IT Examiner School eBook May 2025
Internal Use Only
Development & Acquisition
InTREx Decision Factor Items for Examiners to Review
• The level & quality of oversight and support of systems development and acquisition activities by senior management and the BoD.
• The quality of project management programs and practices.
• The adequacy of controls over program changes.
• The development of information technology solutions that meet the business needs of end users.
• If applicable, evaluate the adequacy of source code and programming controls.
Board/Management Oversight
Project Management
Measuring Performance
Change Control
Application Security
Decision Factor DA.1.
Decision Factor DA.2.
Decision Factor DA.3.
Decision Factor DA.4.
Decision Factor DA.5.
Development & Acquisition
InTREx Decision Factor Items to Request from an Organization
Board/Management Oversight
• Board Meeting Minutes
• Management Committee Meeting Minutes
• Strategic Plan (alignment of projects with org goals)
• Business Case / Project Justification Documents
• Capital Expenditure (CAPEX) Approval Documentation
• Vendor Risk Management Documentation (if reviewed at board level)
• Risk Assessments (high-level summaries presented to board/management)
• Compliance Reviews and Reports (with board visibility)

Project Management
• Business Case or Project Justification Documents (also applicable here)
• Approved Budgets & Budget Tracking Reports
• Status Reports and Dashboards
• Internal Audit Reports (focused on project execution)
• Third-party Reviews or Assessments (project health, execution risks)
• Post-Implementation Review Reports

Change Control
• Escalation Documentation (for change related risks/issues)
• Internal Audit Reports (focused on change management effectiveness)
• Communication Protocols (related to change notifications/escalations)

Measuring Performance
• Key Performance Indicators (KPIs) and Metrics
• Status Reports and Dashboards (also fits here)
• Post-Implementation Review Reports (outcomes vs. objectives)
• Budget Tracking Reports (performance against financial plan)
• Lessons Learned Documentation
• Internal Audit Reports (performance related findings)

Application Security
• Risk Assessments (focused on application-level risks)
• Vendor Risk Management Documentation (security posture of third-party software)
• Application Security Policies/Standards (if available—like SDLC security policies, code review processes)
• Third-party Security Assessments or Penetration Test Results
• Change Management Documentation (as it relates to secure deployments)
• Training Records (for developers/security staff involved in secure coding practices)
Decision Factor DA.1.
Decision Factor DA.2.
Decision Factor DA.3.
Decision Factor DA.4.
Decision Factor DA.5.