UNCW MSA 516 - Change Controls

Preview showing pages 1-2 of 7.

Change Control
AUDIT PROGRAM & INTERNAL CONTROL QUESTIONNAIRE

Contents
Purpose of These Audit Programs and Internal Control Questionnaires
General Process
Specific Process
System Testing
User Acceptance Testing
Testing Environment
Backup and Recovery

Information Systems Audit and Control Association
www.isaca.org

The Information Systems Audit and Control Association

With more than 23,000 members in over 100 countries, the Information Systems Audit and Control Association® (ISACA™) is a recognized global leader in IT governance, control and assurance. Founded in 1969, ISACA sponsors international conferences, administers the globally respected CISA® (Certified Information Systems Auditor™) designation earned by more than 25,000 professionals worldwide, and develops globally applicable information systems (IS) auditing and control standards. An affiliated foundation undertakes leading-edge research in support of the profession. The IT Governance Institute, established by the association and foundation in 1998, is designed to be a "think tank" offering presentations at both ISACA and non-ISACA conferences, publications and electronic resources for greater understanding of the roles and relationship between IT and enterprise governance.

Purpose of These Audit Programs and Internal Control Questionnaires

One of the goals of ISACA's Education Board is to ensure that educational products developed by ISACA support member and industry information needs. Responding to member requests for useful audit programs, the Education Board has recently released audit programs and internal control questionnaires on various topics for member use through the member-only web site and K-NET. These products are intended to provide a basis for audit work. E-business audit programs and internal control questionnaires were developed from material recently released in ISACA's e-Commerce Security Technical Reference Series. These technical reference guides were developed by Deloitte & Touche and ISACA's Research Board and are recommended for use with these audit programs and internal control questionnaires. Audit programs and internal control questionnaires on other subjects were developed by ISACA volunteers and reviewed and edited by the Education Board. The Education Board cautions users not to consider these audit programs and internal control questionnaires to be all-inclusive or applicable to all organizations. They should be used as a starting point to build upon, based on an organization's constraints, policies, practices and operational environment.

Disclaimer

The topics developed for these Audit Programs and Internal Control Questionnaires have been prepared for the professional development of ISACA members and others in the IS Audit and Control community. Although we trust that they will be useful for that purpose, ISACA cannot warrant that the use of this material would be adequate to discharge the legal or professional liability of members in the conduct of their practices.

September 2001

Change Control Audit Program and ICQ

General Process

Procedure Step: Review
Details/Test:
- Through interviews, chart the processes in place to determine:
  - Who prioritizes and justifies changes
  - How user requests are assigned to programmers
  - How testing is performed
  - Who approves changes
  - How edited or new programs are put into production, etc.
- Determine that adequate guidelines are established to instruct programming personnel in their duties.

Specific Process

Procedure Step: Completeness
Details/Test:
- Determine the completeness of changes and that the controls ensure:
  - All requests for system amendment are considered for action.
  - The filtering procedures include processes to cost the changes.
  - Business benefit exceeds cost (or the change is mandatory for other reasons).
  - All approved requests are implemented on a timely basis.

Procedure Step: Validity of changes
Details/Test:
- Determine the validity of changes.
- If modifications are made to existing programs during the year, are there adequate procedures to ensure that systems, operations and clerical documentation are properly updated? This should be thoroughly covered in the written change control procedures.

Procedure Step: Adequate involvement
Details/Test:
- Is there adequate involvement in and approval of system modifications by:
  - Users, to ensure the modifications are appropriate?
  - Relevant IT personnel?
  - Others (e.g., quality assurance; in the UK, BS7799, a computer security standard, would also involve data owners and system controllers)?

Procedure Step: Access control
Details/Test:
- Determine:
  - Which programs can the programmer examine?
  - Which programs can the programmer change?
  - Who else can examine or change programs?
  - Who can implement a change into production?
- There needs to be strong control in this area to prevent fraud or error. Detailed change control procedures should be in writing and kept up to date. Programmers should only be allowed to make changes in a specifically designated development area; they should not be able to make changes to live production programs. The procedures should be very strong on testing changes in the development area, independently of the programmer who made the change, and equally strong on controlling how amended and tested programs are subsequently put into production. This is critical.

Procedure Step: Emergency changes
Details/Test:
- Review what procedures are in place for emergency changes. There needs to be a good balance between control and keeping the business running. For out-of-hours emergencies, controls may include a one-time emergency password retained by the shift manager.

Procedure Step: One-time changes
Details/Test:
- Review what procedures are in place for one-time changes (e.g., correction of a record). Powerful utilities (which may, for example, go straight in and amend database records) need to be strongly controlled, with carefully limited access. Some form of "dual control" via access control passwords (i.e., two people must be involved, not just one) may be appropriate if business-critical systems are involved.

System Testing

Procedure
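The Access control, Emergency changes and One-time changes steps above amount to a set of segregation-of-duties rules: the programmer edits only in development, someone else tests and promotes, users and IT approve, emergency production access goes through the shift manager's one-time password with review afterwards, and direct data corrections need two people. The following is an added example, not part of the ISACA audit program, that expresses those rules as a check over change records, the kind of gate a deployment pipeline could run before promoting a change. The record fields, the role table and the sample change records are constructed assumptions for the example.

```python
"""Segregation-of-duties gate for change promotion.

Added example, not part of the ISACA audit program: it turns the rules
under the Access control, Emergency changes and One-time changes steps
into a check over change records. Fields, roles and samples are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed role table (assumption for the example).
ROLES: Dict[str, str] = {
    "alice": "programmer",
    "bob": "programmer",
    "carol": "user",           # business user / data owner
    "dave": "it",              # IT operations
    "erin": "it",
    "frank": "shift_manager",  # holds the one-time emergency password
}


@dataclass
class ChangeRecord:
    change_id: str
    kind: str                         # "standard", "emergency" or "data_fix"
    implementer: str                  # who edited the program or record
    environment: str = "development"  # where the edit was made
    tester: Optional[str] = None      # who tested the change
    approvers: List[str] = field(default_factory=list)
    promoter: Optional[str] = None    # who moved it into production
    shift_manager: Optional[str] = None  # emergency: released the one-time password
    retrospective_review: bool = False   # emergency: reviewed after the fact


def check_change(rec: ChangeRecord) -> List[str]:
    """Return the control failures for one record; an empty list means it passes."""
    problems: List[str] = []
    others = [a for a in rec.approvers if a != rec.implementer]

    # Nobody approves their own change, whatever the kind.
    if rec.implementer in rec.approvers:
        problems.append("implementer approved own change")

    if rec.kind == "standard":
        # Programmers work only in the designated development area.
        if rec.environment != "development":
            problems.append("change made outside the designated development area")
        # Testing independent of the programmer who made the change.
        if rec.tester is None or rec.tester == rec.implementer:
            problems.append("testing not independent of the implementer")
        # Controlled promotion into production by someone else.
        if rec.promoter is None or rec.promoter == rec.implementer:
            problems.append("implementer promoted own change (or promoter unrecorded)")
        # Adequate involvement: a business user and relevant IT staff approve.
        if not any(ROLES.get(a) == "user" for a in others):
            problems.append("no user approval")
        if not any(ROLES.get(a) == "it" for a in others):
            problems.append("no IT approval")

    elif rec.kind == "emergency":
        # Keep the business running, but only via the shift manager's
        # one-time password, and review the change afterwards.
        if ROLES.get(rec.shift_manager or "") != "shift_manager":
            problems.append("emergency access not released by a shift manager")
        elif rec.shift_manager == rec.implementer:
            problems.append("shift manager implemented the emergency change")
        if not rec.retrospective_review:
            problems.append("emergency change not reviewed after the fact")

    elif rec.kind == "data_fix":
        # One-time correction with a powerful utility: dual control, i.e.
        # two distinct people other than the operator must sign off.
        if len(set(others)) < 2:
            problems.append("dual control not met for direct data correction")

    else:
        problems.append(f"unknown change kind {rec.kind!r}")
    return problems


# Constructed sample change records (assumption for the example).
SAMPLE_CHANGES = [
    ChangeRecord("CR-1", "standard", implementer="alice", tester="bob",
                 approvers=["carol", "dave"], promoter="erin"),
    ChangeRecord("CR-2", "standard", implementer="alice", tester="alice",
                 approvers=["carol", "alice"], promoter="alice"),
    ChangeRecord("CR-3", "emergency", implementer="bob", shift_manager="frank",
                 retrospective_review=True),
    ChangeRecord("CR-4", "data_fix", implementer="dave", approvers=["erin"]),
]


def audit(changes: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Map each change id to its list of control failures."""
    return {c.change_id: check_change(c) for c in changes}


if __name__ == "__main__":
    for cid, issues in audit(SAMPLE_CHANGES).items():
        print(cid, "PASS" if not issues else "FAIL: " + "; ".join(issues))
```

CR-1 and CR-3 pass; CR-2 fails four ways because one programmer wrote, tested, approved and promoted the change with no IT sign-off; CR-4 fails because a direct database correction carries only one counter-signature. The role table is the weak point of any such gate in practice: it must come from the same identity source that grants production access, or a programmer who also holds an "it" account satisfies the check while defeating the control.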