriented system development focuses on data Data oriented system development focuses on data structure and not data flow while processing. structure and not data flow while processing.

Systems that optimize data usage are classified as data-Systems that optimize data usage are classified as data-oriented systems. oriented systems.

This approach considers data independently of the This approach considers data independently of the processing that transforms the data. processing that transforms the data.

Management Information Systems (MIS) and Data Management Information Systems (MIS) and Data Warehousing applications fall in this category. Warehousing applications fall in this category.

Process-oriented approach specifies how data is moved Process-oriented approach specifies how data is moved and / or changed in the systemand / or changed in the system


50 / 125

Object Oriented Systems DevelopmentObject Oriented Systems Development

In this method, the system is analyzed in terms of objects and classes and the In this method, the system is analyzed in terms of objects and classes and the relationship between objects and their interaction. relationship between objects and their interaction.

Objects are defined as entities that have both data structure and some behaviour. Objects are defined as entities that have both data structure and some behaviour. E.g. employee record is an object having properties : employee name, employee E.g. employee record is an object having properties : employee name, employee

ID etc. and behaviour such as AddEMployee, RemoveEmployee, ID etc. and behaviour such as AddEMployee, RemoveEmployee, TransferEmployee etc.TransferEmployee etc.

Major advantages of this approach are:Major advantages of this approach are: Ability to manage a variety of data typesAbility to manage a variety of data types Ability to manage complex relationshipsAbility to manage complex relationships Capacity to meet demands of a changing environmentCapacity to meet demands of a changing environment Reusability of logical elements Reusability of logical elements Data SecurityData Security

Object Oriented technology is widely used in:Object Oriented technology is widely used in: Computer Aided Engineering (CAE)Computer Aided Engineering (CAE) Systems softwareSystems software


51 / 125

PrototypingPrototyping

When a customer defines a set of general objectives for the When a customer defines a set of general objectives for the software, but not detailed input, processing and output software, but not detailed input, processing and output requirements, prototyp ing may be the best approach.requirements, prototyp ing may be the best approach.

The following are the steps in the prototyping approach :The following are the steps in the prototyping approach : Requirements gathering : The developer gets the initial requirements from the Requirements gathering : The developer gets the initial requirements from the

users.users. Quick design : The emphasis is on visible aspects such as input screens and Quick design : The emphasis is on visible aspects such as input screens and

output reports.output reports. Construction of prototype: by the developer on the basis of inputs from the Construction of prototype: by the developer on the basis of inputs from the

users.users. Users evaluation of prototype : The users accepts the screens and op tions as Users evaluation of prototype : The users accepts the screens and op tions as

shown to them.shown to them. Refinement of prototype: Prototype is refined by fine tuning the us ers Refinement of prototype: Prototype is refined by fine tuning the us ers

requirements.requirements. The last two steps are iterated till the user is fully satisfied with the The last two steps are iterated till the user is fully satisfied with the

pro totype.pro totype.Distributed by AGASS (http://www.agass.org)

52 / 125

Prototyping …Prototyping … The drawbacks of the prototyping approach are:The drawbacks of the prototyping approach are:

The user sees the 'working' version of the software, without realising that the The user sees the 'working' version of the software, without realising that the processing logic is still not ready. processing logic is still not ready.

Design strategy may be very weakDesign strategy may be very weak The capability of the prototype to accommodate changes may lead to some The capability of the prototype to accommodate changes may lead to some

problems.problems. Difficult to keep track of changes in the controls of prototype model.Difficult to keep track of changes in the controls of prototype model. Changes in design and development keep happening so quickly in this Changes in design and development keep happening so quickly in this

approach that formal change control procedures may be vio lated.approach that formal change control procedures may be vio lated. Advantages …Advantages …

IS auditor should be aware about the above risksIS auditor should be aware about the above risks IS auditor should also be aware that this method of system development can IS auditor should also be aware that this method of system development can

provide the organization with substantial saving in time and cost. provide the organization with substantial saving in time and cost. Similarly, since users are giving approval to data entry screens and report Similarly, since users are giving approval to data entry screens and report

layouts early in SDLC life cycle, chances of meeting user requirements are layouts early in SDLC life cycle, chances of meeting user requirements are very high in this model.very high in this model.


53 / 125

Rapid Application Development - RADRapid Application Development - RAD RAD is an incremental model which has a short development cycle. RAD is an incremental model which has a short development cycle. Requirements have to be clearly understood and the scope has to be Requirements have to be clearly understood and the scope has to be

well defined. well defined. RAD leverages the following techniques to keep the develop ment RAD leverages the following techniques to keep the develop ment

cycle short: cycle short: Multiple small teams Multiple small teams Modular applications Modular applications Evolutionary prototype Evolutionary prototype Automated tools Automated tools Design workshops Design workshops Component- based development Component- based development Fourth generation languages Fourth generation languages Rigid time framesRigid time frames

Adopted only for individual strategically important systems and not Adopted only for individual strategically important systems and not for ERP kind of systems. for ERP kind of systems.


54 / 125

RAD …RAD … This approach should be undertaken only if the following 4 pillars This approach should be undertaken only if the following 4 pillars

of an organization are strong :of an organization are strong : Management – should give quick decisions to development and user teamsManagement – should give quick decisions to development and user teams People – in user team and development teamPeople – in user team and development team Methodology – proven methodology should be used and not recently inventedMethodology – proven methodology should be used and not recently invented Tools – proven integrated tools such as VB / Delphi etc should be used.Tools – proven integrated tools such as VB / Delphi etc should be used.

The four stages in this approach are: The four stages in this approach are: Definition of scope Definition of scope Creation of a functional design Creation of a functional design Construction of applicationConstruction of application DeploymentDeployment The drawbacks of RAD are:The drawbacks of RAD are:

For mission critical applications, where quality and reliability as For mission critical applications, where quality and reliability as sume higher importance than time of development, this approach is sume higher importance than time of development, this approach is not recommended.not recommended.


55 / 125

ReengineeringReengineering

Used for systems working satisfactorily but are not efficient due to Used for systems working satisfactorily but are not efficient due to poor design or take advantage of new technology. poor design or take advantage of new technology.

It is difficult to migrate these huge mission critical applications to It is difficult to migrate these huge mission critical applications to new systems quickly. new systems quickly.

In such cases, the reengineering approach is suggested. In such cases, the reengineering approach is suggested. This is quite like remodeling / rebuilding an old house.This is quite like remodeling / rebuilding an old house. Software reengineering consists of six activities:Software reengineering consists of six activities: Inventory analysis: Inventory analysis: Inventorise of all applications that it uses. This Inventorise of all applications that it uses. This

should include details such as size, age, business criticality. should include details such as size, age, business criticality. Document restructuring: Document restructuring: In many legacy applications, In many legacy applications,

documentation is sketchy, or may not exist at all. In a large documentation is sketchy, or may not exist at all. In a large application environment, documentation must be carefully planned, application environment, documentation must be carefully planned, taking into account the resources available.taking into account the resources available.


56 / 125

Reverse engineeringReverse engineering

This is the technique of drawing design specifications from the This is the technique of drawing design specifications from the actual product by studying its source code. actual product by studying its source code.

In software reverse engineering, the program is first analyzed and In software reverse engineering, the program is first analyzed and then design specifications are worked out. then design specifications are worked out.

This process can be carried out in several ways: This process can be carried out in several ways: Decomposing the object or executable code into source code and using it to Decomposing the object or executable code into source code and using it to

analyse the program analyse the program Utilizing the reverse engineering application as a black box test and unveiling Utilizing the reverse engineering application as a black box test and unveiling

its functionality by using test data.its functionality by using test data. The advantages of the reverse engineering are faster development of The advantages of the reverse engineering are faster development of

a system and improvement in the present system by using reverse a system and improvement in the present system by using reverse engineering. engineering.

