IT Change Management — IT Certificate
Consequences of Poor Change Management
A poor change management program may expose the organization to many risks, including
unauthorized or unrecorded changes being applied, system or application failure/downtime,
security issues, inefficient business processes, inconsistent results, and even misstated reports and
financial statements. In addition, inefficient or ineffective change management can cost an
organization through:
- Failure to achieve business objectives.
- Control deficiencies that may result in inconsistent compliance or negative audit results.
- Attrition of highly qualified IT staff due to frustration over low-quality results.
- Poor quality systems that can hinder employee productivity or frustrate customers.
- Missed opportunities to provide innovative or more efficient products and services to customers.
- Outages and unplanned work.
- Failure to properly engage the organization in the CAB/change approval process, which increases the chance that change could impact the completion of a critical business activity.
- System changes that do not meet process owner needs, resulting in processing errors, lost time due to rework, and other negative outcomes.
- Slow information processing or instability in system operations.
Risk Factors of Patches
Patches tend to affect many critical system libraries and other software used by application
programs. Failure to conduct a threat analysis, or to test and implement necessary patches, can
introduce new critical security vulnerabilities or reintroduce prior vulnerabilities.
Patches can be large and/or complex changes, and often are intended to correct critical
vulnerabilities. In addition, documentation of the change may be limited. Even small configuration
variances may cause drastically different outcomes.
Patches are often pushed by vendors automatically and could potentially occur outside of the
change schedule. Beyond being an inconvenience, this can introduce additional risks. IT
personnel should not only be aware of the timing for patches being pushed to allow for appropriate
preparation, but should also understand the implications a patch may have across the organization.
Risk factors can potentially affect the change success rate and may require more comprehensive
planning, execution, and testing.
Emerging Threats and Opportunities
As the global community continues to navigate the fourth industrial revolution, which includes
automation, artificial intelligence, and blockchain, and embarks on the fifth industrial revolution,
which includes re-humanization, there is a potential for profound risks to emerge. These risks may
be difficult or impossible to foresee.
Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.