IT Change Management — IT Certificate

            Consequences of Poor Change Management

            A poor change management program may expose the organization to many risks, including
            unauthorized or unrecorded changes being applied, system or application failure/downtime,
            security issues, inefficient business processes, inconsistent results, and even misstated reports and
            financial statements. In addition, inefficient or ineffective change management can cost an
            organization through:
              Failure to achieve business objectives.
              Control deficiencies that may result in inconsistent compliance or negative audit results.
              Attrition of highly qualified IT staff due to frustration over low-quality results.
              Poor quality systems that can hinder employee productivity or frustrate customers.
              Missed opportunities to provide innovative or more efficient products and services to customers.
              Outages and unplanned work.
              Failure to properly engage the organization in the CAB/change approval process, which increases
               the chance that change could impact the completion of a critical business activity.
              System changes that do not meet process owner needs, resulting in processing errors, lost time
               due to rework, and other negative outcomes.
              Slow information processing or instability in system operations.

            Risk Factors of Patches

            Patches tend to affect many critical system libraries and other software used by application
            programs. Failure to conduct a threat analysis, or to test and implement necessary patches, can
            introduce new critical security vulnerabilities or reintroduce prior vulnerabilities.

            Patches can be large and/or complex changes, and often are intended to correct critical
            vulnerabilities. In addition, documentation of the change may be limited. Even small configuration
            variances may cause drastically different outcomes.

            Patches are often pushed by vendors automatically and could potentially occur outside of the
            change schedule. This can be more than an inconvenience; it can also introduce additional risks. IT
            personnel should not only be aware of the timing for patches being pushed to allow for appropriate
            preparation, but should also understand the implications a patch may have across the organization.

            These risk factors can affect the change success rate and may require more comprehensive
            planning, execution, and testing.

            Emerging Threats and Opportunities

            As the global community continues to navigate the fourth industrial revolution, which includes
            automation, artificial intelligence, and blockchain, and embarks on the fifth industrial revolution,
            which includes re-humanization, there is a potential for profound risks to emerge. These risks may
            be difficult or impossible to foresee.




            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.