The IS auditor should look into software license agreements – some The IS auditor should look into software license agreements – some may prohibit reverse engineeringmay prohibit reverse engineering


57 / 125

Web-based Application DevelopmentWeb-based Application Development

Web-based systems and applications become integrated in Web-based systems and applications become integrated in business strategies for small and large companies. business strategies for small and large companies.

The following are the attributes of the Web based The following are the attributes of the Web based applications.applications. Network Intensive: Network Intensive: By its nature, a web based application is By its nature, a web based application is

network intensive. It resides on a network and must serve the network intensive. It resides on a network and must serve the needs of diverse community of clients. A web based application needs of diverse community of clients. A web based application may reside on the internet or intranet or extranetmay reside on the internet or intranet or extranet

Content Driven: Content Driven: In many cases, the primary function of a web In many cases, the primary function of a web based application is to use hypermedia to present text, graphics, based application is to use hypermedia to present text, graphics, audio, and video contents to the end user.audio, and video contents to the end user.

Continuous evolution: Continuous evolution: Unlike conventional application Unlike conventional application software that evolves over a series of planned, chronologically software that evolves over a series of planned, chronologically spaced releases, web based applications evolve continuously.spaced releases, web based applications evolve continuously.


58 / 125

Categories of web-based applicationsCategories of web-based applications

Informational: Informational: Read only content is provided with simple navigation and linksRead only content is provided with simple navigation and links Download: Download: A user downloads information from the appropriate serverA user downloads information from the appropriate server Customization: Customization: The user customizes contents to specific needs The user customizes contents to specific needs Interaction: Interaction: Communication among a community of users occurs via chat-room, Communication among a community of users occurs via chat-room,

bulletin boards, or instant messaging.bulletin boards, or instant messaging. User Input: User Input: Forms based input is the primary mechanism for com municating Forms based input is the primary mechanism for com municating

needneed Transaction oriented: Transaction oriented: The user makes a request (e.g. places an order) that is The user makes a request (e.g. places an order) that is

fulfilled by the web based applicationfulfilled by the web based application Service Oriented: Service Oriented: The application provides a service to the user (e.g. assists the The application provides a service to the user (e.g. assists the

user in calculating the EMI of loan)user in calculating the EMI of loan) Portal: Portal: The application channels the user to other web content or ser vices outside The application channels the user to other web content or ser vices outside

the domain of the portal applicationthe domain of the portal application Database Access: Database Access: The user queries a large database and extracts infor mation The user queries a large database and extracts infor mation Data Warehousing: Data Warehousing: The user queries a collection of large databases and extracts The user queries a collection of large databases and extracts

informationinformation


59 / 125

Agile DevelopmentAgile Development Refers to a family of similar development processes that involves a non Refers to a family of similar development processes that involves a non

traditional way of developing a complex system.traditional way of developing a complex system. It is termed as "agile" because they are designed with flexibility to It is termed as "agile" because they are designed with flexibility to

handle changes to the system being developed or the project team that handle changes to the system being developed or the project team that is performing the development.is performing the development.

Agile development process involves:Agile development process involves: Setting of small subprojects or iterations on the basis of which next iteration is Setting of small subprojects or iterations on the basis of which next iteration is

planned.planned. Replanning the project at the end of each iteration involving resetting priorities, Replanning the project at the end of each iteration involving resetting priorities,

identification of new priorities etcidentification of new priorities etc The teams are generally small, cohesive and comprise of both business and The teams are generally small, cohesive and comprise of both business and

technical representatives.technical representatives. In case of some agile development, two programmers code the same part of the In case of some agile development, two programmers code the same part of the

system as a means of knowledge sharing and quality improvement.system as a means of knowledge sharing and quality improvement. Unlike a normal project manager has the role of planning the proj ect, allocating Unlike a normal project manager has the role of planning the proj ect, allocating

the tasks and monitoring the progress of the project, the project manager has a job the tasks and monitoring the progress of the project, the project manager has a job of facilitator and advocate.of facilitator and advocate.


60 / 125

Information Systems Maintenance PracticesInformation Systems Maintenance Practices

Systems undergo changes right through their Systems undergo changes right through their life cycle. life cycle.

These changes often create problems in the These changes often create problems in the functionality and other characteristics of a functionality and other characteristics of a system. system.

So it is necessary that a procedure for change is So it is necessary that a procedure for change is formalized.formalized.

This is called as Change control or Change This is called as Change control or Change ManagementManagement


61 / 125

Change ManagementChange Management

Request for change by the user must be submitted to the IS department along with Request for change by the user must be submitted to the IS department along with the reasons for change. This is a Change Request the reasons for change. This is a Change Request

The user request is then assessed by the relevant application developer. The user request is then assessed by the relevant application developer. He evaluates the impact of the modifications on other programs and prepares He evaluates the impact of the modifications on other programs and prepares

schedule of change to be carried outschedule of change to be carried out Every organisation should have a defined Change Control Authority (CCA) - a Every organisation should have a defined Change Control Authority (CCA) - a

person or a committee - which is the final authority to approve changes.person or a committee - which is the final authority to approve changes. Once approved by CCA, programmer then makes the approved changes, and the Once approved by CCA, programmer then makes the approved changes, and the

programs go through all the tests that they had gone through, when they were programs go through all the tests that they had gone through, when they were initially developed. initially developed.

The CCA then reviews the changes made to programs, data and documents and The CCA then reviews the changes made to programs, data and documents and approve them. approve them.

Then the systems administrator moves the changed version into the production Then the systems administrator moves the changed version into the production environment and informs all users of the change and the revised version number.environment and informs all users of the change and the revised version number.

After running the new version of the application the user who requested the After running the new version of the application the user who requested the change should certify that the change requested by him has been fulfilled.change should certify that the change requested by him has been fulfilled.


62 / 125

Library control softwareLibrary control software The purpose of the library control software is to separate production The purpose of the library control software is to separate production

libraries from test libraries.libraries from test libraries. 'I he following are the functions of this software:'I he following are the functions of this software:

It prevents programmers from accessing source and object programs in the It prevents programmers from accessing source and object programs in the production directory.production directory.

It does not permit program to be updated in bulk.It does not permit program to be updated in bulk. It enforces discipline: The programmer after making the requested change in It enforces discipline: The programmer after making the requested change in

the source code and testing it hands it over to the official authorised by the the source code and testing it hands it over to the official authorised by the organisation to update the production directory - control group or systems organisation to update the production directory - control group or systems administrator. administrator.

The production directory is then updated with the revised version of the code The production directory is then updated with the revised version of the code - source and object.- source and object.

It provides read-only access to the source code. Any modification has to be It provides read-only access to the source code. Any modification has to be authorized by the change control procedure detailed earlier.authorized by the change control procedure detailed earlier.

It maintains clear distinction between programs in production and test It maintains clear distinction between programs in production and test directories.directories.


63 / 125

Executable and source code integrityExecutable and source code integrity

At any point of time, the current version of the source code and At any point of time, the current version of the source code and object code should match. object code should match.

In a manual program migration practice, the changed source code In a manual program migration practice, the changed source code may be moved to the production directory, but compilation is may be moved to the production directory, but compilation is omitted. omitted.

