
IT Change Management — IT Certificate

Many organizations focus their change management process solely on managing changes within their on-premises systems. The scope of the change management process should also consider emerging risks of a more global and cyber nature. Specific considerations include:
- Cloud applications, and how changes are applied to the applications that support the infrastructure, which are sources of third-party risk.
- Mobile device applications, and how changes are applied to the hardware, operating systems, and applications.
- BYOD policies, and whether changes are managed by the organization or by the individual device owners.

Complexities of Applications

Many organizations operate systems that are inherently complex because they involve end-user computing (EUC), including acquired systems. In these systems, end users may build their own processing or reporting applications using existing applications and tools such as Excel, Access, SQL, columnar databases, visualization tools, or robotic process automation (RPA) tools. Designing comprehensive controls around these systems may be challenging because they are complex and customized.

In addition, some of these projects, which might otherwise have been adopted as larger-scale IT change initiatives, may be overlooked or dismissed because of their smaller magnitude (e.g., fewer than a certain number of hours) or when weighed against an arbitrary return-on-investment equation. Management and internal auditors should understand these complex systems, including their capacity, capability, and pervasiveness. The users of these systems should also be considered. Understanding these factors will help management and internal auditors assess the relevant risks and the applicability of change management controls to these critical processes and systems.

Third-Party Vendors and Control Reports

With the proliferation of vendor relationships, understanding who is responsible for the associated change management controls can be challenging. Vendor offerings range from applications hosted completely in the cloud to applications in private clouds that are completely controlled by the organization.

Many vendors produce a report on their system-level and organizational/entity-level controls, which may offer various levels of assurance. Obtaining and evaluating these reports may be necessary for the organization's regulatory compliance (e.g., SSAE 18 SOC 2, Type 2).

However, merely obtaining a vendor's report on its controls does not guarantee that those controls are effective. Management should understand how to read the report and its scope. Management should also evaluate whether the vendor's controls are effective. Additionally, management should understand which control responsibilities belong to the vendor and which belong to the organization (the latter are known as Complementary User Entity Controls [CUEC]).

In addition, ensuring all contracts with managed service providers (MSPs) and other cloud and third-party providers include specific language regarding patches and patch deployment notification

            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.