IT Change Management — IT Certificate
Data Protection
Change management is an evolutionary process, and each organization’s progression along the
spectrum of maturity is unique. Many factors affect the organization’s position, trajectory, and rate
of progress. Organizations should evaluate and improve change management processes on a
consistent basis to keep up with technology and the global environment as much as possible.
Care should be taken when introducing a new change management process or updating an existing
one. Changes that are poorly designed and implemented may result in unnecessary expenditures
and unplanned/emergency work to minimize any negative impacts. Progressing to another maturity
level is less important than the quality and integrity of the process to get there.
TOPIC 4: PROVIDING ASSURANCE OVER IT CHANGE MANAGEMENT
Providing Assurance Over Change Management
The internal audit activity is in a unique position to help senior management and the board
recognize the importance of effective change management. Internal auditors can contribute to the
organization’s change management initiatives through consulting or assurance services.
For example, internal audit can:
- Assess the governance, risk management, and control processes related to IT change management.
- Make recommendations consistent with leading IT change and patch management processes.
- Demonstrate how effective IT change management can help the organization reap the benefits of better risk management, greater effectiveness, and lower costs.
- Assist management in identifying practical, effective approaches to IT change management.
- Participate as nonvoting members of the change approval board.
This unit largely focuses on providing assurance over IT change management, in accordance with
The IIA’s International Standards for the Professional Practice of Internal Auditing.
Proficiency and Due Professional Care
IIA Standard 1210: Proficiency states that “internal auditors must possess the knowledge, skills, and
other competencies needed to perform their individual responsibilities. The internal audit activity
collectively must possess or obtain the knowledge, skills, and other competencies needed to
perform its responsibilities.”
IIA Standard 1210.A3 further explains that “internal auditors must have sufficient knowledge of key
information technology risks and controls and available technology-based audit techniques to
perform their assigned work. However, not all internal auditors are expected to have the expertise of
an internal auditor whose primary responsibility is information technology auditing.”
Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.