Contributed 8/29/00 by Carolann Lazurus (Clazarus@business.buffalo.edu)

Program Change Review - MVS Audit Program

Objective: The objective of this review is to ensure that FSC program turnover procedures and standards are being followed.


A.	Review the prior audit report comments and management's replies to determine if prior concerns exist for the current review.

B.	Using the Librarian JCL LIBRINDX in NSA.XCHGCNTL.LIB, run a listing of IBM source programs changed within the last __ days from each Librarian production library.

C.	To verify that Production Control's procedure to ensure that the source equals the object is being utilized, select a sample of programs (Cobol,Assembler,PLI). from the above list and perform the following:

1.	Utilize the Librarian ELIPS facility to determine the last "history record" time and date for the production source (ie., the last time and date the source was updated in TEST before being ,moved to production).
Note 3: An additional procedure would be to run AMBLIST to get the link edit date for comparison to the source date.

Note 4: A second additional procedure would be to take a sample of load module members recently changed (by running IEHIJIST utility against each PDS load library), verify that the source exists, and perform steps 1 and 2.

Note 5: Some items in the sample should be within 5 days so physical documents within the Turnover department can be examined. Turnover documents are discarded if a SWR didn't generate the change (ie. There is no program packet to file the documents)

Step D or F below should be performed based on inquiry with the programmer who made the change.

Turnovers outside Panapt -

D.	From the sample in step C, verify the turnover documentation process by obtaining the Turnover Checklist (and supporting documents) and performing the following:

1.	Ensure forms are complete according to Standards,

2.	compare authorized signature to FSC authorized signature list, and

3.	that the date and time stamp on the LIBARIAN MEMBER AND LOAD MODULE TURNOVER FORM agrees to the program (source's last "history record" date or load module slat date).

4.	Ensure that an authorized user sign-off of acceptance testing was obtained.
2.	Agree the above date to the load module's Slat variable (type FIND SLAT at the command line when viewing the load module).

Note 1:	Exclude 4th generation languages such as Easytrieve from the sample since date/time (Slat) variables are not used.

Note 2:	An alternate sampling method can be employed for Panapt generated requests only. You can satisfy audit steps F through I by browsing Panapt for all recent move requests that have been moved to production. (Signon to Panapt, choose Action "M" to display move request choices, choose Action "B" to browse, and place an "X" in the "Moved to Production" field.) This will show you the most recent move requests first.

Panapt Turnovers -

E.	Review the Panapt Control File to ensure that personnel assigned with approval capacity are indeed the proper level of S&P management. All IDs with approval categories 1 & 2 can be obtained by running report APCS51O3 in NSA.XLIBR91.LIB. Inquiries for individual user IDs can be performed through ACF2.

F.	From the sample in step C, obtain the Panapt Move Request number from the programmer who made the change and perform the following:


1.	Sign on to Panapt and verify that S&P management approvals exist. Approval Categories 1 & 2 should represent s&p management. They can be seen by first performing an inquiry (INQ) on that move request number and then viewing approvals (by typing VA at the command line).

Note:	ensure that the approver did not submit the request.

2.	Verify that the date and time that s&p management approved the request on Panapt is not earlier than the program's (source's last "history record" date or load module slat date).

3.	Ensure that an authorized user sign-off of acceptance testing was obtained.

G.	Perform a coding review on the above sample to determine that the changes actually made agree to the approved request as follows:

1.	Run LIBRPRNT to get a complete listing of the program and LIBRCHG for a comparison of the changes (if not a new program). Note: The programs are in NSA.XCHGCNTL.LIB

2.	From the TURNOVER CHECKLIST, Panapt "Service Request" field, or inquiry with the programmer who submitted change, determine if a SWR, PIX, or System Support Problem caused the change. Obtain the appropriate support to determine the nature of the change and review it against the actual program changes. Note: If the source program includes subprogram changes, determine if they were also placed into production.

3.	Review the documentation in step 2 to FSC standards and determine run/user/program documentation were changed when applicable.

4.	Verify change comments were included in the source code according to FSC standards.

Step H. below is best performed based on inquiry with the programmer who made the change to determine if it occurred under Panapt's control.

H.	Select a sample of - recently changed production PROC's and JCL (from the listing created by running the SAS program JOBCHGS in NSA.XCI~GCNTL.LIB) and perform the following:

Turnovers outside Panapt -

1.	Ensure forms are complete according to Standards, and

2.	compare authorized signature to FSC authorized signature list.
note: Ensure the sample is for turnovers which occurred within 5 days in order for the documentation to be found in the Turnover department.

Panapt Turnovers -

3.	From the sample, obtain the Panapt Move Request number from the programmer who made the change and performing the following:

a.	Sign on to Panapt and verify that S&P management approvals exist. Approval Categories 1 & 2 should represent S&P management. They can be seen by first performing an inquiry (INQ) on that move request number and then viewing approvals (by typing VA at the command line).

Note:	ensure that the approver did not submit the request.

b.	Verify through ACF2 inquiry that the user ID listed (for Approval Categories 1&2) is indeed the proper level of S&P management.

Note:	If not already done globally in audit step E.

c.	Verify that the date and time that S&P management approved the request on Panapt is not earlier than the Proc/JCL date on the report.

I.	Perform a review of __ Control library member changes as indicated in step H. Obtain the sample by browsing the control libraries in TSO for recently changed members.