Some of the controls the auditor should use to check in code Some of the controls the auditor should use to check in code integrityintegrity The time stamp on the object code should always be same or later than that of The time stamp on the object code should always be same or later than that of

the corresponding source code.the corresponding source code. Users and application programmers should not have access to the production Users and application programmers should not have access to the production

source code.source code. In an automated environment, where the users themselves develop In an automated environment, where the users themselves develop

applications, controls may be lax. So auditors should focus on evaluating applications, controls may be lax. So auditors should focus on evaluating controls in such applicationscontrols in such applications


64 / 125

Configuration ManagementConfiguration Management

Configuration management involves various procedures throughout Configuration management involves various procedures throughout the life cycle of the software to identify, define and baseline the life cycle of the software to identify, define and baseline software items in the system thus providing a basis for problem software items in the system thus providing a basis for problem management, change management and release management.management, change management and release management.

It involves identification of items like programs, documentation and It involves identification of items like programs, documentation and data. data.

Once handed over to the configuration management team, the item Once handed over to the configuration management team, the item cannot be changed without a formal change control processcannot be changed without a formal change control process

The process of moving an item to the controlled environment is The process of moving an item to the controlled environment is called checking in. called checking in.

When a change is required, the item will be checked out by the When a change is required, the item will be checked out by the configuration manager. configuration manager.

Once the change is made, it is checked in by a different version Once the change is made, it is checked in by a different version number.number.


65 / 125

Configuration Management…Configuration Management…

The job profile of the CM maintainer involves the The job profile of the CM maintainer involves the following task steps:following task steps: Develop the configuration management planDevelop the configuration management plan Baseline the code and associated documentsBaseline the code and associated documents Analyse and report on the results of configuration controlAnalyse and report on the results of configuration control Develop the reports that provide configuration status informationDevelop the reports that provide configuration status information Develop release proceduresDevelop release procedures Perform configuration control activities, such as identification Perform configuration control activities, such as identification

and recording of the requestand recording of the request Update the configuration status accounting databaseUpdate the configuration status accounting database


66 / 125

Chapter 3 Chapter 3

Project Management Tools and TechniquesProject Management Tools and Techniques


67 / 125


To provide a clear understanding of:To provide a clear understanding of: What is meant by Project Management in context of IT ProjectsWhat is meant by Project Management in context of IT Projects Software size estimation techniques - The significance of Software size estimation techniques - The significance of

budgets and schedules in system developmentbudgets and schedules in system development PERT (Program Evaluation Review Technique) as a project PERT (Program Evaluation Review Technique) as a project

manage ment toolmanage ment tool Various kinds of tools and techniques available for project Various kinds of tools and techniques available for project

management such as Critical Path Method (CPM), Time Box management such as Critical Path Method (CPM), Time Box Management etc.Management etc.

Computer Aided Software Engineering - CASEComputer Aided Software Engineering - CASE


68 / 125

Project Management Tools and TechniquesProject Management Tools and TechniquesSoftware :Software :

is designed, programmedis designed, programmedis used and managed by people is used and managed by people Use hardware and softwareUse hardware and software

Software development :Software development :a complex processa complex processmanaging resources e.g people, machines etc.managing resources e.g people, machines etc.engineering principles and practices are applicableengineering principles and practices are applicable

All Project Management tools and techniques are All Project Management tools and techniques are applicable.applicable.


69 / 125

Project Management Project Management

Project Management is application of Knowledge & Project Management is application of Knowledge & practices, Skills and tools & techniques…practices, Skills and tools & techniques… Knowledge & practices involves risk based approach for…Knowledge & practices involves risk based approach for…

Project InitiationProject InitiationProject Planning Project Planning Project ExecutionProject ExecutionProject Control – Quantitative & QualitativeProject Control – Quantitative & QualitativeProject Closing Project Closing

Skills can be inherent but enhanced through …Skills can be inherent but enhanced through …TrainingTrainingExperienceExperience


70 / 125

Project Management…Project Management…

Tools and techniques cane be…Tools and techniques cane be…General Project ManagementGeneral Project ManagementSoftware size estimationSoftware size estimationBudgets & SchedulesBudgets & SchedulesSoftware cost estimationSoftware cost estimationSoftware configuration managementSoftware configuration managementDocumentationDocumentationOffice automationOffice automation


71 / 125

Budgets an SchedulesBudgets an Schedules Two critical problems in software development are: Time and cost over runs need Two critical problems in software development are: Time and cost over runs need

to be addressed by a project manager. to be addressed by a project manager. These problems arise because of poor estimation of effort required and hence cost These problems arise because of poor estimation of effort required and hence cost

involved in developing an application. involved in developing an application. Budgeting involves estimating human and machine / software efforts in each task. Budgeting involves estimating human and machine / software efforts in each task. Machine efforts refers to any piece of hardware which would be required to Machine efforts refers to any piece of hardware which would be required to

develop a system.develop a system. Gross person-month effort has to be considered for details, such as: Gross person-month effort has to be considered for details, such as:

What are the activities in the project? E.g. Requirements Analysis, programming, data What are the activities in the project? E.g. Requirements Analysis, programming, data entry of masters etcentry of masters etc

In which sequence will these activities be performed? Serially or simultaneously (in In which sequence will these activities be performed? Serially or simultaneously (in parallel)parallel)

How will the total person-month effort be distributed over these activitiesHow will the total person-month effort be distributed over these activities On which date will each activity start and finish?On which date will each activity start and finish? What additional resources are required to complete the activity?What additional resources are required to complete the activity? What will be the measure that assesses the completion of an activity?What will be the measure that assesses the completion of an activity?

What will be the points in which the management will review the project?What will be the points in which the management will review the project?


72 / 125

Software size estimationSoftware size estimation

In order to arrive at a cost of software, it is necessary to In order to arrive at a cost of software, it is necessary to determine size of the software. determine size of the software.

In early days, when procedural programming was used In early days, when procedural programming was used (mostly COBOL), count of number of lines of source code (mostly COBOL), count of number of lines of source code (SLOC – Source Lines Of Code) was used(SLOC – Source Lines Of Code) was used

However, this method did not work well with complex However, this method did not work well with complex programs as well as with newer techniques of programs as well as with newer techniques of programming. programming.

Therefore, Function Point Analysis was developed by Therefore, Function Point Analysis was developed by researchers. researchers.


73 / 125

Function Point AnalysisFunction Point Analysis

A function point represents the size and complexity of the A function point represents the size and complexity of the applicationapplication

This is computed on the basis of number of inputs, This is computed on the basis of number of inputs, outputs, files, queries and interfaces that the application is outputs, files, queries and interfaces that the application is likely to have. likely to have.

This estimate is arrived at in terms of person-months This estimate is arrived at in terms of person-months required to de velop the application. required to de velop the application.

Function point is then calculated based on reliability, Function point is then calculated based on reliability, criticality, complexity and reusability expected from the criticality, complexity and reusability expected from the system. system.

e.g. Productivity = FP / Person-Month, Quality = Defects / e.g. Productivity = FP / Person-Month, Quality = Defects / FP , Cost = Rupees / FP.FP , Cost = Rupees / FP.


74 / 125

Other costsOther costs

Apart from software size estimation, some other components of cost Apart from software size estimation, some other components of cost should be taken into consideration for other phases of the project. should be taken into consideration for other phases of the project. These are :These are :

Main storage constraintsMain storage constraints Data storage constraintsData storage constraints Execution Time constraintsExecution Time constraints Staff experienceStaff experience Computer accessComputer access Security environmentSecurity environment Source code languageSource code language Target machine used for developmentTarget machine used for development


75 / 125

Gantt ChartsGantt Charts

Gantt Charts are prepared to schedule the tasks Gantt Charts are prepared to schedule the tasks involved in a project. involved in a project.

