S 2.62 Software acceptance and approval Procedure

Initiation responsibility: Head of IT section

Implementation responsibility: Head of IT section

The use of IT for dealing with certain tasks requires that computerised data processing works as perfectly as possible, as the individual results can in most cases not be checked. In the course of a software acceptance process, therefore, it is checked whether the software works without error, i.e. whether the software works with the desired degree of reliability and whether it creates any undesired side effects. With the subsequent approval of the software by the relevant body, permission is granted to use the software. At the same time, this body assumes the responsibility for the IT process implemented by the software.

In regard to software acceptance, a distinction is made between software which was self-developed or developed by a third party and standard software adapted for special uses.

Acceptance of self-developed software or software developed by third parties

Before the order to develop software is placed internally or externally, the software requirements must be defined. These are then used as the basis for the rough and detailed planning for implementation. Using these documents, the relevant body, not the body responsible for the software development, generally draws up an acceptance plan.

In general, test cases and the expected results for the software are determined. Using these test cases, the software is tested and the difference between the calculated and expected result is used as an indication for the correctness of the software.

In order to develop test cases and to implement these tests, the following should be observed:

• The test cases are developed by the relevant body

• No data of the actual operation should be used for test cases

• Test data, particularly if these are compiled by copying actual data, may not contain any confidential information; person related data should be made anonymous or simulated

• The implementation of the tests should have no effect on the actual operation; if possible, a test computer should be used which is logically or physically separate

Acceptance should be denied if;

• Serious errors are detected in the software

• Test cases occur where the calculated results do not correspond to the estimated results

• User manuals or operating instructions are not available or inadequate

• Documentation of the software is not available or inadequate

The results of the acceptance should be set down in writing. The documentation of the acceptance results should include.

• Name and version number of the software and the IT procedure, where applicable

• Description of the test environment

• Test cases and results

• Acceptance declaration.

Acceptance of Standard Software

If standard software is purchased, this should also be subject to acceptance and approval. The acceptance should include checks of whether

• The software is free of computer viruses

• The software is compatible with other products in use

• The software can operate in the intended working environment and which parameters should be set

• The software was delivered with the relevant manuals

• The required functionality is fulfilled.

Approval Procedure

When the software has been accepted, the software has to be approved for use. It should first be determined who is entitled to approve the software. The approval of software should be in writing and suitably filed.

The approval declaration should include:

• Name and version number of the software and the IT procedure, where applicable

• Confirmation that the acceptance has been correctly carried out

• Limitations for use (parameter setting, user group...)

• Approval date from when the software may be used

• The approval declaration itself.

If possible from the point of view of IT, the software should be prevented from being altered or manipulated after approval. Otherwise, this should be stipulated in a provision.

Even after intensive acceptance tests, it may be the case that errors in the software are detected when running. The procedure for such a case should be determined (contact person, troubleshooting, involvement of the relevant body, repetition of the acceptance and approval, version check).

See Chapter 9.1 Standard Software for more details.

Additional controls:

• Is there an acceptance and approval confirmation for all software used?

• Are errors eliminated without the involvement of the relevant body?

• Can software in use be manipulated without being detected?