This report is intended for use by the management of the Variable Annuity Life Insurance Company ("VALIC") and its subsidiaries.
VALIC Retirement Services Company ("VRSCO") and VALIC Financial Advisors, Inc. ("VFA"), its user entities, and the independent
auditors of its user entities, and is not intended and should not be used by anyone other than these specified parties.
Back to TOCClick
VALIC
.com 79
Control Objective 12A
- Controls provide reasonable assurance that changes to V-System are tested and approved
by VALICManagement.
Control Objective 12B
- Controls provide reasonable assurance that changes to distributed systems including
SAP are tested and approved by VALICManagement.
VALIC Control Activities
Tests of Operating Effectiveness
Results of Tests
12.4 (12B) Access tomigrate changes to the
production environment is limited to
authorizedVALICmigration personnel
separate fromdevelopment function.
Inspected user access to MS Team Foundation Server
(TFS) to determine whether developers did not
have access to migrate changes to the production
environment.
No exceptions noted.
12.5 (12A, 12B) Mainframe and distributed
application emergency moves and
production fixes are approved by
application managers.
Mainframe
Inspected a sample of mainframe application emergency
moves and minor production fixes to determine whether
they were approved by the application managers in the
Emergency ID database.
No exceptions noted.
Distributed Systems
Inspected a sample of distributed system application
emergency program changes to determine whether
they were approved by the application managers in the
CMNA system.
No exceptions noted.
12.6 (12B) SAP developer update access
to the production environment
is appropriately controlled and
restricted.
Inspected the client settings configuration in Table T000
(client settings) for the in-scope SAP instance to determine
whether client dependent settings and cross - client
independent settings are set to 'non-changeable' in the
production client.
Inspected the listing of users with access to transport
changes into the production environment through TMS to
determinewhether the access is granted via appropriate
roles and restricted to the SAP Solution Center BASIS team.
Inspected the listing of users with access to transport
changes into the production environment through SP2
to determinewhether the access is restricted to the SAP
Solution Center BASIS team.
Inspected the listings of users with access to develop and
transport changes to determinewhether the segregation
of duties exists between users with access to develop and
migrate changes.
Inspected the systemparameters for Generic System IDs
to determine if the access is appropriately configured and
restricted.
Inspected the listing of users with access to SAP_ALL and
SAP_NEWprofiles to determinewhether the access is
appropriately restricted to appropriate users.
No exceptions noted.
No exceptions noted.
No exceptions noted.
No exceptions noted.
No exceptions noted.
No exceptions noted.
12.7 (12B) Test plans and test results
are documented and signed offby
authorized employees for SAP changes.
Inspected a sample of SAP changes to determine
whether test plans and test results were documented
and approved.
No exceptions noted.
IV. VALIC control objectives and controls, and PricewaterhouseCoopers LLP's tests of operating
effectiveness and results of tests