
Systems Development and Program Change Activities


Auditing in a CIS Environment
Controlling and Auditing the SDLC

Controlling Systems Maintenance


• Four minimum controls:
– Formal authorization
– Technical specification of the changes
– Retesting the system
– Updating the documentation
• Source program library (SPL) controls
– Purpose: to prevent unauthorized program changes
– In large computer systems, application program source code is stored on magnetic disks called the source program library (SPL).
– The SPL is a sensitive area which, to preserve application integrity, must be properly controlled.
– Controlling the SPL may require the implementation of an SPL management system (SPLMS).
• SPLMS Controls
– Storing programs on the SPL
– Retrieving programs for maintenance purposes
– Detecting obsolete programs
– Documenting program changes (audit trail of the changes)
• The mere presence of an SPLMS does not guarantee program integrity. The following control techniques must also be used:
Controlled SPL Environment


• Password control
– On a specific program
• Separate test libraries (for each programmer)
– Programs are copied into the programmer's own test library for maintenance and testing.
– Direct access to the production SPL is limited to an authorized librarian, who must approve all requests to modify, delete, and copy programs.
• Audit trail and management reports
– Produced by the SPLMS
– Describe every program modification
• Program version numbers
– The SPLMS automatically assigns a version number to each program stored on the SPL. A program starts at version number 0, and with each modification the version number is increased by 1, so the current version number should equal the number of recorded modifications.
• Controlling access to maintenance (SPL) commands
– Maintenance commands can:
• Alter or eliminate program passwords
• Alter the program version number
• Temporarily modify a program without generating a record of the modification
– These commands must be controlled to avoid unauthorized program modifications.
– Access to these commands should be password-controlled.
• Audit objectives
– Detect any unauthorized program changes
– Verify that maintenance procedures protect applications from unauthorized changes
– Verify that applications are free from material errors
– Verify that the SPL is protected from unauthorized access
• Audit procedures
– Identify unauthorized changes
• Reconcile program version numbers against the SPLMS audit trail
• Confirm maintenance authorization for each recorded change
– Identify application errors
• Reconcile source code (after taking a sample)
• Review test results (documentation of tests conducted by the client)
• Retest the program
– Test access to libraries
• Review programmer authority tables (from the SPLMS; which libraries each programmer may access)
• Test the authority table (simulation: intentionally violate the authorization rules by attempting to access unauthorized libraries and confirm the attempts are denied)
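The three audit procedures above (reconciling version numbers, confirming maintenance authorization, and testing the programmer authority table) can be expressed as simple checks over SPLMS data. The following is an added worked example, not code from the original slides or from any SPLMS product. The SPL version table, audit trail, authorization log and authority table are constructed sample data; the function names and the record layout are assumptions chosen for illustration. It applies the rule stated earlier on the page that a program starts at version 0 and gains 1 per recorded modification, so any gap between the SPL version and the audit trail points to a modification made without a record.

```python
"""Audit checks over SPLMS data: version reconciliation, authorization
confirmation and authority-table simulation (constructed sample data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeRecord:
    """One SPLMS audit-trail entry describing a program modification."""
    program: str
    new_version: int      # version number assigned after the change
    programmer: str       # who performed the change
    change_id: str        # id of the change request this entry cites


# Constructed: current version number of each program on the production SPL.
SPL_VERSIONS = {"PAYROLL": 3, "AR_POST": 1, "GL_CLOSE": 1}

# Constructed: SPLMS audit trail. Note there is no entry for GL_CLOSE,
# although the SPL shows it at version 1.
AUDIT_TRAIL = [
    ChangeRecord("PAYROLL", 1, "alice", "CHG-101"),
    ChangeRecord("PAYROLL", 2, "alice", "CHG-107"),
    ChangeRecord("PAYROLL", 3, "bob", "CHG-115"),
    ChangeRecord("AR_POST", 1, "bob", "CHG-109"),
]

# Constructed: formal change authorizations (change id -> approved programmer).
# CHG-115 is deliberately absent: PAYROLL v3 has no formal authorization.
AUTHORIZED = {"CHG-101": "alice", "CHG-107": "alice", "CHG-109": "bob"}

# Constructed programmer authority table: programmer -> libraries permitted.
# "bob" has been (mis)granted access to the production SPL.
AUTHORITY_TABLE = {
    "alice": {"TEST_ALICE"},
    "bob": {"TEST_BOB", "PROD_SPL"},
    "librarian": {"TEST_ALICE", "TEST_BOB", "PROD_SPL"},
}

# Constructed simulation plan: (programmer, library, access expected?).
ACCESS_ATTEMPTS = [
    ("alice", "TEST_ALICE", True),
    ("alice", "PROD_SPL", False),
    ("bob", "TEST_ALICE", False),
    ("bob", "PROD_SPL", False),       # only the librarian should reach PROD_SPL
    ("librarian", "PROD_SPL", True),
]


def reconcile_versions(spl_versions, audit_trail):
    """Return {program: (spl_version, latest_logged_version)} for every
    program whose SPL version differs from the latest version in the trail.
    A program with no trail entries is expected at version 0."""
    latest_logged = {}
    for rec in audit_trail:
        latest_logged[rec.program] = max(latest_logged.get(rec.program, 0),
                                         rec.new_version)
    return {prog: (ver, latest_logged.get(prog, 0))
            for prog, ver in spl_versions.items()
            if ver != latest_logged.get(prog, 0)}


def confirm_authorization(audit_trail, authorized):
    """Return change ids of trail entries that have no formal authorization,
    or whose programmer is not the one the authorization approved."""
    return [rec.change_id for rec in audit_trail
            if authorized.get(rec.change_id) != rec.programmer]


def access_allowed(table, programmer, library):
    """Decision the SPLMS would make for one library access request."""
    return library in table.get(programmer, set())


def simulate_authority_table(table, attempts):
    """Run the planned access attempts against the authority table and
    return the (programmer, library) pairs whose outcome differed from
    what the authorization rules require."""
    return [(who, lib) for who, lib, expected in attempts
            if access_allowed(table, who, lib) != expected]


if __name__ == "__main__":
    print("Version mismatches:", reconcile_versions(SPL_VERSIONS, AUDIT_TRAIL))
    print("Unauthorized changes:", confirm_authorization(AUDIT_TRAIL, AUTHORIZED))
    print("Authority table exceptions:",
          simulate_authority_table(AUTHORITY_TABLE, ACCESS_ATTEMPTS))
```

On the sample data the three checks each surface one finding: GL_CLOSE sits at version 1 on the SPL with no audit-trail entry (a modification made without a record, which the slides list as exactly what uncontrolled maintenance commands permit), change CHG-115 was recorded but never formally authorized, and the authority table lets a programmer reach the production SPL that only the librarian should access.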
