Assurance and Audit
- Buy now
- Learn more
- Discussions
Information System Auditing Process

Part A: Audit Planning Frameworks and Strategic Foundations
Activity -Emerging Audit Areas
Part B: Audit Execution, Evidence, and Reporting
TY - What is EDI? - An Overview (5 min)
Activity - IS Auditing Process
Governance and Management

Part A: IT Governance
Activity - Read and Reflect
SANS - The Five Must-Haves of an AI Governance Framework [30 min]
Part B: IT Management
Activity - Governance - Management Quiz.
Information Systems Acquisition, Development, and Implementation

Part A: Information Systems Acquisition and Development
Activity - SDLC - part01
Part B: Information Systems Implementation
Activity 2 - SDLC - Part 02
Information Systems Operations and Business Resilience

Part A: Information System Operations
Activity - IS Operations
YB: Database Normalization (5 min)
Part B: Business Resilience
Activity - Business Resilience
YT: Types of databases (16 min)

Part B: Information Systems Implementation

The transition from the controlled development environment to a live, dynamic production environment represents the most volatile and high-risk phase of the system life cycle. Part B of the literature review examines the critical operational processes of implementation, focusing extensively on system readiness, rigorous testing methodologies, data migration strategies, configuration management, and the subsequent post-implementation evaluation of the project's overall success.

System Readiness and Implementation Testing

Before moving an information system into production, it must be thoroughly tested to confirm its logic, security, and alignment with the original business requirements. The literature categorises software testing into a hierarchical framework designed to isolate defects and validate complex integrations systematically:

Unit Testing: The foundational testing of individual programs or atomic modules to ensure their internal operations perform exactly according to procedural design specifications.
Interface and Integration Testing: Evaluates the connection of two or more software components to verify that data passes accurately and securely across architectural interfaces.
System Testing: The comprehensive, end-to-end validation of the entire application under varying operational conditions. This phase encompasses recovery testing, security vulnerability testing, load testing, volume testing, stress testing, and overall performance testing. Stress testing, crucially, should be carried out in an isolated test environment using live, heavily scaled workloads to simulate extreme operational pressure and safely identify architectural breaking points.
Final Acceptance Testing: Comprises Quality Assurance Testing (QAT) and User Acceptance Testing (UAT). UAT is required to confirm the system meets business expectations, and formal user sign-off is a key governance step before authorising implementation.

To execute these tests effectively, IS auditors and Quality Assurance professionals utilise various specialised diagnostic techniques :

Snapshot Testing: Records the flow of transactions through specific logic paths to verify execution of program logic, though it requires extensive, in-depth knowledge of the IS environment.
Mapping: Analyse programs during execution to identify untested branches of logic and unused code, highlighting potential security exposures or dead code.
Tracing and Tagging: Places a unique indicator on specific data transactions and traces their path through the entire application architecture, providing an exact picture of the sequence of processing events.
Test Data/Deck: Simulates high-volume transactions using dummy data to verify program execution logic without risking the corruption of actual master files.
Parallel Operation: Processes production data through both the legacy and new systems simultaneously, comparing the outputs to verify accuracy before an abrupt changeover.
Integrated Testing Facility (ITF): Creates a fictitious operational entity (such as a dummy department or vendor) within the live database to process test transactions simultaneously with live data, requiring meticulous planning to isolate test data from accurate corporate financial reporting.
Parallel Simulation: Utilises specialised audit software to independently process production data, simulating the application's program logic to verify outputs without altering the production environment.

For systems processing financial or critical transactions in real-time, the literature heavily emphasises the enforcement of the ACID Principle to guarantee absolute data integrity :

Atomicity: Ensures a transaction is executed entirely or not at all. If interrupted, all database changes are backed out.
Consistency: Ensures that the database transitions seamlessly from one valid, consistent state to another while maintaining all predefined relational integrity constraints.
Isolation: Guarantees concurrent transactions are isolated from one another to prevent data contamination.
Durability: Ensures that once a transaction is reported complete, the resulting changes persist through any subsequent hardware or software failures.

Implementation Configuration and Release Management

Configuration management is the rigorous discipline of identifying, defining, and tracking changes to the hardware and software baseline throughout the system life cycle. A robust configuration management process establishes a known, secure baseline and meticulously registers any modifications to configuration items. This ensures that the production environment is fiercely protected from unauthorised, malicious, or untested code.

