Example: tourism industry

Implementing an Application Change Control System

82-02-50 Implementing an Application ChangeControl SystemH. Van TranCynthia D. HeagyPayoffTraditionally, firms have adopted stringent systems development controls to ensure thatnew Application systems are efficient and reliable in meeting an organization's and theusers' needs. Application Change controls have been neglected, however, despite the factthat large firms generally spend between 60% and 80% of their Application software dollarson maintenance activities. A new breed of Application Change Control System is emergingthat ensures that all changes made to Application systems are properly authorized, tested,and approved for implementation. This article examines the design and implementation ofthese Control Application systems are typically developed by in-house programmers in adevelopment environment and then transferred into a production environment to be used tosupport daily business operations.

Application change control systems typically are developed by a joint effort of four groups: system owners from various user departments, application change control administrators, programmers, and auditors.

Tags:

  Applications, System, Change, Control, Implementing, Implementing an application change control system, Application change

Information

Domain:

Source:

Link to this page:

Please notify us if you found a problem with this document:

Other abuse

Advertisement

Transcription of Implementing an Application Change Control System

1 82-02-50 Implementing an Application ChangeControl SystemH. Van TranCynthia D. HeagyPayoffTraditionally, firms have adopted stringent systems development controls to ensure thatnew Application systems are efficient and reliable in meeting an organization's and theusers' needs. Application Change controls have been neglected, however, despite the factthat large firms generally spend between 60% and 80% of their Application software dollarson maintenance activities. A new breed of Application Change Control System is emergingthat ensures that all changes made to Application systems are properly authorized, tested,and approved for implementation. This article examines the design and implementation ofthese Control Application systems are typically developed by in-house programmers in adevelopment environment and then transferred into a production environment to be used tosupport daily business operations.

2 After being placed in production, however, applicationsystems frequently must be changed to improve the efficiency of the applications , adjust theapplications to changing business conditions, or correct defects in the changes affect computer programs, screen and file definitions, and Job ControlLanguage instructions, with the bulk of the changes being made to computer applications systems development and maintenance have different controlobjectives. Systems development controls provide assurance that Application systems areefficient and reliable and meet the organization's and the users'needs. Application changecontrols ensure that all changes to Application components are properly authorized, tested,and approved for implementation. If Application Change controls are adequate, businessusers can be confident that the Application System being used is the one that was initiallydeveloped but with known and approved general, large firms spend 60% to 80% of their Application software dollars onmaintenance activities and the remainder on systems development activities.

3 Each new largesystems development project generally is expensive and highly visible; in contrast, eachapplication System Change usually is small and low-key. The high visibility and costlinessof large systems development projects have compelled firms to adopt stringent systemsdevelopment controls; however, they have neglected Application Change systems development controls are grounded in a defined systems developmentlife cycle methodology. The development project is subdivided into phases with tightlycontrolled milestones, deadlines, coding and testing schedules, and budgets. Moreover, theroles and responsibilities of both programmers and System owners are clearly defined. (Asystem owner is an individual in a user department who is a liaison between the businessusers and the programmers and who has stewardship over a particular Application System .)

4 However, substantial systems development controls would yield little value ifsubsequent modifications to Application systems were to undermine these expensivesystems development controls. Thus, the integrity of an Application System could be injeopardy without adequate Control over Application changes. This article describes anemerging new breed of Application Control systems. Specifically, the article discusses: Traditional approaches to Application screen Risks associated with these traditional approaches. Design and implementation of an Application Change Control Approaches to Application ChangesIn the authors' experience as consultants, traditional approaches to Application changes areused by many large mainframe computer centers. Firms that do not use contemporaryapplication Control procedures store computer programs in common libraries on secondarystorage devices.

5 For example, all Common Business Oriented Language source program(which contain English-like instructions) are stored in a common production sourceprograms library. All COBOL load or machine-executable programs (which contain binaryor machine-readable instructions) are stored in a common production load program creating a new program, the programmer initially codes a source programs andthen uses a compiler to generate its load program equivalent. Both programs, after beingfully tested, are moved into the common production source and load program libraries,where the load program is executed by the computer to support the organization's dailybusiness program Change process consists of a series of tasks. When a program Change isrequested and authorized by the System owner, a programmer copies the source programsfrom the common production source programs library into the programmer's developmentsource programs library.

6 Development libraries are private libraries that can be created,deleted, read, or written to by a particular programmer and no one the source programs is in the private development source programs library, theprogrammer modifies the program, compiles the program to produce a load program, linksthe program with all essential compiled subroutine, tests the program by executing the loadprogram using test data, and informs the System owner of the successful , the System owner approves the Change without any additional testing andauthorizes the copying of both source and load programs to the common production sourceand load libraries. The newly generated load program is now used for daily , organizations have taken two approaches to Application changes.

7 Oneapproach provides hundreds of maintenance programmer with update access to the twocommon production libraries ( , source and load ) so they can copy programs directlyfrom production to development and back to production at any time. After being givenupdate access, a programmer can read, modify, and delete any program stored in commonproduction main advantage of this approach is efficiency, because programmers can movechanged programs to production libraries in a timely fashion without any red tape,burdensome paperwork, or time-consuming bureaucracy. However, this is a dangerousapproach to Application changes. Because hundreds of maintenance programmers haveupdate access to common production libraries, intentional errors and fatal attacks bydisgruntled programmers are difficult to other traditional approach to Application changes uses a librarian to perform the taskof copying programs from development libraries to production libraries.

8 In this approach,only the librarian has update access to common production libraries. As a result, the risk ofattacks is greatly reduced. After a program has been modified successfully and tested by aprogrammer, forms must be completed authorizing the librarian to move both the sourceand the load programs from the development libraries to the production disadvantage of this second approach is that moving the changed programs into theproduction libraries can take several days under this procedure. For emergency changes,the use of a librarian hinders the timely update of production libraries. Therefore, dailyPrevious screenbusiness operations that depend on the successful outcome of these changes may Associated with the Traditional ApproachesIn addition to the unique inherent risks in each of the two traditional approaches toapplication changes, they share several other risks.

9 For example, use of commonproduction libraries causes information privacy problems, because a programmer who hasread access to the production source library can read and copy any program in this or dishonest programmers can engage in industrial espionage by copyingproprietary programs for sale to the addition, if only the programmer tests changes, erroneous program instructions canslip into production and the System may fail to meet the needs of the organization and theusers. Moreover, having the programming staff perform such incompatible duties as testingchanges and moving the changed program to production creates an opportunity for errorsand irregularities to risk is that programs are subject to accidental loss if there is no strict versioncontrol.

10 Both programmers and the librarian can accidentally copy one program overanother and thereby destroy the first program. Moreover, conflicting changes may be madeto the same program when two or more programmers concurrently modify the sameprogram without being aware of the other's addition, the source programs and its corresponding load program may not becompatible if the load version is copied into the load production library but the sourceprograms is not. Incompatibility between the source and load programs makes futurechanges to a program much more difficult and of the risks associated with the traditional approaches to Application changes,organizations should consider more effective methods. The following section discusses thedesign of an improved System for managing Application of an Application Change Control SystemNew Application Change Control systems are emerging that mitigate the risks associated withapplication System changes, thereby protecting the Application System 's integrity.


Related search queries