Performing a Product Development Review.

2 Feb 25 • My Audit Spot
In today’s competitive market, the process of product development is not just a pathway to innovation—it is also a key area of risk management and control within your organisation. A robust product development review ensures that new systems and products are designed, implemented, and maintained with security, availability, and operational excellence in mind. Leveraging the FIN69 Audit Work Programme – IT System Development Review, internal audit teams can thoroughly assess product development processes, mitigate risks, and reinforce controls.

What Is a Product Development Review?
A product development review is an internal audit process that examines the end-to-end system development lifecycle. This review evaluates whether the design, development, testing, and implementation of new products or systems meet both business requirements and regulatory standards. Key focus areas include:
- Project Management: Evaluating planning, resource allocation, and adherence to timelines.
- Risk Management and Controls: Assessing if risks are identified and mitigated effectively throughout the development process.
- Security and Compliance: Ensuring that security controls are embedded from the design phase, aligning with external guidelines and internal policies.
- Operational Efficiency: Reviewing whether the development processes support smooth operations and sustainable product performance.
Our FIN69 template offers a structured approach to guide audit teams through each stage of the product development review, ensuring a comprehensive assessment of risk and controls.
External Guidance and Best Practices
Aligning your product development review with recognised external standards enhances its effectiveness and credibility. Consider the following frameworks:
- ISO/IEC 27001: This standard provides guidance on maintaining robust information security management systems, crucial for safeguarding data during product development.
- ITIL (Information Technology Infrastructure Library): ITIL best practices assist in managing the development lifecycle and ensuring seamless service transition.
- COBIT (Control Objectives for Information and Related Technologies): COBIT offers a framework for IT governance and control, helping organisations integrate risk management into their development processes.
- Agile and DevOps Best Practices: Modern methodologies like Agile and DevOps emphasise continuous improvement, collaboration, and rapid response to change, all of which can be audited for risk and control effectiveness.
Utilising these external guidelines, internal audit teams can benchmark product development processes against industry standards, ensuring compliance and operational excellence.
Risks Associated with Product Development
Without robust review processes, product development can expose organisations to several risks, including:
- Security Vulnerabilities: Inadequate controls during development can result in insecure products that are susceptible to cyber-attacks.
- Operational Risks: Poorly managed development projects may lead to systems that are unreliable or inefficient, affecting business continuity.
- Compliance Risks: Failure to integrate regulatory requirements into product development can result in non-compliance, leading to legal and reputational damage.
- Financial Risks: Inefficient development processes may lead to cost overruns, impacting the organisation’s financial performance.
- Project Delivery Risks: Lack of effective project management and control can delay product launches, reducing competitive advantage and market responsiveness.
By conducting a detailed product development review, organisations can identify these risks early and implement corrective measures to mitigate them.
Why Include a Product Development Review in Your Audit Plan?
Incorporating a product development review into your audit plan is essential for several key reasons:
- Enhanced IT Risk Management: Regular reviews ensure that potential risks are identified and managed throughout the development lifecycle, safeguarding the organisation’s IT assets.
- Robust Internal Controls: A structured review process reinforces the implementation of effective controls, ensuring security, availability, and operational excellence in product development.
- Regulatory Compliance: Demonstrating adherence to external guidance and standards helps the organisation maintain compliance and reduce exposure to legal risks.
- Operational Efficiency and Cost Management: By streamlining development processes and mitigating project risks, organisations can improve efficiency and optimise costs.
- Stakeholder Assurance: Transparent review processes build confidence among stakeholders—including management, investors, and customers—by showcasing a proactive approach to risk and control management.
Conclusion
Performing a product development review is a strategic imperative that goes beyond mere process assessment—it is a vital component of your overall IT and internal audit framework. By leveraging the FIN69 Audit Work Programme – IT System Development Review, organisations can systematically evaluate their product development lifecycle, align with external guidance such as ISO/IEC 27001, ITIL, and COBIT, and mitigate risks associated with security, compliance, operational efficiency, and financial management.
Including a product development review in your audit plan ensures that new products and systems are developed with robust controls and best practices in mind, ultimately supporting a secure, efficient, and resilient IT environment. Stay proactive, align with industry standards, and enhance your internal audit function by making product development review a cornerstone of your audit strategy.