It shows… It shows… when tasks should begin and endwhen tasks should begin and endwhat tasks can be undertaken concurrently, and what what tasks can be undertaken concurrently, and what

tasks have to be done serially. tasks have to be done serially. They help to identify the consequences of early and late They help to identify the consequences of early and late

completion of the tasks.completion of the tasks.


76 / 125

Gantt Chart example : Schedule of a ProjectGantt Chart example : Schedule of a Project


77 / 125

Gantt Chart example : Gantt chartGantt Chart example : Gantt chart

ActivityJuly Aug Sept Oct Nov Dec Jan Feb

Project InititationFinalisation of ProjectFeasibility StudyAcceptance of FSSRSAcceptance of SRSProgrammingTestingImplementationGo Live

Months 2007-2008


78 / 125

Program Evaluation Review Technique (PERT)Program Evaluation Review Technique (PERT) PERT represents activities in a project as a network. It indicates PERT represents activities in a project as a network. It indicates

the sequential and parallel relationship between activities.the sequential and parallel relationship between activities. PERT terminology :PERT terminology :

ActivityActivity An activity is a portion of the project, which requires resources and time to An activity is a portion of the project, which requires resources and time to

complete. The activity is represented by an arrow. complete. The activity is represented by an arrow. EventEvent

An event is the starting or end point of an activity. It does not consume An event is the starting or end point of an activity. It does not consume resources or time. It is represented by a circleresources or time. It is represented by a circle

Predecessor activityPredecessor activity Activities that must be completed before another activity can begin, are called Activities that must be completed before another activity can begin, are called

predecessor activities for that activity. predecessor activities for that activity. Successor activitySuccessor activity

Activities that are carried out after an activity is completed, are known as Activities that are carried out after an activity is completed, are known as successor activities. successor activities.


79 / 125

Program Evaluation Review Technique (PERT)Program Evaluation Review Technique (PERT)……

PERT terminology : PERT terminology : (contd..)(contd..)

SlackSlackSlack is the difference between earliest and latest completion time Slack is the difference between earliest and latest completion time

of an activityof an activity DummyDummy

Dummy activity is that activity which requires no resources. A Dummy activity is that activity which requires no resources. A dummy activity does not have any real life significance. dummy activity does not have any real life significance.

Dummy activities are required in PERT, because as per the rules of Dummy activities are required in PERT, because as per the rules of PERT, not more than one activity can have the same preceding and PERT, not more than one activity can have the same preceding and succeeding activity. To represent this, dummy activities are succeeding activity. To represent this, dummy activities are included.included.


80 / 125

Program Evaluation Review Technique (PERT)Program Evaluation Review Technique (PERT)……

Time estimateTime estimatePERT recognizes the estimates cannot be precise, and PERT recognizes the estimates cannot be precise, and

hence allows a weighted average of different estimates hence allows a weighted average of different estimates such as pessimistic, optimistic and most likely. such as pessimistic, optimistic and most likely.

A heavier weightage is given to the most likely estimate A heavier weightage is given to the most likely estimate and the calculation is as follows:and the calculation is as follows:tto - optimistic estimate - optimistic estimate ttp - pessimistic estimate - pessimistic estimate ttm - most likely estimate - most likely estimate Expected time = (tExpected time = (to + 4t + 4tm + t + tp) / 6) / 6


81 / 125

Critical Path Method (CPM)Critical Path Method (CPM)

In a network, critical path represents the path In a network, critical path represents the path which has the highest duration of time. which has the highest duration of time.

It is the shortest time in which the project can be It is the shortest time in which the project can be completed. completed.

Maximum control is required on the completion of Maximum control is required on the completion of any activity on Critical Path any activity on Critical Path

If any activity on critical path is delayed, the whole If any activity on critical path is delayed, the whole project will be delayed.project will be delayed.

Activities in the critical path have zero slack Activities in the critical path have zero slack


82 / 125

Critical Path Method (CPM)…Critical Path Method (CPM)…

The critical path is found by working forward through the The critical path is found by working forward through the networknetwork

Computing the earliest possible completion time for each Computing the earliest possible completion time for each activityactivity

Thus earliest possible completion time for the project is Thus earliest possible completion time for the project is found. found.

Now, taking this as the completion time of the project, Now, taking this as the completion time of the project, working backwards the latest completion time of each working backwards the latest completion time of each activity is found. activity is found.

The path on which activities have the same earliest and The path on which activities have the same earliest and latest completion time is the critical path or in other words latest completion time is the critical path or in other words slack is zero.slack is zero.


83 / 125

System Development Tools and Productivity Aids System Development Tools and Productivity Aids

These help in better productivity from programmers and These help in better productivity from programmers and better quality if properly used.better quality if properly used.

Code generatorsCode generators Code generators generate program code on the basis of Code generators generate program code on the basis of

parameters defined by system analyst or data flow diagrams. parameters defined by system analyst or data flow diagrams. These aid in improv ing programmer efficiency. These aid in improv ing programmer efficiency.

Such tools, which help in automation of software life Such tools, which help in automation of software life cycle activities are included in CASE (Computer Aided cycle activities are included in CASE (Computer Aided Software Engineering) tools.Software Engineering) tools.

Computer Aided Software Engineering (CASE)Computer Aided Software Engineering (CASE) CASE is an attempt to automate all activities associated with the CASE is an attempt to automate all activities associated with the

software development life cycle.software development life cycle.


84 / 125

CASE ToolsCASE Tools

Classification of CASE tools : 3 categoriesClassification of CASE tools : 3 categoriesUpper CASEUpper CASE: Useful in the early stages of SDLC. : Useful in the early stages of SDLC.

Tools that help in defining application requirements fall Tools that help in defining application requirements fall in this category.in this category.

Middle CASEMiddle CASE: These address the needs in the middle : These address the needs in the middle levels of SDLC such as Design. Those that help in levels of SDLC such as Design. Those that help in designing screen and report layouts, data and process designing screen and report layouts, data and process design falls in this category.design falls in this category.

Lower CASELower CASE: The later parts of the life cycle make use : The later parts of the life cycle make use of these tools. These tools use design information to of these tools. These tools use design information to generate program codes.generate program codes.


85 / 125

Integrated CASE environmentsIntegrated CASE environments

It is possible to use separate CASE tools for individual activities but It is possible to use separate CASE tools for individual activities but an integrated CASE (I CASE) tool is used for better efficiency.an integrated CASE (I CASE) tool is used for better efficiency.

CASE database (Repository)CASE database (Repository) contains the following data: contains the following data: Enterprise information such as Organisational structure, Business area Enterprise information such as Organisational structure, Business area

analysis etc.analysis etc. Application design information such as data structures, menu trees, Application design information such as data structures, menu trees,

processing logic etcprocessing logic etc Construction / Programs information such as source code, object code etcConstruction / Programs information such as source code, object code etc Testing information such as Test plan, Test results etcTesting information such as Test plan, Test results etc Project management details such as Project plan, Work breakdown structure, Project management details such as Project plan, Work breakdown structure,

Estimates, schedules etcEstimates, schedules etc Documentation details such as Systems requirements specifications, Design Documentation details such as Systems requirements specifications, Design

document, User manualsdocument, User manuals


86 / 125

Advantages and limitations in using CASEAdvantages and limitations in using CASE

Benefits of using CASEBenefits of using CASE Since CASE strictly follows SDLC, use of CASE enforces the disci pline in Since CASE strictly follows SDLC, use of CASE enforces the disci pline in

steps of SDLC.steps of SDLC. The standardization / uniformity of processes can be achieved.The standardization / uniformity of processes can be achieved. Since CASE tools generate inputs of each stage from the outputs of previous Since CASE tools generate inputs of each stage from the outputs of previous

stage, consistency of application quality can be ensured.stage, consistency of application quality can be ensured. Tasks such as diagramming need not be done by the programmer, and can be Tasks such as diagramming need not be done by the programmer, and can be

left to the CASE tool.left to the CASE tool. Programmer can devote time for more productive tasks; thus the development Programmer can devote time for more productive tasks; thus the development

time can be shortened and cost economy can be achieved time can be shortened and cost economy can be achieved Since stage outputs and related documentation are created by the tool.Since stage outputs and related documentation are created by the tool.

