AUDIT PROGRAM - SYSTEM IMPLEMENTATION
submitted by Diana Lindsey
I. Project Management Controls

A. Project Management
To determine if there is adequate project management, as established by State and agency guidelines.
1. Determine if the project has an established project team, including a leader from Information Services project area.
   Is the appropriate level of management involved in the project?
   Does the project team have the level of authority to make the decisions concerning the project?
   Does the project team have the appropriate level of expertise? In the technical (computer) area, and business area?
   Does the project team include members from the user areas (all affected departments) as well as systems development, vendors, computer operations, audit, legal, compliance and all other appropriate areas?
2. Determine if a Project Service Request has been generated and approved by the client management.
   Does the request include documentation of the expected benefits to be achieved?

B. Feasibility Study/Plan
To determine if there was a feasibility study prepared that meets requirements and details the project plan as required.
1. Determine if a project feasibility study has been written and approved by client management and Information Services, as well as DIS & OFM as necessary.
   Does the study detail the scope of the project?
   Is a project management plan included?
   Has a project budget been included?
   Does the budget appear realistic?
   Has the appropriate level of management reviewed and approved the study?
   What provisions, if any, have been made for overruns, delays, changes?
2. Determine if the project team has an established project plan.
   Is the plan written down?
   Do the time frames appear realistic?
   Are the critical phases determined?
   Does the plan require management/user approval at specified points?
   Can the project be canceled at early enough points?
3. Determine if the project plan included all the required phases of project development, including: test phase, training for users, conversion, and implementation.
   Does it cover all applications and areas concerned?
   Does it cover all vendors?
   Does it cover all interfaces to/from the application?
   Does everyone involved in the project understand their level of involvement, roles and responsibilities?
4. Determine if the project plan was followed and any deviations documented, including extensions of the schedule.
   Are all deviations documented?
   Are all extensions approved by the project team and management (DIS and OFM if needed)?
   Are all relevant parties notified of any extensions or changes to the project plan?
5. Determine if the business proposal/contract for the system included all relevant information, including:
     - reasons for the project
     - scope of the project
     - constraints of the project
     - costs and benefits of the project
     - plans and schedules
     - user requirements
   Is the documentation for support of the project in accordance with the State and agency's established procedures?

II. System Development
To determine if the system met the stated functional business requirements and followed development standards.

A. Design Phase
To determine if the design meets the stated functional requirements and fulfills the scope of the project.
1. Determine if the design of the system is thoroughly documented.
   Are regular design sessions scheduled?
   Are all areas covered for each application interfacing with the new system?
   Is the old system documented and understood?
   Are the specifications documented?
     - data files
     - interfaces
     - procedures
     - screens
     - reports
     - documents
   Are all existing accounts, products and services known and documented?
2. Determine if detailed user requirements have been developed.
   Are calculations, formulas used?
   Are report specifications and frequency included?
   Is system response time included?

B. Training Plan
To determine if a training plan was developed for the project and if user training was adequate.
1. Determine if a training plan was developed.
   Is the training plan written?
2. Determine what the training plan contains: data entry training, backup, user operations, balancing and reconciliation.
   Are all aspects of the system covered:
     - data entry
     - backups
     - management reporting
     - disaster recovery
     - user operations
     - computer operators
     - balancing and reconciliations
   Does the training include vendor techniques?
3. Review the training plan to determine if training will be completed prior to implementation of the system.
   Will critical personnel be trained early in the training?
   Will the most critical employees be trained first?
   Will there be staff trained to train others?
   Are differences in account handling noted for training?
4. Determine who will be trained - management staff, entry clerks, etc.
   Will there be several levels of training: Management reporting, data entry clerks, supervisory?
   Will all appropriate levels of staff be trained?
   Will there be technical training for operators?

