Introduction:
Systems development is the process of defining, designing, testing, and implementing a new software application or program. It could include the internal development of customized systems, the creation of database systems, or the acquisition of software developed by third parties. Written standards and procedures must guide all information systems processing functions. The organization’s management must define and implement standards and adopt an appropriate system development life cycle methodology governing the process of developing, acquiring, implementing, and maintaining computerized information systems and related technology.
Examination Objectives:
Determine if the board and management have established and maintained an effective systems development methodology. This is accomplished through the following examination objectives:
• Board and Management Oversight – Assess the adequacy of systems development oversight by examining related policies, procedures, and methodology.
• Risk Assessment – Determine the level of systems development activities existing within the institution. If systems development activities for mission-critical systems are handled primarily through a service provider, evaluate management’s due diligence to ensure appropriate documentation and controls exist within the service provider’s development processes. Assess the adequacy of the institution’s risk assessment process for systems development.
• Internal Controls – Evaluate the effectiveness of preventive and detective controls designed to identify material deficiencies on a timely basis. The internal audit function should identify systems development as an area for evaluation and review.