Quality System Oversight: Ensuring Responsible System Development Life Cycle Practices Over Time

 

Responsible System Development Life Cycle (SDLC) practices are crucial for developing systems because the System Development Life Cycle allows a company to account for systems used in their business for operational or financial benefits over time. The point of the System Development Life Cycle (SDLC) is to account for everything going on in the organization, including the technical systems. The SDLC helps the company track the financial, operational, regulatory, and business alignments in the organization. It allows the company to determine whether or not to use a system based on cost-effectiveness and ensures that configurations are correct. It's an important part of asset management because once you choose a system, it becomes an asset for the company. The SDLC covers the entire lifecycle, including the disposal of the system once you are done with it. Following the SDLC allows the company to have eyes on the system in all the important ways that apply to the business.

Function Point Analysis. In Function Point Analysis (FPA), a program is analyzed to determine the number of external input, external output, external inquiries, internal file structure, and external interface files. These parameters reflect the complexity requirement of a program because every feature in a program depends on where the data comes from and where it is going. These factors are multiplied by low, average, or high ranks and multiplied against an adjusted weight to develop an estimate of work required. Because the software isn’t built yet, the senior developer needs enough experience to comprehend what is actually required to define the inputs according to the FPA. They would need to understand how API authentication works, how data is requested from an external API, what data is requested, and how many incoming and outgoing requests to quantify it in a way that determines if it is worth the time it takes to write the code. This approach allows the developer to create a scope of work, determine effective cost-estimates, and compare it to the payback schedule to decide if the system is a viable approach the company wants to invest in. The auditor reviews the documentation to verify that the chosen solution was a reasonable solution that obtained management approval. 

ER Diagram. The ER diagram is a standardized definition of your data that accounts for every piece of data in the database and is used to create a database schema. Internal controls are necessary in all software designs to meet compliance requirements. These controls are corrective, preventative, and detective. An auditor fulfilling their role in the System Development Life Cycle exemplifies a detective control. Corrective controls ensure data integrity. While a corrective control is required, software developers will be unable to build a workable program if not accounted for on a technical level. Preventative controls are developed after a problem has been discovered through additional monitoring, data encryption, and stronger password policies. The auditor reviews the requirements and ensures that the proposed system meets the needs of the user, provides adequate internal controls and security measures, offers secure configuration, and ensures that cost and estimates receive proper management approval. In this way, they verify that the proposed system meets the company’s needs and the needs of the user. 

System Design. The system design phase details logic for the entire system. This work is based on initial concepts, flow charts, and ER Diagrams. The auditor’s role is to oversee the process to ensure that everything is accounted for. A technical system is broken down into great granular detail to ensure compliance and quality in planning. Because this is one of the longest phases, it’s important that the person that fulfills this role has a technical background. Architecture in the code can be done quickly at a high level. The cost of proper planning is less than the cost of correcting problems later on. A great deal of time is spent in this area to develop a strong system that lowers the price of non conformance through accepting the price of conformance and providing quality and training from the planning phase. Poor planning, flawed design, and poor management represent quality failures in a system. An auditor verifies proper planning, design, and management approval to reduce and prevent quality failures and deviations from the plan. Management provides solutions for common failures within defined processes, and employees address special quality failures in the product. Change control and well-defined policies serve to prevent special quality failures.

System Testing, Certification, Accreditation and User Training. System testing verifies that the system meets all specified requirements and functions as intended. It involves various levels of testing, including unit testing, integration testing, system testing, and user acceptance testing. Certification measures compliance and tests a system to ensure it has all of the internal controls as compared against a known reference, such as the ISO 15408 standards or NIST special publication 800.53 as a complete set of Common Criteria. Accreditation denotes the executive responsible for accepting consequence and ensuring the overall operation, maintenance, and annual funding of a site, type of use, or system to prevent a governance failure. User training ensures that end-users are proficient in using the new system and can take full advantage of its features. The auditor's role during this phase is to verify that all testing procedures are followed correctly, certifications and accreditations are obtained, and training programs are effectively implemented to verify that the system is ready for deployment and that users are adequately prepared to operate it.

Post-Implementation Reviews. After the system has been deployed, post-implementation reviews evaluate the system’s performance and ensure that it meets the organization's goals and user requirements. Recently, on February 23, 2024, climate change considerations became a core requirement for all Management System Standards, such as ISO 9001, 14001, and 45001(Marlow, 2024). The London Declaration now requires organizations to integrate climate change considerations into post-implementation reviews to ensure sustainability and resilience gain attention in ongoing system management. This change highlights the growing importance of environmental factors in effective system management to protect resources, comply with regulations, and reduce the environmental impact. By gathering user feedback, assessing the system's operational effectiveness, and identifying areas of improvement, the auditor's role verifies that the system is functioning as intended and issues are addressed with urgency ensuring the system remains aligned with business objectives over time and continues to improve and deliver value to the organization. Continuous monitoring, application security, annual reviews, updates to hardware and software,policy reviews, environmental changes, and system migrations ensure that systems and teams remain effective. 

Reference:

Cannon,D. L., O’Hara, B. T., and Keele, A. (2016). CISA Certified Information Systems Auditor Study Guide Fourth Edition. SYBEX.

Marlow, A. (2024). DON’T MISS OUT ON THIS CRUCIAL UPDATE FOR YOUR MANAGEMENT SYSTEM – EVERYTHING THAT YOU NEED TO KNOW!. EMS MASTERY. https://emsmastery.com/2024/02/25/dont-miss-out-on-this-crucial-update-for-your-management-system-everything-that-you-need-to-know/

QTS. (2019). The Four Phases of the Certification and Accreditation Process. https://qtsdatacenters.com/resources/articles/the-four-phases-of-the-certification-and-accreditation-process

Martin, D. (n.d.) The System Design Primer. Pragmatic Engineer. https://github.com/donnemartin/system-design-primer?ref=blog.pragmaticengineer.com