C. Testing
To determine if the system is adequately tested prior to implementation, the test plan includes all aspects of the new system, and all unexpected results are thoroughly resolved.

a. Test Plan
To determine if the test plan is adequate.
1. Determine if the project team had developed a test plan.
   Has the test plan been written?
   Will there be system and acceptance tests?
   Are the users included in the testing?
2. Determine if all aspects of the system will be tested, as outlined in the detail requirements, including, but not limited to:
     - data entry
     - editing
     - reports
     - calculations
     - error reporting
     - interfaces with other systems
     - network communications
     - print handling
   Are all critical functions tested?
   Are all existing capabilities tested?
   Are all changes tested?
3. Determine when testing will take place and ensure it will be completed prior to implementation.
   Does the test plan allow for retesting of errors and changes?
4. Determine if a parallel test will be run.
   Have the criteria for the termination of the parallel run been identified?
5. Determine if month-end, quarter-end, and year-end tests will be run, if needed.
   If there are month-end, quarter-end, and year-end processing, then these tests should be run.
6. Determine if volume and/or stress testing will be done.
   Volume testing should include a "normal" processing day's transactions as well as a high-volume day's transactions, printing, etc.
   Stress testing should include a more than normal or high-volume transaction testing as well as printing, etc.
   The stress test should try to "overload" the system.
   Stress testing should also test system response time in this situation.

b. Test Procedures
To determine if there are adequate test procedures developed.
1. Determine if test data have been prepared.
   Does this include all possible conditions, including errors?
   Have test scripts been prepared?
   Have the test files been defined?
   Are the data files synchronized?
   Are the detail steps for the tests defined?
2. Determine if there are procedures developed to evaluate the test results.
   Have predetermined results been set up in advance?
   Is there a problem resolution scheme and logging procedures?
   Is the logging and problem resolution consistent with other implementations?
   Are the users included in the testing and evaluation of the results?
3. Determine if the expected test results have been defined prior to actual testing.
   The test scripts should include all expected test results.
   Have procedures been developed to monitor test results?
4. Determine if there has been a problem resolution procedure designed for those tests not meeting the expected results.
   Are unexpected test results logged and monitored?

c. Test Results
To determine if test results are consistent and unexpected results are monitored.
1. Determine if there was user acceptance of the final test results.
   Have standards for the final acceptance test been established?
   Has the user department management reviewed the system performance and approved of the final results?
   Has the user department identified any inefficiencies in the system?
   Can these be corrected?
   If so, will they be prior to system implementation?
2. Review the test results and determine if there are unexpected results.
   Are unexpected test results evaluated to determine the reasons for the variance?
3. Determine the follow-up on those unexpected results.
   Are program corrections made if needed?
   Are the problems retested after correction?
4. Follow those unexpected results deemed of a critical nature to ensure adequate resolution.
5. Determine if those tests with unexpected results were adequately retested after correction to the program, etc.
   All results which deviated from the expected should be retested.

D. Conversion Plan
To determine if the system conversion plans are adequate.
1. Obtain and review the conversion plan.
   Is the conversion plan written?
   Is the data conversion approach defined?
     - full conversion
     - "shell accounts" and update later
     - interim and "bridge" process
     - combination
   Is a fallback approach defined?
   Has the plan been approved by management and user departments?
   Are all source systems identified?
   Are all components identified?
2. Determine if conversion will be manual or automated. Determine if the conversion rules and rationale are documented, and determine if they appear reasonable.
   Manual involves manual records input to the system; automated is from one automated system to another.
   If a manual conversion:
   Are there plans for verification of the data input?
   Will there be enough staff available for conversion?
   Are there procedures developed for balancing?
     - number of records
     - dollar totals
   If an automated conversion:
   Are the needed files identified?
   Are all fields identified and mapped to the new system?
   Are the appropriate operations staff available?
   Will the conversion occur during normal processing?
   What are the procedures for balancing?
     - run-to-run totals
     - before and after file compares
3. Determine if there will be a parallel run prior to actual conversion. Ensure the results of the parallel run will be reviewed prior to the actual conversion.
   Were the results of the parallel run consistent with expectations?
   Have all problems encountered in the parallel been resolved prior to full conversion?

