I have been searching for the answer to that for a while. As far as I can tell...
Macros and multi-use programs should be formally validated. This means following the Software Development Life Cycle. There is an FDA guidance, "General Principles of Software Validation", that was really helpful in learning more about the SDLC.
One-time-use programs, like those made for just one study, should be validated by means of peer review or independent programming. The book mentioned earlier seems pretty good at explaining this.
While these are only two references, I did also find many papers on the topic that supported them by searching old SAS Global Forum presentations. SAS-L also had some useful discussion.
Since I am new to validation too, I would really like to hear what others think.