05. The Nature and Evaluation of IT General Controls
05.02. IS Acquisition and Development
Briefly reflect on the following before we begin:
- What are the key considerations when acquiring and developing information systems?
- How do third-party vendor controls impact the security and reliability of IS?
- How can organizations ensure their IS acquisition aligns with security and operational needs?
The acquisition and development of IS are critical stages in the lifecycle of any organization’s IT infrastructure. Effective IS auditors must understand the intricacies of selecting and implementing IS to evaluate how those systems align with an organization’s objectives and requirements.
A key element in this area is the evaluation of third-party vendor controls, as many organizations rely on external vendors for their information systems needs. We discuss the underlying risks and how to scrutinize vendor-provided systems for security, reliability, and compliance with standards. Secure software development practices are another focal point of this section. The way software is developed has a significant impact on the security and functionality of the final product. We will delve into best practices in software development, including secure coding, testing, and implementing security features from the outset. Finally, data privacy is an increasingly important concern in IS development. With regulations like GDPR and CCPA, ensuring data privacy has become a priority for organizations. Thus, we will explore how to evaluate data privacy considerations in IS development. This includes understanding legal requirements, data handling practices, and implementing privacy-enhancing technologies.
The IS Acquisition Process
IS acquisition and development refer to the processes and controls involved in procuring and developing IS within an organization. This area is not merely about choosing and building IT systems; it encapsulates a strategic approach that aligns these systems with business goals, ensures their reliability, and safeguards them against various risks. The acquisition phase of IT systems involves evaluating, selecting, and purchasing hardware, software, or services from external vendors. It sets the foundation for how well the IT systems align with the organization’s requirements. Conversely, the development phase focuses on creating or customizing software applications to meet specific organizational needs through in-house development, IT outsourcing, or a combination of both.
The process typically begins with a thorough assessment of the organization’s needs and objectives, which helps in defining the scope and requirements of the new information system. It involves engaging stakeholders, such as end-users, managers, and IT experts, to gather insights and input. Precise requirements are critical to avoid scope creep and ensure the final system aligns with the organization’s goals. Once the requirements are well-defined, organizations proceed to the design phase, where system architects and designers create a detailed blueprint of the information system, outlining its structure, functionality, and user interface. Considerations like scalability, security, and usability are paramount to ensure the system can adapt to evolving business needs and provide a positive user experience.
Next, organizations move on to the development phase, where programmers and developers bring the system to life through coding, testing, and iterative refinement to ensure that the software or application functions as intended and is free from critical defects. Rigorous testing, including user acceptance testing (UAT), helps identify and rectify issues before deployment. Once development is complete, the system undergoes a thorough evaluation and validation process. This ensures that it meets all quality standards, adheres to security protocols, and aligns with regulatory requirements if applicable. It’s also a time when user training and documentation are developed to facilitate a seamless transition to the new system.
The deployment phase marks when the information system becomes operational within the organization. It involves careful planning to minimize disruptions and downtime during the transition. Post-implementation, organizations closely monitor the system’s performance, gather user feedback, and make necessary adjustments to optimize functionality and address unforeseen issues.
The final phase of the IS acquisition and development process involves ongoing maintenance and support through regular updates, patches, and enhancements to keep the system up-to-date and aligned with changing business needs. It also encompasses troubleshooting and help desk support to promptly address user inquiries and issues.
A critical aspect of effective IS acquisition and development is risk assessment. Organizations must assess various risks before acquiring new IT systems or embarking on development projects. These risks include compatibility with existing systems, adherence to industry standards, potential security vulnerabilities, and the financial stability of vendors. By addressing these risks proactively, organizations can avoid costly mistakes and ensure that their IT infrastructure remains secure and efficient. One way to accomplish this is through adherence to industry standards and best practices. This adherence is particularly relevant in the development phase, where coding standards, testing methodologies, and documentation practices come into play. By following established standards and practices, organizations can ensure their software is reliable, maintainable, and secure. Furthermore, compliance with legal and regulatory requirements is essential, especially for heavily regulated industries such as finance and healthcare. IT systems must meet business needs and comply with stringent regulatory standards in such sectors. Failure to comply can result in legal penalties, reputational damage, and financial losses.
