ARCHIVED - Systems Under Development (Audit Guide) - March 1, 1991

• Previous Page
• Table of Contents
• Next Page

This page has been archived.

Appendix C: Audit Program for the Feasibility Stage

Stage: 2. Feasibility Study

Objective: 2.A To establish that a feasibility study, including an Overall Project Plan, has been undertaken to determine the most appropriate solution to a stated problem in terms of organizational capability, economic justification, and technical suitability.

Criterion: 2.A.1 User requirements are addressed in a User Requirements Report or similar document.

Audit Step: 2.A.1.1 Has a User Requirements document been prepared and released? Does it include the following expression of need in terms of the organization's mission:

• A description of the current function.
• Deficiencies of the current function.
• Resources expended on the current function.
• Volume of work produced with the current function, including peak processing performance and projected growth.
• Internal control and security requirements.
• Justification for improvement and changes.
• Scope and objectives of proposed system.
• Alternative solutions to solving the need.
• Relationships with other systems.
• Relationships with long-range plans and other information resource management initiatives.

Note: See Gane and Sarson, Appendix I, Item 22, contains further areas of investigation concerning user requirements.

Y	N	N/A	Comments	XREF

Criterion: 2.A.2 The accuracy and completeness of user requirements has been acknowledged by the appropriate level of user, and by Data Processing management.

Audit Step: 2.A.2.1 Has the User Requirements document been reviewed by the Steering Committee/Sign Off Authorities?

• Have they signified acceptance of the need to continue the project? Note any conditional acceptance for follow-up in later stages.

Y	N	N/A	Comments	XREF

Audit Step: 2.A.2.2 Have steps been taken by the project team to identify and consult all affected parties?

Criterion: 2.A.3 The analysis of alternative processing configurations has been described in a Feasibility Study or similar document.

Audit Step: 2.A.3.1 Has a Technological Feasibility Study been prepared and documented?

• Are there organizational standards for the content and conduct of Technological Feasibility Studies?
• Is the proposed technology feasible, considering the technical sophistication existing or available through the organization?

Y	N	N/A	Comments	XREF

Audit Step: 2.A.3.2 Review the technology feasibility report to see if it has adequately addressed:

• Hardware needs and availability.
• System software needs and availability.
• Communications hardware and software needs availability. Valid time constraints in the user department's information requirements and the manner of satisfying them.
• Operational feasibility (eg. whether the new project fits into the current mix of hardware, software, and communications).

Y	N	N/A	Comments	XREF

Audit Step: 2.A.3.3 Verify that there is a consensus among user departments and designers concerning the technological aspects of the system's configuration.

Y	N	N/A	Comments	XREF

Audit Step: 2.A.3.4 Determine the organizational capability to manage the related technologies and to decide whether the technologies should be developed or bought, operated in-house or out, and maintained in-house or out.

Y	N	N/A	Comments	XREF

Audit Step: 2.A.3.5 Confirm with independent sources the reliability and track record of the recommended hardware and software.

Y	N	N/A	Comments	XREF

Criterion: 2.A.4 The user of an appropriate level and Data Processing management have acknowledged that the analysis of processing alternatives is accurate and complete and agrees with the recommendations.

Audit Step: 2.A.4.1 Has the Feasibility Study document been reviewed by the Steering Committee/Sign Off Authorities?

• Have they signified acceptance of the recommendations and the need to continue the project? Note any conditional acceptance for follow-up in later stages.

Y	N	N/A	Comments	XREF

Audit Step: 2.A.4.2 Have steps been taken by the project team to identify and consult all affected parties?

Y	N	N/A	Comments	XREF

Criterion: 2.A.5 Resource estimates and other financial data have been addressed in a Cost/Benefit Analysis Report or similar document.

Audit Step: 2.A.5.1 Has a Cost/Benefit document been prepared and released? Are all costs identified as operating or capital?

Note: Information from the Advisory Committee on Information Management (ACIM) committees should also be used as reference material at this point in the audit.

Y	N	N/A	Comments	XREF

Audit Step: 2.A.5.2 Ensure that the analysis of the project costs and benefits was prepared to evaluate the economic feasibility of each alternative:

• the assumptions and constraints in the cost/benefit analysis for reasonableness
• the user and system costs cover all stages of the life cycle
• the estimated costs for each alternative include hardware and software enhancements needed to support that alternative
• estimated costs for each alternative includes cost of security and internal controls, data preparation and entry, file conversion, testing, parallel operations, acceptance, and related costs
• the basis of estimation and computation of costs is reasonable
• there is a consensus among end users, designers,and implementors concerning system costs, benefits, and contractual agreements

Y	N	N/A	Comments	XREF

Audit Step: 2.A.5.3 Ensure that the analysis of the project costs and benefits takes into consideration the impact on human resources. Verify that estimated costs for each alternative includes:

• training, and
• redeployment of staff.

Y	N	N/A	Comments	XREF

Criterion: 2.A.6 The accuracy and completeness of the cost/benefit analysis and acceptance of the recommended alternative has been acknowledged by the appropriate level of user and by Data Processing management.

