
De Guzman, Marian Nilza Ginge A

Flores, Charina Beverly

01 Introduction
02 Terminologies
03 Systems Development Controls
04 Related Case
05 Summary
06 Bibliography

Introduction
A systems development lifecycle
(SDLC) has three primary objectives:
ensure that high quality systems are
delivered, provide strong management
controls over the projects, and
maximize the productivity of the
systems staff.
To meet these objectives, the SDLC must
satisfy many specific requirements,
including: being able to support projects
and systems of various scopes and types,
supporting all of the technical activities,
supporting all of the management
activities, being highly usable, and
providing guidance on how to install it.

Terminologies
Source Program
A program written in a language other than machine code, typically a high-level language.

Compiler
A computer program (or a set of programs) that transforms source code
written in a programming language (the source language) into another
computer language (the target language), with the latter often having a
binary form known as object code.

Load Module
A program or combination of programs in a form ready to be loaded into
main storage and executed.

Test of Controls
An audit procedure to test the effectiveness of a control used by a client
entity to prevent or detect material misstatements.


Systems Development Controls

Controlling Systems Development Activities

Systems Authorization Activities
Systems should be properly authorized
Requires a formal environment

User Specification Activities
Active user involvement
Technical complexity of the system should not stifle user involvement
Joint efforts of user and systems professionals

Technical Design Activities
Translate the user specifications into a set of detailed technical specifications
Scope: systems analysis, feasibility analysis, and detailed systems design
The adequacy of these activities is measured by the quality of the documentation
Documentation is both a control and evidence of control

Internal Audit Participation
IA play an important role in the control of systems development activities
IA serve as a liaison between users and the systems professionals
IA department needs to be independent, objective, and technically qualified

Program Testing
All program modules must be thoroughly tested before they are implemented
The results of the tests are then compared against predetermined results to identify programming and logic errors
Program testing is time consuming
Test data to verify the module's internal logic
Test data should be preserved to meet future audit objectives

Program Testing (cont'd)
Test Sales Order Transactions File
  Acct Num   Name         Sale Amount
  432        John Smith   100
Test Accounts Receivable Master File
  Acct Num   Name         Sale Amount
  432        John Smith   1000
The AR Update Application processes the test transaction against the test master file. The Actual Test Results are compared with the Predetermined Results: New Balance = 1100.

User Test and Acceptance Procedures
Individual modules need to be formally and rigorously tested as a whole
Test team: user personnel, systems professionals, internal auditors
Details of the tests performed and results need to be formally documented and analyzed
Once the test team is satisfied, the system can be transferred to the user

Tests of Systems Development Controls
Select a sample of completed projects (current & previous)
Review documentation for evidence of compliance
Specific points for review should include determining that:
User and computer services management properly authorized the project.
A preliminary feasibility study showed that the project had merit.
A detailed analysis of user needs was conducted that resulted in alternative conceptual designs.
A cost-benefit analysis was conducted using reasonably accurate figures.
The detailed design was an appropriate and accurate solution to the user's problem.
Test results show that the system was thoroughly tested at both the individual module and the total system level before implementation.
There is a checklist of specific problems detected during the conversion period, along with evidence that they were corrected in the maintenance phase.
Systems documentation complies with organizational requirements and standards.

Controlling Program Change Activities

Upon implementation, the information system enters the maintenance phase of the SDLC
Longest period
Do not remain static but rather undergo substantial changes

To minimize the risk:
01 formal authorizations
02 technical specifications
03 testing and documentation updates

Source Program Library Controls

[Figure: systems development programmers and systems maintenance programmers work on the source program held in the SPL; the compiler program turns it into an object module; the link edit program turns that into the program load module, which is held in the production load library and run as the production application.]

Risk: Access to programs by unauthorized individuals threatens application integrity

Source Program Library Controls

Executing a production application requires that the source code be compiled and linked to a load module that the computer can process

As a practical matter, programs in their compiled state are secure and free from the threat of unauthorized modification

At this point, the source code is not needed for the application to run

In fact, we could destroy it if no future changes were ever to be made to the application

The Worst-Case Situation: No Controls

Unrestricted access to application programs

Basis for relying on the effectiveness of controls is nonexistent

Therefore, with no control over access to the SPL, a program's integrity during the period
in question cannot be established

A Controlled SPL Environment


Requires SPL management system software
Four critical functions

storing programs on the SPL


retrieving programs for maintenance purposes
deleting obsolete programs from the library; and
documenting program changes to provide an audit trail of the changes

Control Techniques
Password Control
Every financially significant program stored in the SPL can be
assigned a separate password

Separation of Test Libraries


Strict separation between production programs that are subject
to maintenance and those being developed

Audit Trail and Management Reports
Creation of reports that enhance management control and
support the audit function
Program modification reports describe in detail all program
changes to each module
These reports should be part of the documentation file of each
application to form an audit trail of program changes
The reports can be reconciled against program maintenance
requests to verify that only approved changes were implemented

Program Version Numbers
Automatically assigns a version number to each program stored
in SPL
When programs are first placed in the libraries, they are
assigned version number zero
Modification to program increases version number by one
An unauthorized change is signaled by a version number on the
production load module that cannot be reconciled to the number
of authorized changes

Controlling Access to Maintenance Commands
Powerful maintenance commands are available for most library
systems that can be used to alter or eliminate program
passwords, alter the program version number, and temporarily
modify a program without generating a record of the
modification
Access to maintenance commands should be password
controlled, and management or an IT security group should
control the authority to use them

Audit Objectives Relating to Systems Maintenance
Maintenance procedures protect applications from unauthorized
changes;
applications are free from material errors; and
program libraries are protected from unauthorized access.

Audit Procedures
Audit Procedures for Identifying Unauthorized Program Changes
Reconcile Program Version Numbers
Confirm Maintenance Authorization
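
The reconciliation behind "Program Version Numbers", "Audit Trail and Management Reports" and the two audit procedures above can be scripted. This is an added example, not part of the original slides; the request IDs, program names and record layout are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (assumed layout, not from the slides).
# Approved program maintenance requests: request id -> program it covers.
APPROVED = {"MR-101": "AR_UPDATE", "MR-102": "AR_UPDATE", "MR-201": "PAYROLL"}

# Program modification report from the SPL: (program, new version, request id).
MOD_REPORT = [
    ("AR_UPDATE", 1, "MR-101"),
    ("AR_UPDATE", 2, "MR-102"),
    ("AR_UPDATE", 3, None),       # logged change that cites no request
    ("PAYROLL", 1, "MR-201"),
]

# Version numbers read from the production load modules.
PRODUCTION = {"AR_UPDATE": 3, "PAYROLL": 2, "GL_POST": 0}


def reconcile(approved, mod_report, production):
    """Return {program: [findings]} for programs that fail reconciliation."""
    findings = defaultdict(list)
    authorized = defaultdict(int)  # count of authorized changes per program
    used = set()                   # each request may justify one change only
    for program, version, request in mod_report:
        if approved.get(request) != program:
            findings[program].append(f"v{version}: no approved request for this program")
        elif request in used:
            findings[program].append(f"v{version}: request {request} already used")
        else:
            used.add(request)
            authorized[program] += 1
    # Programs enter the library at version zero and each modification adds
    # one, so the production version must equal the authorized change count.
    for program, version in production.items():
        if version != authorized[program]:
            findings[program].append(
                f"production v{version}, {authorized[program]} authorized change(s)")
    return dict(findings)


if __name__ == "__main__":
    for program, issues in reconcile(APPROVED, MOD_REPORT, PRODUCTION).items():
        for issue in issues:
            print(f"{program}: {issue}")
```

The PAYROLL finding is the case where no modification record exists at all, so only the version number on the production load module reveals the change.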

Audit Procedures for Identifying Application Errors


Reconcile the Source Code
Review the Test Results
Retest the Program

Audit Procedures for Testing Access to Libraries


Review Programmer Authority Tables
Test Authority Table

Related Case
In the context of urban planning, the present system of development control in
most local authorities in Malaysia is by the granting or refusal of planning
permission for development. The local authority is empowered to grant or refuse
any planning application in its area. The recent amendment to the planning
statute requires that certain planning applications be accompanied by a
development proposal report, which includes a written statement and a plan to (i)
describe the present condition of the land to which the application relates; and
(ii) describe the proposed development, in particular how it would be likely to
have a significant effect on the built environment.

Development control and approval, which involves the process of analyzing the
appropriateness of planning applications, requires various data from the relevant
agencies. A planning application will be assessed in terms of current
development scenario, land information, planning requirements and planning
design. Consideration given to an application requires a tedious process as it will
have to go through several committees and technical evaluation.
Information required for a development proposal report would therefore include the following
major aspects:
i. Status of land and restrictions;
ii. Land use analysis and intensity of development: this includes land use zoning, population
density zoning, height limit, plot ratio, plinth area, predetermined public area;
iii. Analysis of issues and potential of sites: this includes site location, existing drainage system,
topography and slope, existing road system, existing land use, natural features which must be
preserved and development potential;
iv. Analysis of surrounding development: this includes infrastructure, type, intensity and facilities
available in the surrounding area;
v. Structure Plan and Local Plan policy, if available.

This raised a number of drawbacks as follows:

I. Delay related to the overall development control process and
procedures. This may be divided into (a)
consultation-caused; (b) planning
committee-caused and (c) applicant-caused (Larkham, 1990).
II. Lack of consistency in making decisions
due to personal judgment and lack of
comprehensive information.
III. Lack of transparency in the decision making
process.
IV. Lack of updated information. This is due
to difficulties in obtaining specific data as
data exchange mechanisms are not fully
automated to facilitate cooperation
between data holders. Data which is in
hardcopy is often difficult to retrieve and
at times hard to trace.
V. Lack of public participation in the planning
decision making process due to the lack
of readily available information.

The automated Development Control System implemented by the Planning
and Development Control Department, City Hall of Kuala Lumpur, is one of
the ICT applications undertaken to facilitate the procedures to control and
monitor the city development. In general, the Development Control System
encompasses seven main subsystems that execute specific functions and, at
the same time, can interact with each other.
Database design must be based on the planning and development control
process to be implemented. Based on the conceptualized GIS application for
planning and development control, there will be several data layers in the
database. They are meant for retrieval and analysis, and conform to the
technical requirements for any planning application.

Summary
System software refers to the operating system, database management systems and other
software that increases the efficiency of processing. Application software refers to particular
applications such as sales or wages. The controls over the development and maintenance of
both types of software are similar and include:
Controls over application development, such as good standards over the system design and
program writing, good documentation, testing procedures (e.g. use of test data to identify
program code errors, pilot running and parallel running of old and new systems), as well as
segregation of duties so that operators are not involved in program development.
Controls over program changes to ensure no unauthorised amendments and that changes
are adequately tested, e.g. password protection of programs, comparison of production
programs to controlled copies and approval of changes by users.
Controls over installation and maintenance of system software: many of the controls
mentioned above are relevant, e.g. authorisation of changes, good documentation, access
controls and segregation of duties.

Bibliography
http://itsystemsdevelopment.pdf
Accounting Information System by James Hall 6th Edition
Foziah_Johar_fab.pdf