Release management is inextricably linked to configuration management. Following implementation, a system enters the maintenance stage, in which formalised change control becomes paramount. We must strictly enforce the methodology for authorising, prioritising, assessing the impact of, and tracking system change requests. Emergency changes that bypass standard testing protocols to restore critical services must have a documented, auditable pathway that balances the need for rapid deployment with appropriate retrospective security oversight. We must enforce strict segregation of duties across the environment, preventing software developers from accessing production source code or executing unauthorised changes directly in the live environment.

System Migration, Infrastructure Deployment, and Data Conversion

Data migration is frequently cited in the academic and professional literature as one of the highest-risk activities within the entire system implementation life cycle. Industry studies indicate that up to 83% of data migration projects fail, significantly exceed budgets, or cause severe operational disruption. These failures are primarily attributed to rushed infrastructural assessments, poor legacy data quality, and hidden system dependencies.

Data migration can take several forms, including storage migration, database migration, business process migration, and cloud migration. Regardless of the type, the objective of data conversion is to translate legacy data into a new format while flawlessly preserving its semantic meaning and relational integrity. Successful data conversion demands a highly structured, risk-averse approach :

Data Audit and Cleansing: Long before migration scripts are written, organisations must conduct a thorough data audit to identify redundant, duplicate, or outdated records. Cleansing the data ensures that historical errors are not propagated into the new, optimised system.
Data Mapping: Precise alignment of legacy data fields with the new ERP database schema is essential to maintain referential integrity.
Testing and Validation: Migrations should be executed iteratively in a secure sandbox environment first. After the production conversion, automated reports should document any exceptions, and critical financial and operational data should be reconciled against the legacy system's final state.

The literature emphasises that while IT teams handle the physical transfer of data, the business Data Owner is responsible for reviewing and formally signing off on the data's accuracy and completeness before it goes live.

To shift operations from the old system to the new, organisations must select a changeover strategy that aligns closely with their risk appetite and operational constraints :

Parallel Changeover: Both the old and new systems run simultaneously for a defined period. While this significantly reduces operational risk by providing a built-in active fallback, it is highly resource-intensive, requiring duplicate data entry and processing.
Phased Changeover: The new system is deployed incrementally, typically by functional module or geographical business unit. This approach isolates implementation risk but can severely complicate data synchronisation between legacy and newly implemented modules.
Abrupt (Big Bang) Changeover: The legacy system is abruptly deactivated, and the new system is immediately activated at a specific cutoff date and time. This is the fastest but most risky method, demanding an immaculate, thoroughly tested fallback scenario.

Regardless of the chosen strategy, we must define a comprehensive rollback (fallback) scenario that uses unload/load components, rapid transfer components, and extensive log files to restore the environment to its original state in the event of a catastrophic deployment failure.

Post-Implementation Review (PIR)

The implementation phase ends with a Post-Implementation Review (PIR). The primary objective of the PIR is to assess whether the deployed project met its intended business requirements, evaluate the adequacy and operational effectiveness of the implemented controls, and measure the actual Return on Investment (ROI) against the initial business case projections. The Government Accountability Office (GAO) notes that the PIR provides an essential feedback mechanism to management, delivering the data needed to analyse which corrective actions may be required before embarking on future system development efforts.

The literature outlines several crucial steps and best practices for project closeout and the PIR process :

Timing of the Review: The PIR should emphatically not be conducted immediately upon go-live. A stabilisation period (typically weeks or months) is necessary to allow users to adapt to the system and to measure operational impacts and the realisation of benefits accurately.
Assessment Metrics: Project success must be measured across multiple quantifiable dimensions, including productivity (e.g., transactions per user), quality (e.g., discrepancy or error rates), economic value (e.g., total processing time reduction, administrative cost reduction), and customer service metrics (e.g., turnaround time for issue resolution).
Documentation of Lessons Learned: Documenting both project successes and challenges, and identifying the root causes of constraints or delays, significantly improves the accuracy of future planning and prevents the organisation from repeating systemic mistakes.
Auditor Independence: Crucially, the IS auditor or personnel conducting the PIR must maintain strict independence from the project's development and implementation teams. This independence is required to provide a completely objective assessment of the control environment and the project's true outcomes.

During the execution of the PIR, the independent IS auditor reviews program change requests since go-live, analyses input and output control balances to verify that the system is processing data correctly in the real world, and examines operator and system error logs to detect any inherent systemic software problems. This continuous feedback loop provides executive management with the insights they need to refine and improve the enterprise's IT governance and system implementation strategies.