Unit 10: Acct 8630 Information Systems Assurance updated 10/23/07

Syllabus 10 11 12 13 14 15 16 uLearn
Learning objective
Activity
Resources
In class Tuesday October 23
  1. Develop assurance objectives for risks of information systems.
  2. Design assurance procedures.
  3. Implement assurance procedures with software tools.
  4. Communicate assurance results.

Debrief Threadchic

  1. Hazard of relying on an existing audit program, especially one developed for manual execution
  2. Importance of well-formed audit objectives implemented with audit procedures and queries consistent with the objectives. Consider these audit objectives:
    1. Verify that payments are for actual purchases
    2. Verify that invoice amounts match payment amounts
    3. Verify payment for purchases
  3. Inspired by real-world events
  4. Increasing demand for "out-of-the-box" thinking
  5. Integration of financial and IT auditing
    Shift in recent years: this kind of analysis, once the preserve of IT auditors, is becoming more commonplace among auditors
    1. New auditing standards giving auditors more responsibility for detecting fraud
    2. SOX mandate for internal control assessments

Threadchic

Assertion-based auditing standards:

  1. Pre-SOX: AU326
  2. Post-SOX:
    1. SAS 106
    2. AS 5

Analytical procedures:

  1. Auditing Standard AU329
  2. Applications

CAATs:

  1. Toolbox at Sara Lee
  2. SQL at State of Minnesota
  3. Accounts payable procedures
  4. Software tools
    1. p. 56
    2. p. 58
    3. p. 59
    4. p. 60
    5. p. 61
    6. p. 62
  1. Develop assurance objectives for risks of information systems.
  2. Design assurance procedures.

Consider system development and change control pitfalls: Recognize signs of failing projects

  1. System development life cycle (SDLC) methodologies (the way organizations go about developing information systems) range from nothing to a lot of process, e.g., the process for the U.S. Department of Justice. Why?
  2. Does the project from hell have any similarities with CONFIRM?
  3. Why did CONFIRM fail but Sabre was successful in rebuilding its reservation system?
  4. How do risks and system development audits differ for systems developed iteratively (synch-and-stabilize) and with sequential (waterfall, e.g., U.S. Department of Justice) methodology?
  5. The wages of inadequate testing can make the case for testing better than exhortations to adhere to sound testing practices.
  6. Given that system capacities are fixed, why do organizations like Comair and Beth Deaconess Medical Center persist in ignoring the need to increase capacity to accommodate use?

System development

  1. Sequential: U.S. Dept. Justice
  2. Iterative: Synch-and-stabilize
  3. Configuration management
  4. Testing
    1. Levels of testing
    2. Wages of inadequate testing
    3. Automated testing tools
  5. Change management
    1. Hunton pp. 83-85
    2. Change control

Failures (from which we learn if we pay attention)

  1. Project from hell
  2. CONFIRM
  3. Comair
  4. Beth Deaconess Medical Center

Success: Sabre: 3/29/04; 5/31/04; 1: 6/7/04; 2: 6/7/04

  1. Develop assurance objectives for risks of information systems.
  2. Design assurance procedures.
  3. Implement assurance procedures with software tools.
  4. Communicate assurance results.
  5. Collaborate with others to achieve these objectives.

Organofood case

  1. Interview Derilo to find out how Organofood develops and maintains its information systems
    1. XP (eXtreme Programming)
    2. Authorization
  2. Answer readiness questions for the case
  3. Work in teams


Organofood

 

Before the next class
  1. Develop objectives for system development audits.
  2. Justify priorities for system development audits.
  3. Explain objectives and priorities convincingly to management.
  4. Develop rationales for system development audits even when interest is scarce.

Explore the wages of inattention to installing ES (enterprise systems)

  1. Early experiences with ES: What is the predominant development flaw?
    1. Doomed from the beginning: FoxMeyer ordeal and aftermath
    2. Even though FoxMeyer didn't have the transaction volume of Visa's VisaNet processing system, could FoxMeyer's development team have profited by knowing about how Visa does volume testing?
    3. Weak earnings associated with SAP implementations
      1. Grainger
      2. Hershey: Wall Street Journal; Computerworld one, two, three; CIO
      3. Jo-Ann Stores
      4. Nestlé
      5. Nike
      6. Thomas & Betts
      7. Volkswagen
      8. Whirlpool
  2. How can CAAT techniques and tools be applied to auditing ES systems like SAP? (Kennametal example; extracting data)
  3. More recent experiences with consolidating legacy systems onto a single platform
    1. What did Cigna fail to do?
    2. How did Celanese manage the challenges of consolidating systems?
  4. When ERPs enable more integrated views of company results, flaws in prior legacy systems may come to light: CP Ships Ltd.
  1. Develop assurance objectives for risks of information systems.
  2. Design assurance procedures.
  3. Implement assurance procedures with software tools.
  4. Communicate assurance results.
  5. Collaborate with others to achieve these objectives.

Organofood case

In your team, work on an audit program for the Organofood audit that you implement by querying the database and whose results you communicate in this report.

Name the files as follows:

  1. The audit program and results in a .htm file with the name:

    11-OrganofoodAudit.htm

  2. .mdb files containing queries implementing the audit program with the names:

    11-OrganofoodTestdataQueries.mdb

    11-OrganofoodProgLibraryQueries.mdb


  1. Organofood

  2. Glimpses into development audits:
    1. Information flow
    2. Access control
    3. Lack of integration
  3. System development
    1. Hunton pp. 69-90
    2. Configuration management

  4. Testing
    1. Levels of testing
    2. Wages of inadequate testing
    3. Automated testing tools

  5. Change management
    1. Hunton pp. 83-85
    2. Change control

  6. System failure: Project from hell
Copyright © 2001-2007 A. Faye Borthick, Atlanta, Georgia, USA. All rights reserved.