Department of Internal Audit and Compliance

Information Technology - System Implementations

Effectiveness and efficiency of operations 

A. Modifications to systems software are authorized and approved.

  1. Does an appropriate audit trail exist to support all changes to systems software (for example, program library software or manual procedures)?
  2. Have quality assurance procedures been implemented to ensure systems software changes are performed in accordance with formal policies, procedures, and standards?
  3. Have procedures been implemented to ensure that changes to systems programs do not adversely impact the application programs?
  4. Are emergency fixes (quick fixes applied to systems during processing, frequently performed at night) controlled, reported, and documented?
  5. Are emergency fixes reviewed at least annually to determine their appropriateness in terms of nature and frequency?

B. Systems software modifications are appropriately tested.

  1. Have formal standards been established for determining the testing scope, test plan documentation, approvals, and test environment requirements for systems software modifications?
  2. Are systems software modifications subjected to comprehensive testing prior to implementation, in accordance with testing standards?
  3. Are systems software modifications tested via an independent group of employees who are not involved in implementing the modifications?
  4. Are test results of systems software modifications retained as evidence of successful testing and for future reference?

C. Access to systems software is restricted.

  1. Are systems programmers prohibited from operating the computer while production systems are running?
  2. Are systems software support personnel allowed only supervised access to application program documentation, whether in hard copy or through logical access to production source code or documentation libraries?
  3. Are systems utility programs that allow normal systems or application controls and functions to be bypassed either prohibited or password-protected, and, where permitted, used only when there is a legitimate operational need and under the supervision of IT management?

D. Systems software and related documentation are evaluated adequately.

  1. Where systems software has not had extensive prior use and field-testing, is this recognized as an exception, and is due care exercised in maintaining backups and in performing manual balancing and reasonableness checks?


Last Updated: 1/3/23