
IT Change Management — IT Certificate

            Auditors can look to the 2200 series of the Standards for guidance on performing the engagement:
              • IIA Standard 2200: Engagement Planning.
              • IIA Standard 2201: Planning Considerations.
              • IIA Standard 2210: Engagement Objectives.
              • IIA Standard 2220: Engagement Scope.
              • IIA Standard 2230: Engagement Resource Allocation.
              • IIA Standard 2240: Engagement Work Program.

            For example, Standard 2200 states that “internal auditors must develop and document a plan for
            each engagement, including the engagement’s objectives, scope, timing, and resource allocations.
            The plan must consider the organization’s strategies, objectives, and risks relevant to the
            engagement.”

            According to Standard 2201, “in planning the engagement, internal auditors must consider:
              • The strategies and objectives of the activity being reviewed and the means by which the activity
                controls its performance.
              • The significant risks to the activity’s objectives, resources, and operations and the means by
                which the potential impact of risk is kept to an acceptable level.
              • The adequacy and effectiveness of the activity’s governance, risk management, and control
                processes compared to a relevant framework or model.
              • The opportunities for making significant improvements to the activity’s governance, risk
                management, and control processes.”

            Engagement Scope

            Regarding engagement scope, Standard 2220 states that “the established scope must be sufficient to
            achieve the objectives of the engagement.” Standard 2220.A1 further explains that “the scope of the
            engagement must include consideration of relevant systems, records, personnel, and physical
            properties, including those under the control of third parties.” The scope of the audit or review can
            be affected by factors such as internal audit staffing, time sensitivity, mitigating processes, prior
            deficiencies, and newly identified risks, among others.

            Engagement Fieldwork

            Although each engagement work program (audit program) will differ, internal auditors should
            consider performing these general steps when conducting an audit or review of an organization’s
            change management and control processes:
              • Understand the basic components of change management and its implementation in the
                organization.
              • Perform a walk-through of the change management process, seeking evidence of the key
                elements outlined in this course.
              • Understand how IT management is measuring the process and whether it meets the needs of the
                business.
              • Determine if management has a method of reporting metrics for process results and
                effectiveness.
            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.