
IT Change Management — IT Certificate

            software, hardware, and data/information) supporting the organization’s critical business processes
            and data repositories.

            Governance — Second and Third Lines

            As the organization’s second line, the change approval board is the group of IT and business leaders
            accountable for assessing and approving change requests before they are moved to production.

            As the organization’s third line, the internal audit activity can validate the existence and adequacy of
            the change management process and can provide assurance that the controls supporting the
            process are designed appropriately and operating effectively.

            Risks and Controls

            The treatment of risks and exploitation of opportunities related to change management requires
            controls to ensure all changes are authorized and auditable, and that unauthorized changes are
            investigated. Change management controls are an integral part of an organization’s IT general
            controls (ITGCs).

            Change management controls enable management to address new development projects,
            regulations, and system changes effectively and efficiently while appropriately utilizing resources. A
            key aspect of an effective control environment is that an organization has a comprehensive, well-
            defined combination of preventative, detective, and corrective controls.
            • Preventive controls include segregation of roles/duties and change authorization.
            • Detective controls should be designed to monitor the production environment for changes,
              reconcile each detected change to an approved change request, and report unauthorized
              variances.
            • Corrective controls implemented during outages and service impairments allow change to be
              ruled out first in the repair cycle, thereby reducing repair time.
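            The detective control described above, a reconciliation of observed production changes against the change approval board's register, can be automated. The following is an added example, not code from the IIA course material: it assumes a deployment log that carries a change-ticket reference and an approval register with an approved asset, time window and approver, and it reports each variance (no ticket, unknown ticket, wrong asset, change outside the approved window, or the approver deploying their own change, which violates segregation of duties). All records below are constructed for illustration.

```python
"""Reconcile observed production changes against approved change records.

Added example (not from the IIA course material). Assumptions: deploy
metadata carries a change-ticket id, and the approval register records the
asset, approved window and approver for each ticket. All data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ApprovedChange:
    change_id: str
    asset: str                 # system the change approval board authorized for change
    window_start: datetime
    window_end: datetime
    approver: str              # who approved the ticket (for segregation-of-duties check)


@dataclass(frozen=True)
class ObservedChange:
    asset: str
    timestamp: datetime
    change_id: Optional[str]   # ticket reference carried in the deploy metadata, if any
    actor: str                 # who made the change in production


# Reason strings used in the variance report.
NO_TICKET = "no change ticket referenced"
UNKNOWN_TICKET = "ticket not in approval register"
WRONG_ASSET = "asset not covered by ticket"
OUTSIDE_WINDOW = "outside approved window"
SOD_VIOLATION = "actor approved their own change"


def reconcile(observed: List[ObservedChange],
              approved: List[ApprovedChange]) -> List[Tuple[ObservedChange, str]]:
    """Return (observed change, reason) for every change that cannot be
    matched to an approved, in-window ticket executed by someone other than
    the approver. An empty list means every observed change was authorized."""
    register = {a.change_id: a for a in approved}
    variances = []
    for obs in observed:
        if obs.change_id is None:
            variances.append((obs, NO_TICKET))
            continue
        ticket = register.get(obs.change_id)
        if ticket is None:
            variances.append((obs, UNKNOWN_TICKET))
        elif ticket.asset != obs.asset:
            variances.append((obs, WRONG_ASSET))
        elif not (ticket.window_start <= obs.timestamp <= ticket.window_end):
            variances.append((obs, OUTSIDE_WINDOW))
        elif obs.actor == ticket.approver:
            variances.append((obs, SOD_VIOLATION))
    return variances


def format_report(variances: List[Tuple[ObservedChange, str]]) -> List[str]:
    """Render variances as one line each, suitable for an audit log or ticket."""
    return [f"{v.timestamp.isoformat()} {v.asset} by {v.actor} "
            f"(ticket={v.change_id or '-'}): {reason}" for v, reason in variances]


# Constructed sample data.
T0 = datetime(2024, 3, 1, 22, 0)
APPROVED = [
    ApprovedChange("CHG-1001", "payroll-db", T0, T0 + timedelta(hours=2), approver="alice"),
    ApprovedChange("CHG-1002", "web-frontend", T0, T0 + timedelta(hours=1), approver="alice"),
]
OBSERVED = [
    ObservedChange("payroll-db", T0 + timedelta(minutes=30), "CHG-1001", actor="bob"),      # authorized
    ObservedChange("web-frontend", T0 + timedelta(hours=3), "CHG-1002", actor="carol"),     # late
    ObservedChange("payroll-db", T0 + timedelta(minutes=45), None, actor="dave"),           # no ticket
    ObservedChange("auth-service", T0, "CHG-9999", actor="bob"),                            # unknown
    ObservedChange("payroll-db", T0 + timedelta(minutes=50), "CHG-1002", actor="bob"),      # wrong asset
    ObservedChange("web-frontend", T0 + timedelta(minutes=10), "CHG-1002", actor="alice"),  # approver deployed
]

if __name__ == "__main__":
    for line in format_report(reconcile(OBSERVED, APPROVED)):
        print(line)
```

In practice the observed-change feed would come from configuration-drift monitoring or deployment tooling and the register from the ticketing system; the reconciliation logic stays the same, and each reported line is the "unauthorized variance" the control is meant to surface for investigation.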

            Even with appropriate controls in place, new vulnerabilities and threats may cause the organization
            to implement compensating controls.
            • Compensating controls are established to provide an additional safeguard should the primary
              control fail.

            In addition to general risks and controls, change management initiatives should consider risks and
            controls related to:
            • Patches.
            • Emerging threats and opportunities.
            • End-user computing (EUC) and user-developed applications.
            • Third parties.
            • Compliance.




            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.