NARRATIVE: IT ENVIRONMENT AND CHANGE CONTROL MANAGEMENT PROCESS
The IT audit of client ABC Company is for the fiscal year ended 12/31/20XX. In various planning meetings with client/entity personnel, you gathered the following information pertaining to the client's relevant financial applications. These are the applications that will form the scope of this year's audit:
- SAP: Handles all accounting and general ledger transactions. SAP's server is SapAppServ1, and its operating system (o/s) version is UNIX AIX VX. SAP is classified as purchased software requiring significant customization. The database supporting SAP is Oracle, with server name SapDbServ1.
- Bill-Inv System: Handles billing and inventory management. The Bill-Inv System's server is InfAppServ1, and its o/s version is OS 400 VX. Bill-Inv System is purchased software with little customization. The database is IBM DB2, with server name InfDbServ1.
- APS2: Handles all treasury and investment transactions. The server hosting the application is Aps2AppServ1, and its o/s version is OS400 VX. APS2 is purchased software requiring significant customization. The database is Oracle, with server name Aps2DbServ1.
- Legacy System: Handles transactions related to the entity's fixed assets. The Legacy System's server is LSAppServ1, and its o/s version is Windows VX. The Legacy System is classified as in-house developed software. The database is proprietary, with server name LSDbServ1.
- Kronos: Handles employee time and attendance transactions. The Kronos server is KAppServ1, and its o/s version is Linux VX. Kronos is also classified as in-house developed software. The database is proprietary, with server name KDbServ1.
- HR&P: Handles transactions related to human resources and payroll processing and disbursement. This application is outsourced to a service organization called ADP.
The o/s hosting the applications are the ones hosting the databases. All of the above relevant applications, except for HR&P, are located on the entity's headquarters premises, computer room, first floor, in Melbourne, FL. HR&P is outsourced, meaning that the application, its database and o/s, as well as all related servers are located outside the client's premises. For a description of the processes and procedures regarding this outsourced application, refer to the auditor's service organization report.
During the fiscal year, there were no significant modifications performed for the Bill-Inv System, Legacy System, Kronos, and HR&P relevant applications. SAP and APS2, however, were significantly upgraded to their current versions on March 1st and November 15th, respectively.
Client ABC Company has three IT-related departments, all reporting to the IT Director. The IT Director reports directly to the entity's Chief Financial Officer. The IT departments and their supporting personnel are listed below:
- Infrastructure & Operations (I&O): I&O Manager, Help Desk Supervisor, Trainer & End-User Support, and Network/LAN Administrator
- Application Systems Programs & Support (ASP&S): ASP&S Manager, Software Programmer, Analyst Programmer, and SAP Administrator
- Database and Operating Systems Support (D&OSS): Database Support Specialist and Operating Systems Support Specialist
Purchased Applications (SAP, Bill-Inv System, and APS2)
The client's process for selecting and purchasing new applications is conducted taking into consideration the economic and operational impact. Whenever the need for acquiring software is identified, both management personnel and representatives of the end-user community (users) establish design requirements and compatibilities for the soon-to-be acquired application. According to the IT Director and the I&O Manager, once a need has been identified and requirements have been established, IT management personnel are responsible for evaluating at least three alternatives considering cost-benefit relationships and the impact on the IT environment. Once evaluated, an alternative is preliminarily selected and discussed with business managers to ensure alignment between information systems and business initiatives. Applications exceeding $100,000, and/or having the potential of impacting IT risks, are subject to risk assessments and business impact analyses. Upon completion of such analyses, the selected alternative (supported with analysis documentation) is submitted to the Chief Financial Officer for final approval. Once a selection of the application is made, IT personnel perform full backups of the old application. IT personnel then prepare a separate environment for users to start testing whether the new application runs as expected, and whether the data are accurate. They also compare the new application against the old application (i.e., parallel testing). After testing is done, users provide acceptance and support for the installation of the new application in the production environment. IT personnel are then responsible for advising all affected users of the installation dates. The above is part of the entity's policy for selecting and purchasing new applications; however, such policy has not been revised and/or updated during the past 5 years. A policy should be reviewed and updated at least once a year to reflect changes in the entity's processing environment.
