
IT Process 6: Manage Changes to Existing IT Systems

21 September, 2015 - 11:32

To ensure processing integrity between versions of systems and to ensure consistency of results from period to period, changes to the IT infrastructure (hardware, systems software, and applications) must be managed via change request, impact assessment, documentation, authorization, release and distribution policies, and procedures.

Program change controls provide assurance that all modifications to programs are authorized, and ensure that the changes are completed, tested, and properly implemented. Changes in documentation should mirror the changes made to the related programs. Figure 8.3 depicts the stages through which programs should progress to ensure that only authorized and tested programs are placed in production, which means that the programs are in use by the organization in the conduct of business. Notice that separate organizational entities are responsible for each stage in the change process. These controls take on an even higher level of significance with enterprise systems. Should unauthorized or untested changes be made to such systems, the results can be disastrous. For example, let’s say that a change is made to the inventory module of an enterprise system without testing to see the impact that change will have on the sales module used to enter customer orders. Since these two modules work together, and orders from customers for inventory cannot be processed without the inventory module, changes to either module must be carefully planned and executed.

Review Question

Name and describe the four IT control processes in the acquisition and implementation domain.