Test Application Once, then rely on Change Mgmt. testing ? 2394
Netmation last edited by
Have a situation where we have an internally developed financial application. We performed detailed testing as it relates to financial data end to end, last year. We felt that this was a one time exercise and as long as we perform detailed testing on any changes made to the system with documented test cases, we would not have to go through the time consuming exercise for performing a detailed end to end test.
However, our auditors are telling us differently, that we need to re-preform a complete test if any change was made to the system. Anyone else experiencing similar situations?
NC last edited by
Auditors will keep telling a lot.
Our auditors were good (sane) enough to understand what a time and resource consuming exercise an end to end review would be, so require us to carry out an end to end test only for new modules. application change management procedure would take care of the subsequent changes.
Note: I have experience scenarios where the IT department fail to test cross module dependencies and dependencies on validations previously configured, resulting in such validation controls rendered ineffective. It would be a better idea to include a dependency check in the application change management process as well
WrightLot last edited by
I have heard differing views on this but I my understanding from our auditors is that once a system is baselined then wewould not be required to repeat that the following year. There would however still be sample testing with a sample size of ‘1’ to demonstrate the system is still operating effectively and change management would have to be undertaken properly and tested accordingly.
I don’t think you are right that it is a one time exercise as various auditors have indicated to me that they would expect a revisit of the baselining exercise after 4 yeas or so irrespective of the change management process (I guess from a risk perspective they feel that the longer we leave it the greater the risk that something could happen that we’ve missed). As you say this baselining is costly and when I learnt that I had to redo it I began to wonder whether it was as ‘cost effective’ as auditors made out or whether it was ‘revenue effective’ for them.