IT Change Management — IT Certificate
Many organizations focus their change management process solely on changes within their
on-premises systems. The scope of the process should also cover emerging risks that are global and
cyber in nature. Specific considerations include:
Cloud applications, and how changes are applied to the applications and infrastructure that
support them; these are sources of third-party risk.
Mobile device applications, and how changes are applied to the device hardware, operating
systems, and applications.
BYOD policies, and whether changes to those devices are managed by the organization or by the
individual device owners.
Complexities of Applications
Many organizations operate systems that are inherently complex because they involve end-user
computing (EUC), including acquired systems. In these environments, end users build their own
processing or reporting applications from existing applications and tools such as Excel, Access,
SQL, columnar databases, visualization tools, or robotic process automation (RPA) tools. Designing
comprehensive controls around these systems is challenging because they are both complex and
customized, and they often sit outside the formal change process.
In addition, some of these projects, which in the past would have been handled as larger-scale IT
change initiatives, may be overlooked or dismissed because of their small size (e.g., fewer than a
set number of hours) or because they fail an arbitrary return-on-investment test.
Management and internal auditors should understand these complex systems, including their
capacity, capability, and pervasiveness, and who uses them. Understanding these factors helps
management and internal auditors assess the relevant risks and determine which change
management controls apply to these critical processes and systems.
Third-Party Vendors and Control Reports
With the proliferation of vendor relationships, determining who is responsible for the associated
change management controls can be challenging. Vendor offerings range from applications hosted
entirely in the vendor's cloud to applications running in a private cloud that the organization
controls completely.
Many vendors produce a report on their system-level and organizational/entity-level controls, and
these reports offer varying levels of assurance. Obtaining and evaluating them may be necessary for
the organization's regulatory compliance (e.g., an SSAE 18 SOC 2 Type 2 report).
However, merely obtaining a vendor's report over its controls does not guarantee that those controls
are effective. Management should understand how to read the report, including its scope, the
system boundaries it covers, the period it covers, and any exceptions the service auditor noted.
Management should also evaluate whether the vendor's controls are effective. Additionally,
management should understand which control responsibilities belong to the vendor and which
belong to the organization; the latter are known as complementary user entity controls (CUECs).
In addition, ensuring that all contracts with managed service providers (MSPs) and other cloud and
third-party providers include specific language regarding patches and patch deployment notification
Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.