Domain 3 (1) Systems and Infrastructure Lifecycle Management

  Internal Control – Management Control Riya Widayanti Sistem Informasi - FASILKOM

Overview of Tasks for Domain 3

  

3.1 Evaluate proposed system development/acquisition to ensure that it meets the business goals.
3.2 Evaluate the project management framework and project governance practices to ensure that business objectives are achieved in a cost-effective manner.
3.3 Perform reviews to ensure that a project is progressing in accordance with project plans and project management regulation.
3.4 Evaluate proposed control mechanisms for systems and/or infrastructure during specification, development/acquisition, and testing.
3.5 Evaluate the processes by which systems and/or infrastructure are developed/acquired and tested to ensure that the deliverables meet the organization's objectives.
3.6 Evaluate the readiness of the system and/or infrastructure for implementation and migration into production.
3.7 Perform post-implementation review and periodic reviews of systems and/or infrastructure to ensure that they meet the organization's objectives and are subject to effective internal control.
3.8 Evaluate the process by which systems and/or infrastructure are maintained to ensure the continued support of the organization's objectives and are subject to effective internal control.
3.9 Evaluate the process by which systems and/or infrastructure are

Overview of skill and knowledge for Domain 3

3.1 benefits management practices
3.2 project governance mechanisms (e.g., steering committee)
3.3 project management practices, tools, and control frameworks
3.4 risk management practices applied to projects
3.5 project success criteria and risks
3.6 configuration, change and release management in relation to development and maintenance of systems and/or infrastructure
3.7 control objectives and techniques that ensure the completeness, accuracy, validity, and authorization of transactions and data within IT systems applications
3.8 enterprise architecture related to data, applications, and technology (e.g., distributed applications, web-based applications, web services, n-tier applications)
3.9 requirements analysis and management practices
3.10 acquisition and contract management processes (e.g., evaluation of vendors, preparation of contracts, vendor management, escrow)
3.11 system development methodologies and tools and an understanding of their strengths and weaknesses
3.12 quality assurance methods
3.13 the management of testing processes
3.14 data conversion tools, techniques, and procedures
3.15 system and/or infrastructure disposal procedures
3.16 software and hardware certification and accreditation practices
3.17 post-implementation review objectives and methods
3.18 system migration and infrastructure deployment practices

IS Audit Small Quiz No.1, Domain 3 (1) Systems and Infrastructure Lifecycle Management. Subject: Project Plan, Project Management, Architecture, method and APP (Quiz book)

  

IT control structure (slide diagram):

ITCLC: IT Company Level Control
  • IT Governance/Policy
  • IT Risk Management
  • Training
  • Quality Assurance
  • IT Internal Audit

ITGC: IT general controls
  • Logical access controls
  • System development life cycle controls
  • Program change management controls
  • Data center physical security controls
  • System and data backup and recovery
  • Computer operation controls

ITAC: IT Application Control (complete and accurate)
  • Input Data Control
  • Process Control
  • Output Control

Layers covered by these controls: Application Systems (Sales, Accounting, …), System Development, System Operation, IT Infrastructure (Network, Server, PC, …)
Overview: SDLC (System Development Life Cycle) by ISACA

P1: Feasibility Study
P2: Requirement Definition
P3: Buy or Make
  • Make (Build) path: P3: System Design → P4: Development
  • Buy path: P3: System Selection → P4: Configuration
P5: Implementation
P6: Post implementation Review

Scope of General System Development covers both the Buy and the Make (Build) path.

