6.7. Acquisition

It is equally likely that the requirements and specifications development processes will identify a commercial product to be implemented as all or some portion of the solution that provides the needed services. A blend of bought and developed solutions might also be the best fit. Customized commercial product solutions call for caution because of their maintenance costs and ongoing support requirements. From an IS audit perspective, the aspects of the acquisition process that need to be understood include the following:

  • The assessment of potential vendor solutions

  • The investigation of the need to customize the vendor application to meet the needs of the business

  • The need to maintain the customized code with the application revisions in the future

  • The need to reengineer the process to more closely fit the commercial product without extensive enhancements

  • The ability to get the vendor to modify their product to meet the business' needs

  • The negotiation process and contract provisions including right to audit, escrow, and intellectual property rights issues

  • The support, maintenance contract, and performance issues

  • The implementation, support expertise, and availability issues

  • The integration of vendor solutions into the existing business process flow

Let's cover some of these points, explaining their gravity and how to assess them.

6.7.1. Evaluate the Application System Acquisition and Implementation Process ...
