Alternative Project Initiatives for Controlling the UAT Environment
(Part 2 of 2)
By: Mitchell H. Levine, CISA
Audit Serve, Inc.

The first article in this series discussed UAT control initiatives related to security access controls that preserve the integrity of the UAT test and to the enforcement of SDLC requirements to perform UAT testing.

Quality UAT Environment

The most important project initiative for establishing the UAT environment is to provide a quality UAT environment that supports the type of testing performed by the organization. This requires an analysis to identify the type of testing being performed by the various business areas. One might think that test requirements are defined at an application level, but the business functions to be tested could cut across multiple applications. An inventory should be established of the business processes which require testing, prioritized based on risk and the frequency of changes. These business processes should then be tied to the applications which they utilize.

The type of testing required for each business process also needs to be defined. If the application is undergoing frequent complex changes which can only be validated through the execution of a batch report, then an integrated test environment needs to be supported. If the business processes are laden with extensive data interfaces, then the test environment would need to extend through these interfaces.

An additional critical decision is whether an investment will be made to construct a regression test environment, in which predefined transactions representing the critical processing paths are established and saved in a manner in which they can be restored. In this way, once a change is made to an application, the same test data can be used to ensure that the application functions as intended.

During an audit, an assessment should be made as to whether the test environment meets the requirements of the business. This would require the same analysis as described above.

Test Coordination

The UAT environment is intended to be used by the user community and should not be an extension of the developers' test environment. However, in many cases, multiple software changes would need to be tested at the same time. These multiple software changes could involve testing of data which could conflict with other changes being tested. In addition, one software change may need to have a data refresh (i.e., either from production or from the regression test bed). These types of decisions need to be coordinated; otherwise someone's test could be impacted. For a large organization, it is common to have a test coordinator to perform these types of coordination activities with all possible impacted areas. Not having the right person to approve UAT data refreshes could lead to disastrous results.



Copyright 2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.

