This chapter provides some basic definitions and descriptions of internal and external factors that affect the systems development process in government. Its purpose is to provide a common understanding of terms used in describing systems under development, and to identify factors that auditors may consider significant in auditing the development of a system.
The chapter is organized as follows:
a) Systems Development Life Cycle (SDLC)
A structured approach that divides an information systems development project into distinct stages which follow sequentially and contain key decision points and sign-offs. This permits an ordered evaluation of the problem to be solved, an ordered design and development process, and an ordered implementation of the solution. A final stage allows for management feedback and control through a post-implementation evaluation.
b) Systems Development Methodology
The particular department's adaptation of the SDLC. It may be a home-grown set of procedures, forms and processes within each of the usual stages of the SDLC or a purchased set of software, procedures, forms and processes that are considered more effective by the department.
c) Systems Development Project
An organized set of activities designed to execute the requirements of the particular Systems Development Methodology that is being followed to achieve a set of objectives and/or problem solutions. The activities are carried out by a project team acting under the leadership of a project manager. The manager is expected to follow all of the SDLC activities of management in completing the stages and requirements of the project.
The Systems Development Environment
During the 1980s, changes in the complexity of the Information Technology environment accelerated. Not only has the complexity of the systems development activity increased, but the range of functions included in systems design and development has also increased. The effect of this combination has been exaggerated by a shift towards systems created by the "end user".
We will continue to see increased use of fourth-generation languages (4GLs), prototyping, pilot implementations and CASE tools. Each of these will require an adjustment of approach by internal audit; however, the fundamental principles laid out in this guide will remain of value. Future amendments to this audit guide will address these recent advances in systems development methodology more directly.
These trends will only increase in the future.
The internal auditor, therefore, will have to keep abreast of those environmental factors, both internal and external, that affect the systems development process. Figure 1.1 below, and the descriptions that follow, illustrate these factors.
Figure 1.1: Systems Development Life Cycle
The first area to consider is the general organization and infrastructure for systems development within the department. Of particular interest will be the roles and responsibilities of the information management organization (or organizations), the EDP advisory or user steering committees, and the senior management committee(s).
The auditor should find out how well coordinated these organizations are, and their "track record". This information will yield "clues" to possible issues or lines of inquiry, the extent of previous user involvement and an understanding of how effective management has been in developing systems within time and cost targets.
A second major factor that influences the development of a system is the department's SDLC policies and standards. They establish the basis for developing systems. Their purpose is to emphasize the definition of requirements before design begins, thereby minimizing costly modifications later.
The internal auditor should therefore review the department's policies and standards to ensure, on an ongoing basis throughout the auditor's involvement in the SDLC, that the development project is satisfying departmental requirements.
A third major source of information for the auditor is the department's Information Management Plan (which evolved from the Information Technology and Systems Plan (ITSP)) and the capital budget. Both documents are prepared as part of the department's multi-year operational plan (MYOP).
While the name and the content of the TBS-directed process known as the ITSP have changed since the first writing of this section, the principle remains valid: the auditor should know all of the strategic, tactical and operational planning of the department, in order to assure senior management that the project is supporting those planning thrusts.
The ITSP reflects the EDP plans, for the on-going activities and for new initiatives, and the assignment of resources needed to carry out the EDP strategies, policies and programs. The ITSP also reflects the department's capital budget for new EDP acquisitions.
In addition, the development should conform to applicable central agency policies and procedures (see Chapter 1 - Central Agency Policies and Procedures).
The internal auditor should review the ITSP and the capital budget to establish a proper link between these planning documents and the particular system under development. It is also important for the auditor to ensure that the planning for the systems development project is tied into and coordinated with the department's EDP acquisition process.
The first external factor that influences the auditor's understanding of systems development is the technological trends that have an impact on information management in the Public Service. The Treasury Board's "Information Management Policy Overview - Strategic Direction in Information Technology Management in the Government of Canada - 1987", points out that:
"The management of information systems on a life cycle approach is to receive increased importance in government, with due consideration, within increased ministerial responsibility, to the investment in systems, the benefits received, and the need to plan the replacement of systems."
