
IT Change Management — IT Certificate

            Internal auditors also should apply IIA Standard 1220: Due Professional Care to their change
            management-related audits. As stated in IIA Standard 1220.A1, “Internal auditors must exercise due
            professional care by considering the:
              • Extent of work needed to achieve the engagement’s objectives.
              • Relative complexity, materiality, or significance of matters to which assurance procedures are
                applied.
              • Adequacy and effectiveness of governance, risk management, and control processes.
              • Probability of significant errors, fraud, or noncompliance.
              • Cost of assurance in relation to potential benefits.”

            As required by IIA Standard 1230: Continuing Professional Development, “internal auditors must
            enhance their knowledge, skills, and other competencies through continuing professional
            development.”

            Continuing professional development in IT change management can be achieved through on-the-job
            training and through courses like this, webinars, seminars, and other similar offerings.

            Engagement Planning

            As required by IIA Standard 2130: Engagement Planning, “Internal auditors must develop and
            document a plan for each engagement, including the engagement’s objectives, scope, timing, and
            resource allocations. The plan must consider the organization’s strategies, objectives, and risks
            relevant to the engagement.” The timing and frequency of change management engagements may
            be regulated, but even when not mandated, internal auditors should consider conducting reviews
            on a regular basis, based on risk. The review of an organization’s change management process can
            be a stand-alone assessment, or be included as a part of a larger audit, such as a component in the
            periodic review of the organization’s internal controls over financial statements.

            Use a Risk-Based Approach

            Since internal audit departments typically do not have the resources to review every facet of the
            organizations in which they work, engagement plans are based on a risk assessment. The risk assessment helps
            to determine the scope, depth, and magnitude of the review. This is consistent with IIA Standard
            2010: Planning, which states that “the chief audit executive must establish a risk-based plan to
            determine the priorities of the internal audit activity, consistent with the organization’s goals.”

            Planning considerations should include gathering relevant information and understanding the
            organization’s governance structure and the specific strategies, objectives, and risks of the change
            management process. This risk assessment should consider the impact and likelihood of risks that
            could occur due to untimely or insufficient patch application.

            Sufficient engagement planning will provide internal auditors with the necessary information and
            background to develop relevant questions and steps to perform an audit or review of the change
            management process and controls.


            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.