All changes or upgrades to purchased applications are performed by application vendor personnel and sent back to the entity for installation. Per the ASP&S Manager, changes or upgrades received from the vendors are currently not tracked or logged. The client acknowledges there are available Web-based tools and techniques that can track or log these types of changes, but feels their costs may not be justified. Because these changes or upgrades are from the vendor, the entity trusts that they have been adequately tested (at the vendor site) before the vendor forwards them to the client. Therefore, the entity does not perform full backups of the existing application before the implementation of the changes or upgrades. IT personnel do install the changes/upgrades received in a separate test environment. Tests are performed thoroughly to ensure the new changes are consistent and will conform to current business needs. Test results, if successful, are communicated verbally to the manager in charge. In addition to the IT personnel approval, there are no additional approvals required before implementation of the changes/upgrades into production. IT personnel are responsible for advising all affected users of installation dates in the production environment. The above procedures have been formalized into a policy. The policy is updated annually.
Once implementation of changes or upgrades to purchased applications is performed, IT personnel, led by the ASP&S Manager, perform various tests to validate the integrity, accuracy, and completeness of the information.
In-House Developed Applications (Legacy System and Kronos)
As discussed with both the I&O Manager and the ASP&S Manager, the process of developing in-house applications or implementing changes to in-house applications is a standard and common process. The process may result from (1) users identifying system needs; (2) errors being identified and requiring a fix; and/or (3) applications themselves forcing implementation of new patches/upgrades. Requests for developing in-house applications or implementing their changes are submitted by users who complete an online System Modification Request Form (SMRF). The SMRF is a Web-based tool the entity uses to track and control requests, and includes information such as the name of the application or system, requester's name, date, department(s) affected, and a description of the requested change. Additionally, the tool provides information on the programmer who will work on the change and the estimated completion date. Once the SMRF is completed and requirements are established, the ASP&S Manager assesses the impact of the change. If the in-house application or change is deemed significant, it is considered a project and additional resources are allocated. On the other hand, if the in-house application or change is considered to have a minor impact or to be maintenance, it is assigned to either the Software Programmer, Analyst Programmer, or SAP Administrator, and performed directly in the production environment. Therefore, there is no evidence, such as test methodologies, test plans and results, and project implementation schedules, maintained for these types of changes. There is also no separate environment established for developing or testing these minor-impact in-house applications or changes.
When determined to be significant, in-house applications or their changes are worked on in a development environment separate from production. Full application and data backups are not performed prior to developing the in-house application or implementing the changes. Nonetheless, test procedures are documented, and successful results support final implementation. Testing is performed by selected users from the IT and business areas. Test procedures performed consist of recreating normal operation transactions and verifying/monitoring the results for accuracy. Test procedures also validate the integrity and completeness of the information. After testing is done, and in order to ensure proper segregation of duties, programmers are not allowed to migrate their own changes into the production environment. Instead, they turn in their work to independent, non-programmer personnel (quality assurance team, for example) for migration into the live environment.
Both the I&O Manager and the ASP&S Manager indicate that, in order to manage and maintain version control, a Software Version Control Configuration Manager (SVCCM) tool is used. This tool allows the identification of changes, labeling them by revision number, revision letter, revision level, or simply just revision. Change revisions are associated with a timestamp and the name of the user making the change. The SVCCM tool also allows revisions to be compared and restored, as well as combined with other types of files. The above process has not been formally documented in the form of a policy or procedure, nor does it establish how it prevents unauthorized changes to the in-house based applications. Additionally, there is currently no version control or management system process used or in place for the entity's purchased applications. The above information was also corroborated with the client's Software Programmer, Analyst Programmer, and the SAP Administrator.
Case 1: IDENTIFY POTENTIAL AUDIT FINDINGS (75 points)
- Read the NARRATIVE: IT ENVIRONMENT AND CHANGE CONTROL MANAGEMENT PROCESS

| Finding # | Description of Finding | Area and/or Application Affected | Risk Associated with Finding |
|---|---|---|---|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |