Case Study - ClaimProof Insurance


Issues

Claim Process

The claim process uses an automated adjudication system that evaluates the claim details, the frequency of claims in the customer's history, probabilities, and other complex factors to approve claim payments, suspend payments with referral to a specialist, or deny claims. This process is material in the evaluation of the financial statements.

Audit Methodology

Unqualified Opinions Ltd. has determined that the most efficient audit methodology is to use a previous detailed audit of the process as a benchmark and focus on only the changes to the system. Because the basis for identifying changes to the system is the program change control process, the internal audit department has been asked to perform an audit of the controls affecting the program change control system (PCCS).

Program Change Control System (PCCS)

The PCCS controls the production source and executable program code, operating system configuration parameters, and any batch control processes (.BAT, .CMD and .JCL). The test libraries that contain source and executable code are open to all programmers throughout the installation. After a programmer has completed the testing of a program, the program source is submitted to the program change administrator. The administrator recompiles the program and moves the source and executable code into a production library that is accessible only to the production control team.

In a cost-cutting initiative, the production control team is only available during regular business hours. After hours, if a program change is required, one-time-use passwords are available. The programmer who makes the change must create a change ticket, obtain the one-time password from a file cabinet, and indicate in the password log the change ticket number and the date and time of the change. The programmer can then make the appropriate changes, move the program into production, and note on the move ticket the time and date of the completion of the move.

Each morning, the program change administrator reviews the sign-out log and verifies that the appropriate paperwork has been completed. During an initial interview, the administrator was asked whether further examination of off-hours changes was performed; the response was no. An incident reporting system records all processing disruptions, but there is no reconciliation between the system and the PCCS.

Auditor Concern

The external auditors from Unqualified Opinions Ltd. have expressed concern regarding the synchronization of the production source and executable code and whether any unauthorized changes to production logic have occurred.
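
The morning review described above checks only that the paperwork exists. The following Python is an added example, not part of the case study, that reconciles the password sign-out log and change tickets against actual production library changes. It assumes the production library can export modification timestamps and that regular hours are 08:00 to 18:00 on weekdays; all record layouts and sample data are constructed.

```python
from datetime import datetime, time

# Constructed sample records; field layouts are assumptions, not ClaimProof's formats.
PASSWORD_LOG = [  # (change ticket number, one-time password sign-out time)
    ("CT-101", "2024-03-04 22:10"),
    ("CT-102", "2024-03-05 01:30"),
    ("CT-103", "2024-03-06 23:00"),
]
CHANGE_TICKETS = {  # ticket -> (program, completion time noted on the ticket)
    "CT-101": ("ADJUD01", "2024-03-04 23:00"),
    "CT-103": ("PAYCALC", "2024-03-06 23:45"),
}
LIBRARY_EVENTS = [  # (program, time the production library member changed)
    ("ADJUD01", "2024-03-04 22:40"),
    ("PAYCALC", "2024-03-07 02:15"),
    ("REFER02", "2024-03-05 03:05"),
    ("ADJUD01", "2024-03-06 10:00"),
]
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed regular hours

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def after_hours(t):
    return t.weekday() >= 5 or not (BUSINESS_START <= t.time() < BUSINESS_END)

def reconcile(password_log, tickets, events):
    findings, windows = [], []
    for ticket, signed_out in password_log:
        if ticket not in tickets:  # password taken against a ticket that was never filed
            findings.append(("NO_TICKET", ticket))
            continue
        program, completed = tickets[ticket]
        # Authorized window: password sign-out until the noted completion time.
        windows.append([ticket, program, ts(signed_out), ts(completed), False])
    for program, changed in events:
        when = ts(changed)
        if not after_hours(when):
            continue  # daytime moves go through the production control team
        hit = next((w for w in windows
                    if w[1] == program and w[2] <= when <= w[3]), None)
        if hit:
            hit[4] = True  # this change is explained by a ticket and sign-out
        else:
            findings.append(("UNEXPLAINED_CHANGE", f"{program} {changed}"))
    # Password signed out but no matching production change inside the window.
    findings += [("PASSWORD_UNUSED", w[0]) for w in windows if not w[4]]
    return sorted(findings)

if __name__ == "__main__":
    for kind, detail in reconcile(PASSWORD_LOG, CHANGE_TICKETS, LIBRARY_EVENTS):
        print(kind, detail)
```

Each finding is a follow-up item for the program change administrator; the same window-matching approach could be extended to match incident records against PCCS changes.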