Review of Information Systems Development

Similar documents
ISO 9001:2015 Internal Audit Checklist 7.0 Support

Managing Contractors (Scotland)

Internal Audit Quality Analysis Evaluation against the Standards International Standards for the Professional Practice of Internal Auditing (2017)

Project Management Auditing Guide

Certificate in Internal Audit 3. Advanced Audit Techniques

Corporate Governance Statement

Group Technology Committee Charter

Australasian Health Facility Guidelines. Part E - Building Services and Environmental Design Introduction

JOB DESCRIPTION & PERSON SPECIFICATION

Corporate Governance Statement

File No: PERMANENT AUDIT FILE INDEX Annual update confirmation. Business details 1. Background to client

Audit and Risk Assurance Committee Effectiveness Checklist

Analysing client requirements

CORPORATE GOVERNANCE King III - Compliance with Principles Assessment Year ending 31 December 2016

Project Management based on the Project Management book of knowledge

POSITION DETAILS. ORGANOGRAM (Adjust as necessary. Include line manager, line manager s manager, all subordinates and colleagues. Include job grades)

The IIA toolbox.

Part E - Building Services and Environmental Design

The Institute of Directors of South Africa ( IoDSA ) is the convener of the King Committee and the custodian of the King reports and practice notes.

VACANCY ANNOUNCEMENT

COUNTYWIDE RISK ASSESSMENT AND AUDIT PLAN SUMMIT COUNTY, OHIO

Quantitative Benefit Methodology. July 2012

1. Directly responsible to the Head Teacher 2. Joins Senior Leadership Team meetings as appropriate 3. Delegates to Admin Team and Premises Team.

Organisation Details:

EAST SUSSEX FIRE AUTHORITY Job Description

Global Manager Group

Compliance assurance programmes

Supplementary Guidance Authorisation for Dealing Activities

Phumelela Gaming and Leisure Limited

Financial CIA-I. Certified Internal Auditor (CIA) Download Full Version :

Portfolio, Programme and Project Management (P3M3) Maturity Questionnaire

EAST SUSSEX FIRE AUTHORITY Job Description

Integrated Clause-byclause Guidance

PROJECT BOARD TERMS OF REFERENCE. Roles and Responsibilities

SUPPLIERS AND SUBCONTRACTORS

Grade F. 1. Identify, collate and provide relevant information (including pre-construction information) to other duty holders.

Carbon Minerals Limited ABN Corporate governance statement

Albion Water Limited. Environmental Management System Manual

APPENDIX T.2 SACPCMP The South African Council for the Project and Construction Management Professions

BOARD STANDING AND AD HOC COMMITTEES

Risk Management Policy and Framework

ISO 9001:2008, ISO 14001:2004, OHSAS

Office of the Police and Crime Commissioner Devon & Cornwall

AUSTRALIAN ENGINEERING COMPETENCY STANDARDS STAGE 2 - EXPERIENCED PROFESSIONAL ENGINEER IN LEADERSHIP AND MANAGEMENT

CORPORATE GOVERNANCE King III - Compliance with Principles Assessment Year ending 31 December 2015

Risk Oversight and Management

Financial Reporting On the Internet

OVERVIEW OF KING III PRINCIPLES

Australian Trusted Trader

Statement on February 2014 Auditing Standards 128. Using the Work of Internal Auditors

Corporate Governance in the NHS. Code of Conduct Code of Accountability

Audit and Risk Management Committee Policy Ecosave Holdings Limited ACN

AUDIT & RISK COMMITTEE CHARTER

COSCSMO05 SQA Unit Code H99M 04 Prepare and agree a project brief and outline programme in construction management

A Guide To ISO 45001:2018. The new international standard for Occupational Health & Safety. Version 1.1 Page 1 of 7

Sub-section Content. 1 Preliminaries - Post title: Head of Group Risk - Reports to: CRO - Division: xxx - Department: xxx - Location: xxx

EAST SUSSEX FIRE AUTHORITY Job Description

Certificate in Internal Audit IV

This Board Charter (Charter) is the foundation document which sets out the Board s role and responsibilities in

Audit Committee Forum TM

Overview COSCSMO14. Manage project processes in construction management. Manage project processes in construction management

Report. Quality Assessment of Internal Audit at <Organisation> Draft Report / Final Report

A Primer for the Project Management Process by David W. Larsen 1. Table of Contents

Chapter 1 : Ethical leadership and corporate citizenship. Principle 1.1: The board should provide effective leadership based on an ethical foundation.

