Page 48 - ITGC_Audit Guides

Ultimately the organization’s management ensures the appropriate level of documentation and authorizes the change that affects the application’s production environment on the basis of test results. The approved source code then moves into production by an independent function from a staging environment that mimics production activity. The change should be formally accepted by the business unit requester subject to their due diligence (i.e., diligence monitoring might include validating a series of consecutive processing cycles without error).

A simple depiction of the migration of a proposed change through the appropriate environments is shown in Figure 19.

Figure 19: Example of an IT Change Migration

Note: The migration through each of these environments should be properly segregated.
Source: The Institute of Internal Auditors.


Business users are usually restricted to their online production environment; programmers and developers are restricted to their test environment. Movement into production environments should be performed independently to ensure version control.

Emergency changes should be few and still require the same level of documentation and testing. In some instances, the approval to run an emergency change in production may be obtained after the fact, but within a reasonable and formally established timeframe (e.g., two business days).
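As an added illustration of the change-migration controls described above (example code, not part of the IIA guide), the following Python audit test runs over constructed change tickets and reports exceptions for a developer migrating their own change, missing test results, missing business acceptance, production deployment ahead of management approval, and after-the-fact emergency approval outside the two-business-day window; the ticket field names, the "release-mgr" role and the two-day constant are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EMERGENCY_APPROVAL_WINDOW_DAYS = 2  # the guide's example: "two business days"
@dataclass
class ChangeRecord:
    change_id: str
    developer: str                    # wrote the code in the test environment
    deployer: str                     # migrated it into production
    business_approver: Optional[str]  # formal acceptance by the business requester
    test_results_attached: bool
    emergency: bool
    deployed_on: date
    approved_on: Optional[date]       # management authorization date, if any
def business_days_between(start: date, end: date) -> int:
    # Weekdays after `start` up to and including `end` (no holiday calendar).
    days, current = 0, start
    while current < end:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days += 1
    return days
def audit_change(rec: ChangeRecord) -> list:
    # Control exceptions for one change record; an empty list means clean.
    findings = []
    if rec.deployer == rec.developer:
        findings.append("segregation: developer migrated own change into production")
    if not rec.test_results_attached:
        findings.append("documentation: no test results supporting the change")
    if rec.business_approver is None:
        findings.append("acceptance: no formal acceptance by the business requester")
    if rec.approved_on is None:
        findings.append("authorization: no management approval recorded")
    elif rec.emergency:
        if business_days_between(rec.deployed_on, rec.approved_on) > EMERGENCY_APPROVAL_WINDOW_DAYS:
            findings.append("emergency: after-the-fact approval outside the established window")
    elif rec.approved_on > rec.deployed_on:
        findings.append("authorization: change reached production before approval")
    return findings
# Constructed sample tickets; 2024-03-08 is a Friday, so 03-11 is the next Monday.
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", "alice", "release-mgr", "fin-lead", True, False, date(2024, 3, 6), date(2024, 3, 5)),
    ChangeRecord("CHG-1002", "bob", "bob", None, False, False, date(2024, 3, 7), date(2024, 3, 6)),
    ChangeRecord("CHG-1003", "carol", "release-mgr", "fin-lead", True, True, date(2024, 3, 8), date(2024, 3, 11)),
    ChangeRecord("CHG-1004", "dave", "release-mgr", "fin-lead", True, True, date(2024, 3, 8), date(2024, 3, 13)),
]
```

Calling audit_change on each record in SAMPLE_CHANGES yields no exceptions for CHG-1001 and CHG-1003, three for CHG-1002, and the late emergency approval for CHG-1004.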

Applications Challenges and Risks

Functioning and efficient applications are key to every organization’s success. The design and maintenance of application architecture, development of new applications, and changes to existing applications should be efficient and effective processes owned by management and understood by internal auditors. Appropriately operating controls across these functions can be the difference between an effective and an ineffective process.

Regarding application architecture, internal auditors should have an enterprisewide view of third-party service providers, cloud technology risk, and suitable controls that are significant to business process operations and delivery.

There are numerous challenges/risks related to an organization’s applications that internal auditors should be aware of, which can include but are not limited to:

• Unclear planning/accelerated timeframes. When application development efforts fail, it is often due to unclear planning and/or an accelerated timeframe that leads to insufficient design. If the frequency of change increases, development teams may accelerate implementation outside of documented protocols and without giving priority to strategic architecture and planning.






                   40 — theiia.org