Sessions 11-12 Course: A0214/Information Systems Audit Year: 2007

Bina Nusantara

PLANNING AND CONTROLLING

Demand Management Process

• Ensures that the project has a business justification

• Ensures that projects have a business and IT sponsor

• Provides a consistent approach to approving all projects

• Ensures that all major projects identify all costs to improve decision making

• Provides a means to “weed out” non-essential projects

• Provides a means to control IT capacity and spending

Business or IT initiates Project Estimated

Joint Requirement Planning and High Level Solution Design

Business Case and Return On Investment

Cost and Savings Estimates from all Functions

Capital Appropriations Committee

Project Funding Approval and Project Initiation

Procurement and Vendor Management

Technology Approval: Technical Steering Committee (ITSC)

– Evaluate architecture

– Determine impact

– Approve/disapprove

Account Manager works with TSC members to evaluate solution

Request For Proposal

– Finalize requirements and scope

– Request vendor proposals

– Evaluate vendor proposals

Negotiation: IT Procurement Team

– Define scope of work

– Negotiate services and costs

Account Manager works with IT Procurement Team to evaluate vendor proposals

Vendor Management: IT Procurement Team

– Monitor vendor performance

– Administer contracts

– Budget for costs

Account Manager works with IT Procurement Team to negotiate vendor terms

Technology / Contract Refresh: IT Procurement Team

– Track contracts and assets

– Negotiate technology refresh

– Negotiate contract renewal/upgrades

IT Procurement Team notifies customer of contracted date

Technology Request

– Review requirements with customer

– Identify potential solutions

– Evaluate potential solutions

– Recommend vendor solutions

Customer works with Account Manager to document requirements and identify potential solutions

Project Planning

Project Definition and Planning

Review Present Status

Survey Info Needs

Initiate Project And Organize

Identify Business Objectives/Information Strategy

Identify Hardware Software Info Structure / Envir.

Assess Packaged Systems Options

Evaluate Development Alternative

Perform Project Impact Analysis

Finalize Project Work Plan

Mgmt. Review and Approval

Develop Concept Design

The Importance of Project Planning and Control in SDLC

The SDLC flow follows these steps:

• A new idea is generated for a system or improvement

• The idea is preliminarily accepted for potential funding by a sponsor, owner, or user group.

• Problem analysis

– The feasibility of the idea is investigated and data is gathered and analyzed related to the cost and benefits, along with other alternative courses of action

– Classic problem definition and current state analysis are performed and documented to understand the primary problem that is to be solved using root cause analysis techniques

– The constraints of existing and potentially future solutions are identified

– The resultant idea feasibility and options for moving forward are documented and presented to the sponsor for approval

• Solution design:

– If approved for further study, criteria are developed for a successful implementation and are documented along with the functional requirements for the system to meet the needs of the sponsor and the proposed idea

– Processes are defined by system flowcharts and data flow diagrams to better understand the possible solutions and project tasks involved with deploying the various solutions

– Various solutions are analyzed, buy versus build analysis is performed, software acquisition strategies are investigated, and in-house versus contract services are reviewed as options

– The technical feasibility of the various solutions is examined and reconciled with the organization's infrastructure, data model, current and planned system architectures, configurations and so forth

– The economic feasibility of the top choices for solutions is also examined and compared to ROIs and the budgeted resources available.

– Risk analysis of the various options, including security and control concerns, is documented and prepared for the final proposal along with recommendations for risk mitigation

– Solution proposals are made with recommendations of the systems development goals, costs, and deliverables expectations for approval by system owner/sponsor

• System design:

– Based on the approved and agreed-upon scope and constraints, the system is designed and developed considering users' needs, data requirements, functional and processing requirements, training, interfaces, inputs, outputs, internal and application controls, audit trails, availability, data integrity, security requirements, and reports

– Requests for Proposals (RFPs) are designed and submitted as appropriate, and contracts are negotiated with various providers and vendors. For contract programmers, specific contract language ensures that adequate controls exist over deliverables, quality, performance to standards, and workmanship, as well as supportability issues.

– Project plans are built defining the required resources, timeframes, deliverable milestones, and so forth. This is the point where review criteria are developed and agreed upon to ensure that design goals are met.

– Mock-ups and a cost-benefit analysis are presented for approval and final sign-off of development by the departments of management and the affected users.

• System development:

– Equipment is purchased and installed properly

– Systems are developed in the test environments

– Programming occurs through either internal or contract resources

– Several iterations of programming and testing are staged and integrated to achieve the final objectives

– The staged testing includes unit testing, integration testing, regression testing, hardware and component testing, load and stress testing, pilot testing, user acceptance testing, performance testing, and total system testing. This testing should have provisions for protecting sensitive data in the testing phases. The testing duties should be segregated from development tasks as much as possible to ensure the fair analysis and testing of the resultant system or programming components

– User screens are developed and tested

– Initial systems documentation is produced

– Test data is processed for the required objectives testing

– Facilities planning and implementation is developed with acceptance procedures defined for all of the environment and support needs

• System implementation:

– Based on approval and sign off, implementation and production deployment is planned

– File conversion is performed to populate the final system

– Systems conversion is planned and executed using pilot, parallel or full system cutover methodologies

– User and operations manuals are documented and completed

– User and operators are trained

– The final cutover is created, involving close interaction and communication with the system users

• Maintenance and Modifications:

– The system undergoes routine maintenance and bug fixes with scheduled improvements prepared over time using mini SDLCs

– Ongoing operational use and utilization of the system occurs.

– The periodic assessment of design and performance based on the needs and changes in technologies also occurs.

• Cycle repeats:

– A new idea is generated for the improved system to better meet the needs of the owner/sponsor of the user group

Why is control important?

• Discussions of methods, tools, tasks, resources, project schedules and user inputs are critical review points for the IT auditor

• Project plans cover personnel assignments, cost estimates, risks, and organizational impacts associated with the project, and plans for future phases of development including the related cost estimates.

Project Planning and Control: E-Commerce Security as a Strategic and Structural Problem

• An effective security management system should be made an integral part of an organization’s business strategy.

• The development and management of security should support the core business of the organization.

• Security management consists of guidelines that are based on the security practices that support the business strategy as a whole.

• In E-commerce businesses, information security should be seen as a strategic asset and not as a cost.

Information Security Management Systems

• Policy and procedures

• Scope

• Risk assessment

• Risk areas

• Controls

• Documentation

The Planning and Control Approach to E-Commerce Security Management

• Strategic Aspect

– Planning corporate objectives

– Defining budgets

– Defining information security policy

• Organizational Aspect

– Setting up security team of managers and technical personnel

– Defining responsibility

– Drawing up training program in technology and methods

– Documenting information security procedures

– Application of security procedures

– Compliance with security procedures

• Technical Aspect

• Financial Aspect

• Legal Aspect

Conclusion

• Auditor influence is significantly increased when there are formal procedures and guidelines identifying each phase in the SDLC and the extent of auditor involvement

• Auditors will be able to review all relevant areas and phases of the SDLC and report independently to management the adherence to planned objectives and company procedures

• Auditors can identify selected parts of the system and become involved in the technical aspects based upon their skills and abilities

Audit Involvement in Planning and Analysis

• The auditor makes a determination of the reasonableness and merits of the project, potential for satisfying the business need and consistent agreement with company policy and objectives

• The auditor identifies the existence of the communication of the organizational goals from top management downward.

• Auditor requirements are introduced in a timely manner.