Disadvantages of CASEDisadvantages of CASE CASE tools are costly, particularly ones that address the early stages of the CASE tools are costly, particularly ones that address the early stages of the

life cycle.life cycle. Use of CASE tools requires extensive trainingUse of CASE tools requires extensive training


87 / 125

Chapter 5 Chapter 5

Specialized SystemsSpecialized Systems


88 / 125


An understanding of Artificial Intelligence (AI) that includes An understanding of Artificial Intelligence (AI) that includes Characteristic features of AI applicationsCharacteristic features of AI applications AI applications like expert systems, neural systems, robotics etc.AI applications like expert systems, neural systems, robotics etc. An insight on expert systems, its components, merits and shortcom ingsAn insight on expert systems, its components, merits and shortcom ings

An overview of data warehouse, data mining and its conceptAn overview of data warehouse, data mining and its concept An understanding on Decision Support systems (DSS) that includes An understanding on Decision Support systems (DSS) that includes

DSS frameworksDSS frameworks Design, development and implementation issues in DSSDesign, development and implementation issues in DSS DSS trendsDSS trends

Point of Sale systemsPoint of Sale systems ATMsATMs EDI, E-Commerce, ERP SystemsEDI, E-Commerce, ERP Systems


89 / 125

Artificial Intelligence (AI)Artificial Intelligence (AI)

Designing human like thinking ability by computers is called AIDesigning human like thinking ability by computers is called AI Computer are very good and speedy in performing calculations Computer are very good and speedy in performing calculations

which are of repetitive nature. which are of repetitive nature. Artificial Intelligence does this on the basis of predetermined set of Artificial Intelligence does this on the basis of predetermined set of

rules. rules. Human is better than computer (since it is a living animal) in Human is better than computer (since it is a living animal) in

following aspects..following aspects.. Thinking and reasoningThinking and reasoning Using reason to solve problemsUsing reason to solve problems Learning from experienceLearning from experience Exhibiting creativity and imaginationExhibiting creativity and imagination Handling ambiguous or incomplete information Handling ambiguous or incomplete information

AI tries to achieve the same through computer.AI tries to achieve the same through computer.


90 / 125

AI applicationsAI applications

The applications of AI can be classified into three major categories: The applications of AI can be classified into three major categories: Cognitive Science, Robotics and Natural LanguagesCognitive Science, Robotics and Natural Languages

Cognitive ScienceCognitive Science: : This is an area based on research in disciplines such as biology, neurology, This is an area based on research in disciplines such as biology, neurology,

psychology, mathematics and allied disciplines. psychology, mathematics and allied disciplines. It focuses on how human brain works and how humans think and learn. It focuses on how human brain works and how humans think and learn.

Applications of AI in the cognitive science are:Applications of AI in the cognitive science are: Expert SystemsExpert Systems: :

These are information systems with reasoning ca pability. These are information systems with reasoning ca pability. Learning SystemsLearning Systems::

These are the systems that can modify their be haviour based on information These are the systems that can modify their be haviour based on information they acquire as they operate. they acquire as they operate.


91 / 125

AI applications…AI applications…

Fuzzy logicFuzzy logic: : These are systems that can process data that are ambiguous and incomplete.These are systems that can process data that are ambiguous and incomplete. This permits them to solve unstructured problems. This permits them to solve unstructured problems. These systems are 'trained' to learn imprecise terminology such as those These systems are 'trained' to learn imprecise terminology such as those

normally used by humans in their interactions (e.g. cooler, faster etc). normally used by humans in their interactions (e.g. cooler, faster etc). Many embedded systems such as in washing machines, refrigerators, auto-Many embedded systems such as in washing machines, refrigerators, auto-

focus cameras and energy efficient air-conditioners use fuzzy logic.focus cameras and energy efficient air-conditioners use fuzzy logic. Neural networksNeural networks: :

These are computing systems modelled after the human brain. These are computing systems modelled after the human brain. This is with reference to the mesh like network of interconnected processing This is with reference to the mesh like network of interconnected processing

elements. elements. Though the architecture is much simpler than the human brain, it permits Though the architecture is much simpler than the human brain, it permits

them to recognize patterns. Such patterns get more and more refined with data them to recognize patterns. Such patterns get more and more refined with data input. input.


92 / 125

Some AI examplesSome AI examples

Intelligent agentsIntelligent agents: Intelligent agents are software that use built-in : Intelligent agents are software that use built-in and learned knowledge base about a person or process to make de and learned knowledge base about a person or process to make de cisions and accomplish tasks in a way that fulfils the intentions of cisions and accomplish tasks in a way that fulfils the intentions of user. E.g. Word processing softwareuser. E.g. Word processing software

RoboticsRobotics: This technology produces robot machines with computer : This technology produces robot machines with computer intelligence and human-like physical capabilities. Robotics find intelligence and human-like physical capabilities. Robotics find expensive application in computer aided manufacturing.expensive application in computer aided manufacturing.

Natural languages: Being able to 'converse' with computers in Natural languages: Being able to 'converse' with computers in human languages is the goal of research in this area. E.g. Interactive human languages is the goal of research in this area. E.g. Interactive voice response, virtual realityvoice response, virtual reality

Virtual realityVirtual reality: Virtual reality involves using multi sensory human-: Virtual reality involves using multi sensory human-computer interfaces that enable humans to experience computer computer interfaces that enable humans to experience computer simulated objects, space and activities, as they actually exist. Flight simulated objects, space and activities, as they actually exist. Flight simulation for training pilots, surgery simulation for training doc tors simulation for training pilots, surgery simulation for training doc tors are some of the applications of virtual reality.are some of the applications of virtual reality.


93 / 125

Expert SystemsExpert Systems

Most practical and widely implemented Most practical and widely implemented applications. applications.

An expert system (ES) is a knowledge based An expert system (ES) is a knowledge based information system that uses its knowledge about a information system that uses its knowledge about a specific, complex application area to act as an specific, complex application area to act as an expert consultant. expert consultant.

Provide answers in the specific application area, Provide answers in the specific application area, and also explain their reasoning process and and also explain their reasoning process and conclusions conclusions


94 / 125

Components of expert systemsComponents of expert systems

User interfaceUser interface: : This allows the user to interact with the system. This allows the user to interact with the system. The user presents the problem for which solutions are The user presents the problem for which solutions are

delivered to him.delivered to him.Interface engineInterface engine: :

This part reasons and determines the application of This part reasons and determines the application of knowledge in the knowledge base to the facts presented knowledge in the knowledge base to the facts presented in the user interface. in the user interface.

Interface engine is the active component of an expert Interface engine is the active component of an expert system and its main job is to mimic human reasoningsystem and its main job is to mimic human reasoning


95 / 125

Components of expert systems…Components of expert systems…

Knowledge baseKnowledge base: : Important element of an expert system since it holds the Important element of an expert system since it holds the

expert problem solving knowledge. expert problem solving knowledge. The key to the knowledge base is the way knowledge is The key to the knowledge base is the way knowledge is

represented. represented. Knowledge representation deals with structuring of Knowledge representation deals with structuring of

information and ways to manipulate it to infer information and ways to manipulate it to infer additional data. additional data.