Audit Step: 2.A.6.1 Has the Cost/Benefit document been reviewed by the Steering Committee/Sign Off Authorities?

• Have they signified acceptance of the recommended alternative and the need to continue the project? Note any conditional acceptance for follow-up in later stages.

Y	N	N/A	Comments	XREF

Audit Step: 2.A.6.2 Have steps been taken by the project team to identify and consult all affected parties?

Y	N	N/A	Comments	XREF

Criterion: 2.A.7 Based on the alternative recommended in the cost/benefit analysis, a Personnel Skills Summary has been prepared by the Project Manager summarizing the following information:

• required skill categories (administrative and technical)
• required skill levels
• required number of skilled personnel
• required authority level

Audit Step: 2.A.7.1 Has the Project Manager prepared a Personnel Skills Summary?

Y	N	N/A	Comments	XREF

Audit Step: 2.A.7.2 Does the Personnel Skills Summary address the following:

• required skill categories (administrative and technical)?
• required skill levels?
• required number of skilled personnel?
• required authority level?

Y	N	N/A	Comments	XREF

Audit Step: 2.A.7.3 Does the Project documentation show that the skills of the staff employed on the project (as Team Members or Steering Committee/Sign Off Authority members) meet the requirements specified in the Personnel Skills Summary?

Y	N	N/A	Comments	XREF

Criterion: 2.A.8 Dates for Committee meetings and the items to be discussed at each meeting have been addressed in a Steering Committee Meeting Schedule or similar document.

Audit Step: 2.A.8.1 Has a Steering Committee Meeting Schedule document been prepared and released to all interested parties, including EDP and user management?

Y	N	N/A	Comments	XREF

Audit Step: 2.A.8.2 Review the minutes of the Committee meetings and note the following:

• that EDP and user management were represented at each meeting, and
• that meetings were held regularly.

Y	N	N/A	Comments	XREF

Criterion: 2.A.9 The status of the project compared to the work plan contained in the Project Initiation document has been addressed in a Feasibility Stage Project Status Report or similar document.

Audit Step: 2.A.9.1 Has a Feasibility Stage Status document been prepared and released?

Y	N	N/A	Comments	XREF

Audit Step: 2.A.9.2 Verify that it contains at least the following:

• actual resources used to date, compared to planned, with reasons for variance
• actual milestones achieved to date, compared to planned, with reasons for variance
• detailed plan for General Design Stage, including reference to the following:
• analyzing and specifying the user's detailed requirements
• establishing change control processes
• updating the cost/benefit analysis
• obtaining management approval
• updated budget and reasons for any changes
• updated schedule and reasons for any changes
• recommendation to continue or discontinue the project

Y	N	N/A	Comments	XREF

Audit Step: 2.A.9.3 Verify actual resources used in the source documents.

Y	N	N/A	Comments	XREF

Audit Step: 2.A.9.4 Verify that the updated budget and schedule are in keeping with the feasibility study and cost/benefit analysis.

Y	N	N/A	Comments	XREF

Criterion: 2.A.10 The accuracy and completeness of the Feasibility Stage Status document has been acknowledged by the appropriate level of user, and by Data Processing management, and they agree with it.

Audit Step: 2.A.10.1 Has the Feasibility Stage Status document been reviewed by the Steering Committee/Sign Off Authorities? Have they confirmed its acceptance?

Y	N	N/A	Comments	XREF

Audit Step: 2.A.10.2 Have steps been taken by the project team to identify and consult all affected parties?

Note: The auditor is likely to find that the Cost/Benefit Analysis and the Feasibility Stage Status documents are combined. In any event, management acceptance of the cost/benefit analysis recommendation will be tantamount to accepting the updated budget. The updated schedule is a different matter.

Y	N	N/A	Comments	XREF

Objective: 2.B To ascertain that data processed and stored by the system will be complete, accurate, and authorized, and that security, privacy, and accessibility levels for the system's data are specified.

Criterion: 2.B.1 The need for processing control requirements are identified in a System Processing Controls Specifications or similar document.

Audit Step: 2.B.1.1 Does the Feasibility Study identify the need for a System Processing Controls Specifications or similar document?

Y	N	N/A	Comments	XREF

Criterion: 2.B.2 The level of security, privacy, and accessibility of system data has been documented by the user representative.

Audit Step: 2.B.2.1 Determine that a statement of the level of security, privacy and accessibility needed for system's data conforms to the TB policies (see Appendix J for a list of relevant documents) or government Acts, and that the statement is included with the documentation to be reviewed by the Steering Committee/Sign Off Authorities.

Y	N	N/A	Comments	XREF

Objective: 2.C To ensure that the system operates efficiency, effectively, and economically.

Criterion: 2.C.1 The need for system management control requirements is identified in a System Management Controls Specifications or similar document.

Audit Step: 2.C.1.1 Does the Feasibility Study identify the need for a System Management Controls Specifications or similar document?

Y	N	N/A	Comments	XREF

• Previous Page
• Table of Contents
• Next Page