Chapter 17

Auditing IT Controls Part III:

Systems Development &
Program Changes
NOTE: Excludes Application
Auditing
IN CLASS NOTES

OBJECTIVES:

Be familiar with the controls and audit

tests relevant to the systems
development process.
Understand the risks and controls
associated with program change
procedures and the role of the source
program library.

ACCT 4342

System (Application) Development

Life Cycle

Figure 13-1

ACCT 4342

System (Application) Development Controls

Controllable activities that distinguish an
effective systems development process
include:
Systems authorization
User specification
Technical design
Internal audit participation
Program testing
User test and acceptance procedures
ACCT 4342

Audit Objectives for

System (Application) Development
All systems development activities are
applied consistently and follow
managements policies
System as originally implemented was free
from material errors and fraud
System was judged necessary and justified
at checkpoints throughout the SDLC, and
System documentation is sufficiently
accurate and complete to facilitate audit
and maintenance activities
ACCT 4342

Test of System (Application)

Development Controls

New systems must be authorized.

Feasibility studies were conducted.
User needs were analyzed and
addressed.
Cost-benefit analysis was done.
Proper documentation was
completed.
All program modules must be
thoroughly tested before they are
implemented.
ACCT 4342

Entering Maintenance
Last phase of SDLC
Maintenance: simple complex
Rarely is there never a change to a
system
System Changes high risk

ACCT 4342

4 Controls for System(Application) Maintenance:

1.
2.
3.
4.

Formal authorizations
Technical specifications
Testing
Documentation Update

Essentially treat
maintenance as a
Mini SDLC
ACCT 4342

Source Program Library

Library of applications and
software
Place where programs are
developed and modified
Once compiled into machine
language, no longer vulnerable
ACCT 4342

Source Program Library Controls

(UNCONTROLLED)
In this example, there
is no SPLMS to
control access

ACCT 4342

10

Controlled SPL
Environments

SPL Management Systems (SPLMS)

protect the SPL by controlling the
following functions:
storing programs on the SPL
retrieving programs for
maintenance purposes
deleting obsolete programs from
the library
documenting program changes
to provide an audit trail of the
11

Source Program Library under the

Control of SPL Management Software

Figure 17-3

12

SPLMS a few hints

Just because you have an SPLMS
does not guarantee program
integrity
May be purchased separately and
integrated into the business or may
come as part of the operating system

ACCT 4342

13

SPL Control Features

Password control
Must have passwords for each significant system

Separation of test libraries

Strict separation; Direct access to the production
SPL in limited to librarian that approves all
requests to modify, delete and copy programs.
Production programs that need to be modified are
copied to a development library for changes to be
made
NEVER make changes in production
Naming conventions provide additional support
14

SPL Control Features

Audit trails & Management Support
Modification reports
Used to indentify program changes
Can be compared to actual requests for changes

Assigns program version numbers automatically

Internal versioning increased by 1 number each time
Versions are tracked to identify unauthorized
changes

Controlled access to maintenance commands

Change program version, change production
password, override BE CAREFUL who can do this
15

Program Change
Auditing procedures: verify that
programs were properly maintained,
including changes
Specifically, verify
1. Maintenance procedures protect
application from unauthorized changes
2. Applications are free from material
errors
3. Program libraries are protected from
unauthorized access
16

Test of Controls
Audit Objective: Maintenance
procedures protect application from
unauthorized changes
Tests of Controls:
Reconcile Program Version Numbers
Look for discrepancies in version
number and documentation
Confirm Maintenance Authorization
Look for management approval
ACCT 4342

17

Test of Controls
Audit Objective: Applications are free from material
errors
Tests of Controls:
Reconcile Source Code
Documentation describes what the reason for the
change was
Compare descriptions in authorization to
descriptions in the source program library
Review Test Results
Verify testing occurred and was rigorous enough to
work

Retest the Program (sample)

ACCT 4342

18

Test of Controls
Audit Objective: Program libraries are
protected from unauthorized access
Tests of Controls:
Review Programmer Authority Tables
Test Authority Table

ACCT 4342

19