Application-Maintenance Principles


In conjunction with a formal SDLC and project-management activities, the organization must implement change-management processes, which include change-control procedures both for software-development projects and for the production environment. The change-management process, usually facilitated by the change-control board (CCB), reviews all changes associated with the software-development project. The CCB has the authority to accept, deny, or postpone a requested change. The change-management process ensures that any deviations from the original requirements are approved before being added to the project. This process ensures that all changes meet the needs of the organization and that any additional resources (time, money, or personnel) are balanced against the existing project requirements and approved resources. In addition, the change-management process provides a formal environment for the documentation of changes and the decision process.

A change request can generally be submitted by anyone associated with the development project, including the end users. The submitter of the change request should specify the change as well as the justification for the change. The users of the system should be part of the approval process. User approvals of program changes ensure that changes are correct as specified by the user and that they are authorized.

The presence of a change-management process ensures that subject matter experts (organization managers, IT management, security, and so on) are aware of proposed changes and their impact on current resources and the IT environment.


Programmers should perform unit, module, and full regression testing following any changes to an application or system.


The organization should implement quality control (QC) procedures to ensure that proper testing is performed throughout the development life cycle. The QC team is responsible for conducting code reviews and tests to ensure that software is free of defects and meets user expectations. Unit and module testing ensure that the specific unit or module is complete, performs as expected, and meets requirements. Regression testing should be required for all changes introduced into the system, whether in development or in production; its purpose is to ensure that the change introduced does not negatively impact the system as a whole.

Post-Implementation Review Techniques

After development, testing, and implementation have been completed and the new system is part of the production environment, a formal post-implementation review should be performed. When reviewing an organization's systems-development process, the auditor should first compare the established formal standards to the procedures actually observed. The IS auditor should carefully review the functional requirements to ensure that the project objectives and requirements were met and, based on the evidence found, perform other testing to confirm that the necessary controls and functionality are in place. Test transactions can also be developed, if necessary. During the review, the IS auditor should look at system utilization, end-user satisfaction with the system, and error logs to determine whether there are resource or operating problems. The most common reason a system fails to meet the needs of the business and its users is inadequate user participation during the systems-requirements definition.

If the organization performed a cost-benefit or ROI assessment as part of the feasibility study, the IS auditor should ensure that the corresponding metrics for the production system are being measured, analyzed, and reported. Overall, the post-implementation review should determine whether the development project achieved its stated objectives and whether the development process was performed in an efficient and effective manner. In addition, the post-implementation review should allow the organization to identify areas for improvement through lessons learned. When these improvements are implemented, they raise the overall capability and maturity of the organization's software-development process, maximizing benefits and reducing costs and risks.


Source: CISA Exam Cram 2 (ISBN: B001EEFNHG, 2005, 146 pages)