Development and Acquisition Booklet, Appendix A: Examination Procedures
EXAMINATION OBJECTIVES: The objectives of Development and Acquisition assessments are to identify weaknesses or risks that could negatively impact an organization, to identify entities whose condition or performance requires special supervisory attention, and to subsequently effect corrective action.
Examiners should not expect organizations to employ formal project management techniques in all situations. Reviews should be risk focused and center on ensuring project management standards, controls, and procedures are present and commensurate with the characteristics and risks of the projects under review.
Examiners are not required to include lengthy responses to each Objective or bulleted item. Often, examiners should be able to simply note an item is adequate or inadequate with yes or no responses. However, examiners must adequately document material findings. Documentation must be sufficient to support the assignment of the Development and Acquisition component rating of the Federal Financial Institutions Examination Council's Uniform Rating System for Information Technology.
Objective 1: Determine the scope of the Development and Acquisition review. 1. Identify strengths and weaknesses relating to development, acquisition, and maintenance activities, through a review of:
2. Review management's response to report and audit findings to determine
3. Review applicable documentation and interview technology managers to identify:
Objective 2: Assess the level of oversight and support provided by the board and management relating to development, acquisition, and maintenance activities. 1. Assess the level of oversight and support by evaluating:
Objective 3: Assess the organizational structure in relation to the appropriateness of assigned responsibilities concerning technology systems and initiatives. 1. Evaluate organizational responsibilities to ensure the board and management:
Objective 4: Assess the level and characteristics of risks associated with development, acquisition, and maintenance activities that could materially impact the organization. 1. Assess the risks identified in other objectives and evaluate the adequacy of risk management programs regarding:
Objective 5: Assess the adequacy of development project management standards, methodologies, and practices. 1. Evaluate the adequacy of development activities by assessing:
Objective 6: Assess the adequacy of acquisition project management standards, methodologies, and practices. 1. Assess the adequacy of acquisition activities by evaluating:
Objective 7: Assess the adequacy of maintenance project management standards, methodologies, and practices. 1. Evaluate the sufficiency of, and adherence to, maintenance standards and controls relating to:
Objective 8: Assess the effectiveness of conversion projects. 1. Evaluate the effectiveness of conversion projects by:
Objective 9: Assess the adequacy of quality assurance programs. 1. Assess the adequacy of quality assurance programs by evaluating:
Objective 10: Assess the adequacy of program change controls. 1. Evaluate the sufficiency of, and adherence to:
Objective 11: Assess the adequacy of patch-management standards and controls. 1. Evaluate the sufficiency of, and adherence to, patch-management standards and controls that require:
Objective 12: Assess the quality of application, system, and project documentation, and the adequacy of documentation controls. 1. Assess the adequacy of documentation controls by evaluating the sufficiency of, and adherence to, documentation standards that require:
2. Assess the quality of application documentation by evaluating the adequacy of internal and external assessments of:
3. Assess the quality of open source-code system documentation by evaluating the adequacy of internal and external assessments of:
4. Assess the quality of project documentation by evaluating the adequacy of documentation relating to the:
Note: If examiners employ sampling techniques, they should include planning and testing phase documentation in the sample.
Objective 13: Assess the security and integrity of system and application software. 1. Assess the quality of open source-code system documentation by evaluating the adequacy of internal and external assessments of:
Objective 14: Assess the ability of information technology solutions to meet the needs of the end users. 1. Interview end users to determine their assessment of technology solutions.
Objective 15: Assess the extent of end-user involvement in the system development and acquisition process. 1. Interview end users and review development and acquisition project documentation to determine the extent of end-user involvement.
Objective 16: Document and discuss findings and recommend corrective actions. 1. Document findings and recommendations regarding the quality and effectiveness of the organization's Development and Acquisition standards and procedures.
2. Discuss preliminary findings with the examiner-in-charge regarding:
3. Discuss your findings with management and obtain commitments for corrective actions and deadlines for remedying significant deficiencies.
4. Discuss findings with the examiner-in-charge regarding:
5. Document your conclusions in a memo to the examiner-in-charge that provides report-ready comments for all relevant sections of the report of examination.
6. Organize your work papers to ensure clear support for significant findings and recommendations.