The Overview also provides an interesting assessment of the current situation and it is worth noting that each principle is relevant to a SUD audit:
"The present policies for EDP and telecommunications are based on policy principles that are still sound:
The Overview continues by outlining re-adjustments to the scope of systems development necessitated by the increasing complexity of the environment:
"Re-adjustments are, however, required to take into account the merging of information technologies, human resource considerations and recent developments, as noted above, in government information policies. Also factors such as the need to ensure departmental and government-wide data quality and consistency in an environment where more computing power is placed in the hands of end users will require coverage in forthcoming policy updates."
A complete reading of the Overview reveals, in summary, that more factors have been, and will continue to be, introduced into the domain of systems development. Some of these factors are:
Two organizations that have an impact on the way public service systems are developed are the Administrative Policy Branch of the Treasury Board Secretariat (TBS) and the Financial Management Information and Systems Branch of the Office of the Comptroller General (OCG). These organizations are positioned by legislation to provide leadership in the management and control of information technology. They have created a general framework that departments and agencies are expected to follow.
The Administrative Policy Branch has promulgated policies and directives dealing with all aspects of the information and systems life cycle, such as project management, access to information, common services, micrographics, EDP, telecommunications, and micro-computers.
The branch also reviews the Information Management Plans (IMP) submitted by departments and agencies and prepares an annual review of information technology and systems in the Government of Canada. Section 1.A.1.2 of Chapter Three recommends that the auditor verify that the project is appropriately established in the department's plans.
The Financial Management Information and Systems Branch (FMISB) fosters the development and monitors the implementation of sound managerial practices and controls in government. To assist financial systems implementors, the Branch has published and is currently developing guidelines, criteria and policies specifically for financial systems development. Appendix J, Items 13 through 18 contain references to those financial systems development aids. It is very important for auditors to be aware of these guidelines, criteria and policies as they emerge, since they will form part of the auditor's review of controls in financial systems under development.
The FMIS Branch is also responsible for the OCG's role in the currently emerging Financial Information Strategy. This joint undertaking, between the OCG and SSC, is better described in Appendix J, Item 19. Suffice it to say here that the auditor should know the Strategy and how it should fit departmental strategies inherent in any developing financial system.
Auditors should also be aware of their department's Increased Ministerial Authority and Accountability negotiations and the implication of these negotiations on any financial systems being developed. The Office of the Comptroller General is the reference point for IMAA reporting requirements.
The nature and scope of common services is described in Chapter 303 of the Treasury Board's Administrative Policy Manual and in a series of directives. Common services are an important element in EDP operations and its management. Chapter 303 states that "it is the policy of the government to provide goods and services through common service organizations for maximum value for money, more uniform compliance with socio-economic policy decisions, and greater observance of prudence and probity". The fact that common services are government-wide gives them the attributes of a central service. They can significantly affect Information Technology management practices and system development.
The auditor should therefore determine whether management has considered the impact of common service requirements, such as the pay/pension, procurement, SSC, PWC, Communications, NLC (Archives) and other departmentally-provided services as a factor in their planning.
The issue of security and privacy in the information technology environment has been given a lot of attention recently, particularly by the Administrative Policy Branch of the Treasury Board Secretariat. The following documents have been published by the Treasury Board: Security Policy of the Government of Canada (revised Sept. 1987); Security in the Government of Canada - Interim Security Standards: Operating Directives and Guidelines (1987); and TBS Circular 1987-52, the Review of Security Policy. See Appendix J for other listings.
While some of the following references are no longer current, they can provide useful information. The auditor should examine the Administrative Policy Manual and other publications, particularly:
Ideally, security and privacy should be addressed by the auditor at every stage of the systems development process. All relevant security and privacy requirements should be taken into account right at Project Initiation, and it should be established at that point who fulfils the responsibilities of EDP Security Co-ordinator and Departmental Security Officer. The availability of relevant RCMP Security Evaluation and Inspection Team reports should also be ascertained at the beginning of the audit.