Assume that you are working as a software project manager in a software development company. Your company assigned you a project to develop an information system for a bank and you chose object-oriented methodology to develop the system. Based on this scenario, answer the following questions.
a) What are the reasons for choosing the object-oriented development approach for this project? How is object-oriented development different from the structured development approach?
b) Why do you incorporate controls into the design and implementation of information systems? Explain the general controls and application controls that are used to control information systems. What is the role of auditing in the control process?
First part: Object-oriented development uses the object as the basic unit of systems analysis and design. An object combines data and the specific processes that operate on those data. Data encapsulated in an object can be accessed and modified only by the operations, or methods, associated with that object. Instead of passing data to procedures, programs send a message for an object to perform an operation that is already embedded in it. The system is modeled as a collection of objects and the relationships among them. Because processing logic resides within objects rather than in separate software programs, objects must collaborate with each other to make the system work.
Object-oriented development promises reduced maintenance, code reusability, real-world modelling, and improved reliability and flexibility. Since my company is a software development company, the software objects developed for one project can be easily ported to another project. Moreover, in the object-oriented approach, each distinct function or feature can be developed by a separate developer or team and integrated into the main project later. These are the principal motivators for me to choose this approach. Here are some of the major benefits of the object-oriented approach:
• Reduced Maintenance: The primary goal of object-oriented development is the assurance that the system will enjoy a longer life while having far smaller maintenance costs. Because most of the processes within the system are encapsulated, the behaviour may be reused and incorporated into new behaviour.
• Real-World Modelling: Object-oriented systems tend to model the real world in a more complete fashion than do traditional methods. Objects are organized into classes of objects, and objects are associated with behaviour. The model is based on objects, rather than on data and processing.
• Improved Reliability and Flexibility: Object-oriented systems promise to be far more reliable than traditional systems, primarily because new behaviors can be “built” from existing objects. Because objects can be dynamically called and accessed, new objects may be created at any time. The new objects may inherit data attributes from one or many other objects. Behaviors may be inherited from super-classes, and novel behaviors may be added without affecting existing system functions.
• High Code Reusability: When a new object is created, it will automatically inherit the data attributes and characteristics of the class from which it was spawned. The new object will also inherit the data and behaviour from all super-classes in which it participates. When a user creates a new type of widget, the new object behaves “wigitty”, while having new behaviours which are defined to the system.
Second part: Structured methodologies have been used to document, analyze, and design information systems since the 1970s. Structured refers to the fact that the techniques are step by step, with each step building on the previous one. These methodologies are top-down, progressing from the highest, most abstract level to the lowest level of detail, from the general to the specific. These methods are process-oriented, focusing primarily on modeling the processes, or actions, that capture, store, manipulate, and distribute data as the data flow through a system. These methods separate data from processes, whereas object-oriented development combines both data and process in a single object. Object-oriented development uses modeling tools (class diagram, object diagram, sequence diagram etc.) that are different from those of structured development.
The primary modeling tool in structured development for representing a system's component processes and the flow of data between them is the data flow diagram (DFD). A DFD offers a logical graphic model of information flow, partitioning a system into modules that show manageable levels of detail. A DFD rigorously specifies the processes or transformations that occur within each module and the interfaces that exist between them. DFDs can be used to depict higher-level processes as well as lower-level details. Through leveled data flow diagrams, a complex process can be broken down into successive levels of detail. Using DFDs, an entire system can be divided into subsystems with a high-level data flow diagram. Each subsystem, in turn, can be divided into additional subsystems with second-level data flow diagrams, and the lower-level subsystems can be broken down again until the lowest level of detail has been reached.
Another tool for structured analysis is a data dictionary, which contains information about individual pieces of data and data groupings within a system. The data dictionary defines the contents of data flows and data stores so that systems builders understand exactly what pieces of data they contain. Another tool is the process specification, which describes the transformation occurring within the lowest level of the data flow diagrams. Process specifications express the logic for each process. Another tool is the structure chart, where software design is modeled using hierarchical structure charts. It is a top-down chart, showing each level of design, its relationship to other levels, and its place in the overall design structure. The design first considers the main function of a program or system, then breaks this function into sub-functions, and decomposes each sub-function until the lowest level of detail has been reached. The chart may document one program, one system (a set of programs), or part of one program.
First Part: To minimize errors, disasters, interruptions of service, computer crimes, and breaches of security, controls must be incorporated into the design and implementation of information systems. The combination of manual and automated measures that safeguard information systems and ensure that they perform according to management standards is termed controls. Controls consist of all the methods, policies, and procedures that ensure protection of the organization's assets, the accuracy and reliability of its records, and operational adherence to management standards.
In the past, the control of information systems was addressed only toward the end of implementation, just before the system was installed. Today, organizations must identify vulnerability and control issues as early as possible. The control of an information system must be an integral part of its design. Users and builders must pay close attention to controls throughout the system's life span.
Second Part: Computer systems are controlled by a combination of general controls and application controls. General controls establish the framework for controlling design, security, and use of computer programs and the security of data files in general throughout an organization. Application controls, on the other hand, are specific controls unique to each computerized application.
• General Controls and Data Security: General controls include software controls, physical hardware controls, computer operations controls, data security controls, controls over the systems implementation process, and administrative controls. Although most of these controls are designed and maintained by information systems specialists, data security controls and administrative controls require input and oversight from end users and business managers.
Software controls monitor the use of software and prevent unauthorized access of software programs, system software, and computer programs. Hardware controls ensure that computer hardware is physically secure, and check for equipment malfunction. Computer operations controls oversee the work of the computer department to ensure that programmed procedures are consistently and correctly applied to the storage and processing of data. Data security controls ensure that valuable business data files on either disk or tape are not subject to unauthorized access, change, or destruction while they are in use or in storage. Implementation controls audit the systems development process at various points to ensure that the process is properly controlled and managed. Administrative controls formalize standards, rules, procedures, and control disciplines to ensure that the organization's general and application controls are properly executed and enforced.
• Application Controls: Application controls include both automated and manual procedures that ensure that only authorized data are completely and accurately processed by an application. These are unique to each computerized application. Application controls include input controls, processing controls, and output controls.
Input controls check data for accuracy and completeness when they enter the system. There are specific input controls for input authorization, data conversion, data editing, and error handling. Processing controls establish that data are complete and accurate during processing. Output controls ensure that the results of computer processing are accurate, complete, and properly distributed.
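The three kinds of application control can be seen together in a small posting routine for the bank scenario. This is an added example, not part of the original answer; the account numbers, user names, batch records, and the use of a record count and control total as the processing check are all assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data: authorized users, opening balances, one input batch.
AUTHORIZED = {"teller01", "teller02"}
BALANCES = {"ACC-1001": Decimal("500.00"), "ACC-1002": Decimal("75.00")}
BATCH = [
    {"user": "teller01", "account": "ACC-1001", "amount": "120.50"},
    {"user": "teller09", "account": "ACC-1002", "amount": "10.00"},   # not authorized
    {"user": "teller02", "account": "ACC-1002", "amount": "12x.00"},  # fails conversion
    {"user": "teller02", "account": "ACC-9999", "amount": "5.00"},    # unknown account
    {"user": "teller02", "account": "ACC-1002", "amount": "-30.00"},  # withdrawal
]

def input_controls(record, balances):
    """Return (amount, None) when the record passes, else (None, reason)."""
    if record["user"] not in AUTHORIZED:              # input authorization
        return None, "unauthorized user"
    try:
        amount = Decimal(record["amount"])            # data conversion
        cents = amount.quantize(Decimal("0.01"))
    except InvalidOperation:
        return None, "amount is not a number"
    if record["account"] not in balances:             # data editing
        return None, "unknown account"
    if amount == 0 or amount != cents:                # zero, NaN, or sub-cent value
        return None, "amount out of format"
    return amount, None

def run_batch(batch, opening_balances):
    balances = dict(opening_balances)                 # work on a copy
    opening_total = sum(balances.values())
    net_change, posted, rejected = Decimal("0"), 0, []
    for record in batch:
        amount, reason = input_controls(record, balances)
        if reason:                                    # error handling: hold for correction
            rejected.append((record, reason))
            continue
        balances[record["account"]] += amount
        net_change += amount
        posted += 1
    # Processing controls: record count and control total must reconcile.
    if posted + len(rejected) != len(batch):
        raise RuntimeError("record count mismatch")
    if sum(balances.values()) - opening_total != net_change:
        raise RuntimeError("control total mismatch")
    # Output control: report the totals a reviewer reconciles against the input.
    report = {"posted": posted, "rejected": len(rejected), "net_change": net_change}
    return balances, rejected, report
```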
Third Part: To know that information systems controls are effective, organizations must conduct comprehensive and systematic audits. An MIS audit identifies all the controls that govern individual information systems and assesses their effectiveness. To accomplish this, the auditor must acquire a thorough understanding of operations, physical facilities, telecommunications, control systems, data security objectives, organizational structure, personnel, manual procedures, and individual applications.
For this audit, the auditor usually interviews key individuals who use and operate a specific information system concerning their activities and procedures. Application controls, overall integrity controls, and control disciplines are examined. The auditor should trace the flow of sample transactions through the system and perform tests, using, if appropriate, automated audit software.