CSD-RT RFP Recordkeeping_Administration Services Response 3-

This report is intended for use by the management of the Variable Annuity Life Insurance Company ("VALIC") and its subsidiaries.

VALIC Retirement Services Company ("VRSCO") and VALIC Financial Advisors, Inc. ("VFA"), its user entities, and the independent

auditors of its user entities, and is not intended and should not be used by anyone other than these specified parties.

Back to TOC

Click

VALIC

.com 79

Control Objective 12A

- Controls provide reasonable assurance that changes to V-System are tested and approved

by VALICManagement.

Control Objective 12B

- Controls provide reasonable assurance that changes to distributed systems including

SAP are tested and approved by VALICManagement.

VALIC Control Activities

Tests of Operating Effectiveness

Results of Tests

12.4 (12B) Access tomigrate changes to the

production environment is limited to

authorizedVALICmigration personnel

separate fromdevelopment function.

Inspected user access to MS Team Foundation Server

(TFS) to determine whether developers did not

have access to migrate changes to the production

environment.

No exceptions noted.

12.5 (12A, 12B) Mainframe and distributed

application emergency moves and

production fixes are approved by

application managers.

Mainframe

Inspected a sample of mainframe application emergency

moves and minor production fixes to determine whether

they were approved by the application managers in the

Emergency ID database.

No exceptions noted.

Distributed Systems

Inspected a sample of distributed system application

emergency program changes to determine whether

they were approved by the application managers in the

CMNA system.

No exceptions noted.

12.6 (12B) SAP developer update access

to the production environment

is appropriately controlled and

restricted.

Inspected the client settings configuration in Table T000

(client settings) for the in-scope SAP instance to determine

whether client dependent settings and cross - client

independent settings are set to 'non-changeable' in the

production client.

Inspected the listing of users with access to transport

changes into the production environment through TMS to

determinewhether the access is granted via appropriate

roles and restricted to the SAP Solution Center BASIS team.

Inspected the listing of users with access to transport

changes into the production environment through SP2

to determinewhether the access is restricted to the SAP

Solution Center BASIS team.

Inspected the listings of users with access to develop and

transport changes to determinewhether the segregation

of duties exists between users with access to develop and

migrate changes.

Inspected the systemparameters for Generic System IDs

to determine if the access is appropriately configured and

restricted.

Inspected the listing of users with access to SAP_ALL and

SAP_NEWprofiles to determinewhether the access is

appropriately restricted to appropriate users.

No exceptions noted.

12.7 (12B) Test plans and test results

are documented and signed offby

authorized employees for SAP changes.

Inspected a sample of SAP changes to determine

whether test plans and test results were documented

and approved.

No exceptions noted.

IV. VALIC control objectives and controls, and PricewaterhouseCoopers LLP's tests of operating

effectiveness and results of tests