Documentation
Organizations should maintain detailed documentation for each application and application system in production. Thorough documentation enhances an organization’s ability to understand functional, security, and control features and improves its ability to use and maintain the software. The documentation should contain detailed application descriptions, programming documentation, and operating instructions. Standards should be in place that identify the type and format of required documentation such as system narratives, flowcharts, and any special system coding, internal controls, or file layouts not identified within individual application documentation.
Management should maintain documentation for internally developed programs and externally acquired products. In the case of acquired software, management should ensure prior to purchase (either through an internal review or third-party certification) that an acquired product's documentation meets the organization's minimum documentation standards. For additional information regarding acquired software distinctions (open/closed code), refer to the "Escrowed Documentation" discussion in the "Acquisition" section.
Examiners should consider access and change controls when assessing documentation activities. Change controls help ensure organizations appropriately approve, test, and record software modifications. Access controls help ensure individuals only have access to sections of documentation directly related to their job functions.
System documentation should include:
System Descriptions – System descriptions provide narrative explanations of operating environments and the interrelated input, processing, and output functions of integrated application systems.
System Documentation – System documentation includes system flowcharts and models that identify the source and type of input information, processing and control actions (automated and manual), and the nature and location of output information.
System File Layouts – System file layouts describe collections of related records generated by individual processing applications. For example, personnel may need system file layouts to describe interim files, such as sorted deposit transaction files, in order to further define master file processing requirements.