CASE INFORMATION
Jayhawk Medical Supply Inc. (JMS) sells a comprehensive line of durable equipment and disposable supplies to hospitals, clinics and
doctors' offices. Its product line ranges from tongue depressors and cotton swabs to x-ray machines and magnetic resonance imaging
equipment with six-figure price tags. Customer service is provided by salespeople assigned to specific geographic areas, but customers
are encouraged to place routine orders through the JMS web site. Inventory is maintained in six regional warehouses. Products are
delivered to customers by common carriers so that the company does not have to manage and maintain a fleet of delivery vehicles.
The JMS business strategy relies heavily on information technology (IT) to provide fast and efficient customer service, and to minimise
supply chain costs. Its information system was assembled through a best-of-breed strategy that involved buying from different vendors:
Database management
Customer relationship management
Supply chain management
Accounting/human resource
Business intelligence applications
These systems are integrated by a middleware package purchased from and maintained by a sixth vendor. This configuration provides
JMS with an enterprise system that is custom-tailored to its business needs, but also requires constant changes from installing upgrades
to maintain the functionality of the six major application packages.
Because IT is essential to the customer value proposition that supports the JMS business strategy, the enterprise system is maintained by
an in-house IT organisation, which is directed by a chief information officer (CIO) who reports directly to the chief executive officer
(CEO). JMS offers a wide range of sales and payment options to its customers, and management has entered into a variety of
arrangements for procurement and vendor-managed inventory. Therefore, the enterprise system also plays an important role in recognising
or deferring sales revenue, and in determining when costs should be capitalised as inventory or expensed as cost of goods sold.
Under the guidance of the IT investment committee of the board of directors, the IT organisation acquires all hardware and software
solutions (including system upgrades) on a turnkey basis from well-recognised IT vendors. No programming or system development
activities are conducted in-house. With the help of vendor personnel, the IT organisation has installed system upgrades for four of the
five major applications during the past year, and modified the middleware application to accommodate these changes. JMS has designed
a system of internal controls that management attempts to enforce for all changes to the enterprise system.
CASE QUESTION
Assume that you are directing field work for a team of auditors who are evaluating the effectiveness of internal controls over system
changes. The audit team has already evaluated the design effectiveness of these controls and concluded that JMS has adequate
procedures in place. The team has identified critical system change controls that need to be tested to provide evidence for evaluating the
operating effectiveness. Your task is to design a program of audit tests. Your firms inventory of potential audit procedures for controls
over system changes is presented as an appendix to this case. For each of the critical controls listed below, describe specific test
procedures that should be used to evaluate the operating effectiveness of the control practice. Focus on designing the appropriate test
procedure; you do not have to specify sample sizes or timing for the procedures you describe.
Critical Controls
1. AI6.1 Set up formal change management procedures to handle in a standardised manner all requests (including maintenance and
patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.
2. AI6.2 Assess all requests for change in a structured way to determine the impact on the operational system and its functionality.
Ensure that changes are categorised, prioritised and authorised.
3. AI6.3 Establish a process for defining, raising, testing, documenting, assessing and authorising emergency changes that do not follow
the established change process.
IT GOVERNANCE INSTITUTE (TM), CASELETS, 2ND EDITION
4. AI6.4 Establish a tracking and reporting system to document rejected changes, the status of approved and in-process changes, and
complete changes. Make certain that approved changes are implemented as planned.
5. AI6.5 Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.
6. AI7.1 Train the staff members of the affected user departments and the operations group of the IT function in accordance with the
defined training and implementation plan and associated materials, as part of every information systems development,
implementation or modification project.
7. AI7.5 Plan data conversion and infrastructure migration as part of the organisation's development methods, including audit trails,
rollbacks and fallbacks.
8. AI7.7 Ensure that business process owners and IT stakeholders evaluate the outcome of the testing process as determined by the test
plan. Remediate significant errors identified in the testing process, having completed the suite of tests identified in the test plan and
any necessary regression tests. Following evaluation, approve promotion to production.
9. AI7.9 Establish procedures in line with the organisational change management standards to require a post-implementation review as
set out in the implementation plan.
10. DS5.3 Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment,
system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms.
Confirm that user access rights to systems and data are in line with defined and documented business needs, and that job
requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system
owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy
cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication
and enforce access rights.
AI6.3 Emergency Changes
Establish a process for defining, raising, testing, documenting, assessing and authorising emergency changes that do not follow the established change process.
Control Practices and Assurance Steps
1 Control practice: Ensure that a documented process exists within the overall change management process to declare, assess, authorise and record an emergency change.
  Assurance step: Enquire whether and confirm that the overall change management process includes emergency change procedures (e.g., defining, raising, testing, documenting, assessing and authorising emergency changes).
2 Control practice: Ensure that emergency changes are processed in accordance with the emergency change element of the formal change management process.
  Assurance step: Inspect the documentation for a representative sample of emergency changes and, by interviewing key staff members, establish whether emergency changes are implemented as specified in the change management process.
3 Control practice: Ensure that all emergency access arrangements for changes are appropriately authorised, documented and revoked after the change has been applied.
  Assurance step: Confirm through interviews with key staff members that emergency access arrangements are authorised, documented and revoked after the change has been applied.
4 Control practice: Conduct a post-implementation review of all emergency changes, involving all concerned parties. The review should consider implications for aspects such as further application system maintenance, impact on development and test environments, application software development quality, documentation and manuals, and data integrity.
  Assurance step: Enquire whether and confirm that a post-implementation review of emergency changes is conducted.
AI6.4 Change Status Tracking and Reporting
Establish a tracking and reporting system to document rejected changes, the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned.
Control Practices and Assurance Steps
1 Control practice: Establish a process to allow requestors and stakeholders to track the status of requests throughout the various stages of the change management process.
  Assurance step: Enquire whether and confirm that there is an established process to allow requestors and stakeholders to track the status of requests throughout the various stages of the change management process.
2 Control practice: Categorise change requests in the tracking process (e.g., as rejected, approved but not yet initiated, approved and in-process, and closed).
  Assurance step: Enquire whether and confirm that the tracking and reporting system monitors the status of the change requests (e.g., rejected, approved but not initiated, approved and in process).
3 Control practice: Implement change status reports with performance metrics to enable management review and monitoring of both the detailed status of changes and the overall state (e.g., aged analysis of change requests). Ensure that status reports form an audit trail so changes can subsequently be tracked from inception to eventual disposition.
  Assurance step: Enquire whether and confirm that management reviews and monitors the detailed status of changes and overall state (e.g., aged analysis of change requests).
4 Control practice: Monitor open changes to ensure that all approved changes are closed in a timely fashion, depending on priority.
  Assurance step: Enquire whether and confirm that open and approved changes are closed in a timely manner, depending on priority.
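As an added example (not part of the ITGI case or its appendix), the following Python sketches how the assurance steps for AI6.3 and AI6.4 can be run as a computer-assisted audit test over an extract of the change-tracking system: an aged analysis of open approved changes by priority, a check that every closed change carries a recorded approver (the audit trail from inception to disposition), and a check that emergency changes received a post-implementation review and had their emergency access revoked. The record fields, the age thresholds per priority, the report date and the sample tickets are constructed assumptions, not JMS data.

```python
from datetime import date

# Assumed maximum open age in days per priority (illustrative thresholds, not a JMS standard).
MAX_OPEN_DAYS = {"high": 7, "medium": 30, "low": 90}
AS_OF = date(2024, 4, 1)  # assumed report date for the aged analysis

# Constructed sample extract of the change-tracking system (hypothetical records).
# access_revoked applies only to emergency changes that used emergency access.
CHANGES = [
    {"id": "CHG-001", "type": "normal", "priority": "high", "status": "closed",
     "opened": date(2024, 3, 1), "approved_by": "CAB", "pir_done": True, "access_revoked": None},
    {"id": "CHG-002", "type": "normal", "priority": "medium", "status": "approved",
     "opened": date(2024, 1, 10), "approved_by": "CAB", "pir_done": False, "access_revoked": None},
    {"id": "CHG-003", "type": "emergency", "priority": "high", "status": "closed",
     "opened": date(2024, 3, 20), "approved_by": "CIO", "pir_done": False, "access_revoked": False},
    {"id": "CHG-004", "type": "normal", "priority": "low", "status": "closed",
     "opened": date(2024, 2, 1), "approved_by": None, "pir_done": True, "access_revoked": None},
]


def aged_analysis(changes, as_of):
    """AI6.4: open approved changes older than the assumed threshold for their priority."""
    overdue = []
    for c in changes:
        if c["status"] == "approved":
            age = (as_of - c["opened"]).days
            if age > MAX_OPEN_DAYS[c["priority"]]:
                overdue.append((c["id"], age))
    return overdue


def audit_trail_gaps(changes):
    """AI6.4: closed changes with no recorded approver break the trail from inception to disposition."""
    return [c["id"] for c in changes if c["status"] == "closed" and not c["approved_by"]]


def emergency_exceptions(changes):
    """AI6.3: emergency changes without a post-implementation review or with access not revoked."""
    return [c["id"] for c in changes
            if c["type"] == "emergency" and (not c["pir_done"] or c["access_revoked"] is not True)]


if __name__ == "__main__":
    print("Overdue open changes:", aged_analysis(CHANGES, AS_OF))   # [('CHG-002', 82)]
    print("Closed without approval:", audit_trail_gaps(CHANGES))    # ['CHG-004']
    print("Emergency exceptions:", emergency_exceptions(CHANGES))   # ['CHG-003']
```

Each exception list is a population the field team would follow up with the inspection and interview steps in the appendix; the script only narrows the sample, it does not replace them.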
AI6.5 Change Closure and Documentation
Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.
Control Practices and Assurance Steps
1 Control practice: Ensure that documentation, including operational procedures, configuration information, application documentation, help screens and training materials, follows the same change management procedure and is considered to be an integral part of the change.
  Assurance step: Enquire whether and confirm that change documentation (e.g., operational procedures, configuration information, application documentation, help screens, training materials) is up to date.
2 Control practice: Consider an appropriate retention period for change documentation and pre- and post-change system and user documentation.
  Assurance step: Enquire whether and confirm that change documentation (e.g., pre- and post-implementation system and user documentation) is retained.
3 Control practice: Update business processes for changes in hardware or software to ensure that new or improved functionality is used.
  Assurance step: Enquire whether and confirm that business process documentation is updated for the changes implemented in hardware or software.
4 Control practice: Subject documentation to the same level of testing as the actual change.
AI7.1 Training
Train the staff members of the affected user departments and the operations group of the IT function in accordance with the defined training and implementation plan and associated materials, as part of every information systems development, implementation or modification project.
Assurance Steps
Enquire whether and confirm that a training plan is part of the overall project master plan for development projects.
Enquire whether and confirm (e.g., through interviews with key staff members or inspection of project plan) that the training plan identifies and addresses impacted groups (e.g., business end users, IT operations, support and IT application development training, service providers).
Enquire whether and confirm that alternative training strategies are considered to ensure that a cost-effective approach is selected and incorporated in the training framework.
Enquire whether and confirm that there is a process to verify compliance with the training plan.
Inspect training documentation to determine compliance with the training plan (e.g., list of staff members invited to training, attendees list, evaluation forms for the achievement of learning objectives, other feedback).
Enquire whether and confirm that there is a process of monitoring training to obtain feedback that could lead to potential improvements in the system.
Enquire whether and confirm that planned changes are monitored to ensure that training requirements are considered and suitable plans are created.
AI7.7 Final Acceptance Test
Ensure that business process owners and IT stakeholders evaluate the outcome of the testing process as determined by the test plan. Remediate significant errors identified in the testing process, having completed the suite of tests identified in the test plan and any necessary regression tests. Following evaluation, approve promotion to production.
Assurance Steps
Confirm that key stakeholders are considered in the final acceptance testing activities.
Enquire whether and confirm that success criteria are identified in the testing plan in the final acceptance stages.
Enquire whether and confirm that appropriate documentation for review and evaluation exists.
Enquire of key stakeholders whether the documentation and presentation of final acceptance testing results are complete and timely.
AI7.9 Post-implementation Review
Establish procedures in line with the organisational change management standards to require a post-implementation review as set out in the implementation plan.
DS5.3 Identity Management
Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs, and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
Control Practices
1 Establish and communicate policies and procedures to uniquely identify, authenticate and authorise access mechanisms and access rights for all users on a need-to-know/need-to-have basis, based on predetermined and preapproved roles. Clearly state accountability of any user for any action on any of the systems and/or applications involved.
2 Ensure that roles and access authorisation criteria for assigning user access rights take into account:
  - Sensitivity of information and applications involved (data classification)
  - Policies for information protection and dissemination (legal, regulatory, internal policies and contractual requirements)
  - Roles and responsibilities as defined within the enterprise
  - The need-to-have access rights associated with the function
  - Standard but individual user access profiles for common job roles in the organisation
  - Requirements to guarantee appropriate segregation of duties
3 Establish a method for authenticating and authorising users to establish responsibility and enforce access rights in line with sensitivity of information and functional application requirements and infrastructure components, and in compliance with applicable laws, regulations, internal policies and contractual agreements.
4 Define and implement a procedure for identifying new users and recording, approving and maintaining access rights. This needs to be requested by user management, approved by the system owner and implemented by the responsible security person.
5 Ensure that a timely information flow is in place that reports changes in jobs (i.e., people in, people out, people change). Grant, revoke and adapt user access rights in co-ordination with human resources and user departments for users who are new, who have left the organisation, or who have changed roles or jobs.
Assurance Steps
Determine if security practices require users and system processes to be uniquely identifiable and systems to be configured to enforce authentication before access is granted.
If predetermined and preapproved roles are utilised to grant access, determine if the roles clearly delineate responsibilities based on least privileges, and ensure that the establishment and modification of roles are approved by process owner management.
Determine if access provisioning and authentication control mechanisms are utilised for controlling logical access across all users, system processes and IT resources, for in-house and remotely managed users, processes and systems.
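As an added example (not part of the ITGI case), the following Python shows how several DS5.3 assurance steps can be tested by reconciling an extract of the central identity repository against the HR roster: leavers whose accounts remain enabled, enabled accounts not traceable to a single person, movers whose access profile no longer matches their job role, and access rights with no recorded system-owner approval. The HR roster, the role-to-profile mapping and the account records are constructed sample data, not JMS systems.

```python
# Constructed HR roster (hypothetical): employee_id -> (employment status, job role).
HR = {
    "E100": ("active", "sales"),
    "E101": ("terminated", "warehouse"),
    "E102": ("active", "accounting"),  # moved from the warehouse to accounting
}

# Assumed standard access profile for each common job role (DS5.3 control practice 2).
ROLE_PROFILE = {"sales": "crm_user", "warehouse": "scm_user", "accounting": "fin_user"}

# Constructed extract of the central repository of user identities and access rights.
ACCOUNTS = [
    {"account": "jdoe", "owner": "E100", "enabled": True, "profile": "crm_user", "approved_by": "CRM owner"},
    {"account": "bsmith", "owner": "E101", "enabled": True, "profile": "scm_user", "approved_by": "SCM owner"},
    {"account": "kchan", "owner": "E102", "enabled": True, "profile": "scm_user", "approved_by": "SCM owner"},
    {"account": "whse_shared", "owner": None, "enabled": True, "profile": "scm_user", "approved_by": None},
]


def leavers_still_enabled(hr, accounts):
    """Practice 5 (people out): enabled accounts owned by people HR reports as terminated."""
    return [a["account"] for a in accounts
            if a["enabled"] and a["owner"] in hr and hr[a["owner"]][0] == "terminated"]


def non_unique_accounts(accounts):
    """Practice 1: enabled accounts not traceable to one identifiable person."""
    return [a["account"] for a in accounts if a["enabled"] and not a["owner"]]


def profile_mismatches(hr, accounts, role_profile):
    """Practice 5 (people change): active users whose profile no longer matches their job role."""
    mismatches = []
    for a in accounts:
        person = hr.get(a["owner"])
        if person and person[0] == "active" and role_profile.get(person[1]) != a["profile"]:
            mismatches.append((a["account"], person[1], a["profile"]))
    return mismatches


def unapproved_access(accounts):
    """Practice 4: enabled access rights with no recorded system-owner approval."""
    return [a["account"] for a in accounts if a["enabled"] and not a["approved_by"]]


if __name__ == "__main__":
    print("Leavers still enabled:", leavers_still_enabled(HR, ACCOUNTS))              # ['bsmith']
    print("Accounts without a unique owner:", non_unique_accounts(ACCOUNTS))          # ['whse_shared']
    print("Role/profile mismatches:", profile_mismatches(HR, ACCOUNTS, ROLE_PROFILE))  # [('kchan', 'accounting', 'scm_user')]
    print("Access without owner approval:", unapproved_access(ACCOUNTS))             # ['whse_shared']
```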