E. Implementation Plans
To determine if the installation/conversion has been adequately planned for, and all phases, equipment, etc., have been planned, including back-out if needed.

a. Implementation Plan
To determine if the implementation of the system was adequately planned.
1. Determine if there is a written implementation plan in place.
   Does the plan include responsibilities for all areas involved?
2. Determine if there is a problem resolution scheme in place for the installation/conversion phase.
   Is there a "help" desk and personnel available?
   Is the vendor or programmer(s) available for problem resolution?
   After installation and "shake-out," is the maintenance staff ready and able to take over?
   Do the users know where to go to get help?
3. Determine if there is a backout plan included.
   Does the backout plan define when the backout would be invoked?
   Does the backout plan include procedures necessary to reimplement the old system, if needed?
   Does the backout plan require approval from management prior to implementation of the backout?
   Does the backout include procedures for all affected areas?
   Does the backout plan include a means to notify all areas/users that the installation failed?
4. Determine if all software required for the successful implementation has been written (if coded in-house) or obtained from the vendor.
5. Determine if all required JCL and computer operations procedures have been written and included.

b. Forms, Paper, Envelopes
To determine if the correct forms, paper supplies, and other office supplies have been obtained prior to implementation.
1. Determine if any required new or special forms have been designed and approved by all applicable parties.
   Have the forms been reviewed and signed off by all involved departments?
   Has audit reviewed the form(s) for audit requirements?
2. Determine if the new forms include all required information, such as approvals, account number, name, etc.
3. Determine if all items have been ordered with sufficient time for delivery prior to implementation. These include (as needed):
     - paper
     - special forms
     - envelopes
     - printer ribbons
     - diskettes, disks, tapes
4. Determine if the user departments are aware of how and where to reorder forms and supplies.
   Does the user department know which forms need to be reordered?
   Does the user department know when to reorder forms?
   Is there a minimum quantity that must be reordered?
   Is there a supply in the supply warehouse?

c. Hardware
To determine if all required hardware components are in place prior to implementation.
1. Determine if there was a problem resolution scheme for the installation phase.
   Is there a "help" desk and personnel available?
   Is the vendor available for problem resolution?
   After installation, is the maintenance staff ready and able to take over?
   Do users know how to get help when the installation team leave?
2. Determine if there is a written plan and schedule for hardware installation.
   Does the plan include an installation schedule?
   Does the plan appear reasonable?
   Will all components be installed prior to the scheduled implementation?
   Have there been contingency plans developed?
3. Determine if the equipment has been ordered in time for installation prior to implementation.
   Is there a contingency plan developed in case of delays?
4. Determine if any required changes to the site have been made for completion prior to implementation.
5. Determine if the equipment and hardware were delivered and set up as required.
   Are the serial numbers and descriptions recorded?
   Is the inventory list updated?
   Are there inspection reports?
   Was the equipment tested when installed?
   Was there a sign-off of acceptance by the user departments?
   Was the user department notified of the installation date?
6. Determine if all required components have been identified, including computer (PC, micro, mini, etc.), printer, modems, etc.
   Is the equipment ordered within the established project budget?
   Were all vendors considered?
     - terminal vendor
     - modem vendor
     - phone company
     - electricians
     - carpenters/construction
   Has the site been reviewed recently?
   Are current floor plans available?
   Are there facility changes planned?
   Are all needed other equipment considered?
     - desks
     - tables
     - cables
     - counters
     - other machines (adding machines, fax, etc.)
7. Determine if the site has been reviewed thoroughly to determine the physical layout of the installation of the hardware.
   Are all design changes made?
   Were all wires pulled and connectors installed?
   Were all telephone lines installed?

