What is the first priority in IT audit?
If you’re the first person responsible for performing an information system audit in your company, what is your first priority? Repairing the IT process in your company? Preparing risk control matrices, or just recruiting another experienced IS auditor to brainstorm with you?
In my experience, it all starts with planning. Yes, IT planning plays a significant role at this stage. Remember that auditing means a lot of interaction with many departments and functions across the company. So coordination is the first issue to note.
Have you ever been in this situation?
6 steps of systems development methodology from an audit perspective
The SDLC is designed to produce high-quality software in a structured way that minimizes risk. The traditional approach to SDLC is the waterfall model, which contains 6 implementation steps. ISACA uses a modified model that has five primary phases and the post-implementation phase.
Phase 1: Feasibility
In this step, the feasibility of the project is considered. The cost of the project must be discussed, as well as the potential benefits that it will bring to the system’s users. A payback analysis must be performed to determine how long the project will take to pay for itself. In other words, the payback analysis determines how much time will lapse before accrued benefits will overtake accrued and continuing costs. If it is determined that the project will move forward, the team will want to develop a preliminary timeline. During the feasibility phase, everyone gets a chance to meet and understand the goals of the project.
Phase 2: Requirements Definition
How to measure risk level in software development cost estimation
Most of us put a lot of effort into cost estimation in our personal lives. When considering a new job offer, most of us look closely at the cost of living in a different area; likewise, when shopping for a new car, most people check with several dealerships to find the best deal. The business world is constrained by the same budget factors. These components drive up the cost of software:
- The chosen source code language—Using an obscure or unpopular language will most likely drive up costs.
- The size of the application—The size or complexity of the application has a bearing on cost. As an example, the level of security needed is something that will affect the complexity of a given application. This also has a direct correlation to the scope of the project.
- The project time constraints—If a project is projected to be completed in one month versus three months, this might mean that more overtime needs to be paid, along with fees for rushed services.
SAP R2 versus SAP R3, a simple comparison
R/2 Mainframe Solution
R/2 is SAP AG mainframe software that runs on IBM, Siemens, Amdahl, and compatible equipment. This type of solution cannot claim to be open, although with the help of Application Link Enabled (ALE) technology, R/2 can be linked to R/3 systems and share online data.
Nevertheless, despite the emergence of new technologies and the significant decrease in hardware prices, some companies preferred the mainframe approach. This solution is mainly targeted at enterprises in data-intensive and centralized industries.
R/2 is the antecedent of the client/server R/3 system and also offers comprehensive, fully functional business applications to satisfy the demands of mainframe users. SAP will continue to support R/2 systems until the year 2004, so it is advising customers to migrate to R/3.
Develop, Buy or Customize?
Although this is not a step in the SDLC, an organization might decide to buy a product instead of building it. The decision typically comes down to time, cost, and availability of a predesigned substitute.
Before moving forward with the option to buy, the project team should develop a request for proposal (RFP) to solicit bids from vendors. Vendor responses should be closely examined to find the vendor that best meets the project team’s requirements. Some of the questions that should be asked include these:
- Does the vendor have a software product that will work as is?
- Will the vendor have to modify the software product to meet our needs?
- Will the vendor have to create a new, nonexistent software product for us?
IT Service Funding: Shared Cost, Charge Back or Sponsor Pays
Senior management must select a strategy to determine who will pay for the information system’s services. Funding is an important topic because departments must have adequate funds to operate. Each funding option has its advantages and disadvantages. The three most common include these:
Shared cost
With this method, all departments of the organization share the cost. The advantage of this method is that it is relatively easy to implement and for accounting to handle. Its disadvantage is that some departments might feel that they are paying for something they do not use.
IT risk approach for successful compliance implementation
There are many definitions of IT risk, but before looking at them, note that every business venture is basically risky. In new business ventures and new product development, there are unknown factors, and their impacts on the venture are equally unknown. The unknown factors could be favorable or unfavorable. There is a probability that one may either gain or lose. However, a loss may hurt the venture. Here are some of the definitions:
1. Risk is the probability of suffering loss.
A refinement of this definition is to include goals, gains, or opportunities in the statement. Perhaps it is implied and obvious that risks are connected with gains. Nevertheless, if risks are divorced from the associated goals, then one sees just a set of problems. A risk list should not be reduced to a problem list. Risks have a much broader role to play.