Poorly chosen or developed systems can lead to numerous problems, such as inefficiencies, increased costs, security vulnerabilities, and even complete project failures. Conversely, well-executed acquisition and development processes can enhance productivity, improve customer satisfaction, and strengthen the organization’s security posture. IT projects often involve multiple stakeholders, including business units, IT teams, vendors, and sometimes customers. Effective communication and collaboration among these stakeholders are essential for the success of IT projects. It ensures that everyone’s needs are considered, potential issues are identified early, and the final product aligns well with the users’ requirements.
Relevant Risks
In IS acquisition and development, part of IT General Controls (ITGC), organizations face several primary risks that can significantly impact their operations and strategic objectives. Understanding these risks is vital for effective risk management and ensuring successful acquisition and development of information systems. Let’s consider some of these risks.
- Misalignment with Business
- When IT systems or software are acquired or developed without a clear understanding of business requirements, the result can be systems that do not meet the organization’s needs. This misalignment can lead to inefficiencies, wasted resources, and missed opportunities for business enhancement.
- Overspending or Under-budgeting
- IT projects, particularly in acquisition and development, are often prone to cost overruns. Overspending can strain an organization’s financial resources, while under-budgeting may lead to incomplete or inadequate systems.
- Security Vulnerabilities
- Security vulnerabilities present a significant risk in acquiring and developing IT systems. New systems, especially those developed in-house or customized, can have security weaknesses that expose the organization to cyber threats.
- Vendor Dependency
- Relying on a single vendor for critical systems or services can create a dependency that may impact the organization negatively if the vendor fails to deliver or ceases operations. Organizations should consider diversifying their vendor base and establishing contingency plans to mitigate this risk.
- Incompatibility with Existing Systems
- Incompatibility with existing systems is a risk that can lead to integration issues, data silos, and operational inefficiencies. New systems that do not integrate well with existing infrastructure can create more problems than they solve.
- Regulatory Non-Compliance
- Failure to comply with relevant laws and regulations in developing or acquiring IT systems can result in legal penalties, financial losses, and reputational damage. This risk necessitates that organizations stay abreast of legal requirements and incorporate compliance checks into their acquisition and development processes.
- Inadequate User Integration
- Inadequate user acceptance and training can lead to underutilization of new systems. If end-users are not adequately trained, or the system fails to meet user expectations, the organization may not realize the full benefits of the investment.
- Technological Obsolescence
- In the fast-evolving tech landscape, systems can quickly become outdated. Organizations must ensure that the systems they acquire or develop are scalable and adaptable to future technological advancements.
- Poor Project Management
- Lastly, project management issues, such as poor planning, inadequate resource allocation, and lack of clear leadership, can lead to project delays, failures, or abandonment.
Effectively managing these risks requires careful planning, a clear understanding of business requirements, robust security measures, effective project management, and ongoing monitoring and adaptation. To address these risks, organizations must ensure that their IT systems and software investments add value, enhance operational efficiency, and support their strategic goals securely and competently.
Relevant IT General Controls Objectives and Activities
In IS acquisition and development, a subset of IT General Controls (ITGC), several crucial controls ensure the effective management and implementation of information systems. These controls are vital in aligning IT projects with business objectives, managing risks, and ensuring successful outcomes. Let’s consider the primary ITGC objectives for this category.
Requirements Analysis and Definition Control
The primary objective is to ensure that all business requirements for new IT systems or enhancements are thoroughly identified, documented, and accurately reflected in system specifications. This objective involves gathering input from stakeholders, analyzing business processes, and meticulously documenting functional and technical specifications to provide a clear roadmap for system development.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Conduct regular stakeholder meetings to gather and validate business requirements.
- Establish version control and change management procedures for requirement documents.
- Implement automated requirement tracing tools to ensure consistency and completeness in documentation.
