INTERNAL AUDIT Program Development Framework

[aka System Development Lifecycle (SDLC)]


The framework is customized as needed based on the type of project, because expectations vary depending on: cloud vs. on-premise, vendor out-of-the-box vs. vendor customized, program / application development vs. data conversion / migration, or combinations of these. We used the PwC framework as the basis.

Each element below lists the Tasks (for which we seek evidence to support), the Risk (what could go wrong if the task is not performed) and, where assigned, the related SOX control reference.

Element: Overall Management / Project Governance (SOX control PD-01)
  Tasks:
  - Policies & procedures
  - Project management (tasks, timing, dependencies, requirements, identification & inclusion of all key stakeholders, etc.)
  - Vendor management (SOW, deliverables, P&Ps, issues mgt, testing, approvals, etc.)
  - Separate environments (DEV, QA, PROD with appropriate access controls)
  - Business sponsor approval
  Risk:
  - There is a risk of unexpected delays, reduced quality, increased costs and value erosion associated with missed deliverables, unrecognized dependencies, or failure to identify or consider the needs of all key stakeholders.
  - Unauthorized access to data may be granted, and/or users may be granted incompatible duties within the application environment.
  - The project may not have clearly defined benefits, may not adequately achieve business goals, and the new technology may not be readily adopted by the business when complete.

Element: Initiation, Analysis & Design (SOX control PD-02)
  Tasks:
  - System & interface dependencies
  - High level functional design
  - Business requirements (including any legal or compliance requirements, key reports, etc.)
  - System requirements (including business sponsor sign-off)
  - User access security design (access mgt, quarterly access reviews, privileged user mgt, application of SOD analysis results, etc.)
  - Design of controls (configuration, automated, interface C&A, SOD restrictions, etc.)
  - SOX Controls Impact assessment (impact to existing controls, new controls, revised controls) if in-scope SOX application
  - Data conversion / migration strategy
  Risk:
  - Interfaces may have incomplete, inaccurate or invalid data being transferred, which may result in the system not being able to record and produce accurate, complete and valid financial statements.
  - Without key functional specifications, project goals and objectives, it is difficult to design adequate test plans and to assess overall project success.
  - System design should be fully defined and documented, and final specifications reviewed and approved prior to full-scale development, to provide reasonable assurance that the specifications meet user requirements.
  - The system may compromise information integrity and the security of information assets handled within business processes, leading to potential fraud or financial misstatements.
  - Systems and processes may have inadequate internal controls, leading to overbillings, fulfilment errors, inaccurate financial reporting information, reduced customer satisfaction levels, and other undesirable outcomes.
  - Systems may have inadequate IT general controls, leading to system performance issues, inappropriate/unauthorized user access, inappropriate/unauthorized system changes, inaccurate data, and other undesirable outcomes.
  - Data integrity, completeness and accuracy could be compromised when transferring data between computer systems or storage formats.
Flowers Foods Confidential
Element: Initiation, Analysis & Design (continued)
  Tasks:
  - Project risk assessment (including information & system security)
  Risk:
  - Without a robust risk management and mitigation process, there is a greater probability that a risk will negatively impact scope, budget, quality, timing or information security.

Element: Construction / Selection
  Tasks:
  - Version control (establish & communicate standards)
  - Programming standards
  Risk:
  - Failure to keep track of changes during development could introduce conflicts or problems, including lost source code, overwritten code, or difficulty merging changes made by multiple developers, resulting in system integrity issues.

Element: Segregation of Duties (SOX control PD-02)
  Tasks:
  - Segregation of Duties (impact of new / altered transactions, database access, change mgt, etc.)
  Risk:
  - Unauthorized access to data may be granted, and/or users may be granted incompatible duties within the application environment. The SOD analysis should support the user access security design as well as the design of controls.
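The SOD analysis the framework asks for can be expressed as a small rule check over the application's role model and its user-role export. The following is an added illustration, not part of the Flowers Foods framework or any PwC material; the roles, permissions, conflict rules (SOD-01 to SOD-04) and user assignments are constructed assumptions. It shows both uses the text names: a design-time view (which role pairs may never be co-assigned, and whether any single role is toxic on its own) that feeds the user access security design, and a detective check over actual assignments that feeds the design of controls and the quarterly access review.

```python
"""Segregation-of-duties (SOD) analysis over role-based access assignments.

Added illustration for the SOD element of the framework; the roles,
permissions, conflict rules and user assignments below are constructed
examples, not Flowers Foods' actual access model.
"""
from itertools import combinations

# Permissions granted by each application role (constructed).
ROLE_PERMISSIONS = {
    "AP_CLERK":        {"vendor.create", "invoice.enter"},
    "AP_MANAGER":      {"payment.approve", "invoice.enter"},
    "GL_ACCOUNTANT":   {"journal.post"},
    "GL_REVIEWER":     {"journal.approve"},
    "DEVELOPER":       {"code.develop"},
    "RELEASE_MANAGER": {"code.migrate_prod"},
    "DBA":             {"db.direct_update"},
}

# Incompatible duties: no single person may hold both permissions (constructed).
SOD_RULES = {
    "SOD-01": ("vendor.create", "payment.approve"),     # create vendor vs. pay vendor
    "SOD-02": ("journal.post", "journal.approve"),      # post vs. approve journal entry
    "SOD-03": ("code.develop", "code.migrate_prod"),    # develop vs. migrate to PROD
    "SOD-04": ("db.direct_update", "payment.approve"),  # direct DB access vs. approve
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of permissions over a user's roles. Roles missing from the model
    are returned separately so they are reviewed rather than silently ignored."""
    perms, unknown = set(), []
    for role in roles:
        if role in role_permissions:
            perms |= role_permissions[role]
        else:
            unknown.append(role)
    return perms, unknown


def sod_conflicts(user_roles, role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Detective check on actual assignments.

    Returns {user: [(rule_id, roles_granting_side_a, roles_granting_side_b), ...]}
    for users holding both sides of at least one rule."""
    findings = {}
    for user, roles in user_roles.items():
        perms, _ = effective_permissions(roles, role_permissions)
        hits = []
        for rule_id, (a, b) in rules.items():
            if a in perms and b in perms:
                via_a = sorted(r for r in roles if a in role_permissions.get(r, ()))
                via_b = sorted(r for r in roles if b in role_permissions.get(r, ()))
                hits.append((rule_id, via_a, via_b))
        if hits:
            findings[user] = hits
    return findings


def conflicting_role_pairs(role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Preventive, design-time view: role pairs whose combined permissions
    violate a rule, so the access design can block them before provisioning."""
    pairs = set()
    for r1, r2 in combinations(sorted(role_permissions), 2):
        perms = role_permissions[r1] | role_permissions[r2]
        if any(a in perms and b in perms for a, b in rules.values()):
            pairs.add((r1, r2))
    return pairs


def toxic_roles(role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Single roles that violate a rule on their own: a design defect in the
    role model, not an assignment error."""
    return sorted(r for r, perms in role_permissions.items()
                  if any(a in perms and b in perms for a, b in rules.values()))


# Constructed user-to-role assignments, as exported from the application.
USER_ROLES = {
    "jdoe":    ["AP_CLERK", "AP_MANAGER"],        # violates SOD-01
    "asmith":  ["GL_ACCOUNTANT"],
    "bwong":   ["DEVELOPER", "RELEASE_MANAGER"],  # violates SOD-03
    "svc_etl": ["DBA"],
    "tlee":    ["GL_REVIEWER", "LEGACY_ROLE"],    # LEGACY_ROLE is not in the model
}

if __name__ == "__main__":
    for user, hits in sod_conflicts(USER_ROLES).items():
        for rule_id, via_a, via_b in hits:
            print(f"{user}: {rule_id} via {via_a} + {via_b}")
    print("role pairs that must never be co-assigned:", sorted(conflicting_role_pairs()))
    print("roles that violate a rule by themselves:", toxic_roles())
```

The two outputs map onto the framework's two uses of the SOD analysis: `conflicting_role_pairs` and `toxic_roles` are evidence for the user access security design (what the role model must prevent), while `sod_conflicts` is the detective control run against the real user-role export during UAT and at each quarterly access review. Roles the model does not know about are surfaced rather than dropped, since an unmapped role is exactly where an unreviewed incompatible duty hides.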
Element: Testing & Quality Assurance (SOX control PD-04)
  Tasks:
  - Test plans (documentation & evidence)
  - IT testing (unit, system, integrated, regression, volume / stress, security, etc.)
  - Migration of code (between environments)
  - Business / User Acceptance testing (critical functions, key reports, validation / reconciliation, interface C&A, SOX controls, user security, etc.)
  Risk:
  - If not tested adequately, the developed solution may not meet defined business and technical requirements, handle the expected transaction volume and response time, produce accurate results, or operate reliably.
  - Program and system defects/issues may not be logged, tracked, categorized or prioritized in a manner that allows timely remediation of critical issues. This could lead to inaccurate financial reporting, lost sales opportunities, etc.

Element: Data Conversion / Migration (SOX control PD-06)
  Tasks:
  - Data completeness (includes documented extraction plans, transformation rules, data cleansing, data mapping, etc.)
  - Data accuracy
  - Data validity
  - Business sponsor/mgt approval of final results
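The three data conversion tasks (completeness, accuracy, validity) become concrete in the cut-over reconciliation that the business sponsor signs off. The following is an added illustration, not part of the Flowers Foods framework; the record layouts, the documented transformation rules (trim and upper-case the name, map the status code, convert cents to a decimal amount) and the sample rows are constructed assumptions. The constructed target load seeds the three defect types the framework warns about: a dropped row, a transposed amount and an invalid status on a row that never existed in the source.

```python
"""Cut-over reconciliation for a data conversion: completeness, accuracy and
validity checks between a legacy extract and the target load.

Added illustration for the Data Conversion / Migration element; the record
layouts, transformation rules and sample rows are constructed assumptions,
not Flowers Foods' actual data or mapping rules.
"""
import hashlib
import re
from decimal import Decimal

# Constructed legacy extract: untrimmed names, coded status, amounts in cents.
SOURCE = [
    {"cust_id": "C001", "name": " Acme Bakery ",  "status": "A", "balance_cents": 125000},
    {"cust_id": "C002", "name": "Main St Deli",   "status": "I", "balance_cents": 0},
    {"cust_id": "C003", "name": "Riverside Cafe", "status": "A", "balance_cents": 49950},
    {"cust_id": "C004", "name": "Hilltop Market", "status": "A", "balance_cents": 7000},
]

# Constructed target load with three seeded defects: C004 was dropped, C003's
# balance has transposed digits, and C999 was introduced with an invalid status.
TARGET = [
    {"customer_id": "C001", "name": "ACME BAKERY",    "status": "ACTIVE",   "balance": Decimal("1250.00")},
    {"customer_id": "C002", "name": "MAIN ST DELI",   "status": "INACTIVE", "balance": Decimal("0.00")},
    {"customer_id": "C003", "name": "RIVERSIDE CAFE", "status": "ACTIVE",   "balance": Decimal("499.05")},
    {"customer_id": "C999", "name": "UNKNOWN",        "status": "PENDING",  "balance": Decimal("10.00")},
]

STATUS_MAP = {"A": "ACTIVE", "I": "INACTIVE"}   # documented mapping rule (assumed)
VALID_STATUSES = set(STATUS_MAP.values())


def transform(src):
    """Apply the documented transformation rules to a source row so the
    accuracy check compares like with like. An unmapped status code raises,
    which is the right outcome for a rule the mapping document did not cover."""
    return {
        "customer_id": src["cust_id"],
        "name": src["name"].strip().upper(),
        "status": STATUS_MAP[src["status"]],
        "balance": Decimal(src["balance_cents"]) / 100,
    }


def control_totals(rows):
    """Record count, amount total and an order-independent hash total over
    key and amount: the figures a sponsor signs off against."""
    digest = hashlib.sha256()
    for r in sorted(rows, key=lambda r: r["customer_id"]):
        digest.update(f"{r['customer_id']}|{r['balance']:.2f}\n".encode())
    total = sum((r["balance"] for r in rows), Decimal(0))
    return {"count": len(rows), "total": total, "hash": digest.hexdigest()}


def validity_issues(target):
    """Domain checks on the loaded data, independent of the source."""
    issues = []
    for t in target:
        cid = t["customer_id"]
        if not re.fullmatch(r"C\d{3}", cid):
            issues.append((cid, "customer_id", cid))
        if not t["name"].strip():
            issues.append((cid, "name", t["name"]))
        if t["status"] not in VALID_STATUSES:
            issues.append((cid, "status", t["status"]))
        if t["balance"] < 0:
            issues.append((cid, "balance", str(t["balance"])))
    return issues


def reconcile(source, target):
    """Completeness (every key landed exactly once, nothing extra, control
    totals agree), accuracy (field-level match after transformation) and
    validity. 'passed' is True only when all three are clean."""
    expected = {t["customer_id"]: t for t in map(transform, source)}
    loaded = {t["customer_id"]: t for t in target}
    missing = sorted(expected.keys() - loaded.keys())
    unexpected = sorted(loaded.keys() - expected.keys())
    duplicates = len(target) - len(loaded)          # keys loaded more than once
    mismatches = []
    for cid in sorted(expected.keys() & loaded.keys()):
        for field in ("name", "status", "balance"):
            if expected[cid][field] != loaded[cid][field]:
                mismatches.append((cid, field, expected[cid][field], loaded[cid][field]))
    source_ct = control_totals(list(expected.values()))
    target_ct = control_totals(target)
    validity = validity_issues(target)
    passed = (not missing and not unexpected and duplicates == 0
              and not mismatches and not validity and source_ct == target_ct)
    return {
        "completeness": {"missing": missing, "unexpected": unexpected,
                         "duplicates": duplicates, "source": source_ct, "target": target_ct},
        "accuracy": mismatches,
        "validity": validity,
        "passed": passed,
    }


if __name__ == "__main__":
    report = reconcile(SOURCE, TARGET)
    for section in ("completeness", "accuracy", "validity"):
        print(section, report[section])
    print("go-live reconciliation passed:", report["passed"])
```

The report, not a green/red flag, is what goes to the sponsor: the missing and unexpected keys, the field-level mismatches and the invalid rows are the evidence the audit program asks for under PD-06, and the control totals (count, amount, hash) are what a sponsor can compare against the legacy system's own figures without re-running the load.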
  Risk:
  - Incomplete, inaccurate or invalid data migration and cut-over activities may result in the system not being able to record and produce accurate, complete and valid financial statements.

Element: Program Implementation (SOX control PD-05)
  Tasks:
  - Implementation approval (all business sponsors and IT senior mgt)
  - Version control (conformance to established standard)
  - Risk management (during project and including issue mgt strategy post go-live)
  - User / technical documentation (knowledge transition)
  - Training (technical support, security administration, end user, etc.)
  Risk:
  - Without sign-off and approval from all key stakeholders to go-live, there is a risk that not all affected areas are notified, that unresolved issues impact system readiness for production, and that a successful transfer into the production environment does not occur.
  - Version control and risk management: see the corresponding risks under Construction / Selection and Initiation, Analysis & Design above.
  - Without adequate training, knowledge transition and reference material, it may be difficult to use and support the system after go-live.
In addition to the above development controls, we assess the operational processes designed and communicated for ongoing maintenance and support beginning at go-live, including:
  - Program change mgmt.
  - Configuration change mgmt.
  - Patch/update mgmt.
  - User administration & monitoring
  - Privileged access administration & monitoring
  - Emergency access management
  - Database management
  - SOD monitoring
  - Job scheduling & monitoring
  - System monitoring & mgmt.
  - Backup & restore / DRP
  - SOX compliance (if applicable)