AI02 Process Description

AI02: Application SW Acquisition & Maintenance

1. Description

Definition of specific statements of functional and operational software requirements, and a phased implementation with clear deliverables.

2. Control Objectives

Design methods - Appropriate SDLC, close with users, design specification
Major changes to existing - Similar development process systems
Design approval - Design review, including user/customer representatives
File requirements definition - Data dictionary rules and documentation
Programme specifications - Programme specifications against system design specifications
Source data collection design - Mechanisms specified Input requirements definition Mechanisms specified and documentation
Definition of interfaces - Interface specification
User-machine interface - Usability, built-in help
Processing requirements definition and documentation - Mechanisms specified
Output requirements definition and documentation - Mechanisms specified
Controllability - Internal controls, security requirements, application controls, accuracy, completeness, timeliness, authorisation
Availability as a key design factor - Availability considered in design, availability analysis, maintainability, reliability
IT integrity provisions in application programme software - Data integrity, restoration, verification
Application software testing - Unit, application, integration, system, load and stress testing, project test plan, adequate test measures
User reference and support materials - Support manuals
Reassessment of system design - Recognition of technical/logical discrepancies

3. Key Goal Indicators

Number of applications delivered on time, meeting specifications and in line with the IT architecture
Number of applications without integration problems during implementation
Cost of maintenance per application below the set level
Number of production problems, per application, causing visible downtime or service degradation
Number of solutions not consistent with the currently approved IT strategy
Reduced ratio of maintenance efforts relative to new development

4. Key Performance Indicators

Ratio of actual maintenance cost per application versus the application portfolio average
Average time to deliver functionality, based on measures such as function point or modules
Number of change requests related to bugs, critical errors and new functional specifications
Number of production problems or disfunctionality per application and per maintenance change
Number of deviations from standard procedures, such as undocumented applications, unapproved design and testing reduced to meet deadlines
Number of returned modules or level of rework required after acceptance testing
Time lag to analyse and fix problems
Number or percent of application software effectively documented for maintenance

5. Critical Success Factors

The acquisition and implementation methodology is strongly supported by senior management
Acquisition practices are clear, understood and accepted
There is a formal, accepted, understood and enforced acquisition and implementation methodology
>An appropriate set of automated support tools is available, saving time on software selection by focusing on the best of breed
There is separation between development and testing activities
Key requirements are prioritized in view of possible scope reductions, if time, quality or cost cannot be compromised
The approach taken and effort committed are related to the business relevance of the application
The degree and form of documentation required is agreed upon and followed in the implementation
Compliance with corporate IT architecture is monitored, including a formal process for approving deviations

6. Service Maturity Variations

0 Non-existent	There is no process for designing and specifying applications. Typically, applications are obtained based on vendor driven offerings, brand recognition or IT staff familiarity with specific products, with little or no consideration of actual requirements.
1 (Initial/Ad Hoc)	There is an awareness that a process for acquiring and maintaining applications is required. Approaches, however, vary from project to project without any consistency and typically in isolation from other projects. The organisation is likely to have acquired a variety of individual solutions and now suffers legacy problems and inefficiencies with maintenance and support. The business users are unable to gain much advantage from IT investments.
2 (Repeatable but Intuitive)	There are similar processes for acquiring and maintaining applications, but they are based on the expertise within the IT function, not on a documented process. The success rate with applications depends greatly on the in-house skills and experience levels within IT. Maintenance is usually problematic and suffers when internal knowledge has been lost from the organisation.
3 (Defined Process)	There are documented acquisition and maintenance processes. An attempt is made to apply the documented processes consistently across different applications and projects, but they are not always found to be practical to implement or reflective of current technology solutions. They are generally inflexible and hard to apply in all cases, so steps are frequently bypassed. As a consequence, applications are often acquired in a piecemeal fashion. Maintenance follows a defined approach, but is often time-consuming and inefficient.
4 (Managed and Measurable)	There is a formal, clear and well-understood system acquisition and implementation methodology and policy that includes a formal design and specification process, criteria for acquisition of application software, a process for testing and requirements for documentation, ensuring that all applications are acquired and maintained in a consistent manner. Formal approval mechanisms exist to ensure that all steps are followed and exceptions are authorised. The methods have evolved so that they are well suited to the organisation and are likely to be positively used by all staff, and applicable to most application requirements.
5 Optimized	Application software acquisition and maintenance practices are in line with the agreed processes. The approach is component based, with predefined, standardised applications matched to business needs. It is usual for organisation-wide approaches to be taken. The acquisition and maintenance process is well advanced, enables rapid deployment and allows for high responsiveness, as well as flexibility, in responding to changing business requirements. The application software acquisition and implementation process has been subjected to continuous improvement and is supported by internal and external knowledge databases containing reference materials and best practices. The methodology creates computer based documentation in a pre-defined structure that makes production and maintenance very efficient.