F. Post-Implementation Review
To determine if the results of the new system met the original objectives as stated in the business proposal.

a. Processing
To determine if the results of the new system met the original objectives as stated in the business proposal.
1. Determine at the project's conclusion whether the project met the objectives defined in the original proposal.
   Were the expected benefits of the new system realized?
   Does the system perform as expected?
   If there were differences found in expectations and actual results, were they investigated and dispositions noted?
   If there were inefficiencies noted, were they documented and the dispositions noted?

b. Cost/Benefit
To determine if the system was within budget and met the original cost/benefit analysis.
1. Determine if the cost/benefit analysis was correct. Compare the actual vs budgeted costs and benefits.
   Were the actual costs within reason?
   Were price changes and increases in volumes taken into account in the original estimate?
2. Evaluate the reasons for the differences in actual vs budgeted costs and benefits.
   Do the reasons for the variances appear valid?

c. User Satisfaction
To determine if the user is satisfied with the new system and evaluate what points should be considered in another project.
1. Determine if the user is satisfied with the operations of the new system.
   Are there problems or inefficiencies in the new system that can be corrected?
   Is there a need for ongoing training?
   Have all problems been corrected?
   Does the system meet the user requirements?
   Does the system provide all the required information?
2. Conduct a survey of the users (a sample is acceptable) to determine if training was sufficient, the system is operating as expected, reports are providing the required information, problems are being resolved.
3. Determine if there are any suggestions for improvement in other projects.
   Are there suggestions for improved reports?
   Are there suggestions for improved or more efficient operations?
   Are there suggestions for improved training?
   Are there suggestions for smoother installations?
   Are there suggestions for a smoother conversion?
4. Determine if all identified problems have been corrected.

III. Application Controls

A. General Requirements
To determine that the application was adequately designed to meet the functional business requirements.
1. Review any changes to the application during all phases of the project to determine if they significantly change the project's original goal.
   Are all changes documented?
   Are all changes reviewed and approved by the project team?
   Are all changes which affect the project scope approved by upper management?
   For any significant changes, is the project re-evaluated to determine the feasibility/costs/benefits?
2. Determine if there are any legal considerations which must be considered.
   Are there legal or regulatory reporting requirements from the system?
   Is the system being designed to conform to new regulatory requirements?
   What are the legal and contractual requirements concerning the system software, if a vendor product?
3. Review the system specifications.
   Is the system written in a common programming language?
   Are there programming resources available to maintain the system?

B. Program Design
To determine if the program design was documented and prepared in sufficient detail to permit the programmers to code the system. (This may not be done in a vendor purchased system.)
1. Determine if the program specifications are complete and consistent.
   Do the specifications include all program descriptions?
   Are all program modules documented?
2. Determine if the program documentation is complete.
   Does the program documentation include all required information, including:
     - system flowcharts
     - data flow diagrams
     - decision tables
     - program narratives
3. Determine if the program contains adequate controls over data integrity.
   Are there controls built into the system, including edits, verifications, etc.?

C. Input Design
To determine if the input requirements are adequately defined and documented. (Input includes: manual input via terminals from forms; tapes; or disks.)
1. Review the documentation for the input requirements of the system.
   Does the documentation include:
     - editing and validation
     - security provisions
     - control totals
     - appropriate authorization
2. Determine if the input file definitions are defined and documented.
   Have the files been defined, including all record layouts?
   Have the databases been defined?
   Have the security levels been established and defined for file and database access?
   Are extracted files time/date stamped?
   Are extracted files created from the most current data?
3. Determine if the application allows for batch or control totals.
   Are the totals logged?
   Can the control totals be reconciled between input and output?
4. Determine if provisions have been made for data preparation and computer processing errors to be reviewed and reentered correctly.
   Can the errors be detected and corrected prior to completion of the processing cycle?
   Who will be performing the review process? Frequency?
   Who will be performing the re-entry function?
5. Determine if provisions have been made for any internal tables or parameter files to be periodically reviewed by the users for accuracy.
   What is the frequency of the review?
   Who makes changes to these files?
   How are errors corrected?
6. Determine if error files are to be reviewed to determine the extent and type of outstanding errors for trend analysis purposes.
   Who will be doing the analysis?
   Frequency of review?
   What types of errors will be included in the review?
7. Determine if defaults and/or hard-coded values can be displayed for user review and approval.
   What are the values used for?
   When and how can they be changed?