Vendor Assessment and Selection Control
This objective is to systematically evaluate and select external vendors to ensure they align with organizational criteria such as reliability, compliance, and capability. The aim is to choose vendors that best meet the organization’s needs and standards by reviewing vendor proposals, assessing their track record, and conducting due diligence.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Develop a comprehensive vendor evaluation matrix that includes reliability, compliance, and capability criteria.
- Create a vendor due diligence checklist and perform thorough background checks on potential vendors.
- Implement a vendor scorecard system to compare and rank vendor proposals objectively.
Project Management Control
The primary goal is to apply project management principles to oversee the development or acquisition process effectively. This objective involves planning project activities, allocating resources, managing schedules, and tracking budgets to ensure that projects are completed on time, within budget, and to the desired quality standards.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Develop a detailed project plan with well-defined milestones, deliverables, and timelines.
- Establish a project governance framework with regular status meetings and progress reporting.
- Implement project management software to track and manage resources, schedules, and budgets.
Testing and Quality Assurance Control
The objective is to validate that the system complies with specified requirements and functions correctly before deployment. It involves developing comprehensive test plans, executing test cases, and rigorously documenting test results to identify and rectify issues, ensuring a reliable and high-quality system.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Define a standardized testing methodology and create a comprehensive test plan for each project.
- Conduct independent peer reviews of test cases and scripts to ensure thorough coverage.
- Implement automated testing tools to execute test cases and generate detailed test reports.
Security and Compliance Control
This objective aims to ensure that newly developed systems are secure and compliant with relevant laws and regulations. It involves integrating security and compliance considerations into the system design process, conducting security assessments, ensuring legal compliance, and implementing security features to protect sensitive data and uphold legal requirements.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Conduct regular security risk assessments and penetration tests to identify vulnerabilities.
- Establish and enforce access control policies and conduct periodic access reviews.
- Maintain a compliance calendar to track and address regulatory requirements and deadlines.
Change Management Control
The primary objective of change management is to handle changes to system requirements or project scope effectively. This objective includes reviewing change requests, assessing their impacts, and thoroughly updating project documentation to ensure all changes are evaluated, approved, and well-documented.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Establish a Change Control Board (CCB) with representatives from various departments to review and approve change requests.
- Implement a standardized change request form and workflow for tracking change approvals and documenting impacts.
- Regularly update project documentation and maintain a change log to track all changes made during the project lifecycle.
User Training and Documentation Control
This objective involves preparing end-users for the new system and providing user-friendly documentation. The aim is to ensure that users are adequately trained and have access to the necessary resources. Achieving it requires developing comprehensive training materials, conducting practical training sessions, and creating user-friendly documentation, including user guides, to facilitate seamless system adoption.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Develop user training materials, including online courses and video tutorials, to cater to different learning styles.
- Conduct user training sessions with hands-on exercises and simulations to enhance user understanding.
- Provide a user-friendly self-service portal for accessing user guides, FAQs, and troubleshooting resources to support ongoing user needs.
Summarized Audit Program
As discussed in Chapter 3, an audit program is a structured and comprehensive plan that outlines the procedures and activities to assess the effectiveness of an organization’s control environment. Based on the core concepts of IS acquisition and development ITGCs discussed above, presented below is a summarized audit program highlighting select relevant risks, corresponding ITGCs, and potential ways (audit procedures) to assess the operating effectiveness of such ITGCs. Please note that this is not an exhaustive audit program covering all applicable risks and controls and is provided for your reference only.
