IT Change Management — IT Certificate
Internal auditors also should apply IIA Standard 1220: Due Professional Care to their change
management-related audits. As stated in IIA Standard 1220.A1, “Internal auditors must exercise due
professional care by considering the:
• Extent of work needed to achieve the engagement’s objectives.
• Relative complexity, materiality, or significance of matters to which assurance procedures are
  applied.
• Adequacy and effectiveness of governance, risk management, and control processes.
• Probability of significant errors, fraud, or noncompliance.
• Cost of assurance in relation to potential benefits.”
As required by IIA Standard 1230: Continuing Professional Development, “internal auditors must
enhance their knowledge, skills, and other competencies through continuing professional
development.”
Continuing professional development in IT change management can be achieved through on-the-job
training and through courses like this, webinars, seminars, and other similar offerings.
Engagement Planning
As required by IIA Standard 2130: Engagement Planning, “Internal auditors must develop and
document a plan for each engagement, including the engagement’s objectives, scope, timing, and
resource allocations. The plan must consider the organization’s strategies, objectives, and risks
relevant to the engagement.” The timing and frequency of change management engagements may
be regulated, but even when not mandated, internal auditors should consider conducting reviews
on a regular basis, based on risk. The review of an organization’s change management process can
be a stand-alone assessment, or be included as a part of a larger audit, such as a component in the
periodic review of the organization’s internal controls over financial statements.
Use a Risk-Based Approach
Since internal audit departments typically do not have the resources to review every facet of the
organizations in which they work, engagement plans are based on a risk assessment. The assessed risk helps
to determine the scope, depth, and magnitude of the review. This is consistent with IIA Standard
2010: Planning, which states that “the chief audit executive must establish a risk-based plan to
determine the priorities of the internal audit activity, consistent with the organization’s goals.”
Planning considerations should include gathering relevant information and understanding the
organization’s governance structure and the specific strategies, objectives, and risks of the change
management process. This risk assessment should consider the impact and likelihood of risks that
could occur due to untimely or insufficient patch application.
Sufficient engagement planning will provide internal auditors with the necessary information and
background to develop relevant questions and steps to perform an audit or review of the change
management process and controls.
Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.