KING IV GOVERNANCE PRINCIPLES APPLICATION BY MURRAY & ROBERTS FY The governing body should lead ethically and effectively (Leadership)

The Corporate Governance Statement is accurate and up to date as at 30 June 2018 and has been approved by the board.

The Audit of Procurement

MACQUARIE TELECOM GROUP LIMITED CORPORATE GOVERNANCE

Centerwide System Level Procedure

The FP7 Audit Process Handbook

Title Departmental Property Officer Job Purpose. Department Property. Post Ref.

JOB DESCRIPTION. Job title. Senior Procurement Manager. 2-year fixed term contract. Band 2. 52,312-64,208 per annum. Main purpose of the job:

THE COMPLETE GUIDE TO ISO14001

Loch Lomond & The Trossachs National Park Authority and Cairngorms National Park Authority

SANTAM GROUP RISK COMMITTEE CHARTER

Invitation to tender for internal audit services

1. Membership of the Committee

Annual Governance Statement

Advanced Audit Techniques

WESDOME GOLD MINES LTD. MANDATE OF THE BOARD OF DIRECTORS

AIB Group plc (Holding Company)

Audit and Risk Management Committee Charter

As part of the tasks and responsibilities of project control, the aspect of (time) control during the course of a project can be applied in many ways.

Digital Delivery, Quality and Innovation Project Officer Job Description and Person Specification

Terms of Reference for Financial Audit of Implementing Partners

ISO 45001:2018 CLIENT GAP ANALYSIS TOOL (TR006)

SAMOA INSTITUTE OF ACCOUNTANTS QUALITY ASSURANCE (QA) FOR AUDIT REVIEWER (CONTRACTOR SERVICES)

Project Pr Health Checks Check and and Audits Week 8

Quality Management System Guidance. ISO 9001:2015 Clause-by-clause Interpretation

QUILTER PLC ( Quilter or the Company ) BOARD RISK COMMITTEE TERMS OF REFERENCE

Improving the RFP and Contracts Process With COBIT 5

Board Charter Z Energy Limited


Final Report. Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP) EBA/GL/2017/05.

FINANCE ADMINISTRATIVE OFFICER ORGANOGRAM. Director (Professor) Deputy Director (PC12) Receptionist (PC05)

Control of Internal Auditing

A leader for all seasons?

3410N Assurance engagements relating to sustainability reports

HSC Business Services Organisation Board

2017 CORPORATE GOVERNANCE STATEMENT.

Transcription:

Name of entity: Year of account Completed/updated by (Initials and date) Reviewed by Assignment Manager (Initials and date) Reviewed by Assignment Director (Initials and date) Purpose This review is in two parts and follows on from the Review of Information System Controls (NAO 905, Parts 1-3). The first part deals with information systems development and procurement while the second part is concerned with strategic planning and project management. Information Systems Development and Procurement (Part 1) The purpose of the information systems development and procurement review is to assist the entity s management in taking all necessary steps to ensure that new financial information systems are secure, auditable and in all other respects fit for their intended use. When and How to Review Information Systems Development and Procurement The Assignment Director should ensure that Part 1 of this package is completed where a new financial information system is to be developed or procured. The questionnaire should be completed at an early stage during the project planning phase and updated as necessary during project implementation. Responsibility The Assignment Director and Manager are responsible for the review of information systems development and for ensuring that the results of the review are reported to the entity s management. A member of the Information Technology Audit Group (ITAG) may advise the audit team on the conduct of specific aspects of the in-depth review of the entity s installation controls. However, the involvement of ITAG members does not affect the overall responsibility of the Assignment Director and Manager for the conduct, conclusions and reporting of the results of the review. Strategic Planning and Project Management (Part 2) Purpose To ensure that the entity s information systems satisfy, and are justified in terms of, business needs. When and How to Review Strategic Planning and Project Management C:\temp\Review of System Development - checklist.doc

This checklist is optional, and should only be completed where the Assignment Director believes its completion will assist client service and add-value. Responsibility As for Information Systems Development and Procurement above. 2

Part 1: Information Systems Development and Procurement Information systems should be secure, auditable and in other respects fit for their intended use Control action What are management s procedures to ensure controls operates effectively? Ref. 1.1 Information systems should be of sufficient quality for the business needs of the organisation 1.2 Adequate controls and audit facilities should be built into the system 1.3 Appropriate and workable continuity plans should exist to cover prolonged system failure and disaster 1.4 Staff who are to be involved with the new system should receive training appropriate to their particular role 1.5 Any data to be transferred to the new system from an existing system should be transferred completely and accurately 1.6 Auditing requirements should be taken into account in the formulation of outsourcing contracts 1.7 Systems and software developed by endusers for business use should comply with appropriate corporate development standards 3