Overview of Development Organization

  • Senior Management / Steering Committee
  • Project Sponsor
  • User Management
  • Project Management
  • Quality Assurance
  • Project Team: User Project Team, Project Development Team, Technical Infrastructure Team
  • Team Leader
  • Software Support, Hardware Support, Network Support
  • Application/system Analyst, Programmer, Tester

Overview of SDLC Phase 1 and 2

Phase 1: Feasibility Study. To determine the strategic benefit of a new information system and analyze possible resolutions to realize needs.
  • Define business case
  • Define the objectives with supporting evidence.
  • List up possible resolutions
  • Perform preliminary risk assessment
  • Agree upon an initial budget and expected return on investment (ROI)

Phase 2: Requirement definition. To create a detailed definition of needs including inputs, outputs, current environment and proposed interaction.
  • Collect specifications (requirements) and supporting evidence.
  • Identify which standard (technology) will be implemented for the specifications.
  • Create a quality control plan to ensure that the design complies with the specifications.
Overview of SDLC Phase 3 and 4

Phase 3: Plan solution and system design / system selection. To plan the solution (strategy), whether make (build) or buy, based on the objectives from Phase 1 and the specifications from Phase 2.

Case of Build
  • Make designs such as user requirement, basic design, detail design and operation design (start of the development process).

Case of Buy
  • Make an RFP (Request for Proposal) to select the best vendor and product based on the specifications in Phase 2.
  • Conduct bidding to select the vendor and product.

Phase 4: Development and configuration

Case of Build
  • Making programs and conducting testing.

Case of Buy
  • Customization is typically limited to program configuration settings with a limited number of customized reports.
Overview of SDLC Phase 5, 6 and 7

Phase 5: Implementation. To install the new system; final user acceptance testing (mainly function testing) begins. The system undergoes a process of final certification and approval.

Phase 6: Post implementation. After the system has been in production use, it is reviewed for effectiveness in fulfilling the original objectives.
  • Compare performance metrics to the original objectives.
  • Re-review the specifications and requirements annually.
  • Implement requests for new requirements, updates or disposal.

Phase 7: Disposal. The final phase is the proper disposal of equipment and purging of data.
Overview of Development Models (1): Waterfall model

Development stages and the test level that verifies each (V-model pairing from the slide):
  • User Requirements ↔ Acceptance Test
  • System Requirements ↔ System Test
  • Global (Basic) Design ↔ Integration Test
  • Detail Design ↔ Component Test (= Debug)
  • Programming ↔ Test

Overview of Development Models (2): iterative, function-by-function model

  • Function 1: Design → Coding → Test
  • Function 2: Design → Coding → Test
  • Function 3: Design → Coding → Test

Overview of Development models (3)

Comparison of Waterfall, Agile and Spiral (Prototyping):
  • Document: Waterfall – document based; Agile – minimum; Spiral – minimum
  • Confirmation of requirement: Waterfall – by document; Agile – by software; Spiral – by software
  • Changing requirement: Waterfall – difficult; Agile – easy; Spiral – easy
  • Programmers: Waterfall – a few to hundreds; Agile – a few to 20
  • 1 cycle: Waterfall – months to years; Agile – weeks to months; Spiral – a month to a year
  • Management: initial plan; in each cycle
  • Collaboration: defined by regulation; personal

Overview of Design and Development methods

Method: Summary
  • Structured analysis: development of modules and the synthesis of these modules in a so-called "module hierarchy".
  • OOD: Object-oriented design: the process of planning a system of interacting objects for the purpose of solving a software problem.

Overview of Project Management

PMBOK Knowledge Areas
  1. Project Integration Management
  2. Project Scope Management
  3. Project Time Management
  4. Project Cost Management
  5. Project Quality Management
  6. Project Human Resources Management
  7. Project Communications Management
  8. Project Risk Management
  9. Project Procurement Management

Project constraint triangle (slide figure): Time, Cost, Resources, Performance.

