
Module 4

IT Acquisition and Development

Module 4: IT Acquisition and Development

4.1: Introduction
4.2: Basic Concepts
4.3: KTP1 IT Sourcing Strategies
4.4: KTP2 IT Project Management Practices
4.5: KTP3 IT Development Methodologies
4.6: KTP4 Audit Matrix for IT Acquisition and Development
4.7: Summary
4.8: References

Module Overview
In the previous module you were introduced to the concept of IT Governance. It consists of
leadership, organizational structure, and processes to ensure that IT supports the organization’s
strategies and objectives. Additionally, you learned the risks and controls associated with IT
governance. In this module, you will learn the strategies organizations use to obtain the IT
solutions they need.

Module Learning Objective


After completing this module, participants will be able to explain the strategies and major
processes involved in acquiring and developing organizational IT solutions as well as their
associated risks to the extent that they are in accordance with the best practices as evaluated by
the mentors.

4.1 Introduction
In order to support an entity’s business strategy, the IT organization [1] is responsible for providing
solutions to the business or business users. The IT organization can develop solutions in-house or
acquire the solutions from a vendor. In order to increase the chances of success and to manage
risks in the development and acquisition process, it is generally recommended that development
and acquisition activities be planned and managed. Additionally, requirements for these solutions
should be identified, documented, analyzed, and prioritized. The IT organization also needs to employ
a quality assurance and test function to guarantee the quality of the solutions.

[1] IT organization refers to the IT unit/department/division that provides IT support to the business.


In this module we will discuss several practices of developing or acquiring solutions that should be
in place in order to maximize success. We will also discuss some of the newer trends in IT acquisition
and development, such as outsourcing and agile computing.

4.2 Basic Concepts


The following terms and their definitions are used in this module:

Acquisition
Acquisition is the process of procuring IT solutions (hardware or software) through the use of
contracts or formal agreements. The contracted solutions could be custom application software, an
integrated system with PCs, network, storage, and applications, or could be software that upgrades
current capability. The special case of acquiring software or hardware services (i.e., running your
software on a vendor’s hardware or utilizing a vendor’s hardware, software, and management
capabilities) is addressed in the cloud computing and outsourcing areas. Acquisition, outsourcing,
and cloud computing have common elements such as requirement gathering, solicitation, and
project monitoring.

IT Department
The IT Department is a unit within the audited entity which is responsible for managing the IT
activities of the entity. In large entities, the IT Department may be quite extensive and have over a
hundred personnel, some of whom work from remote sites or at field offices. The IT Department is
responsible for providing solutions to meet the needs of business users. It accomplishes this by
developing software, by acquiring commercial products or custom software via the acquisition
process, or perhaps by assisting the business in better meeting its needs through outsourcing certain
functions. The IT Department generally needs to have key management practices in place so that
it can ensure the success of software development and systems acquisition, or effectively manage
the vendor responsible for the outsourced functions.

Project Management
Project Management is the discipline of planning, organizing, securing, managing, leading, and
controlling resources to achieve specific goals or requirements for a project. In the case of IT
development, the project manager is the one who is responsible for managing the team in a
manner that leads to a product which meets the entity’s expectations. This includes defining and
following an established development process, documenting the requirements and design, and
ensuring that the system meets the established quality objectives.


System Development Life Cycle (SDLC)


System Development Life Cycle describes a process for planning, creating, testing, and deploying
an information system. The SDLC concept applies to a range of hardware and software
configurations, as a system can be composed of hardware only, software only, or a combination of
both. The SDLC is composed of a number of clearly defined and distinct work phases. Thus, project
management focuses on managing the team to use the SDLC methodology to deliver the required
outputs.

Requirements
Requirements are the needs of the entity or users and document what an IT system, a business
function, or a capability should accomplish. Requirements must be documented, prioritized,
analyzed, and approved.

Solicitation
Solicitation is the process of collecting user requirements, issuing them in a request for
proposal, and evaluating and selecting the optimum solution that meets the users’ needs. This
activity is required for any acquisition and for selecting the vendor who will manage the outsourced
functions.

Service Level Agreement (SLA)


Service Level Agreement is an agreement between two parties (the service provider and the user)
that defines the terms of the service. It typically contains performance parameters that are
measured and reported on a periodic basis. The measured data serves as the basis for taking remedial
actions as appropriate.

Risk Management
Risk management in IT systems development or acquisition is the process of identifying risks and
managing them. It also includes keeping management aware of certain risks and mitigation
activities.

Contract
A contract is a formal agreement between the entity and the vendor. It lays out the technical, legal,
and management requirements for both parties, contains measurable parameters to be utilized for
product acceptance, and is a legally binding document that holds both parties accountable to its
content in courts of law.


Development
Development is the process of producing a solution with in-house capabilities or with primarily
in-house capabilities. The product is typically software but could include hardware if the capability
and need exist. Development of software requires key technical skills and a process discipline to
ensure success.

IT Outsourcing
IT Outsourcing is the process of contracting with a vendor to operate, maintain, or support parts of
the automated or other business processes that may have been typically done with in-house
resources. Through the contractual agreement, the organization hands over parts or all of the
functions of the IT department to an external party. Most IT departments utilize information
resources from a wide array of vendors, e.g., for network, facility management, hardware
maintenance, hardware leases, website management, etc.

Cloud Computing
Cloud computing is a particular sourcing approach for provisioning of IT functions in an organization.
Increasingly, large service providers pool computing resources (storage, processing and network
bandwidth) to serve multiple consumers using a multi-tenant model, with different physical and
virtual resources dynamically assigned and reassigned according to consumer demand. The
customer generally has less control over the exact location of the provided resources. A cloud can
be viewed as a utility like gas or electricity, where consumer organizations pay for the IT resources
they consume. For the consumer organization, the investment in IT resources shifts from a
Capital-expenditure (Capex) intensive model to an Operational Expenditure (Opex) intensive model. It
affords quick deployment or de-provisioning, scalability, and minimizes human interaction with
multiple service providers.