Part 2: Information Systems Development: Strategic Planning and Project Management Information systems should satisfy, and be justified in terms of, business requirements Control action What are management s procedures to ensure controls operate effectively? Ref. 2.1 Investment in information and communications technology should be clearly linked to defined business needs 2.2 Top management should approve investment in information and communications technology, monitor progress and evaluate the outcome 2.3 The development and use of information and communications technology should follow a consistent direction 2.4 Projects should be adequately resourced 2.5 Project aims should be clearly stated and understood, and there should be an effective management framework for delivering them 2.6 Project risks should be assessed and appropriate management action taken 2.7 Project expenditure should be monitored and controlled 2.8 Project outputs should meet defined quality criteria. 4

Implication of findings for audit strategy Assessment of control risk Design of audit procedures Issues to be reported to management 5

Review of Information Systems Development and Procurement: Points of focus 1. Information systems should be of sufficient quality for the business needs of the organisation Consider, for example, the following topics: What action the organisation is taking to ensure that the system will be of adequate quality in terms of its: - Functionality; - Data processing performance; - Responsiveness to on-line users; - Ease of use; - Ease of operation; - Ease of maintenance; - Ability to interface with other systems. How the project plan requires end-users to be fully involved in: - Specifying the system; - Evaluating design proposals; - Acceptance testing; - Significant project management decisions. 2. Adequate controls and audit facilities should be built into the system Consider, for example, the following key topics: The adequacy of the Project Plan to ensure that: - Risks to information security are identified and assessed for likelihood and potential impact; - Appropriate controls are implemented to reduce such risks to acceptable levels; - Controls are documented and tested before live use. How Internal and External Audit satisfy themselves that basic internal control objectives will be met (e.g. system access controls, data processing controls, financial audit trail, backup and recovery). The procedures for the review and approval of the system s overall security characteristics by the IT Security Officer. How management appoints the System Owner and System Administrator to oversee day-to-day security management in the operational system. 6

Review of Information Systems Development and Procurement: Points of focus 3.Appropriate and workable continuity plans should exist to cover prolonged system failure and disaster Consider, for example, the following key issues: How the criticality of the system, in terms of the maximum tolerable times to restore emergency and full processing, has been established and agreed with the System Owner. The backing up strategy defined and agreed with the System Owner. How the business continuity plan has been defined in the Project Plan. What the responsibilities of the Business Continuity Plan owner are, eg maintenance and testing of the Plan. The suitability of the off-site facility for the storage of backup media and emergency equipment. 4. Staff who are to be involved with the new system should receive training appropriate to their particular role Consider for example the following key issues: The extent to which the new and existing systems and working practices differ, and hence the need for training. How staff training needs are identified in the project plan. How the quality of training is to be monitored, in terms of its: - Timing; - Relevance, duration and content; - Delivery. How the training programme is designed to address the particular needs of: - The System Owner and System Administrator; - Managers and senior managers; - Other end-users; - ICT support staff; - System security staff; - Auditors. 7

Review of Information Systems Development and Procurement: Points of focus 5. Any data to be transferred to the new system from an existing system should be transferred completely and accurately Consider, for example: The need for the Project Plan to include timing in respect of transferring (or migrating ) data. How data transfer is to be controlled in respect of: - The completeness and accuracy of the data transferred; - Correct accounting (e.g. differing charts of accounts). What procedures are in place to ensure that data cannot be subject to unauthorised change during the transfer process. How the data is to be kept up-to-date during the period following transfer but before live operation. 6. Auditing requirements should be taken into account in the formulation of outsourcing contracts Where financial data is processed under contract, consider, for example, the need for the contract to be formulated to specify: Access for auditing purposes to: - System facilities, data and documentation; - Process control records; - Contractor's staff (for interview). That the contractor provide and maintain: - An adequate standard of information security; - Appropriate backup, recovery and standby procedures and facilities; - Adequate process control records. The facilities which allow data to be elected and downloaded from the system. 8

Review of Information Systems Development and Procurement: Points of focus 7. Systems and software developed by end-users for business use should comply with appropriate corporate development standards Consider, for example: The awareness of management of the extent of its reliance on end-user produced software and systems. How management ensures that systems and software built by end-users are not vulnerable to the risk of key staff (i.e. only the designer knows where they are, or how they work). In particular, how management ensures that end-user built systems and software are: - documented; - of acceptable quality (i.e. are fit for purpose); - secure (software, data and documentation is protected from unauthorised use or change); - adequately backed up, including a copy in remote storage; - accessible by all those who have legitimate need to use it. The procedures to ensure that end-user produced reports are: - Clearly distinguishable from those produced by the core system; - Clearly attributable to the end-user who produced them. Where reports and files are produced by report writers, how a copy of the record selection parameters is included in the output. Note: if you are relying on the integrity of end-user produced reports in your audit you will need to be satisfied about the third bullet point above. 9

