Day 22 (16 Nov 2022)

Continue yesterday’s work, today I will be focusing on the remaining part of the ITFC working papers, there are other three sections that I need to complete, which are program change, program development and computer operations. Program change is to determine whether the company have established adequate control to ensure changes to the existing system or applications are authorized, tested, approved and properly implemented and documented. The first control for it is whether there is proper authorization given for th echanges, every changes need to have approval given by the top management and IT manager. For our case, we inquiry Mr Jason and confirmed that the company did not have any program changes happened during the year under audit and if there is changes being requested, its procedure it employee will request to IT team by submitting the new IT Requistion form with approval from HOD, IT team then assess the changes requested and perform the implementation. Another control is related to testing of changes, it is to determine whether management has controls in place to ensure the changes made are adequately tested prior to migration to the production environment. We inquiry Mr Jason whether there is process for testing the changes to the in-scope applications, Mr Jason noted that User Acceptance Testing will be conducted by user before the migration. User’s sign off will then be required to indicate the UAT is successfully conducted. Beside, we also know that the testing environment is established and separated from the production environment. The next control is on migration to production environment, it is to determine whether controls are in place to restrict access for migrating changes into the production environment for systems and applications used in the financial reportng processes. In proper way, only a limited number of personnel should have access to migrate changes to the production environment to ensure that this process is controlled such that only authorized, tested and approved changes are migrated into production and the log of changes migrated to the production environment is complete. We asked Mr Jason what is company’s practice in migration of changes to the production environment, Mr Jason replied that upon successful UAT, changes will be migrated to the production environment and it is performed by the IT department. To test the effectiveness, we inspected the user access rights and found out that only user ID ‘pro01’ has the migration access right. The last control for program changes is on emergency changes, it is to determine whether management has controls in place to ensure that changes requiring immediate implementation are properly handled on a timely basis, with no impact to the systems and application related to the financial reporting process. We asked Mr Jason what is company’s process if there is emergency change happened, he replied that the process will be same as the control of authorization of changes and testing of changes. Until this, the second area has been done, and at the end we documented what is our finding, we can say taht there is no deficiencies found as all the procedure are well prepared.

Jumping to the next section is focusing on program development, the objective of this area is to determine whether adequate controls are established to ensure that the new system or application are properly acquired, authorized, tested and approved. There are three controls included in this areas, the table below illustrate its respective description.

Since there is no program development happened, there is no need for us to test the effectiveness of the control. I will stop at this area and plan to continue the remaining part on tomorrow.

Main things that have learnt

• I performed the audit for the sections of program changes and program development.

Comment/idea/opinion

I know from senior that mostly of the company will not have the program change and program development but if there is any, then we will have a lot more procedure for our audit.