
Using Software Management Products as a Checkpoint to Enforce SDLC Deliverable Compliance

By: Mitchell H. Levine, CISA
Audit Serve, Inc.

Software management products used across various operating platforms share common control objectives. These products provide a controlled change migration process by allowing individuals to use the product to migrate software changes to predefined libraries. Source/load integrity is maintained for all compilable module types by first predefining the compile procedures that are to be used and then securing the libraries which store these modules. The libraries storing the changed modules are secured from changes at a specific point in the software development life cycle to allow user acceptance testing and program integrity reviews to occur. Typically the securing of the project's software changes occurs prior to entering the user acceptance test phase. Depending on the organizational structure of the environment, an independent control function (i.e., Quality Assurance or Change Control Group) performs the migration of the project's modules to the user acceptance test libraries and controls the process of un-securing libraries to allow changes to occur based on problems identified in the user acceptance test.
By having an independent control function enforce software integrity prior to the user acceptance test, this checkpoint can be used to ensure that all SDLC (Software Development Life Cycle) deliverables required prior to this phase have been developed appropriately. Therefore, prior to allowing a project to enter the user acceptance test environment, the deliverables from the Analysis (i.e., Functional Specifications), Design (i.e., Design Specifications), and Construction (i.e., Program Specifications) phases and the user acceptance test plan from the Testing phase should have been completed and available for review.
Based on personal experiences of spending half of my time in the last five years working as a consultant for software development groups, many projects' SDLC deliverables are created at the end of a project to meet the requirements of the compliance review which occurs at later stages of a project. Establishing a review checkpoint of these SDLC deliverables earlier in the project's life cycle ensures that these deliverables are developed to support their intended purpose.
In summary, in order to establish the SDLC compliance checkpoint the following should be in place:

Software Management Product capabilities

  • Ability to perform software migration using pre-defined libraries which does not require the development group to have update access to these libraries.
  • A function is available to allow developers to freeze (i.e., secure) an individual project's components.
  • The function of promoting the project's components to the user acceptance test environment can be assigned to installation-designated individuals.

Control/Organizational Processes

  • A separate function performs the migration to the user acceptance test environment. Project managers can also perform this function only if they themselves are not responsible for coding.
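To make the checkpoint concrete, here is an added example (not code from the article or from Audit Serve) that models the control design described above as a small promotion gate: developers may freeze their own project's components, but only a member of an independent control group who has not coded on the project may migrate a frozen project into the user acceptance test libraries, and only if the Analysis, Design, Construction and Testing deliverables are all present. The `Project`, `Decision`, `freeze_components`, `promote_to_uat` and `unfreeze_components` names, the control-group membership and the sample project are all assumptions constructed for illustration.

```python
# Added example: a minimal model of the SDLC compliance checkpoint the article
# describes. All names and sample data below are constructed for illustration
# and are not a real software management product's API.
from dataclasses import dataclass, field

# Deliverables the article lists as required before a project enters UAT.
REQUIRED_DELIVERABLES = {
    "functional_specifications",   # Analysis phase
    "design_specifications",       # Design phase
    "program_specifications",      # Construction phase
    "user_acceptance_test_plan",   # Testing phase
}


@dataclass
class Project:
    name: str
    developers: set        # people who have written code for the project
    deliverables: set      # deliverables completed and available for review
    frozen: bool = False   # components secured against further developer changes
    in_uat: bool = False   # components migrated to the UAT libraries


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def freeze_components(project: Project, requester: str) -> Decision:
    """A developer may secure (freeze) their own project's components."""
    if requester not in project.developers:
        return Decision(False, [f"{requester} is not a developer on {project.name}"])
    project.frozen = True
    return Decision(True)


def promote_to_uat(project: Project, requester: str, control_group: set) -> Decision:
    """The checkpoint: an independent control function migrates a frozen,
    fully documented project into the UAT libraries. Every failed check is
    reported so the audit trail shows why the promotion was refused."""
    reasons = []
    if requester not in control_group:
        reasons.append(f"{requester} is not in the control group")
    if requester in project.developers:
        reasons.append(f"{requester} coded on {project.name} (separation of duties)")
    if not project.frozen:
        reasons.append("components are not frozen")
    missing = sorted(REQUIRED_DELIVERABLES - project.deliverables)
    if missing:
        reasons.append("missing deliverables: " + ", ".join(missing))
    if reasons:
        return Decision(False, reasons)
    project.in_uat = True
    return Decision(True)


def unfreeze_components(project: Project, requester: str, control_group: set) -> Decision:
    """Re-opening libraries after UAT defects is a control-group action, so a
    developer cannot quietly reopen their own project."""
    if requester not in control_group or requester in project.developers:
        return Decision(False, [f"{requester} may not un-secure {project.name}"])
    project.frozen = False
    project.in_uat = False
    return Decision(True)


def demo():
    """Constructed scenario: a project tries to enter UAT before its
    Construction and Testing deliverables exist, then a developer tries to
    promote it, then the control group promotes it correctly."""
    control_group = {"qa_lead"}
    proj = Project("payroll-v2", developers={"dev_a", "dev_b"},
                   deliverables={"functional_specifications", "design_specifications"})
    freeze_components(proj, "dev_a")
    first = promote_to_uat(proj, "qa_lead", control_group)   # blocked: missing specs
    proj.deliverables |= {"program_specifications", "user_acceptance_test_plan"}
    second = promote_to_uat(proj, "dev_a", control_group)    # blocked: developer promoting
    third = promote_to_uat(proj, "qa_lead", control_group)   # allowed
    return first, second, third


if __name__ == "__main__":
    for decision in demo():
        print("ALLOWED" if decision.allowed else "BLOCKED", decision.reasons)
```

The point of returning every failed check rather than stopping at the first is that the refusal itself becomes the evidence an auditor reviews: a project that is repeatedly blocked for missing deliverables is exactly the case the article describes, where documentation is written late to satisfy a later compliance review.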





For a free proposal to perform an audit of your organization or provide SOX support & testing services, contact Mitchell Levine of Audit Serve at (203) 972-3567 or via e-mail at
Copyright © 2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.