Detailed Description of the Risk and Its Impact | Relevant IT General Control Activity | Detailed Test of Controls Audit Procedure |
---|---|---|
Inadequate assessment of business needs in system acquisition or development can lead to underperforming systems and operational inefficiencies. | The control activity involves conducting a thorough business needs analysis for each IT project, where responsibilities include identifying system requirements, ensuring alignment with business objectives, and documentation. This is carried out at the initiation of each project. | The audit procedure involves testing five random project documents. The auditor will review project initiation documents and business needs analysis using the inspection technique to ensure alignment with business objectives. |
Budget overruns in system acquisition or development can cause significant financial strain on the organization. | Budget control and regular financial monitoring for IT projects are implemented monthly. The process includes tracking budget usage, reporting variances, and obtaining approvals for deviations. | The auditor will review five budget records, comparing actual spending against budgeted amounts and inspecting budget approval documents, using analysis techniques to check for adherence to budget and investigating any significant variances. |
Non-compliance with legal and regulatory requirements in system acquisition or development risks legal penalties and reputational damage. | Compliance checks are integrated into each project to ensure compliance with relevant laws and regulations. This includes reviewing compliance requirements and conducting regular compliance audits. | The audit involves examining five compliance checklists and confirming adherence through document inspection, using confirmation techniques to ensure all regulatory and legal standards are met. |
Security vulnerabilities in new IT systems increase the risk of data breaches and cyberattacks. | Security assessments are conducted for each system implementation, including vulnerability testing and security reviews. This includes responsibilities for conducting and documenting these assessments. | The audit procedure includes testing five newly implemented systems through vulnerability scans and security assessments, using reperformance techniques to identify and document any security vulnerabilities. |
Insufficient user training on new systems leads to low productivity and underutilization of systems. | User training for new systems includes developing training materials and conducting training sessions for each new system deployment. | The audit will observe 25 training sessions to assess the effectiveness of the training program, using observation techniques to ensure comprehensive coverage of necessary skills and knowledge. |
Poor project management leading to project delays causes increased costs and potential project failure. | Effective project management practices are conducted weekly, including overseeing project timelines and resource allocation. Responsibilities include monitoring project progress and reporting any delays. | The audit involves reviewing five project progress reports, using inspection techniques to check for adherence to project timelines and identifying any significant delays or issues. |
Failure to adequately test new systems results in potential system failures post-implementation. | Comprehensive testing of new systems is carried out for each system deployment. This includes developing test plans, executing tests, and documenting the results. | The audit procedure includes inspecting the test results of five system implementations to verify comprehensive testing, using inspection techniques to ensure the testing meets project criteria and system requirements. |
In the Spotlight
For additional context on IS acquisition and development, please read the article titled “A Novel Approach for Government Acquisition and Procurement: Agile Risk Tolerance”.
Moyer, S., Dubs, R., Skalamera, R., Kepner, R., & Meyer, M. (2021). A novel approach for government acquisition and procurement: Agile risk tolerance. ISACA Journal, 3. https://www.isaca.org/resources/isaca-journal/issues/2021/volume-3/a-novel-approach-for-government-acquisition-and-procurement
Knowledge Check
Review Questions
- What is the primary purpose of conducting a thorough business needs analysis in the IS acquisition and development process?
- How can budget overruns in system acquisition or development be mitigated according to the control activity?
- Why is compliance with legal and regulatory requirements crucial in system acquisition and development, and how is it ensured?
- What is the critical responsibility related to security assessments in the context of IT system implementation, and why is it important?
- How can the effectiveness of user training on new systems be assessed, and why is this assessment critical?
Mini Case Study
Imagine you are the lead auditor for a financial services organization planning to acquire a new core banking system. The organization’s top management is concerned about potential risks related to the acquisition and wants to ensure a smooth transition while safeguarding sensitive financial data and maintaining compliance with financial regulations. As the lead auditor, your task is to identify and propose the three most appropriate IT General Controls (ITGCs) to mitigate these risks and design a robust audit procedure to evaluate the effectiveness of these controls.
Required: Based on the scenario provided, please identify and propose the three most appropriate IT General Controls (ITGCs) that should be implemented to mitigate the risks of acquiring a new core banking system. Additionally, outline a robust audit procedure for each of these controls to evaluate their effectiveness in addressing the organization’s concerns.
Key Terms
- IT outsourcing: The use of external service providers to effectively deliver IT-enabled business processes, application services, and infrastructure solutions.
- IS acquisition and development: Controls related to the acquisition and development of information systems, including evaluating vendor reliability, secure software development practices, and data privacy considerations during development.
- Security and compliance control: In ITGCs, the control objective that aims to ensure newly developed systems are secure and compliant with relevant laws and regulations.