D. Processing Design
To determine if the processing requirements are defined and documented adequately.
1. Determine if there are adequate balancing procedures in place for the conversion process through to the Accounting systems, if applicable.
2. Determine that the transactions and account balances are properly recorded on the Accounting systems, if applicable.
   What accounts will the transactions affect?
3. Determine if written procedures have been prepared that explain all error codes and messages, and corrective action for each.
   Are all error codes/messages included?
   Error codes for operators as well as data entry should be included.
4. Determine if the application has provisions that prevent concurrent file/record updates.
   Is the file/record locked when one user is accessing in update?
   Are there appropriate error messages provided?
5. Determine if the application has routines for checking internal file header labels before processing.
   The header checks should be for correct file, date, etc.
   Are appropriate error messages provided?
   Are appropriate corrective actions to be taken provided?
6. Determine if the application has controls to check for data integrity (run-to-run controls), etc.
7. Determine if the system generated transactions can be traced back to the source for reconciliation.
   Are these transactions readily identifiable?
   Are there adequate audit trails for tracing purposes?

E. Output Design
To determine if the output requirements are defined and documented adequately. (Outputs may be already defined in a vendor purchased system and this step may not be done for those applications.)
1. Determine if output data has been classified as per the Security Policy/Plan.
   Information can be classified as restricted, confidential, public, etc.
2. Review the adequacy of the documentation for output requirements. (Output includes reports as well as files.)
   Are all departments' concerns considered?
   Does the documentation include:
     - organization of the output
     - who is to receive the reports
     - retention of reports and files
     - audit trail considerations
3. Determine if the output provides the users with the ability to control and ensure the completeness, accuracy, and authorization of the data.
   Do the reports include the ability to trace the originator of each transaction?
   Do the reports include control totals, if applicable?
   Is there a means to verify the information included on the reports?
   Have the calculations used to develop data (accruals, fees, rates, etc.) been checked for accuracy?
   Have the routing and distribution procedures been established?
4. Determine if there are adequate controls in place over negotiable instruments generated by the application.
   Negotiable items include checks, warrants, drafts, etc.
5. Determine if provisions have been made for the user to scan output reports/datasets/files to detect obvious errors.
   These can include missing files, unreasonable values, incorrect report dates, formats, etc.
   Is there a means to identify the incorrect values for correction purposes?
6. Determine if service level agreements between Operations/vendor and the user are in place or are being negotiated. These include:
     - Response time
     - System "up" time

F. Interfaces
To determine if there is adequate security and controls over application interfaces.
1. Determine if the application interfaces with other systems.
   Which systems will the new system interface with?
   How will it interface?
2. Determine if all interfaces were tested adequately.
3. Determine the controls over the application interfaces.

G. User/Departmental Procedures
To determine if adequate documentation and user manuals are developed for proper operations of the system.
1. Determine if the user manuals are complete prior to implementation.
   Have the user manuals been drafted and reviewed by the user department?
   Will the manuals be printed and ready for use when the system is implemented?
2. Review the user manuals to determine if they appear to be complete and relatively easy to understand.
   Does the user manual include all information needed for:
     - preparation of input documents
     - data entry
     - documentation of output
     - balancing procedures
     - error resolution
     - error messages for on-line systems or error reports
     - timing and distribution of output reports
     - security procedures
     - password
     - logon and logoff procedures
     - descriptions of terminal screens
     - description of report layouts and fields
   Were the user manuals used in testing?
   Are the manuals distributed to the correct staff? All applicable departments?
   Are the manuals readily available to all applicable staff?
3. Determine if the user manuals include the normal day-to-day processing, including commonly occurring errors, as well as month- and year-end processing.
   Do the manuals include back-up procedures?
   Do the manuals include the special procedures for month-end, quarter-end, and year-end processing?
   Do the manuals include a list of commonly occurring error messages, easily referenced? Correction procedures?

