Information Technology - System Implementations
Effectiveness and efficiency of operations
A. Modifications to systems software are authorized and approved.
- Does an appropriate audit trail exist to support all changes to systems software (for example, program library software or manual procedures)?
- Have quality assurance procedures been implemented to ensure systems software changes are performed in accordance with formal policies, procedures, and standards?
- Have procedures been implemented to ensure that changes to systems programs do not adversely impact the application programs?
- Are emergency fixes (quick fixes to systems that happen during processing, frequently performed at night) controlled, reported, and documented?
- Are emergency fixes reviewed at least annually to determine their appropriateness in terms of nature and frequency?
B. Systems software modifications are appropriately tested.
- Have formal standards been established for determining the testing scope, test plan documentation, approvals, and test environment requirements for systems software modifications?
- Are systems software modifications subjected to comprehensive testing prior to implementation, in accordance with testing standards?
- Are systems software modifications tested by an independent group of employees who are not involved in implementing the modifications?
- Are test results of system software modifications retained as evidence of successful testing and for future reference?
C. Access to systems software is restricted.
- Are systems programmers prohibited from operating the computer while production systems are running?
- Are systems software support personnel only allowed supervised access to application program documentation in either hard copy or through logical access to production source code or documentation libraries?
- Are systems utility programs that allow bypassing of normal systems or application controls and functions prohibited or password-protected? Such programs are used only in circumstances of legitimate operational need and when IT management supervises their use.
D. Systems software and related documentation are evaluated adequately.
- Are exceptions recognized (where the software has not had extensive prior use and field-testing) and due care exercised in maintaining backup and in performing manual balancing and reasonableness checks?