Booklet: Development and Acquisition
Section: Introduction
The “Development and Acquisition Booklet” is one in a series of booklets updating the 1996 Federal Financial Institutions Examination Council (FFIEC) Information Systems Handbook (FFIEC IS Handbook). The booklet, which rescinds Chapter 12 of the 1996 FFIEC IS Handbook, provides examiners and financial institutions guidance for identifying and controlling development and acquisition risks.

Development and acquisition is defined as “an organization’s ability to identify, acquire, install, and maintain appropriate information technology systems.” The process includes the internal development of software applications or systems and the purchase of hardware, software, or services from third parties.
The development, acquisition, and maintenance process includes numerous risks. Effective project management influences operational risks (also referred to as transactional risks). These risks include the possibility of loss resulting from inadequate processes, personnel, or systems. Losses can result from errors; fraud; or an inability to deliver products or services, maintain a competitive position, or manage information. Refer to the FFIEC Information Technology Examination Handbook’s (IT Handbook’s) “Management Booklet” for additional information.
The Development and Acquisition Booklet describes common project management activities and emphasizes the benefits of using well-structured project management techniques. The booklet details general project management standards, procedures, and controls and discusses various development, acquisition, and maintenance project risks. Action summaries highlight the primary considerations within each section. Examiners should use the summaries to identify primary issues within each section, but should be aware the summaries are not substitutes for reading the entire document.
EXAMINATION OBJECTIVES
The objectives of reviewing development, acquisition, and maintenance activities are to identify weaknesses or risks that could negatively impact an organization, to identify entities whose condition or performance requires special supervisory attention, and to subsequently effect corrective action.
Examiners should conduct risk-focused reviews that assess the overall effectiveness of an organization’s project management standards, procedures, and controls. Examiners should not expect organizations to employ elaborate project management techniques in all situations. However, organizations should employ project management standards, procedures, and controls commensurate with the characteristics and risks of their development, acquisition, and maintenance projects.
STANDARDS
The critical importance technology plays in financial institutions dictates the use of appropriate development, acquisition, and maintenance standards. Standards do not guarantee that organizations will appropriately develop, acquire, and maintain technology systems. However, standards do enhance management’s control over projects, thereby decreasing project risks. Well-defined standards help ensure systems are obtained in an efficient manner, operate in a secure and reliable environment, and meet organizational and end-user needs. Therefore, organizations that routinely complete projects should establish comprehensive standards, policies, and procedures that meet project and organizational needs and reduce project risks.
ACCOUNTING FOR SOFTWARE COSTS
Organizations must correctly account for the costs associated with the acquisition and development of software for internal use. The American Institute of Certified Public Accountants’ Statement of Position (SOP) 98-1 requires organizations to capitalize or expense various costs associated with obtaining and developing internally used software. Management should become familiar with SOP 98-1 and other applicable accounting standards and discuss specific capitalization and expense issues with its accountants.
INFORMATION SECURITY
Information security is a critical part of internally and externally developed software. Financial institutions should consider information security requirements and incorporate automated controls into internally developed programs, or ensure the controls are incorporated into acquired software, before the software is implemented. For additional details, please refer to the IT Handbook’s “Information Security Booklet” and additional industry standards such as Security Considerations in the Information System Development Life Cycle published by the National Institute of Standards and Technology.