H. Conversion Procedures
To determine the adequacy of the conversion procedures.
1. Determine if there is an adequate separation of duties in the conversion.
2. Determine if there is balancing of all dollars, records, accounts in the conversion.
   Are there run-to-run totals?
   Are there before and after file compares done?
   Are there record counts?
3. Determine if the rejects and errors are reentered and properly accounted for during the conversion.
   Is there monitoring of all rejected transactions in the conversion?
   Are these rejects reentered?
4. Determine if there was a before and after conversion compare run made to compare the old to new systems.
5. If a manual conversion, determine the procedures to verify all entries.
6. If an automated conversion, was a compare done to compare old records to new?
7. Has the user department signed off on the conversion prior to discontinuing the old system?
8. Was audit involved in the conversion?

I. Audit Trails and Procedures
To determine if there are adequate and effective audit trails and reports designed in the system.
1. Determine if audit trail reports are produced by the system.
   Are audit reports listed on the report distribution schedule?
2. Determine if the reports include all necessary information as determined by the user department and management.
   Are the user departments satisfied with the information produced on the audit reports?
   Will the reports meet the user and management needs?
3. Review the reports to determine if they appear adequate for audit review purposes.
   Is the audit department satisfied with the information produced on the audit reports?
   Will the reports satisfy audit needs?
4. Review the schedule of reports to determine if they include:
     - error reports
     - logs of all logon attempts
     - logs of all invalid signon attempts
     - balancing reports
     - transaction registers
5. Determine the security and integrity of the audit trail reports.
   Can users input information which will alter the audit trail reports?
   Are the reports distributed and reviewed by the appropriate people?
6. Determine if computer-assisted audit techniques can be applied or the current audit software can be used.
7. Document the application controls for the business audit's internal control file.
8. Determine that an audit program outline can be prepared for the next business audit.
9. Determine the impact of the system on the next business audit.

IV. System Environment

A. Acquisition Controls
To determine if the application software and hardware was purchased in accordance with the State and agency's established guidelines.
1. Determine if the software and hardware was purchased and evaluated in accordance with the State and agency's established guidelines.
   Was the purchase of the software and hardware approved by the appropriate department and the agency's upper management?
2. Determine if the legal department was involved in the purchase of the software and hardware.
   Was a copy of the contract reviewed by the appropriate area? (Legal/contracts/DIS)
   Is a copy of the vendor contract on file with the proper area (Legal/contracts/DIS)?
3. Determine if the hardware purchased meets the State and agency's established standards.
   If the purchase does not meet the standards, was a waiver approved by the appropriate level of management?

B. Security
To determine if the security over the hardware, software, and data is adequate, and determine if the data security procedures are in place.

a. Physical Security
To determine if the physical security over the hardware and software is adequate.
1. Review the plans for the physical security of the computer and peripherals (printer, modems, etc.)
   Are the items secured in some way?
   Are they in a locked room, limited access area, or some way controlled?
   Are the terminals or PCs in a locked, inaccessible area, kept away from the public and unauthorized users?
   Is there control over the modem?
   Is the mainframe in a controlled environment - limited access by card, badge, guard, sign-in monitored?
2. Review the plans for the physical security of the software.
   Where will the diskettes be stored?
   Will the hard disk be locked? Key control?
   Will the diskettes be locked in a fireproof cabinet?
   Are backups stored offsite? How many generations?
   Will the tapes be stored in a secure tape library?
   Will terminals or PCs have keyboard locks?
   Who will have key control?
   Will the hard disks on PCs be locked?
3. For systems using a modem, determine if there is a fully dedicated line and the security surrounding the modem use.
   Are there verification procedures used when using the modem?
   Callback procedures?
   Password and terminal verifications?
   Is the line fully dedicated to the use of the PC/terminal and the modem?
4. Determine if terminal(s) are inactivated or locked during non-business hours.

