Introduction
Under ITIL Organizational Change Management, system and program changes should be standardized, documented, tested, and formally approved before being placed into production. This audit evaluated whether Gee Mail's production deployments followed two Change Control guidelines:
- Changes are approved by a manager (not a developer).
- Approvals occur before deployment.
The audit's two questions, in plain terms: who signed off, and did they sign off in time?
Methodology
Audit objectives were to confirm testing/approval timing and segregation of duties for production deployments. Using the provided Git log, testing log, and IT employee list, the following tests were performed:
-
Matched each production commit (
SHA1) to a test approval record using the application hash. - Compared test approval timestamp to production deployment timestamp to identify any post-deployment testing.
- Mapped each tester employee ID to job title to verify that approvals were made by a manager.
- Flagged self-testing where the author and tester were the same person.
- Aggregated results to compute compliance rates and identify exceptions.
Results
The sample contained 43 production deployments. All deployments had a matching test record and all tests were approved before deployment (0 post-deployment approvals). The primary control gap was segregation of duties: 3 deployments (7.0%) were approved by developers, and all of these were self-tests. Typical approval lead time was about 23.3 hours before deployment, with a range of 19.2 to 26.4 hours.
| Control test | Count | Percent |
|---|---|---|
| Production deployments in sample | 43 | 100.0% |
| Has a test record | 43 | 100.0% |
| Test approved before deployment | 43 | 100.0% |
| Test approved after deployment | 0 | 0.0% |
| Test approved by a manager | 40 | 93.0% |
| Test approved by a developer (exception) | 3 | 7.0% |
| Self-tested (author also approved test) | 3 | 7.0% |
| Fully compliant (manager-approved + pre-deploy) | 40 | 93.0% |
The managers are Heidi Pound, Bethel Hindman, Wyatt Tubbs, and Rachelle Munsterman.
| Deployed (CommitDate) | Commit | Author | Tester | Issue |
|---|---|---|---|---|
| 2023-02-04 04:48 | e2372fe8 |
Jessica Pettie | Jessica Pettie | Developer approved own change |
| 2023-05-31 07:12 | 14a706c4 |
Jessica Pettie | Jessica Pettie | Developer approved own change |
| 2023-09-17 14:24 | 5afe24ff |
Vita Harryman | Vita Harryman | Developer approved own change |
From the Source Data
The numbers above are reproducible directly from
SecurityDataAnalysis.xlsx. The workbook contains three
relevant sheets — employeelist, gitlog, and
testinglog. Aggregating them produces the following
breakdowns.
Commits by author
Counting rows in the gitlog sheet by the
Name column:
| Author | Title | Commits |
|---|---|---|
| Jessica Pettie | Developer | 28 |
| Vita Harryman | Developer | 15 |
| Total | 43 | |
Test approvals by tester
Counting rows in the testinglog sheet by tester, after
joining EmployeeID to employeelist:
| Tester | Title | Approvals |
|---|---|---|
| Bennett Sanchez | Manager | 14 |
| Wyatt Tubbs | Manager | 13 |
| Bethel Hindman | Manager | 13 |
| Jessica Pettie | Developer | 2 |
| Vita Harryman | Developer | 1 |
| Total | 43 | |
The three developer-approved rows in this table are the same three exceptions surfaced in Table 2 above — the segregation of duties failures are isolated to two developers (Jessica Pettie and Vita Harryman) who also happen to be the only authors in the sample.
Workforce composition
From the employeelist sheet — useful context when
interpreting how concentrated approval responsibility is at Gee Mail:
| Title | Count |
|---|---|
| Developer | 45 |
| Manager | 5 |
| Total | 50 |
Risk Analysis
While timing controls were effective (100% of approvals occurred pre-deployment), the segregation-of-duties control failed for 3 deployments. Developer self-approval increases the likelihood that defects, insecure code, or unauthorized changes reach production without independent review.
Even a low exception rate can be high impact because a single unreviewed change may introduce data exposure, service interruption, or noncompliance findings during external audits.
Timing was perfect; segregation was not. The audit shape — green on one control, three red rows on another — is a clean illustration of why both halves of "approved by a manager, before deployment" matter independently.
Recommendations
- Enforce manager-only approval: require a manager role for test sign-off in the testing workflow and block deployments without it.
- Prevent self-testing: require tester employee ID to differ from author employee ID for standard changes.
- Implement an emergency change path: allow expedited deployment only with documented emergency reason and mandatory post-implementation manager review within 24 hours.
- Add automated controls that verify (a) test approval exists, (b) approval timestamp precedes deployment, and (c) approver role is manager.
- Monitor and report: weekly exception report to management covering any developer-approved or post-deploy-tested changes.