IBM AS400 Security Procedures

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

I.

Implementation/Change Controls 1.

Verify that a formal method of project control has been established which covers all phases for the development of new/modified systems.

Document the method and reports used to control and prioritize projects.

Review the justification proposal created for all new systems, or major enhancements to existing systems, which may include: a.

Scope and purpose of the system User requirements. Cost analysis. Time estimates.

2.

3.

b.

c.

d.

4.

5.

a.

b.

c.

d.

e.

6.

CHANGE CONTROL

I/PROG Page 1 of 3

Ensure the programming phase is properly supervised by EDP management.

Completion of a programming checklist. Required approval points.

Adherence to programming standards. Target dates for completion. The assignment of programmers.

Ensure that a detailed plan has been prepared and documented which should include:

Document the approval process to ensure that a steering committee or top management is involved.

12

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

I.

Implementation/Change Controls (continued) 7. 8.

Verify that programmers perform all development work only in test libraries and using test data.

Document testing procedures established for all new/modified systems.

Ensure that users participate in the creation of test.

Verify that test results are reviewed by both EDP and User management to provide compliance with specifications.

Review the plan for converting new/modified systems from development to production. Does it include at a minimum: a. b. c.

The training of users.

Completion of documentation.

Defining user access requirements.

9.

10.

12.

13.

14.

15.

16.

CHANGE CONTROL

I/PROG Page 2 of 3

Ensure that a designated official regularly reviews changes not yet implemented.

Verify that all program changes are supported by appropriate authorization.

Verify that programs are recompiled after modifications, prior to being placed into production.

Document the process used to transfer completed programs from test to production libraries.

13

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

I.

Implementation/Change Controls (continued) 17.

Verify that procedures are in place for saving current versions of programs to diskette/tape prior to substituting the new programs to allow for restoration of the older version in case of program problems.

Review procedures in effect to ensure that changes are correctly made and approved, when immediate modifications have to be made to production programs, bypassing normal procedures. Examine evidence for documentation being created or updated, including: a. b.

Operator instructions. Data entry instructions. User manuals.

System Documentation.

18.

19.

c.

d.

20.

21.

22.

CHANGE CONTROL

I/PROG Page 3 of 3

Describe how user access requirements are defined, how passwords are assigned and who are authorized to perform these activities.

Review evidence that old versions of programs are saved before making final changes.

Review evidence of final approval before project is transferred to projection library.

14

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

Testing (Implementation/Change Controls)

Select a representative number of completed program changes or new programs and trace from the initial request to the completion phase, performing or reviewing the following steps:

1. Ensure that user management has evidenced their approval on

the initial project request form.

2. Describe the method of prioritizing requests submitted to steering

committee or management for major projects.

3. Review log or method used to control all requests to ensure they

are being followed up.

4. Determine if cost for purchase versus in-house development was

considered.

5. Document method of assigning programmers to the project.

6. Review procedures for approval and progress reporting.

7. Examine project progress reports for evidence that systems

development is controlled in accordance with established procedures.

8. Detail method used to create test data.

9. Ensure that EDP and user management evidence their review

and approval of test results.

10. Review evidence of programmer having completed all necessary

steps:

a. File specifications. b. Program specifications. c. Files created. d. Test results filed.

CHANGE CONTROL I/TEST

15

Page 1 of 1