Separate QA test environment?

  • I’m looking for suggestions on compensating controls when the client doesn’t have a separate QA test environment. Developers test in their own libraries. QA testing is performed but it is performed using individual libraries for data and executing the program from a QA library. This approach is fine but there could be some risk that not all defects are caught because the data used to test with is localized. The QA testing is performed by another person.
    Does anyone have suggestions for compensating controls?

  • This separate QA environment issue was mentioned to the external auditor. They don’t think of it as any big deal, which was a complete surprise.
    I guess we could conclude that a separate QA environment can be a key control but we could actually move it to a non-key control status since the external auditor was not concerned about it. There is a part of us that still worries if they will reverse themselves like they have done so many times before. We have learned not to trust what they say since it changes all the time.

  • ugogirl
    Excuse me, but I don't understand. If your client has the 3 environments, Production - QA - Test, the only thing that it needs to do is separate the environments; that is easier than finding a control. Do the end users test and approve the changes?
    Any comments, please send me an email. Best Regards

  • skyranch,
    I’m looking for suggestions on compensating controls when the client doesn’t have a separate QA test environment.
    The client does NOT have a separate QA environment even though the current policy states that they should.
    A separate QA environment was identified as a key control last year and a deficiency was documented for the lack of a separate QA environment.
    QA testing is performed in individual libraries. SOD exists but there is not a shared QA test environment.

  • It may be enough to separate production and development environments depending on the other controls around programme change.
    Whilst it is certainly desirable to have three environments, if you do not have bespoke or highly customised systems the lack of the third environment may not be a material or significant weakness.

  • We have a lot of custom developed applications. We are now considering a separate QA environment as best practice (not a SOX requirement) since the external auditor doesn’t seem to have any issues, which is a bit surprising.
