Treasury Board of Canada Secretariat

ARCHIVED - Systems Under Development (Audit Guide) - March 1, 1991




The Environment of the Systems Development Process

Introduction

This chapter provides some basic definitions and descriptions of internal and external factors that affect the systems development process in government. Its purpose is to provide a common understanding of terms used in describing systems under development, and to identify factors that auditors may consider significant in auditing the development of a system.

The chapter is organized as follows:

  • definitions
  • general factors:
    • departmental management infrastructure
    • SDLC Policies and Standards
    • planning and acquisition process
    • technological processes
    • central agency policies
    • common service requirements
    • security and privacy

Definitions

a) Systems Development Life Cycle (SDLC)

A structured approach that divides an information systems development project into distinct stages which follow sequentially and contain key decision points and sign-offs. This permits an ordered evaluation of the problem to be solved, an ordered design and development process, and an ordered implementation of the solution. A final stage allows for management feedback and control through a post-implementation evaluation.

b) Systems Development Methodology

The particular department's adaptation of the SDLC. It may be a home-grown set of procedures, forms and processes within each of the usual stages of the SDLC, or a purchased set of software, procedures, forms and processes that the department considers more effective.

c) Systems Development Project

An organized set of activities designed to carry out the requirements of the particular Systems Development Methodology being followed, in order to achieve a set of objectives and/or problem solutions. The activities are carried out by a project team acting under the leadership of a project manager. The manager is expected to follow all of the management activities prescribed by the SDLC in completing the stages and requirements of the project.

The Systems Development Environment

During the 1980s, changes in the complexity of the Information Technology environment accelerated. Not only has the complexity of the systems development activity increased, but the range of functions included in systems design and development has also increased. The effect of this combination has been amplified by a shift towards systems created by the "end user".

We will continue to see increased use of Fourth generation languages (4GLs), prototyping, pilot implementations and CASE tools. Each of these will require internal audit to adjust its approach; however, the fundamental principles laid out in this guide will remain of value. Future amendments to this audit guide will address these recent advances in system development methodology more directly.

These trends will only increase in the future.

The internal auditor, therefore, will have to keep abreast of those environmental factors, both internal and external, that affect the systems development process. Figure 1.1 below, and the descriptions that follow, illustrate these factors.

Figure 1.1: Systems Development Life Cycle


General Factor Descriptions

Departmental Management Infrastructure

The first area to consider is the general organization and infrastructure for systems development within the department. Of particular interest will be the roles and responsibilities of the information management organization (or organizations), the EDP advisory or user steering committees, and the senior management committee(s).

The auditor should find out how well coordinated these organizations are, and their "track record". This information will yield "clues" to possible issues or lines of inquiry, the extent of previous user involvement and an understanding of how effective management has been in developing systems within time and cost targets.

SDLC Policies and Standards

A second major factor that influences the development of a system is the department's SDLC policies and standards. They establish the basis for developing systems. Their purpose is to emphasize the definition of requirements before design begins, thereby minimizing costly modifications later.

The internal auditor should therefore review the department's policies and standards and, on an on-going basis throughout the auditor's involvement in the SDLC, ensure that the development project is satisfying departmental requirements.

Planning and Acquisition Process

A third major source of information for the auditor is the department's Information Management Plan (which evolved from the Information Technology and Systems Plan (ITSP)) and the capital budget. Both documents are prepared as part of the department's multi-year operational plan (MYOP).

While the name and the content of the TBS-directed process known as the ITSP have changed since the first writing of this section, the principle remains valid: the auditor should know all of the strategic, tactical and operational planning of the department, in order to assure senior management that the project is supporting those planning thrusts.

The ITSP reflects the EDP plans, for the on-going activities and for new initiatives, and the assignment of resources needed to carry out the EDP strategies, policies and programs. The ITSP also reflects the department's capital budget for new EDP acquisitions.

In addition the development should conform to applicable central agency policies and procedures (see Chapter 1 - Central Agency Policies and Procedures).

The internal auditor should review the ITSP and the capital budget to establish a proper link between these planning documents and the particular system under development. It is also important for the auditor to ensure that the planning for the systems development project is tied into and coordinated with the department's EDP acquisition process.

Technological Trends In The Public Service

The first external factor that influences the auditor's understanding of systems development is the technological trends that have an impact on information management in the Public Service. The Treasury Board's "Information Management Policy Overview - Strategic Direction in Information Technology Management in the Government of Canada - 1987", points out that:

"The management of information systems on a life cycle approach is to receive increased importance in government, with due consideration, within increased ministerial responsibility, to the investment in systems, the benefits received, and the need to plan the replacement of systems."

