PROGRAM CHANGE CONTROL - by: James Smith [jsmith@securanceconsulting.com]
Objective:
The purpose of this review is to independently evaluate the adequacy, effectiveness, and efficiency of the
system of control and the quality of ongoing operations within the Change Control / Configuration
Management process. While originating in a mainframe environment, this program can be adapted, as
necessary, to client-server based production environments.
The system of control should be designed to:
1. Provide reasonable assurance that assets are safeguarded, information is timely and reliable,
and errors and irregularities are discovered and corrected promptly.
2. Promote operational efficiency.
3. Encourage compliance with managerial policies, laws, regulations, and sound fiduciary principles.
Scope:
The scope includes:
a. Documentation, policies and procedures and software governing the change control process.
b. Modifications to production and development to ensure that they are authorized.
c. Modules placed in the production environment to ensure they are documented by a development
listing and supported by related program change forms according to standards.
d. Procedures to ensure the Quality Assurance / Control group, if applicable, monitors all changes to
production and development environments.
e. Access Security restrictions to production.
f. Controls specific to the source control system are in place.
Program Change Control / Configuration Management Page 2 of
5
W/P
Ref.
Done
By
1.0
General
1.1 Modify this program as necessary to address each type of change control
environment controlling modifications made to application or system software.
Prepare questionnaires and/or checklists for the program steps where they
are appropriate.
1.2 Obtain and review audit workpapers, report and follow-up of prior audit
recommendations. Plan and perform such ad