INTRODUCTION TO SYSTEMS DEVELOPMENT Systems Analysis and Design



INTRODUCE YOURSELF
Introduce yourself briefly to your instructor and the class:
- Education
- Work history
- Experience with information systems development
- Goal for the class

COURSE BLOG
https://community.mis.temple.edu/mis5214sec702spring2021/

SCHEDULE
Weekly readings by unit (MSAD = Modern Systems Analysis and Design; CISA = CISA Review Manual):

Intro
- Unit 1, 1/21: Introduction. MSAD Ch. 1, Ch. 2 "Systems Development Environment"; CISA Ch. 3 "Systems Development Methodologies", "SDLC Models", "SDLC Phases"
Planning
- Unit 2, 1/28: Project Management. MSAD Ch. 1 "Project Management"; CISA Ch. 3 "Project Management and Governance"; MSAD Ch. 4 "Identifying and Selecting Projects"; MSAD Ch. 5 "Initiating and Planning Information Systems Projects"
- Unit 3, 2/4: Business Case & Feasibility Analysis. CISA Ch. 3 "Business Case and Feasibility Analysis"
Analysis
- Unit 4, 2/11: Requirement Determination. MSAD Ch. 6 "Determining Systems Requirements"; CISA Ch. 3 "Requirements Definition"; SSD "Security Requirements"
- Unit 5, 2/18: Process Modeling. MSAD Ch. 7 "Structured System Process Requirements"; CISA Ch. 3 "Structured Techniques"; SSD "Vulnerability Mapping"
- Unit 6, 2/28: Data Modeling. MSAD Ch. 8 "Structured System Data Requirements"; CISA Ch. 3 "Entity Relationship Diagrams"; SSD "SDLS and SSD"
- Unit 7, 3/4: (no topic listed)
Design
- Unit 8, 3/11: Database. MSAD Ch. 9 "Database Design"; CISA Ch. 3 "Control Identification and Design"; CISA Ch. 3 "Relational and Embedded Databases"; SSD "Class Security Analysis"
- Unit 9, 3/18: Software. SSD "Procedural Security", "Modular Programming", "Sensitive Data Mapping", "Reducing the System Attack Surface"; CISA Ch. 3 "Software Development Methods"; CISA Ch. 3 "System Development Tools and Productivity Aids"; CISA Ch. 3 "Control Identification and Design"
- Unit 10, 3/25: Human-Computer Interaction. MSAD Ch. 10 "Designing Forms and Reports"; MSAD Ch. 11 "Designing Interfaces and Dialogues"
- Unit 11, 4/1: (no topic listed)
- Unit 12, 4/8: Architecture. MSAD Ch. 12 "Designing Distributed and Internet Systems"; CISA Ch. 3 "Infrastructure Development and Acquisition Practices"; CISA Ch. 3 "Hardware and Software Acquisition"; SSD "Secure Architectures"; ISACA "Auditing Risks in Virtual IT Systems"; ISACA "IT Audits of Cloud and SaaS"
Implementation
- Unit 13, 4/15: Software Development & Testing. MSAD Ch. 13 "Systems Implementation"; CISA Ch. 3 "IS Auditors Role in Project Management"; CISA Ch. 3 "Software Development Methodologies"; CISA Ch. 3 "Software Testing"; SSD "Secure Architectures"
- Unit 14, 4/22: Migration & Deployment. MSAD Chapter 13 "System Implementation"; CISA Chapter 3.5 "Business Application Development"; CISA Chapter 3.6; CISA Chapter 3.9
- Unit 15, 4/29: (no topic listed)

IS Auditor's role topics covered alongside the phases: IS Auditor's Role in Business Case Development; IS Auditor's Role in the SDLC Planning & Analysis; IS Auditor's Role in Systems Design; IS Auditor's Role in Process Reengineering; IS Auditor's Role in Reviewing Application Controls Implementation.

Assessment: Project (60%), Exam (30%).

READINGS
Textbooks:
- Valacich, J.S. and George, J.F. (2019), Modern Systems Analysis and Design, Ninth Edition, Pearson Education, Inc., ISBN-13: 978-0135172759
- CISA Review Manual, 27th Edition (2019), ISACA, ISBN 978-1-60420-767-5
- "COBIT 2019: Framework Introduction and Methodology", ISACA, ISBN 978-1-60420-763-7
- "COBIT 5: Enabling Processes" (2012), ISACA, ISBN 978-1-60420-241-0
ISACA:
- Chaudhuri, A., von Solms, S.H., Chaudhuri, D. (2011), "Auditing Risks in Virtual IT Systems"
- Gelbstein, E. (2015), "Auditors and Large Software Projects, Part 1"
- Gelbstein, E. (2015), "Auditors and Large Software Projects, Part 2"
- Gelbstein, E. (2015), "Auditors and Large Software Projects, Part 3"
- Helskanen, A.LJK (2012), "Project Portfolio Management"
- Kancharia, M. and Bhattacharjee, S. (2010), "Realizing Benefits of IT Investments: Overcoming the Silver-bullet View"
- Raval, V. and Sharma, R. (2017), "Mitigating the Risk Factors of IT Project Failure"
- Singleton, T. (2014), "The Logical Reason for Consideration of IT"
- Singleton, T. (2014), "The Core of IT Auditing"
- Singleton, T. (2012), "Auditing Applications, Part 1"
- Singleton, T. (2012), "Auditing Applications, Part 2"
- Singleton, T. (2011), "Understanding the New SOC Reports"
- Singleton, T. (2010), "IT Audits of Cloud and SaaS"
FedRAMP:
- "CSP Authorization Playbook – Getting Started with FedRAMP"
FIPS:
- PUB 199 "Standards for Security Categorization of Federal Information and Information Systems"
NIST:
- Special Publication 800-34 Revision 1 "Contingency Planning Guide for Federal Information Systems"
- Special Publication 800-53A Revision 4 "Assessing Security and Privacy Controls in Federal Information Systems and Organizations"
- Special Publication 800-53 Revision 4 "Security and Privacy Controls for Federal Information Systems and Organizations"
- Special Publication 800-64 Revision 2 "Security Considerations in the System Development Life Cycle" (SDLC)
SANS:
- Hein, R. (2004), "The Application Audit Process – A Guide for Information Security Professionals"
Misc.:
- INTOSAI (2008), "Why IT Projects Fail, Best Practices Guide"
- Peppard, J. (2016), "A Tool to Map Your Next Digital Initiative", Harvard Business Review

GRADING
Item and weight:
- Assignments: 60%
- Participation: 10%
- Exams: 30%
- Total: 100%
Grading scale:
- 100 – 93: A
- 92 – 90: A-
- 89 – 87: B+
- 86 – 83: B
- 82 – 80: B-
- 79 – 77: C+
- 76 – 73: C
- 72 – 70: C-
- 69 – 67: D+
- 66 – 63: D
- 62 – 60: D-
- 59 – 0: F

LEARNING OBJECTIVES
- Define information systems analysis and design.
- Describe the information systems development life cycle (SDLC).
- Explain computer-aided software engineering (CASE) tools.
- Describe Agile Methodologies and eXtreme Programming.
- Explain object-oriented analysis and design and the Rational Unified Process (RUP).

INTRODUCTION
Information Systems Analysis and Design: a complex organizational process, used to develop and maintain computer-based information systems, carried out by a team of business and systems professionals.
Application Software: computer software designed to support organizational functions or processes.
Systems Analyst: the organizational role most responsible for the analysis and design of information systems.

INTRODUCTION (CONT.)
An organizational approach to systems analysis and design is driven by methodologies, techniques, and tools.
Sources: Mitarart/Fotolia, PaulPaladin/Fotolia

IT AUDITORS' RESPONSIBILITIES
- Providing assurance that enterprise objectives are being met by information systems and infrastructure management practices
- Identifying which elements may represent the greatest risk, and which controls are most effective at mitigating this risk
- Understanding which methodologies are in use for systems development, acquisition and maintenance
- Identifying potential vulnerabilities and points requiring control
- Advising the project team and senior management of deficiencies and best practices within each of these processes

IT AUDITORS' ROLE
Two alternative approaches:
1. Review end-stage deliverables throughout the development process, without becoming part of the process. The auditor reviews each stage's deliverables to ensure that what was planned from the previous stage has been accomplished and that the planning of the next stage has been refined appropriately.
2. Internal control consultant, becoming part of the systems development process. The auditor provides ongoing proactive recommendations by participating in selected project-management meetings, including risk-assessment, systems-design, development, and systems-delivery meetings. The auditor's independence may be compromised, but this is mitigated by another auditor, who should find a system with well-designed controls incorporated.
The auditor produces and provides formal audit reports to the appropriate business managers, including:
1. An overall assessment of the controlled progress of the project
2. Areas requiring improvement to complete the project, as specified, within budget and at an appropriate level of quality
This requires an in-depth understanding of both:
1. The overall information systems development processes adopted
2. The business processes being computerized

REQUIRED TOOLS
You will need both:
- Microsoft Project
- Microsoft Visio
The software is available at the link below. Log in with your TU credentials:
https://azureforeducation.microsoft.com/devtools

A MODERN APPROACH TO SYSTEMS ANALYSIS AND DESIGN
- 1950s: focus on efficient automation of existing processes
- 1960s: advent of procedural third-generation languages (3GL); faster and more reliable computers
- 1970s: system development becomes more like an engineering discipline
- 1980s: major breakthrough with 4GL, CASE tools, object-oriented methods
- 1990s: focus on system integration, GUI applications, client/server platforms, Internet
- The new century: Web application development, wireless PDAs and smart phones, component-based applications, per-use cloud-based application services

DEVELOPING INFORMATION SYSTEMS
System Development Methodology: a standard process followed in an organization to conduct all the steps necessary to analyze, design, implement, and maintain information systems.

SYSTEMS DEVELOPMENT LIFE CYCLE (SDLC)
The traditional methodology used to develop, maintain, and replace information systems.
Phases in the SDLC:
- Planning
- Analysis
- Design
- Implementation
- Maintenance

STANDARD AND EVOLUTIONARY VIEWS OF SDLC
[Figures: systems development life cycle; evolutionary model]

SYSTEMS DEVELOPMENT LIFE CYCLE (SDLC) (CONT.)
- Planning – an organization's total information system needs are identified, analyzed, prioritized, and arranged
- Analysis – system requirements are studied and structured
- Design – a description of the recommended solution is converted into logical and then physical system specifications
  - Logical design – all functional features of the system chosen for development in analysis are described independently of any computer platform
  - Physical design – the logical specifications of the system from logical design are transformed into the technology-specific details from which all programming and system construction can be accomplished
- Implementation – the information system is coded, tested, installed and supported in the organization
- Maintenance – an information system is systematically repaired and improved


A SPECIALIZED SYSTEMS DEVELOPMENT LIFE CYCLE
Microsoft's Security Development Lifecycle (SDL)
- Training focuses on security.
- The SDL's requirements, design, and implementation phases are like the traditional SDLC's analysis, design, and implementation.
- Verification focuses on product quality assurance.
- Release makes the product available for general use.
- Response deals with security problems that come up after product release.
(Source: http://www.microsoft.com/security/sdl/default.aspx. Used by permission.)

THE HEART OF THE SYSTEMS DEVELOPMENT PROCESS
[Figure: analysis–design–code–test loop, the heart of systems development]
Current practice combines analysis, design, and implementation into a single iterative and parallel process of activities.

TRADITIONAL WATERFALL SDLC
One phase begins when another completes, with little backtracking and looping.
[Figure: traditional waterfall SDLC]

PROBLEMS WITH THE WATERFALL APPROACH
- Feedback is ignored; milestones lock in design specs even when conditions change
- Limited user involvement (only in the requirements phase)
- Too much focus on milestone deadlines of SDLC phases, to the detriment of sound development practices

DIFFERENT APPROACHES TO IMPROVING DEVELOPMENT
- CASE Tools
- Agile Methodologies
- eXtreme Programming

COMPUTER-AIDED SOFTWARE ENGINEERING (CASE) TOOLS
- Diagramming tools enable graphical representation.
- Computer displays and report generators help prototype how systems "look and feel".
- Analysis tools automatically check for consistency in diagrams, forms, and reports.
- A central repository provides integrated storage of diagrams, reports, and project management specifications.
- Documentation generators standardize technical and user documentation.
- Code generators enable automatic generation of programs and database code directly from design documents, diagrams, forms, and reports.

