Audit involvement in systems life cycle: Internal auditors should review information system design at what stage to ensure adequate controls before going live?

Difficulty: Easy

Correct Answer: implemented

Explanation:


Introduction / Context:
Internal audit plays a preventive role in the systems development life cycle (SDLC). The goal is to ensure that security, controls, and compliance requirements are designed in—not bolted on after deployment. The timing of audit engagement determines how effectively risks are mitigated and rework is minimized.


Given Data / Assumptions:

  • We consider typical SDLC phases: analysis, design, development, implementation (go-live), and maintenance.
  • “Review system design” implies assessing controls before production use.
  • We assume standard internal-audit practice focused on pre-implementation control adequacy.


Concept / Approach:
The best practice is to complete control reviews before systems are implemented in production. Auditors validate logical access, input/output controls, change management, logging, backup/recovery, and segregation of duties. Reviewing earlier than implementation (during design) is valuable, but the essential gating point is still “before implemented.”


Step-by-Step Solution:
  • Identify the key control gate: just prior to go-live.
  • Confirm that findings can be remediated before users depend on the system.
  • Choose the stage that ensures controls are in place before operation: implemented.
  • Therefore, the correct stage is “before implemented.”


Verification / Alternative check:
Audit methodologies (e.g., risk-based audits) emphasize “pre-implementation reviews” to avoid costly remediation after deployment and to satisfy regulatory expectations for change governance.


Why Other Options Are Wrong:
Developed: reviewing only after coding is finished may be too late to affect design decisions cost-effectively.


Modified: reviews at modification are useful but miss the crucial first go-live gate.


All of the above: audits may occur at many points, but the question asks when auditors should review the design for adequacy before use. “Implemented” captures the necessary pre-go-live checkpoint.



Common Pitfalls:
Assuming “after implementation” is acceptable; post-implementation reviews find issues but do not prevent initial exposure.



Final Answer:
implemented
