
Controlling and Auditing Systems Maintenance

Maintenance Authorization, Testing, and Documentation

The benefits achieved from controlling new system development can be quickly lost during system maintenance if control does not continue into that phase.

All maintenance actions should require, as a minimum, four controls: formal authorization, technical specification of the changes, retesting the system, and updating the documentation.

Source Program Library Controls

In larger computer systems, application program source code is stored on magnetic disks called the source program library (SPL).

• Uncontrolled Access to the Source Program Library
• Source Program Library under the Control of SPL Management Software

The Worst-Case Situation: No Controls

Having no controls creates two serious forms of exposure:

• Access to programs is completely unrestricted.
• Programs are subject to unauthorized changes.

A Controlled SPL Environment

The SPL management software controls four routine/critical functions:

• Storing programs on the SPL
• Retrieving programs for maintenance purposes
• Deleting obsolete programs from the library
• Documenting program changes

A Controlled SPL Environment

• Password Control: Assigning passwords provides one form of access control over SPL.
• Separate Test Libraries: An improvement on the shared password approach through the creation of separate password-controlled libraries.
• Audit Trail and Management Reports: Verify that only changes requested and authorized were actually implemented.
• Program Version Numbers: The SPLMS assigns a version number automatically to each program stored on the SPL.
• Controlling Access to Maintenance Commands: Access to the maintenance commands themselves should be password-controlled.

Separate Test Libraries

Direct access to the production SPL is limited to an authorized librarian who approves all requests to modify, delete, and copy programs.

An enhancement to this control feature is the implementation of program naming conventions.

Program Version Numbers

With each modification to the program, the version number is increased by 1.

This feature, when combined with audit trail reports, provides evidence for identifying unauthorized changes to program modules.

Audit Objectives Related to System Maintenance

(1) maintenance procedures protect applications from unauthorized changes
(2) applications are free from material errors
(3) program libraries are protected from unauthorized access

Audit Procedures Related to System Maintenance

Identify Unauthorized Changes
• Reconcile program version numbers.
• Confirm maintenance authorization.

Identify Application Errors
• Reconcile the source code.
• Review test results.
• Retest the program.

Test Access to Libraries
• Review programmer authority tables.
• Test authority table.
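
The "reconcile program version numbers" and "confirm maintenance authorization" procedures above can be run as a single pass over the SPLMS audit trail. The following is an added example, not part of the original slides; the record layout, program names, user names, and request ids are all constructed assumptions.

```python
"""Reconcile SPL version numbers against authorized maintenance requests."""

# Constructed sample data; the record layouts and all names are assumptions.
# Version number of each program as recorded at the previous audit.
BASELINE = {"PAYROLL01": 3, "AR_POST": 7, "GL_CLOSE": 2}

# SPLMS audit trail since then: (program, new_version, user, request_id)
AUDIT_TRAIL = [
    ("PAYROLL01", 4, "jdoe", "MR-101"),
    ("PAYROLL01", 5, "jdoe", None),       # stored without a maintenance request
    ("AR_POST", 8, "asmith", "MR-102"),
    ("AR_POST", 10, "asmith", "MR-103"),  # version 9 is absent from the trail
    ("GL_CLOSE", 3, "blee", "MR-999"),    # request id was never authorized
]

# Formally authorized maintenance requests: request_id -> program
AUTHORIZED = {"MR-101": "PAYROLL01", "MR-102": "AR_POST", "MR-103": "AR_POST"}


def reconcile(baseline, trail, authorized):
    """Return sorted (program, version, finding) exceptions for follow-up."""
    findings = []
    last = dict(baseline)   # last version seen per program
    used = set()            # request ids already matched to a stored version
    for program, version, user, request in trail:
        # Each modification raises the version by exactly 1; a program not in
        # the baseline is assumed to start at version 1.
        expected = last.get(program, 0) + 1
        if version != expected:
            findings.append((program, version, f"version gap: expected {expected}"))
        if request is None:
            findings.append((program, version, f"no maintenance request (user {user})"))
        elif authorized.get(request) != program:
            findings.append((program, version, f"request {request} not authorized for program"))
        elif request in used:
            findings.append((program, version, f"request {request} reused"))
        else:
            used.add(request)
        last[program] = version
    return sorted(findings)


if __name__ == "__main__":
    for program, version, finding in reconcile(BASELINE, AUDIT_TRAIL, AUTHORIZED):
        print(f"{program} v{version}: {finding}")
```

Each finding is a lead for the auditor to investigate rather than proof of an unauthorized change; a version gap, for instance, may mean the audit trail itself is incomplete.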