b. Data Security
To determine if the data security procedures are in place.
1. Determine if the system meets the minimum standards as set forth in the State and agency's Information Security Standards/policies.
2. Review the data security access levels and assignments to determine if they appear adequately controlled.
   Are there varying levels of security access for different types of transactions:
     - inquiry only
     - update non-monetary transactions
     - update financial transactions
     - add/delete records
   Are the levels appropriately assigned to the user department staff?
   Management approving transactions should not have the authority to input the transactions.
3. Review the control over the password access.
   Who has the ability to change passwords?
   Are the password assignments controlled by the user department or data security?
   If controlled by the user department, does the staff member also have authority to input transactions?
4. Review the system password access - are passwords masked, encrypted, stored in a visible file?
5. Determine if there are controls to log and monitor all sign-on attempts, both valid and invalid.
   Is all access to the system monitored?
   Are all invalid sign-on attempts logged and monitored? By whom?
6. Determine if the application has controls in place to prevent unauthorized access to the system.
   Does the system lock out after a certain number of invalid sign-on attempts?
   Is both a password and logon-id required for access to the system?
   Is there a security system in place (ACF2)?

c. Backup and Recovery Procedures
To determine if there are adequate backup and recovery procedures developed for the system.
1. Determine if there are procedures developed for disaster recovery and restart for the system.
   Have the recovery/restart procedures been written?
2. Determine if there are procedures developed for periodic backup of the system. How often will backups be done? How long will the backups be kept? What media will the backups be done on? (Tape, disk, diskette) Have the backup procedures been written? 3. Review the procedures to determine if they are adequate. Do the procedures include all foreseeable circumstances? Do the plans include recovery of hardware and software? - PCs or terminals - printer - software (and documentation) - modem - phone lines 4. Determine how many backups will be stored, and the location of the storage. Offsite storage? Will there be daily backup? Weekly? Monthly? Quarterly? Yearly? Will the backups be shipped to off-site storage periodically? What periods? Will daily backups be stored in a fireproof cabinet on-site? 5. Determine how the backups (diskettes or tapes) will be stored, recorded, and marked. How will the backups be labeled? On what media will the backups be stored? Is the labeling consistent?
6. Determine the retention period for the backups. How long will the daily backups be kept? Will the month-end backups be kept for a different period? Will the quarter-end backups be kept for a different period? Will the year-end backups be kept for a different period? d. Database Integrity To determine if there is adequate security over the database and interfaces. 1. Determine if there are controls in place to prevent unauthorized access to the application source and object code. Are programmers prevented from accessing production code? Is access to the code logged?
2. Determine if there are reports that log all system access, or attempted access. Is all access monitored? Are the access reports reviewed? By whom? Are there reports on unauthorized access attempts? Who reviews and reports on unauthorized access attempts? 3. Determine if there is a monitoring of the terminal(s) to log all activity. Is terminal access logged? Is terminal validation required? C. System Documentation To determine if the system documentation is complete. 1. Determine if an operations manual has been prepared prior to implementation of the system. Does the manual include complete instructions on the system operation? Does the manual include run books with all program documentation? Does the manual include all job steps, including the sequence the jobs should be run, and prioritization? Does the documentation include: - each program function - hardware requirements - description of all console messages and operator response - disposition of output - identification of output file labels - restart procedures - run-to-run control points Were the operator's manuals used in testing? Are the operator's manuals readily available to all operators? 2. Review the department's proposed procedures for the new system. Do the procedures include adequate segregation of duties? Do the procedures include all aspects of balancing? Do the procedures include security procedures: - password changes - logon/logoff - PC/terminal control - diskette/tape/disk control - access to the workstation - key control - report distribution and control
3. Determine if the responsibility for on-going, post-implementation tasks has been assigned. Has the system maintenance organization been determined? Has the responsibility for quality control been determined? Has the responsibility for system balancing been assigned? Are there system change control procedures established? (For post-implementation changes rather than during design.)
4. Review the system documentation to determine if it appears complete. This includes: - error codes - system operations - samples and descriptions of reports and forms - system flowcharts - descriptions of interfaces to other systems, if applicable - system operating instructions, if applicable, including scheduling runs - database descriptions and layouts - file descriptions and layouts - data dictionary - field and record layouts 5. Determine if the proposed procedures include adequate segregation of duties, particularly in: - data entry and review - data entry and approvals - verification of the data entry - error corrections - balancing - password maintenance and authorizations
Diana Lindsley March 28, 1994