Overview of Cost estimation and Scheduling

Planning
  • Cost estimation: Function point, Lines of code, Bottom-up estimate, Parametric modeling, Analogous estimate
  • Scheduling: WBS (Work Breakdown Structure), PERT, Gantt chart

Overview of Procurement

Procurement flow: Define Specification → Make RFP → Vendor Evaluation Criteria → Vendor long list → Vendor short list → Bidding → Select → Make Contract → Delivery → Install → Acceptance Test
RFP: Request for Proposal

Overview of RFP (Request for Proposal)

Commercial Part
  • Qualification of Vendor: The vendor supplying and supporting the product should be reputable and should be able to provide evidence of financial stability.
  • Bidding document: Describes the bidding documents the vendors submit.
  • Contract Condition: Conditions such as payment, delivery and warranty in the contract.
  • Bid opening and evaluation: Criteria for selecting the vendor.
  • Requested document: Clients list, other evidence of product and system.

Technical Part
  • Product and system Requirement: Main content of the RFP. Defines the detailed specification of the requested product and system. It includes not only functional specifications but also non-functional specifications such as reliability and performance.
  • Installation schedule: When the product and system are needed.
  • Test plan: Installation test plan.
  • Client support: Training, operation support, maintenance, warranty.

Overview of Business APP

APP: Summary
  • E-commerce: The buying and selling of products or services over electronic systems such as the Internet and other computer networks.
  • E-banking/Online banking: To conduct financial transactions on a secure website operated by the customer's retail or virtual bank, credit union or building society.
  • CIM: Computer-integrated manufacturing: Both a method of manufacturing and the name of a computer-automated system in which individual engineering, production, marketing, and support functions of a manufacturing enterprise are organized.
  • DSS: Decision support system: DSSs serve the management, operations, and planning levels of an organization and help to make decisions, which may be rapidly changing and not easily specified in advance.
  • SCMS: Supply chain management software: Supply chain transactions, managing supplier relationships and controlling associated business processes. It commonly includes: customer requirement processing, purchase order processing, inventory management, goods receipt and warehouse management, supplier management/sourcing.
  • CRM: Customer relationship management: Sales force automation, marketing, and customer service and support.

Overview of Risk of Business APP

APP: Summary of Risk
  • E-commerce: Clear business case, innovation is so rapid, certification, privacy of customer, high reliability and electronic signature.
  • E-banking/Online banking: Innovation is so rapid, security of authentication, privacy of customer, high reliability and integration with other systems.
  • CIM: Computer-integrated manufacturing: Big system consisting of many systems and software. Clear feasibility study.
  • DSS: Decision support system: Difficulty of defining purpose and usage. ROI not clear.
  • SCMS: Supply chain management software: Changing workflow and business model.
  • CRM: Customer relationship management: Innovation is so rapid, security of authentication, privacy of customer.

Overview of Technology for Business APP

APP: Summary
  • EDI: Electronic data interchange: Structured transmission of data between organizations by electronic means. It is used to transfer electronic documents or business data from one computer system to another computer system.
  • Data warehouse: To retrieve and analyze data, to extract, transform and load data, and to manage the data dictionary.
  • Cloud computing: Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid. SaaS.
  • Office suite: An office software suite or productivity suite is a collection of programs intended to be used by knowledge workers, e.g. Google Apps.
  • ERP: Enterprise resource planning: Integrated computer-based system used to manage internal and external resources, including tangible assets, financial resources, materials, and human resources.
  • Smart phone: Mobile phone that offers more advanced computing ability and connectivity than a contemporary basic 'feature phone'.
  • CTI: Computer telephony integration: Technology that allows interactions on a telephone and a computer to be integrated or co-ordinated. As contact channels have expanded from voice to include email, web, and fax, the definition of CTI has expanded to include the integration of all customer contact channels (voice, email, web, fax, etc.) with computer systems.