96 / 125

Advantages of expert systemsAdvantages of expert systems

The knowledge and experience of the expert is The knowledge and experience of the expert is captured before he leaves the organizationcaptured before he leaves the organization

The codified knowledge in a central repository The codified knowledge in a central repository makes it easy to share it with the less experienced makes it easy to share it with the less experienced in the application areain the application area

This ensures consistent and quality decisionsThis ensures consistent and quality decisionsIt also enhances personnel productivityIt also enhances personnel productivity


97 / 125

Limitations of expert systems Limitations of expert systems

Expert systems perform well in solving specific types of problems Expert systems perform well in solving specific types of problems in a limited domain. When the problems involve multiple domains, in a limited domain. When the problems involve multiple domains, expert systems become difficult to constructexpert systems become difficult to construct

They do not have the capacity to learn and from that point of view They do not have the capacity to learn and from that point of view are static in their knowledge. E.g. in above cited example, a new are static in their knowledge. E.g. in above cited example, a new disease (say Dengue) which also may have similar symptoms like disease (say Dengue) which also may have similar symptoms like Malaria may not be predicted unless some more questions are asked Malaria may not be predicted unless some more questions are asked and some more knowledge is updated in knowledge base.and some more knowledge is updated in knowledge base.

Usage of specialised languages render maintenance of expert sys Usage of specialised languages render maintenance of expert sys tems difficulttems difficult

Development costs of expert systems are high. This obvious Development costs of expert systems are high. This obvious because one may have to work with multiple experts to update because one may have to work with multiple experts to update knowledge base.knowledge base.


98 / 125

Data WarehouseData Warehouse

Data Warehouse as defined by researcher W. H. Inmon Data Warehouse as defined by researcher W. H. Inmon states that “It is a Subject - oriented, integrated, time-states that “It is a Subject - oriented, integrated, time-variant, non-volatile, collection of data in support of variant, non-volatile, collection of data in support of management’s decision making process”management’s decision making process”

Another definition given by Wayne Eckerson says that “It Another definition given by Wayne Eckerson says that “It is a Central Repository of clean, consistent, integrated & is a Central Repository of clean, consistent, integrated & summarised information, extracted from multiple summarised information, extracted from multiple operational systems, for on-line query processing”operational systems, for on-line query processing”


99 / 125

Features of Data WarehouseFeatures of Data Warehouse

It is a Stand-alone application It is a Stand-alone application It has a repository of information which may be integrated It has a repository of information which may be integrated

from several, heterogeneous operational databasesfrom several, heterogeneous operational databases It stores large volumes of data which are frequently used It stores large volumes of data which are frequently used

for DSSfor DSS It is physically stored separately from organisation’s It is physically stored separately from organisation’s

databasesdatabases It is relatively static, and has infrequent updatesIt is relatively static, and has infrequent updates It is “Read-Only” applicationIt is “Read-Only” application


100 / 125

Preparation of Data WarehousePreparation of Data Warehouse

Data is copied from ERP or other Transaction processing systems Data is copied from ERP or other Transaction processing systems and before uploading it in Data Warehouse, it is aggregated, and before uploading it in Data Warehouse, it is aggregated, summarised & filtered for suitable analysis. summarised & filtered for suitable analysis.

End users run queries against this data to identify trends, patterns & End users run queries against this data to identify trends, patterns & correlations hidden in the data.correlations hidden in the data.

The following is a complete life cycle of a Data Warehouse.The following is a complete life cycle of a Data Warehouse. Prepare dataPrepare data Transform dataTransform data Load dataLoad data Model dataModel data Establish Access – This gives to Data Warehouse dataEstablish Access – This gives to Data Warehouse data Retrieve dataRetrieve data Analyse dataAnalyse data Archive dataArchive data Destroy data from Data WarehouseDestroy data from Data Warehouse


101 / 125

Data MiningData Mining

Data Mining is a process of recognizing the Data Mining is a process of recognizing the patterns among the data in the data warehouse. patterns among the data in the data warehouse.

IS Auditors can place more reliance on the data IS Auditors can place more reliance on the data mining technique to assess audit risk and to collect mining technique to assess audit risk and to collect and evaluate audit risk by :and evaluate audit risk by :Detecting errors and irregularitiesDetecting errors and irregularitiesKnowledge discovery by better assessing safeguarding Knowledge discovery by better assessing safeguarding

of assets, data integrity and effective and efficient of assets, data integrity and effective and efficient operation of the systemoperation of the system


102 / 125

Decision Support Systems (DSS)Decision Support Systems (DSS)

These are information systems that provide interactive These are information systems that provide interactive information support to managers with the use of analytical information support to managers with the use of analytical models. models.

DSS are designed to be adhoc systems, modelled for DSS are designed to be adhoc systems, modelled for specific decisions of individual managers. specific decisions of individual managers.

These system satisfy such queries which are not answered These system satisfy such queries which are not answered by the transactions processing systems. by the transactions processing systems.

Typical examples could be:Typical examples could be: Comparative sales figures between two consecutive months for Comparative sales figures between two consecutive months for

dif ferent products with the percentage variation to total salesdif ferent products with the percentage variation to total sales Revenue and Cost projections on the basis of certain product mixRevenue and Cost projections on the basis of certain product mix Evaluation of different alternatives, leading to selection of the Evaluation of different alternatives, leading to selection of the

best one.best one.Distributed by AGASS (http://www.agass.org)

103 / 125

Point of Sale Systems (POS)Point of Sale Systems (POS)

A POS system is intended to capture data at the time and A POS system is intended to capture data at the time and place of transaction which is being initiated by a business place of transaction which is being initiated by a business user. user.

It is often attached to scanners to read bar codes and It is often attached to scanners to read bar codes and magnetic cards for credit card payment and electronic magnetic cards for credit card payment and electronic sales. sales.

POS provide significant cost and time saving as compared POS provide significant cost and time saving as compared to the manual methods. to the manual methods.

Also eliminate errors that are inherent in manual system Also eliminate errors that are inherent in manual system POS may involve batch processing or an online POS may involve batch processing or an online

processing. processing.


104 / 125

Automatic Teller Machines (ATM)Automatic Teller Machines (ATM)

An automated teller machine is a specialized form of the point of sale An automated teller machine is a specialized form of the point of sale terminal. terminal.

This is designed for unattended use by a customer of a financial This is designed for unattended use by a customer of a financial institution. institution.

The ATMs generally allow cash deposits, cash with drawals and a range of The ATMs generally allow cash deposits, cash with drawals and a range of banking operations like cheque book requisition, requesting account banking operations like cheque book requisition, requesting account statement etc. statement etc.

ATMs are generally used for use after the closing hours of the financial ATMs are generally used for use after the closing hours of the financial institution and can be located either adjacent to the location of the institution and can be located either adjacent to the location of the financial institution or may be at a distant place. financial institution or may be at a distant place.

The facility of ATM can be within a bank, across local banks and amongst The facility of ATM can be within a bank, across local banks and amongst the banks outside a region. the banks outside a region.

ATMs transfer the information and money over communication lines. ATMs transfer the information and money over communication lines. These systems must provide a high level of logical and physical security These systems must provide a high level of logical and physical security

for both the customer and the ATM machine.for both the customer and the ATM machine.


105 / 125

Electronic Data Interchange (EDI Systems)Electronic Data Interchange (EDI Systems) Electronic Data Interchange is the oldest form of Electronic Data Interchange is the oldest form of

transmitting business transactions between the business transmitting business transactions between the business partners with dissimilar computer systems. partners with dissimilar computer systems.