CASE TOOLS (CONT.)

AGILE METHODOLOGIES
Motivated by recognition of software development as fluid, unpredictable, and dynamic.
Three key principles:
- Adaptive rather than predictive
- Emphasize people rather than roles
- Self-adaptive processes

The Agile Methodologies group argues that software development methodologies adapted from engineering generally do not fit with real-world software development.

WHEN TO USE AGILE METHODOLOGIES
If your project involves:
- Unpredictable or dynamic requirements
- Responsible and motivated developers
- Customers who understand the process and will get involved


EXTREME PROGRAMMING
- Short, incremental development cycles
- Automated tests
- Two-person programming teams
- Coding, testing, listening, designing
- Coding and testing operate together
Advantages:
- Communication between developers
- High level of productivity
- High-quality code

OBJECT-ORIENTED ANALYSIS AND DESIGN (OOAD)
Based on objects rather than data or processes.
Object: a structure encapsulating the attributes and behaviors of a real-world entity.

OBJECT-ORIENTED ANALYSIS AND DESIGN (OOAD) (CONT.)
Object class: a logical grouping of objects sharing the same attributes and behaviors.
Inheritance: a hierarchical arrangement of classes that enables subclasses to inherit the properties of superclasses.

RATIONAL UNIFIED PROCESS (RUP)
An object-oriented systems development methodology.
Establishes four phases of development: inception, elaboration, construction, and transition.
Each phase is organized into a number of separate iterations.

[Figure: phases of OOSAD-based development]

OUR APPROACH TO SYSTEMS DEVELOPMENT
Criticisms of the SDLC:
- Forcing timed phases on intangible processes (analysis and design) is doomed to fail
- Too much formal process and documentation slows things down
- Cycles are not necessarily waterfalls
And yet the concept of a cycle is in all methodologies. So the SDLC is a valuable model that has many variations.

SUMMARY
In this presentation you learned how to:
- Define information systems analysis and design.
- Describe the information systems development life cycle (SDLC).
- Explain computer-aided software engineering (CASE) tools.
- Describe Agile Methodologies and eXtreme Programming.
- Explain object-oriented analysis and design and the Rational Unified Process (RUP).

ADDENDUM

STATE OF THE MARKET
- Only 47% believe the internal audit department is "sufficiently resourced"
- 51% report that technical skills are the greatest challenge for sourcing
- 64% report internal auditors are difficult to find; 71% report it is difficult to recruit
Source: Barclay Simpson Governance Recruitment Market Report 2016: Internal Audit.

CORPORATE STRUCTURES
Shareholders
Governance level: Board of Directors, made up of external directors and internal directors (CEO, CFO, Legal Counsel). Responsible for: Evaluate, Direct, Monitor.
Management level: Management (Human Resources, Operations, Sales and Marketing, Information Technology, Finance). Responsible for: Plan, Build, Run, Monitor.

CORPORATE GOVERNANCE
"Leadership, organizational structures and processes that ensure the enterprise sustains and extends strategies and objectives." (ISACA Glossary)
Corporate governance helps to:
- Set strategic direction to ensure goals and objectives are achievable
- Ensure risks are properly addressed
- Ensure resources (people, time, money) are properly utilized

WHAT IS THE OBJECTIVE OF GOVERNANCE?
Stakeholder needs drive the governance objective: value creation, made up of benefit realization, risk optimization and resource optimization.

