IT Change Management — IT Certificate
Engagement Outcomes – Audit Findings/Observations
When discussing and writing audit observations, internal auditors should present the business value
of effective change management, as well as the risks related to ineffective processes. Internal
auditors should clearly articulate the operational, financial, and regulatory risks that are not being
managed appropriately, and relate the findings to the risk tolerances management has established
in support of its business goals and objectives.
According to IIA Standard 2400: Communicating Results, “Internal auditors must communicate the
results of engagements.” Internal auditors should consult with management throughout the
engagement process and obtain management’s recognition of any observations (including the
severity) and any action plans, before issuing any reports. The 2400 series of the Standards can be
used to guide the CAE’s communications with senior management and the board.
IIA Standard 2400: Communicating Results.
IIA Standard 2410: Criteria for Communicating.
IIA Standard 2420: Quality of Communications.
IIA Standard 2421: Errors and Omissions.
IIA Standard 2430: Use of “Conducted in Conformance with the International Standards for the
Professional Practice of Internal Auditing.”
IIA Standard 2431: Engagement Disclosure of Nonconformance.
IIA Standard 2440: Disseminating Results.
IIA Standard 2450: Overall Opinions.
Risk Management Processes and Controls
Internal auditors, together with management, want to ensure risks have been identified and are
being mitigated or managed properly. While IT management’s responsibility is to protect the
production environment and support the organization’s pursuit of its business objectives, internal
auditors should assess and validate that appropriate risk management processes and controls are in
place.
Internal auditors should independently verify that management has identified risks that could arise
from changes and assist in determining whether such risks are consistent with the organization’s
risk appetite and tolerance. Internal auditors also can determine whether a culture of disciplined
change management exists, and can promote the benefits of good change management protocols to
key stakeholders.
A sample IT change management audit program can be found in Appendix F on pages 33-35 of The
IIA’s “Global Technology Audit Guide: IT Change Management: Critical for Organizational Success.”
Outsourced Function Considerations
Some organizations fully or partially outsource or cosource their IT functions, including the change
management function. When the organization outsources IT activities to a service provider, internal
auditors should verify that the organization’s expectations are identified clearly in service-level
Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.