Department of Internal Audit and Compliance

Information Technology - Business Continuity

Effectiveness and efficiency of operations 

A. Management and users are involved in and approve IT systems development.

  1. Is a systems development life cycle employed which includes the following key aspects or phases: request for systems design; feasibility study; general system design; detailed systems specifications; program development and testing; system testing; conversion; and system acceptance and approval?
  2. Are programmers restricted from transferring programs (source code and load modules) from test to production until IT management authorizes the transfer?
  3. Is all design work reviewed for proper implementation of control practices (for example, that it follows approved design and documentation standards, that those standards have been user-approved, that it conforms to established programming policies and procedures, and that completed programs are reviewed for compliance with the original functional and technical specifications)?
  4. Are user manuals used that contain system flowcharts, transaction definitions, input formats and procedures, output descriptions, and reports?
  5. Are system manuals used that contain general and program-specific flowcharts, computer set-up instructions, record and file layouts, and file retention requirements?

B. Testing and conversion standards are used.

  1. Are all reasonable error conditions and unusual situations, such as exception transactions, maximum file size, peak transaction volumes, and security controls, incorporated as part of standard testing?
  2. Are all known combinations of conditions tested, including valid and invalid data as well as realistic and unrealistic data volumes?

C. Appropriate authorization and approval is required for any changes to IT systems.

  1. Is user department authorization and approval required for all systems and program changes except those required to correct programming errors?
  2. Do programming supervisors thoroughly supervise and review program changes? This includes a detailed code review, processing the change against test data, and parallel processing.
  3. Are original backup versions of pre-change files retained until several subsequent revisions have been processed and the new programs have been tested and updated?

D. Changes to IT systems are tested and properly implemented.

  1. Is program library software used to prevent the movement of programs into production status before they have been tested and formally approved?

E. Access to IT systems documentation is restricted.

  1. Is systems documentation, including both physical documentation and source library programs, physically and logically secured, with access restricted to authorized personnel?
  2. Has program library software been implemented that restricts access to production program code and reports all program changes to IT management for review and approval?

Last Updated: 1/3/23