Review of Information Systems Strategic Planning and Project Management: Points of focus 1. Investment in information and communications technology should be clearly linked to defined business needs. Consider, for example, the following key issues: How the organisation s overall business aims and objectives are documented in the business plan. The regularity with which senior management reviews the organisation s information needs within the context of: - the stated business aims and objectives. - Known risks and constraints. 2. Top management should approve investment in information and communications technology, monitor progress and evaluate the outcome. Consider, for example, the following key issues: How the strategy for satisfying corporate information needs is defined. If there is no strategic plan, how management plans to meet its information needs. Consider, for example: - the comprehensiveness of its approach; - its procedures for examining alternative solutions; - its procedures for examining risks and assumptions; - its knowledge of costs and benefits; - its knowledge of lead times. If there is a strategic plan : - What the process is for senior management approval; - How management ensures it is kept up-to-date; - How the business case supports the plan by examining and explaining: important planning assumptions; alternative solutions; business and technical risks; costs and benefits; delivery times. 10

Review of Information Systems Strategic Planning and Project Management: Points of focus How management ensures that the strategy covers foreseeable information requirements (e.g. over the next 3-5 years). Senior management s procedures for: - Monitoring delivery of the strategy; - Evaluating the return on its investment in ICT. 3. The development and use of information and communications technology should follow a consistent direction. Consider, for example, how management ensures that: It provides adequate direction and guidance to project teams on the development of new systems. New systems will be able to exchange data with existing systems, and with trading partners systems where necessary. Suitable methods are used for designing and building new systems. The range of technical and managerial skills required is kept to a minimum. New systems can be maintained efficiently in operational use. New systems will be of acceptable quality. Adequate attention is paid to information security and business continuity during system development. Bought-in systems and equipment will interface adequately with those that already exist. 4. Projects should be adequately resourced. Consider, for example, the following key issues: The procedures for drawing up and approving a comprehensive estimate of project costs in line with the original business case. How the following costs have been evaluated in the estimate: - Training; - Testing (parallel running ought to be considered); - Data migration; - Security/continuity. 11

Review of Information Systems Strategic Planning and Project Management: Points of focus Whether the project management team considers project funding to be adequate. If not, consider the basis of its reservations. How management ensures that the project backed by sufficient skill and experience in: - project management; - information and communications technology; - procurement/contracting; - project accounting; - end-user requirements and activities. - the client s willingness and ability to buy additional skills where necessary. 5. Project aims should be clearly stated and understood, and there should be an effective management framework for delivering them Consider, for example, how management ensures that: There is a clear and common understanding of: - what the project is to achieve; - within what constraints; - project risks. All significant stakeholders in the project will participate: - in key project management decisions; - in project activities, where appropriate. There is a single, recognised manager to control day-to-day activities with adequate authority to control resources. The roles and responsibilities of project team members are clearly defined. The project will be monitored in terms of: - Expenditure; - Quality of outputs; - Progress against deadline. The main steps to be taken during the project are documented in a Project Plan, which has been approved at an appropriate management level. 12

Review of Information Systems Strategic Planning and Project Management: Points of focus 6. Project risks should be assessed and appropriate management action taken Consider, for example, the following key issues: How project risks have been identified and assessed in terms of their likelihood and impact on project goals. The procedures for ensuring that the risk assessment is: - Comprehensive; - Periodically reviewed and updated. How the project management team consider risk management recommendations made and the action to be taken. 7. Project expenditure should be controlled Consider, for example, the following key issues: How management ensures that reliable information on the costs of project activities and procurement is readily available. How budgets have been set up for individual project outputs. The procedures for comparing expenditure with budget on a regular basis. How regular project outturn reports are communicated to management. The adequacy of the separation of roles between the project management, procurement, and project accounting functions 8. Project outputs should meet defined quality criteria Consider, for example, the following key issues: How quality criteria for project outputs are specified. The procedures for ensuring that quality criteria are consistent with the organisation s system development standards. How management ensures that project outputs (which may be services, rather than hard deliverables) meet these criteria. How management controls changes to: - Defined quality criteria; - sub-standard outputs. 13

Review of Information Systems Strategic Planning and Project Management: Points of focus The appropriateness of end-users involved in specifying quality criteria and in monitoring the quality of project outputs. 14

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback