In an internally developed application (created using Oracle 9i / Developer 2000) dealing with finance and accounts, I am thinking of bringing in best practices so that external auditors do not go about trying to push us into adopting an extremely expensive (JOPS) or any other ERP for lack of controls in the current environment.
Not being a software development company, I can think of bringing in minimal segregation of duties to start with, which will involve segregating application developers from database admin.
Then there would be a separate Test environment where code changes would be tested by end users prior to being pushed into production.
I am also thinking of hiring/identifying an independent Quality Control/Assurance function who would review the code prior to its being pushed into the live environment.
Now, I am having a hard time finding out how I would assure independent ‘preventive’ controls over DB admin activities. For detective controls, I have already tested a nifty utility which allows me to audit Oracle tables and store their historical/changed values in an independent database.
Also, is there a cheaper alternative to hiring a QA function?
What should I use for Version Control management for d2k?
Please advise.