BALANCED SCORECARD
"A strategic planning and management system used extensively to align business activities to the vision and strategy of the organization, improve internal and external communications, and monitor performance against strategic goals." (balancedscorecard.org)
Four perspectives arranged around vision and strategy:
- Financial stewardship: "Financial performance"
- Customer/stakeholder: "Satisfaction"
- Internal business process: "Efficiency"
- Organizational capacity: "Knowledge and innovation"
Diagram elements: strategic objectives, strategy map, performance measurements and targets, strategic initiatives.

ENTERPRISE GOALS AND IT GOALS (COBIT 5)
COBIT 5 Enterprise Goals, by BSC dimension:
Financial
1. Stakeholder value of business investments
2. Portfolio of competitive products and services
3. Managed business risk (safeguarding assets)
4. Compliance with external laws and regulations
5. Financial transparency
Customer
6. Customer-oriented service culture
7. Business service continuity and availability
8. Agile responses to changing business environment
9. Information-based strategic decision making
Internal
10. Optimisation of service delivery costs
11. Optimisation of business process functionality
12. Optimisation of business process costs
13. Managed business change programs
14. Operational and staff productivity
15. Compliance with internal policies
Learning and Growth
16. Skilled and motivated people
17. Product and business innovation culture

COBIT 5 IT Goals, by BSC dimension:
Financial
1. Alignment of IT and business strategy
2. IT compliance and support for business compliance with external laws and regulations
3. Commitment of executive management for making IT-related decisions
4. Managed IT-related business risk
5. Realised benefits from IT-enabled investments and services portfolio
6. Transparency of IT costs, benefits and risk
Customer
7. Delivery of IT services in line with business requirements
8. Adequate use of applications, information and technology solutions
Internal
9. IT agility
10. Security of information, processing infrastructure and applications
11. Optimisation of IT assets, resources and capabilities
12. Enablement and support of business processes by integrating applications and technology into business processes
13. Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards
14. Availability of reliable and useful information for decision making
15. IT compliance with internal policies
Learning and Growth
16. Competent and motivated business and IT personnel
17. Knowledge, expertise and initiatives for business innovation


CREATING VALUE IS A BALANCING ACT!
Risk = Impact x Probability: market risk, financial risk, operations risk, regulatory risk.
Controls: policies and procedures, standards and guidelines, laws and regulations.
Enterprise resources: people, time, money.

IT RISK UNIVERSE
- Legal and Regulatory: non-compliance with regulations; non-compliance with software licenses
- Applications and Databases: unsupported applications; critical system failures; unable to handle load; configuration issues
- Infrastructure: damage to servers; inflexible IT architecture; theft; obsolete technology
- Vendors and Outsourcing: poor service; data leakage; inadequate support; lack of assurance
- Programs, Projects and Change Management: budget overruns; significant delays; poor quality of deliverables; ineffective change control
- Data Security & Privacy: intrusion of malware; virus attacks; web site attacks; poor patch management; disclosure of sensitive data; corruption of data; unauthorized access; failure to mine information
- Physical Environment: utilities failures; natural disasters; labor strikes; environmental sanctions
- Operations: operator errors during backup or maintenance; breakdown of operational processes; loss of key IT resources
- Staffing: inability to recruit IT staff; skills mismatch; lack of business knowledge

THE ROLE OF THE AUDIT AND ASSURANCE PROFESSIONAL
Audit – formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met.
Assurance – pursuant to an accountability relationship between two or more parties, an IT audit and assurance professional may be engaged to issue a written communication expressing a conclusion about the subject matters to the accountable party.
Assurance engagements can include: support for audited financial statements, reviews of controls, compliance with required standards and practices, and compliance with agreements, licenses, legislation and regulation.

FIVE COMPONENTS OF AUDIT AND ASSURANCE
1. Three-party relationship, including: the accountable party (auditee), the user of the assurance report, and the assurance professional
2. Subject matter – the area within the audit universe that is under review in the assurance assignment
3. Suitable criteria – the reference against which the subject is evaluated; usually established by management, with the design evaluated by the assurance professional
4. Assurance process – a structured approach for execution of the engagement
5. Conclusions and recommendations – based on observations, facts and documentation; identify control weaknesses and root causes; substantiate the risks; make recommendations