EDI is used to transmit and exchange business documents EDI is used to transmit and exchange business documents like purchase orders, request for proposals, invoices and like purchase orders, request for proposals, invoices and shipping notices in a standard machine readable format.shipping notices in a standard machine readable format.

The advantages of EDI are:The advantages of EDI are: Reduction in paperworkReduction in paperwork Improved flow of informationImproved flow of information No necessity of reeking of dataNo necessity of reeking of data Less errors while transmitting / exchange of informationLess errors while transmitting / exchange of information Speed in communication due to electronic transmissionSpeed in communication due to electronic transmission Improvement in carrying out a business process.Improvement in carrying out a business process.


106 / 125

How does the EDI system function?How does the EDI system function?

The EDI comprises of the following three elements:The EDI comprises of the following three elements: Communication Software : Communication Software :

moves the data from one point to anothermoves the data from one point to another marks the start and the end of the EDI transmission marks the start and the end of the EDI transmission decides how the acknowledgements are transmitted and reconciled.decides how the acknowledgements are transmitted and reconciled.

Translation Software Translation Software : : involves conversion of data from a business application translated into a involves conversion of data from a business application translated into a

standard format, to be transmitted over the communication networkstandard format, to be transmitted over the communication network convert this data back from the EDI format into the proprietary format of convert this data back from the EDI format into the proprietary format of

the receiver organization.the receiver organization. EDI standard EDI standard : :

which specifies the standards for the transmittal of the business which specifies the standards for the transmittal of the business documents like invoices, purchase orders etc.documents like invoices, purchase orders etc.


107 / 125

How does the EDI system function?...How does the EDI system function?...

Traditional EDI process generally involves three functions within Traditional EDI process generally involves three functions within each trading partner's computer system.each trading partner's computer system. Communication handler : Communication handler : Process for transmitting and receiving elec tronic Process for transmitting and receiving elec tronic

documents between trading partners via Dial up lines, Public switched documents between trading partners via Dial up lines, Public switched network, Multiple dedicated lines or a value added network. network, Multiple dedicated lines or a value added network.

EDI Interface : EDI Interface : Interface function manipulates and routes the data between the application Interface function manipulates and routes the data between the application

system and the communications handler. system and the communications handler. EDI interface may generate and send the functional acknowledgements, EDI interface may generate and send the functional acknowledgements,

verify the identity of the partners and check the validity of the verify the identity of the partners and check the validity of the transactions by checking the transmission information against the trading transactions by checking the transmission information against the trading partner master file. partner master file.

The interface consists of two components : EDI Translator & The interface consists of two components : EDI Translator & Applications InterfaceApplications Interface

Application System Application System : The programs that process the data sent to, received : The programs that process the data sent to, received from, the trading partner. E.g. Purchase orders from purchasing system.from, the trading partner. E.g. Purchase orders from purchasing system.


108 / 125

EDI standardsEDI standards

There are two competing and mutually incompatible standards for EDI in existence today. There are two competing and mutually incompatible standards for EDI in existence today. They are the ANSI ASCX.12 (American National Standards Institute-Accredited They are the ANSI ASCX.12 (American National Standards Institute-Accredited Standards Committee) and UN/EDIFACT (United Nations / Electronic Data Interchange Standards Committee) and UN/EDIFACT (United Nations / Electronic Data Interchange for Administration Commerce and Trade) standards.for Administration Commerce and Trade) standards.

Features of ANSI ASCX.12:Features of ANSI ASCX.12: This standard was developed by ANSI, and has been adopted in the USA and some pacific Rim This standard was developed by ANSI, and has been adopted in the USA and some pacific Rim

countries)countries) Standards for 250 transactions are currently available.Standards for 250 transactions are currently available. It is relatively rigid and inflexible when compared to EDIFACTIt is relatively rigid and inflexible when compared to EDIFACT

Features of UN/ EDIFACT:Features of UN/ EDIFACT: This standard was originally developed in Europe and adopted by United Nations.This standard was originally developed in Europe and adopted by United Nations. They are relatively flexible when compared to X.12They are relatively flexible when compared to X.12 Flexibility has lead to frequent versions. Different Companies may have different versions Flexibility has lead to frequent versions. Different Companies may have different versions

leading to conflictsleading to conflicts Adopted in areas where X.12 was not adoptedAdopted in areas where X.12 was not adopted Both the above standards are relatively expensive and have found the acceptance in large Both the above standards are relatively expensive and have found the acceptance in large

organizations and do not address to the needs of the small and medium size enterprises.organizations and do not address to the needs of the small and medium size enterprises.


109 / 125

Web Based EDIWeb Based EDI

Web based EDI has become popular becauseWeb based EDI has become popular becauseSubstantial reduction in the cost for small size Substantial reduction in the cost for small size

organizations be cause the trade partners can use VPN organizations be cause the trade partners can use VPN on Internet as against dedi cated communication lines.on Internet as against dedi cated communication lines.

Its ability to attract new partners via web based sitesIts ability to attract new partners via web based sitesImprovement in the traditional EDI formatImprovement in the traditional EDI formatNew security products are available to address issues of New security products are available to address issues of

confidenti ality, integrity, authentication and non confidenti ality, integrity, authentication and non repudiation.repudiation.


110 / 125

Electronic Commerce (e-Commerce):Electronic Commerce (e-Commerce):

e-Commerce involves, information sharing, e-Commerce involves, information sharing, payment, fulfillment and service and support.payment, fulfillment and service and support.

It has 4 functions :It has 4 functions :Information SharingInformation SharingPaymentPaymentFulfillmentFulfillmentService and SupportService and Support


111 / 125

The Advantages of the E Commerce are:The Advantages of the E Commerce are:

Savings in CostSavings in CostSaving in transaction timeSaving in transaction timeNo limitations of the geographical boundaries.No limitations of the geographical boundaries.Larger availability of the customer base for the Larger availability of the customer base for the

suppliers and larger choice to the customerssuppliers and larger choice to the customersNo restriction of timingsNo restriction of timingsStorage or holding cost can be greatly reducedStorage or holding cost can be greatly reducedDifferent roles for the intermediariesDifferent roles for the intermediaries


112 / 125

Types of E Commerce ModelsTypes of E Commerce Models

Business to Business (B to B) relationshipBusiness to Business (B to B) relationshipBusiness to consumer (B to C) relationshipBusiness to consumer (B to C) relationshipBusiness to Employee (B to E) relationshipBusiness to Employee (B to E) relationshipBusiness to Government (B to G) relationshipBusiness to Government (B to G) relationshipConsumers to Consumers (C to C) relationshipConsumers to Consumers (C to C) relationshipCitizen to Government (C to G) relationshipCitizen to Government (C to G) relationshipExchange to Exchange (X to X) relationshipExchange to Exchange (X to X) relationship


113 / 125

Enterprise Resource Planning Systems (ERP Systems)Enterprise Resource Planning Systems (ERP Systems)

Enterprise Resource Planning (ERP) are fully integrated Enterprise Resource Planning (ERP) are fully integrated corporate solutions focusing on the business applications corporate solutions focusing on the business applications like finance and control, pro duction planning, sales, like finance and control, pro duction planning, sales, warehousing and logistics etc. warehousing and logistics etc.

Presently, there are many ERPs available in the market Presently, there are many ERPs available in the market like SAP, Oracle Applications, BAAN, People Soft etc. like SAP, Oracle Applications, BAAN, People Soft etc.

The ERPs save lot of time by recording the business The ERPs save lot of time by recording the business transaction only once and at the first instance only. transaction only once and at the first instance only.


