Case-IT Auditing
Code developers modify or create programs. The IT testing team performs all internal IT testing; however, the business areas perform their own user acceptance testing. The IT Department's Middleware team is responsible for migrating all code to production (except for database triggers). The Middleware Team does not perform any code development activities. Although SQL database triggers are developed or modified by code developers, the migration of the triggers from test databases to production databases is performed by the Database Administrators, since this code development is specifically database-centric. Question: What are the Controls and what are the GAPS?
As per the case, the following teams work on specific functions:
1. Development team, responsible for creating & modifying programs and also for development & modification of SQL database triggers
2. IT Testing team responsible for all internal testing
3. Business users responsible for their own User Acceptance Testing (UAT).
4. IT Middleware Team responsible for code migration to Production except for database triggers. They do not perform code development activities.
5. Database Administrators migrate database triggers from test databases into Production databases.
From the above, these are the controls which are in place and the gaps which exist.
Controls:
1. The Development Team is only responsible for writing & modifying code & database triggers but has no rights to deploy into Production
2. A separate team, the IT Middleware team, is in place and deploys code into Production
3. An IT Testing Team is in place which performs internal testing but has no rights on the User Acceptance Test environment
4. The Business User team, which is not part of the IT teams, conducts its own User Acceptance Testing. This is a very good practice, because the business users can test on real-life data & scenarios and can sign off based on their validation against the requirements they had raised
5. The Middleware team does not perform any code development activities
Gaps:
1. Database Administrators are responsible for deploying/migrating SQL database triggers, which is incorrect as per IT software process guidelines. They should only be responsible for managing the database infrastructure & schema and for supporting any queries/issues raised by users/support/development teams in application databases. They shouldn't be deploying any database-specific changes into Production. This should be managed by the IT Middleware team, an Application Production Support team or a Release Management Team
2. Also, as mentioned, the Database Administrators are migrating triggers from test databases into Production databases. This is incorrect as per guidelines. Any SQL code, whether stored procedures, Create/Alter scripts, cursors or triggers, should be deployed/run by the IT Middleware team, an Application Production Support team or a Release Management Team, as said in point 1 above, and not from a test database but from a source code repository or a shared location. So ideally, once the code is deployed to the UAT or test environment and is passed/signed off by Business users, the same code should be deployed into Production. There should be a mechanism of code sharing, such as a protected shared drive on NAS, a source code repository, or ServiceNow release management software.