The design phase involves converting the informational, functional, and network requirements identified during the initiation and planning phases into unified design specifications that developers use to script programs during the development phase. Program designs are constructed in various ways.
Design Phase
The design phase involves converting the
informational, functional, and network requirements identified during the
initiation and planning phases into unified design specifications that
developers use to script programs during the development phase. Program designs
are constructed in various ways.
Using a top-down approach, designers first
identify and link major program components and interfaces, then expand design
layouts as they identify and link smaller subsystems and connections. Using a
bottom-up approach, designers first identify and link minor program components
and interfaces, then expand design layouts as they identify and link larger
systems and connections.
Contemporary design techniques often use
prototyping tools that build mock-up designs of items such as application
screens, database layouts, and system architectures. End users, designers,
developers, database managers, and network administrators should review and
refine the prototyped designs in an iterative process until they agree on an
acceptable design. Audit, security, and quality assurance personnel should be
involved in the review and approval process.
Management should be particularly diligent when
using prototyping tools to develop automated controls. Prototyping can enhance
an organization’s ability to design, test, and establish controls. However,
employees may be inclined to resist adding additional controls, even though
they are needed, after the initial designs are established.
Designers should carefully document completed
designs. Detailed documentation enhances a programmer’s ability to develop
programs and modify them after they are placed in production. The documentation
also helps management ensure final programs are consistent with original goals
and specifications.
Organizations should create initial testing,
conversion, implementation, and training plans during the design phase.
Additionally, they should draft user, operator, and maintenance manuals.
Application Control Standards
Application controls include policies and
procedures associated with user activities and the automated controls designed
into applications. Controls should be in place to address both batch and
on-line environments. Standards should address procedures to ensure management
appropriately approves and control overrides.
Designing appropriate security, audit, and
automated controls into applications is a challenging task. Often, because of
the complexity of data flows, program logic, client/ server connections, and
network interfaces, organizations cannot identify the exact type and placement
of the features until interrelated functions are identified in the design and
development phases.
However, the security, integrity, and
reliability of an application is enhanced if management considers security,
audit, and automated control features at the onset of a project and includes
them as soon as possible in application and system designs. Adding controls
late in the development process or when applications are in production is more
expensive, time consuming, and usually results in less effective controls.
Standards should be in place to ensure end
users, network administrators, auditors, and security personnel are
appropriately involved during initial project phases. Their involvement
enhances a project manager’s ability to define and incorporate security, audit,
and control requirements. The same groups should be involved throughout a
project’s life cycle to assist in refining and testing the features as projects
progress.
Application control standards enhance the
security, integrity, and reliability of automated systems by ensuring input,
processed, and output information is authorized, accurate, complete, and
secure. Controls are usually categorized as preventative, detective, or
corrective. Preventative controls are designed to prevent unauthorized or
invalid data entries. Detective controls help identify unauthorized or invalid
entries. Corrective controls assist in recovering from unwanted occurrences.
Input Controls
Automated input controls help ensure employees
accurately input information, systems properly record input, and systems either
reject, or accept and record, input errors for later review and correction.
Examples of automated input controls include
Check
Digits
Check digits are numbers produced by
mathematical calculations performed on input data such as account numbers. The
calculation confirms the accuracy of input by verifying the calculated number
against other data in the input data, typically the final digit.
Completeness
Checks
Completeness checks confirm that blank fields
are not input and that cumulative input matches control totals.
Duplication
Checks
Duplication checks confirm that duplicate
information is not input.
Limit
Checks
Limit checks confirm that a value does not
exceed predefined limits.
Range
Checks
Range checks confirm that a value is within a
predefined range of parameters.
Reasonableness
Checks
Reasonableness checks confirm that a value
meets predefined criteria.
Sequence
Checks
Sequence checks confirm that a value is
sequentially input or processed.
Validity
Checks
Validity checks confirm that a value conforms
to valid input criteria.
Processing Controls
Automated processing controls help ensure
systems accurately process and record information and either reject, or process
and record, errors for later review and correction. Processing includes merging
files, modifying data, updating master files, and performing file maintenance.
Examples of automated processing controls
include
Batch Controls
Batch controls verify processed run totals
against input control totals. Batches are verified against various items such
as total dollars, items, or documents processed.
Error Reporting
Error reports identify items or batches that
include errors. Items or batches with errors are withheld from processing,
posted to a suspense account until corrected, or processed and flagged for
later correction.
Transaction Logs
Users verify logged transactions against source
documents. Administrators use transaction logs to track errors, user actions,
resource usage, and unauthorized access.
Run-to-Run Totals
Run-to-run totals compiled during input,
processing, and output stages are verified against each other.
Sequence Checks
Sequence checks identify or reject missing or
duplicate entries.
Interim Files
Operators revert to automatically created
interim files to validate the accuracy, validity, and completeness of processed
data.
Backup Files
Operators revert to automatically created
master-file backups if transaction processing corrupts the master file.