Overview of CMMI

Overview of Development tools (IDE)

Tools: Summary
  • CASE: Computer-aided software engineering: Set of tools and methods applied to a software system, meant to result in high-quality, defect-free, and maintainable software products.
  • Visual Studio .Net: It can be used to develop console and graphical user interface applications along with Windows Forms applications, web sites, web applications, and web services in both native code and managed code for all platforms supported by Microsoft Windows, Windows Mobile, Windows CE, .NET Framework, .NET Compact Framework and Microsoft Silverlight.
  • Eclipse: It is written primarily in Java and can be used to develop applications in Java and, by means of various plug-ins, other languages including C, C++, COBOL, Python, Perl, PHP, Scala, Scheme and Ruby (including the Ruby on Rails framework).

Overview of Actual (Practical) Tools

Programming
  • JUnit: Test framework
  • Eclipse Metrics Plugin: Code metrics; calculates code metrics such as complexity and dependency
  • Checkstyle/PMD: Static analysis; checks the style of code
  • Findbugs: Finds bad coding that seems likely to cause bugs
  • CAP/JDepend4eclipse: Shows dependencies

Test
  • TPTP: Test design / test case / executing; component support for making test code and executing test cases, including on a remote host
  • djUnit: Makes mock classes for testing / coverage
  • JUnit Factory: Automatically generates test cases
  • Continuous Integration: Executes test cases automatically
  • Solex: Test executing for web systems; record, replay and edit HTML sessions
  • WSUnit: Simulates XML web services
  • Extensible Java Profiler / iMechanic / Eclipse profiler plug-in: Performance testing; measures number of calls, time and usage of memory

Acceptance Test
  • Selenium: Test executing for web
  • JMeter: Performance testing

IS Audit Small Quiz No.1 (Answer) (1)

1-1 (A) The first concern of an IS auditor should be to ensure that the proposal meets the needs of the business, and this should be established by a clear business case.
1-2 (B) An IS auditor should not recommend discontinuing or completing the project before reviewing an updated business case.
1-3 (D) Lack of adequate user involvement, especially in the system requirement phase, will usually result in a system that does not fully or adequately address the needs of the user.
1-4 (A) It is important that the project be planned properly and that specific phases and deliverables be identified during the early stage of the project.
1-5 (B) A PERT chart will help determine project duration once all the activities and work involved with those activities are known.
1-6 (D) Old (legacy) systems that have been corrected, adapted and enhanced extensively require reengineering to remain maintainable. Reengineering is a rebuilding activity to incorporate new technology into an existing system.
1-7 (A) The waterfall model is best suited to stable conditions like (A).

IS Audit Small Quiz No.1 (Answer) (2)

1-8 (A) If resource allocation is decreased, an increase in quality can be achieved if a delay in delivery time will be accepted.
1-9 (A) Cost performance of a project cannot be properly assessed in isolation from schedule performance.
1-10 (C) Projects often have a tendency to expand; this expansion often grows to the point where the originally anticipated cost-benefits are diminished. When this occurs, the project should be stopped or frozen to allow review of all the cost-benefits and the payback period.
1-11 (C) A project steering committee is responsible for reviewing the project progress to ensure that it will deliver the expected result.
1-12 (D) In the case of deviation from the predefined procedure, an IS auditor should first ensure the procedure followed for acquiring the software is consistent with business objectives and has been approved by appropriate authorities.
1-13 (B) A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to produce such a test plan.

IS Audit Small Quiz No.1 (Answer) (3)

1-14 (C) Choices A, B and D are not risks, but characteristics of a DSS.
1-15 (B) Once the data are in a warehouse, no modification should be made to them and access controls should be in place to prevent data modification.
1-16 (C) Best resolution.
1-17 (C) When implementing an application software package, incorrect parameters would be the greatest risk.
1-18 (C) The project portfolio database contains project data such as organization, schedule, objectives, status and cost.
1-19 (D) The criteria of CMMI show that the development organization follows a stable and predictable software process; CMMI doesn't guarantee the quality of each project.
1-20 (B) A strength of an IDE is that it expands the programming resources and aids available.

IS Audit Small Quiz No.2, Domain 3 (2) Testing, Implementation/Migration and APP control (Quiz book)