114 / 125

Chapter 6 Chapter 6

Auditing the System Development ProcessAuditing the System Development Process


115 / 125

IS Auditor's Role in Systems Development, IS Auditor's Role in Systems Development, Acquisition and MaintenanceAcquisition and Maintenance

Identifying subsystems and modules, their goals and user Identifying subsystems and modules, their goals and user function ality expectations function ality expectations

Checking if the control recommendations are appropriate Checking if the control recommendations are appropriate for the risks identified for the risks identified

Advising the design team on incorporating control Advising the design team on incorporating control measures measures

Verifying if the recommendations he has made are Verifying if the recommendations he has made are properly imple mented properly imple mented

To ensure that the systems help to meet the organisational To ensure that the systems help to meet the organisational objectives objectives


116 / 125

IS Auditor's Role in Systems Development, IS Auditor's Role in Systems Development, Acquisition and MaintenanceAcquisition and Maintenance

To ensure the qual ity of the deliverables.To ensure the qual ity of the deliverables.

Reviewing the change management process Reviewing the change management process To assess the effectiveness of the system in the To assess the effectiveness of the system in the

post implementation phase.post implementation phase. Reviewing the maintenance procedureReviewing the maintenance procedure To ensure adequate documentation To ensure adequate documentation Ensuring production source integrity during the Ensuring production source integrity during the

maintenance phasemaintenance phase


117 / 125

IS Auditor's Role in Reviewing Developmental IS Auditor's Role in Reviewing Developmental Phases of SDLC Phases of SDLC

Has to review all the phases of the system develop ment life Has to review all the phases of the system develop ment life cycle, such as:cycle, such as: Feasibility studyFeasibility study

has to ensure that the suggested technology is viable before has to ensure that the suggested technology is viable before implementing it in the de velopment process.implementing it in the de velopment process.

can provide a valuable inputs in evaluating the cost-benefit analysis.can provide a valuable inputs in evaluating the cost-benefit analysis. System requirement definitionSystem requirement definition

To review problem definitionTo review problem definition To review Information flowsTo review Information flows To evaluate the methodology employed and the compliance To evaluate the methodology employed and the compliance

level.level. To check use of CASE tools , be cause the quality of work is To check use of CASE tools , be cause the quality of work is

likely to be better in CASE environ ments likely to be better in CASE environ ments


118 / 125

IS Auditor's Role in Reviewing Developmental IS Auditor's Role in Reviewing Developmental Phases of SDLCPhases of SDLC

Software acquisitionSoftware acquisition The decision to acquire the software should flow from the feasibility studyThe decision to acquire the software should flow from the feasibility study The auditor should also ensure that the software acquired would meet the The auditor should also ensure that the software acquired would meet the

overall design goals of the proposed system.overall design goals of the proposed system. RFP (Request for proposal) should be checked for adequacy.RFP (Request for proposal) should be checked for adequacy. Should check the criteria for pre-qualification of vendors.Should check the criteria for pre-qualification of vendors. To check justification for the selection of the final vendor / product.To check justification for the selection of the final vendor / product. availability of sufficient documentation to support the above decision.availability of sufficient documentation to support the above decision. The auditor may also collect information on vendor viability, support The auditor may also collect information on vendor viability, support

infrastructure, service record and the like.infrastructure, service record and the like. Should thoroughly review the contract signed with the vendor Should thoroughly review the contract signed with the vendor


119 / 125


Detailed design and programmingDetailed design and programmingIn non-CASE environ ments, the auditor may have to undertake a In non-CASE environ ments, the auditor may have to undertake a

detailed design review:detailed design review:The design diagrams should be checked for compliance with stan The design diagrams should be checked for compliance with stan

dardsdardsTo check for appropriate approvals for any change that has been To check for appropriate approvals for any change that has been

incorporated in the design stageincorporated in the design stageTo check the design for modularity.To check the design for modularity.To review the input, processing and output controls of systems.To review the input, processing and output controls of systems.To check the user interface design for usability, appropriateness, To check the user interface design for usability, appropriateness,

compliance with standards and acceptance by users.compliance with standards and acceptance by users.


120 / 125


Availability of Audit trails.Availability of Audit trails.To check compatibility, interoperability and To check compatibility, interoperability and

scalability for selected hardware and softwarescalability for selected hardware and softwareTo check Flow charts and other such tools To check Flow charts and other such tools To check their implementation in programs To check their implementation in programs To focus on Exception data handling To focus on Exception data handling To test the design and program for such data.To test the design and program for such data.To ensure that the 'bugs' have been fixed.To ensure that the 'bugs' have been fixed.


121 / 125


TestingTesting To review the test plans for completeness.To review the test plans for completeness. To verify Cyclical processing such as month-end reports etc.To verify Cyclical processing such as month-end reports etc. To verify Security functions of the system.To verify Security functions of the system.

ImplementationImplementation The documentation on parallel run, if available, should be reviewed for The documentation on parallel run, if available, should be reviewed for

effectiveness.effectiveness. Operating procedures should be checked for clarity and accuracyOperating procedures should be checked for clarity and accuracy System and user documents should be checked for adequacy, claritySystem and user documents should be checked for adequacy, clarity and currency.and currency. It should be ensured that data conversion has been completed and all past data It should be ensured that data conversion has been completed and all past data

are available in a format readable by the new software.are available in a format readable by the new software.


122 / 125


Post-implementation and maintenancePost-implementation and maintenanceSystem's ability to fulfill ob jectives that were specified System's ability to fulfill ob jectives that were specified

initially. initially. Compliance with change control procedureCompliance with change control procedureFunctioning of controls in accordance with designFunctioning of controls in accordance with designReview of operator error logsReview of operator error logs


123 / 125


System change procedures and program migration processSystem change procedures and program migration process

On a periodic basis, the auditor should check the following :On a periodic basis, the auditor should check the following : Procedures for authorising, prioritising and tracking system chang esProcedures for authorising, prioritising and tracking system chang es Appropriateness of authorisations for selected change requestsAppropriateness of authorisations for selected change requests Existence of program change historyExistence of program change history The match program and documentation versionsThe match program and documentation versions Access control procedures on source and executable codes in pro duction Access control procedures on source and executable codes in pro duction

directorydirectory Procedure for emergency changesProcedure for emergency changes Security of emergency login ids.Security of emergency login ids. The match between current version of source code and executable code in The match between current version of source code and executable code in

production directoryproduction directory


124 / 125

IS Auditor's Role in Project ManagementIS Auditor's Role in Project Management Objective : Objective :

The risk management process includes… The risk management process includes… the measures undertaken to mitigate the risks at costs the measures undertaken to mitigate the risks at costs

commensurate with the level of risks. commensurate with the level of risks. Not recognising risks or providing exorbitantly costly mitigation Not recognising risks or providing exorbitantly costly mitigation

measures for trivial risks should be avoided measures for trivial risks should be avoided IS Auditor should :IS Auditor should :

Collect documentation of each phase and check for adequacy Collect documentation of each phase and check for adequacy and completion.and completion.

Attend project meetings to check the compliance of the develop Attend project meetings to check the compliance of the develop ment process.ment process.

Advise the team on adequate and cost effective control Advise the team on adequate and cost effective control measures.measures.

Represent the management interest in the team by continuously Represent the management interest in the team by continuously as sessing the ability of the team to meet targets that have been as sessing the ability of the team to meet targets that have been set.set. Distributed by AGASS (http://www.agass.org)

125 / 125

!!! End of Module - IV !!!!!! End of Module - IV !!!


systems development life cycle & applications system

Documents

agass http

system of collection

structured system development

boundaryeach system

systemeach system

system external

introductiona system

solar system