Define Design Phase

Design Phase

The design phase involves converting the informational, functional, and network requirements identified during the initiation and planning phases into unified design specifications that developers use to script programs during the development phase. Program designs are constructed in various ways.

Using a top-down approach, designers first identify and link major program components and interfaces, then expand design layouts as they identify and link smaller subsystems and connections. Using a bottom-up approach, designers first identify and link minor program components and interfaces, then expand design layouts as they identify and link larger systems and connections.

Contemporary design techniques often use prototyping tools that build mock-up designs of items such as application screens, database layouts, and system architectures. End users, designers, developers, database managers, and network administrators should review and refine the prototyped designs in an iterative process until they agree on an acceptable design. Audit, security, and quality assurance personnel should be involved in the review and approval process.

Management should be particularly diligent when using prototyping tools to develop automated controls. Prototyping can enhance an organization’s ability to design, test, and establish controls. However, employees may be inclined to resist adding additional controls, even though they are needed, after the initial designs are established.

Designers should carefully document completed designs. Detailed documentation enhances a programmer’s ability to develop programs and modify them after they are placed in production. The documentation also helps management ensure final programs are consistent with original goals and specifications.

Organizations should create initial testing, conversion, implementation, and training plans during the design phase. Additionally, they should draft user, operator, and maintenance manuals.

Application Control Standards

Application controls include policies and procedures associated with user activities and the automated controls designed into applications. Controls should be in place to address both batch and on-line environments. Standards should address procedures to ensure management appropriately approves and control overrides.

Designing appropriate security, audit, and automated controls into applications is a challenging task. Often, because of the complexity of data flows, program logic, client/ server connections, and network interfaces, organizations cannot identify the exact type and placement of the features until interrelated functions are identified in the design and development phases.

However, the security, integrity, and reliability of an application is enhanced if management considers security, audit, and automated control features at the onset of a project and includes them as soon as possible in application and system designs. Adding controls late in the development process or when applications are in production is more expensive, time consuming, and usually results in less effective controls.

Standards should be in place to ensure end users, network administrators, auditors, and security personnel are appropriately involved during initial project phases. Their involvement enhances a project manager’s ability to define and incorporate security, audit, and control requirements. The same groups should be involved throughout a project’s life cycle to assist in refining and testing the features as projects progress.

Application control standards enhance the security, integrity, and reliability of automated systems by ensuring input, processed, and output information is authorized, accurate, complete, and secure. Controls are usually categorized as preventative, detective, or corrective. Preventative controls are designed to prevent unauthorized or invalid data entries. Detective controls help identify unauthorized or invalid entries. Corrective controls assist in recovering from unwanted occurrences.

Input Controls

Automated input controls help ensure employees accurately input information, systems properly record input, and systems either reject, or accept and record, input errors for later review and correction. Examples of automated input controls include

Check Digits

Check digits are numbers produced by mathematical calculations performed on input data such as account numbers. The calculation confirms the accuracy of input by verifying the calculated number against other data in the input data, typically the final digit.

Completeness Checks

Completeness checks confirm that blank fields are not input and that cumulative input matches control totals.

Duplication Checks

Duplication checks confirm that duplicate information is not input.

Limit Checks

Limit checks confirm that a value does not exceed predefined limits.

Range Checks

Range checks confirm that a value is within a predefined range of parameters.

Reasonableness Checks

Reasonableness checks confirm that a value meets predefined criteria.

Sequence Checks

Sequence checks confirm that a value is sequentially input or processed.

Validity Checks

Validity checks confirm that a value conforms to valid input criteria.

Processing Controls

Automated processing controls help ensure systems accurately process and record information and either reject, or process and record, errors for later review and correction. Processing includes merging files, modifying data, updating master files, and performing file maintenance.

Examples of automated processing controls include

Batch Controls

Batch controls verify processed run totals against input control totals. Batches are verified against various items such as total dollars, items, or documents processed.

Error Reporting

Error reports identify items or batches that include errors. Items or batches with errors are withheld from processing, posted to a suspense account until corrected, or processed and flagged for later correction.

Transaction Logs

Users verify logged transactions against source documents. Administrators use transaction logs to track errors, user actions, resource usage, and unauthorized access.

Run-to-Run Totals

Run-to-run totals compiled during input, processing, and output stages are verified against each other.

Sequence Checks

Sequence checks identify or reject missing or duplicate entries.

Interim Files

Operators revert to automatically created interim files to validate the accuracy, validity, and completeness of processed data.

Backup Files

Operators revert to automatically created master-file backups if transaction processing corrupts the master file.