The Overview also provides an interesting assessment of the current situation and it is worth noting that each principle is relevant to a SUD audit:

"The present policies for EDP and telecommunications are based on policy principles that are still sound:

  • Resources are used in support of government programs, and are not an end in themselves.
  • Needs of the government are met through the services of the private sector, except when it is in the public interest, or is more economical to provide these services internally.
  • Departments will develop annual plans, containing information on projects, equipment and personnel and these will be based on longer term plans.
  • Efforts will be made to identify opportunities for the sharing of information plans, information itself and relevant expertise.
  • Departments establish their own internal policies.
  • The staged approval of systems development projects.
  • The micro-computer policy, which also includes consideration of the impact on people and the need for training."

The Overview continues by outlining re-adjustments to the scope of systems development necessitated by the increasing complexity of the environment:

"Re-adjustments are, however, required to take into account the merging of information technologies, human resource considerations and recent developments, as noted above, in government information policies. Also factors such as the need to ensure departmental and government-wide data quality and consistency in an environment where more computing power is placed in the hands of end users will require coverage in forthcoming policy updates."

A complete reading of the Overview reveals, in summary, that more factors have been, and will continue to be, introduced into the domain of systems development. Some of these factors are:

  • importance of the quality and consistency of data
  • end user computing and processing power
  • complex and interactive systems
  • where required, better development "tools" such as prototyping, fourth generation languages, Computer Assisted Systems Engineering (CASE) software, and interactive data base software (with active data dictionaries)
  • more money, not less, to be invested in systems replacement
  • critical human EDP resource issues
  • the inclusion or integration of telecommunications

Central Agency Policies and Procedures

Two organizations that have an impact on the way public service systems are developed are the Administrative Policy Branch of the Treasury Board Secretariat (TBS) and the Financial Management Information and Systems Branch of the Office of the Comptroller General (OCG). These organizations are positioned by legislation to provide leadership in the management and control of information technology. They have created a general framework that departments and agencies are expected to follow.

The Administrative Policy Branch has promulgated policies and directives dealing with all aspects of the information and systems life cycle, such as project management, access to information, common services, micrographics, EDP, telecommunications, and micro-computers.

The branch also reviews the Information Management Plans (IMP) submitted by departments and agencies and prepares an annual review of information technology and systems in the Government of Canada. Section 1.A.1.2 of Chapter Three recommends that the auditor verify that the project is appropriately established in the department's plans.

The Financial Management Information and Systems Branch (FMISB) fosters the development and monitors the implementation of sound managerial practices and controls in government. To assist financial systems implementors, the Branch has published and is currently developing guidelines, criteria and policies specifically for financial systems development. Appendix J, Items 13 through 18 contain references to those financial systems development aids. It is very important for auditors to be aware of these guidelines, criteria and policies as they emerge, since they will form part of the auditor's review of controls in financial systems under development.

The FMIS Branch is also responsible for the OCG's role in the currently emerging Financial Information Strategy. This joint undertaking, between the OCG and SSC, is better described in Appendix J, Item 19. Suffice it to say here that the auditor should know the Strategy and how it should fit departmental strategies inherent in any developing financial system.

Auditors should also be aware of their department's Increased Ministerial Authority and Accountability negotiations and the implication of these negotiations on any financial systems being developed. The Office of the Comptroller General is the reference point for IMAA reporting requirements.

Common Service Requirements

The nature and scope of common services is described in Chapter 303 of the Treasury Board's Administrative Policy Manual and in a series of directives. Common services are an important element in EDP operations and their management. Chapter 303 states that "it is the policy of the government to provide goods and services through common service organizations for maximum value for money, more uniform compliance with socio-economic policy decisions, and greater observance of prudence and probity". The fact that common services are government-wide gives them the attributes of a central service. They can significantly affect Information Technology management practices and system development.

The auditor should therefore determine whether management has considered the impact of common service requirements, such as the pay/pension, procurement, SSC, PWC, Communications, NLC (Archives) and other departmentally-provided services as a factor in their planning.

Security and Privacy

The issue of security and privacy in the information technology environment has been given a lot of attention recently, particularly by the Administrative Policy Branch of the Treasury Board Secretariat. The following documents have been published by the Treasury Board: Security Policy of The Government of Canada (revised Sept. 1987), Security In the Government Of Canada-Interim Security Standards: Operating Directives and Guidelines (1987); and TBS Circular 1987-52, the Review of Security Policy. See Appendix J for other listings.

While some of the following references are no longer current, they can still provide useful information. The auditor should examine the Administrative Policy Manual and other publications, particularly:

  • (current) Security Policy and Standards of the Government of Canada
  • (current) the OCG's draft Guide to the Audit of the Government's Security policy
  • interim information technology standards (Part III Interim Security Standards)
  • contingency measures, GES/NE1-14 - 4.1.2.7
  • disaster plans, 4.1.2.7.3
  • software security, 4.6
  • design, development, and quality assurance, 4.6.2

Ideally, security and privacy should be addressed by the auditor at every stage of the systems development process. All relevant security and privacy requirements should be taken into account right at Project Initiation, and it should be established at that point who fulfils the responsibilities of EDP Security Co-ordinator and Departmental Security Officer. The availability of relevant RCMP Security Evaluation and Inspection Team reports should also be ascertained at the beginning of the audit.