Program Change Program Development Audit Program

1. Systems Maintenance
Objective: Determine that all maintenance activity is performed and documented according to installation standards and procedures by reviewing documentation related to systems maintenance.
Audit steps
a. Determine whether standards have been established for the documentation of systems maintenance
b. Evaluate existing standards to determine whether they are comprehensive enough and cover issues such as compliance with International Standards Organization (ISO) 17799
c. Review a sample of existing documentation to determine whether it complies with installation standards
d. Ascertain whether systems maintenance documentation is maintained in a secure environment and protected against tampering
2. Change Procedures
Objective: Determine whether all changes to the system are completely documented and tested to ensure the desired results by reviewing documentation related to system changes (maintenance) and evaluating its adequacy.
Audit steps
a. Interview appropriate personnel to determine
Documentation standards that relate to system changes
Testing standards that relate to system changes
b. Select a sample of completed system changes and determine whether
Documentation is in accordance with installation standards
Documentation provides a clear explanation of the change made and the reason for the change
Documentation has been appropriately reviewed and approved
Test plans for the change are in compliance with installation standards
The test plan thoroughly tested the implemented change
The test plan and the results of the test were reviewed and approved
c. Evaluate the review process related to system changes and determine whether
A peer review of system changes is done before they are submitted for approval
Operations management reviews and approves system changes before implementation
Errors were identified, corrected, retested, documented, and reviewed for approval before release for use
d. Assess whether the controls over documentation and test results are adequate to prevent tampering
3. Implementation of System Changes
Objective: The implementation of system changes should be performed by a group other than the group responsible for the system (e.g., systems software changes should be implemented by someone other than a systems programmer). All procedures related to the implementation of system changes should be reviewed.
Audit steps
a. Identify the personnel responsible for implementing system changes and determine whether an adequate separation of duties exists
b. Determine whether adequate communication links exist between the change implementation group and the other data processing and user groups involved in the change process
c. Determine the adequacy of documentation supplied to the change implementation group to support the change
d. Determine whether the change documentation includes the date and time at which changes will be installed
e. Determine that documentation similar to that given to the change implementation group has been released to system users to inform them of the impending changes
f. Determine whether system changes have been installed in an orderly manner (i.e., in compliance with standards and procedures)
g. Determine whether system changes are evaluated and accepted after installation
h. Determine whether computer operators are unable to reverse system changes without assistance from the change implementation group
4. System Change Log
Objective: Determine whether a chronological record of all system changes is maintained by reviewing records of all system changes.
Audit steps
a. Determine whether a log exists to record all changes made to the system
b. Review the log for completeness and for evidence of management approval






