
IT Change Management — IT Certificate

            Engagement Outcomes – Audit Findings/Observations

            When discussing and writing audit observations, internal auditors should present the business value
            of effective change management, as well as the risks related to ineffective processes. Internal
            auditors should clearly articulate the operational, financial, and regulatory risks that are not being
            managed appropriately, and relate the findings to the risk tolerances management has established
            in support of its business goals and objectives.

            According to IIA Standard 2400: Communicating Results, “Internal auditors must communicate the
            results of engagements.” Internal auditors should consult with management throughout the
            engagement process and obtain management’s recognition of any observations (including the
            severity) and any action plans, before issuing any reports. The 2400 series of the Standards can be
            used to guide the CAE’s communications with senior management and the board.
              IIA Standard 2400: Communicating Results.
              IIA Standard 2410: Criteria for Communicating.
              IIA Standard 2420: Quality of Communications.
              IIA Standard 2421: Errors and Omissions.
              IIA Standard 2430: Use of “Conducted in Conformance with the International Standards for the
               Professional Practice of Internal Auditing.”
              IIA Standard 2431: Engagement Disclosure of Nonconformance.
              IIA Standard 2440: Disseminating Results.
              IIA Standard 2450: Overall Opinions.

            Risk Management Processes and Controls

            Internal auditors, together with management, want to ensure risks have been identified and are
            being mitigated or managed properly. While IT management’s responsibility is to protect the
            production environment and support the organization’s pursuit of its business objectives, internal
            auditors should assess and validate that appropriate risk management processes and controls are in
            place.

            Internal auditors should independently verify that management has identified risks that could arise
            from changes and assist in determining whether such risks are consistent with the organization’s
            risk appetite and tolerance. Internal auditors also can determine whether a culture of disciplined
            change management exists, and can promote the benefits of good change management protocols to
            key stakeholders.

            A sample IT change management audit program can be found in Appendix F on pages 33-35 of The
            IIA “Global Technology Audit Guide: IT Change Management: Critical for Organizational Success.”

            Outsourced Function Considerations

            Some organizations fully or partially outsource or cosource their IT functions, including the change
            management function. When the organization outsources IT activities to a service provider, internal
            auditors should verify that the organization’s expectations are identified clearly in service-level

            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.