Week 1: Introductions/Orientation

 Business Process Framework: Organizations use business processes to structure tasks related to
developing and maintaining application software and IT infrastructure. These processes ensure
effective management control over high-value activities like system acquisition, development,
and maintenance.

 Shift from On-premise to SaaS: Traditionally, organizations developed and customized their
software in-house and hosted it on-premises. Today, the trend is toward Software-as-a-Service
(SaaS), with fewer in-house developers and integrations among cloud-based services.

 Systems Development Life Cycle (SDLC): Auditors must examine an organization’s SDLC
methodologies, focusing on how requirements are transformed into applications and
infrastructure that support key business processes. Key areas of audit interest include input,
processing, output controls, and ensuring the integrity of data, especially in multi-user systems.

Weeks 2 – 4: Business Application Development

 The SDLC Framework:

o The SDLC is a structured approach to software development, involving multiple phases

that ensure systematic planning, execution, and maintenance. It addresses business
needs, budget constraints, and time limitations.

o The focus is on delivering reliable, functional software that aligns with user expectations
and organizational goals.

 Phases of the SDLC:

1. Feasibility Study: Management determines the need for new software or updates to existing
systems based on factors like market conditions, cost changes, regulatory requirements, and risks.

2. Requirements Definition: A detailed description of functional, technical, security, disaster recovery,

and privacy requirements is developed. This step is critical to ensuring the software supports
business objectives and complies with organizational standards.

3. Design: High-level and detailed designs are created, mapping out the data flow, processing flow, and
database structure. Storyboards and database designs also emerge in this phase.

4. Development: Developers write the application code based on the design specifications. They also
document program logic, data flows, and interfaces. Security, privacy, and audit concerns are
integrated into the development process.

5. Testing: Various levels of testing, including unit testing, system testing, functional testing, and user
acceptance testing (UAT), are performed to ensure the software meets the required specifications.

6. Implementation: The final stage where the software is deployed into the production environment.
This includes training users, migrating data, and performing final checks.
7. Post-Implementation Review: After deployment, the project undergoes a review to assess any issues
that arose and evaluate the success of the project in meeting business goals.

 SDLC Models:

o Waterfall Model (Traditional Model): A linear, step-by-step process where each phase is
completed before the next begins. Each phase has a formal review to ensure its
completion.

o Iterative and Spiral Models: These allow for incremental development, where each loop
or cycle refines requirements, designs, and prototypes until the project is complete.

o DevOps: Emphasizes collaboration between development and operations teams for

continuous integration and delivery. The process is iterative, promoting continuous
improvement and faster deployment.

Week 6: Virtualization and Cloud Computing Environments

 Cloud-Based Acquisitions:

o More organizations are choosing cloud-based infrastructure and applications due to

scalability, cost savings, and reduced management overhead. The three main cloud
service models are:

 Software-as-a-Service (SaaS): The vendor hosts the application and users access
it over the internet.

 Infrastructure-as-a-Service (IaaS): Customers build and operate their own

virtual machines in the cloud but manage the network architecture, security,
and application layers themselves.

 Platform-as-a-Service (PaaS): Customers develop and deploy applications on a

platform provided by the cloud service provider.

 Key Considerations for Cloud Adoption:

1. Access Control: Ensuring only authorized personnel can access systems.

2. Environment Segregation: Strict separation of data and resources between cloud customers.
3. Physical Security: Protecting the physical infrastructure in the cloud data centers.
4. Legal Jurisdiction: Understanding where data is stored and the laws that govern its protection,
especially concerning data sovereignty.
5. Privacy and Regulation: Ensuring compliance with regulatory standards (e.g., GDPR, PCI DSS).
6. Availability: Ensuring cloud services are available on-demand, as per service-level agreements
(SLAs).
7. Audit and Compliance: Ensuring systems can be audited to meet regulatory and contractual
obligations.
Week 7: Development Methods

 Alternative Software Development Approaches: The traditional Waterfall Model has been
increasingly replaced or complemented by newer, more flexible development approaches, each
with its strengths and trade-offs.

1. DevOps:

o DevOps integrates development (Dev), quality assurance (QA), and operations (Ops) into
a seamless, collaborative process. It emphasizes continuous integration and automated
testing for faster release cycles.

o Key Characteristics: Continuous feedback loops, frequent releases, and enhanced

collaboration among teams. DevOps is crucial for maintaining agility in the face of rapid
technological changes.

o Access Controls and Separation of Duties: Ensuring that regulatory compliance and
security controls, such as data segregation and the separation of duties, are maintained.

2. DevSecOps:

o An extension of DevOps, DevSecOps integrates security into every phase of the software
development process. Security testing is automated and included in the build process,
identifying vulnerabilities early.

o Key Practices: Static and dynamic code analysis, security testing during development
sprints, and automated security tests in production environments.

3. Agile Development:

o The Agile methodology focuses on iterative, small-scale developments with continuous

feedback. Development teams are broken into small groups, working on shorter sprints
that allow for rapid adaptation to changes.

o Key Practices: Frequent product releases, collaboration between cross-functional teams,

and constant communication with stakeholders.

4. Prototyping:

o Prototyping emphasizes rapid creation of working models of a system based on user

feedback. This ensures continuous involvement of users, reducing the risk of developing
a system that doesn’t meet their needs.

o Advantage: Reduces the risk of significant errors or misalignments by involving users

early in the development process.

o Disadvantage: May overlook back-end controls and performance requirements that are
not visible to users during prototype evaluations.

5. Rapid Application Development (RAD):

 o RAD focuses on speeding up the development process through small, highly skilled
teams and reusable code. It is characterized by the rapid creation of prototypes and the
use of tools to support integration, user interfaces, and data management.

o Key Characteristics: Highly interactive development, code reusability, and tight

schedules. RAD is well-suited for projects where time-to-market is critical.

6. Object-Oriented Development (OOD):

o In Object-Oriented Development (OOD), the focus is on creating software "objects" that

encapsulate both data and behaviors. These objects interact with one another through
defined methods.

o Key Concepts:

 Classes and Objects: Classes define the structure and behavior of objects, and
objects are instances of classes.

 Encapsulation: Hides the complexity of objects, exposing only necessary

functionalities.

 Inheritance and Polymorphism: Allows objects to inherit properties from parent

classes and behave differently based on the input or context.