Page 265 - ITGC_Audit Guides

Executive Summary

                   Note: The cover, logo, and references in this guide have been updated. The content has
                   not changed.

                   IT change management can be a difficult and complex process to implement and maintain. It
                   requires collaboration among cross-functional teams throughout an organization, and its
                   success or failure can have a significant impact on an organization’s operations. As
                   technology advances and organizations move from manual to automated and digital processes
                   and cloud applications, the number of processes subject to change management will only
                   increase. In addition, the need for these systems to function properly and with
                   appropriate and effective controls will be of utmost importance.
                   Throughout this guide, “change management” is defined broadly as “the technology changes that
                   affect an organization’s systems, programs, or applications.”

                   Change management controls are an integral part of an organization’s IT general controls
                   (ITGCs), and in most organizations, the question isn’t whether a change management process
                   exists; it’s whether the process is as effective and efficient as possible and is followed for all
                   changes. Generally, effective change management can assist an organization in addressing risk,
                   reducing unplanned work, limiting unintended results, and ultimately improving the quality of
                   service for internal and external customers.

                   Change management is no longer the responsibility of IT management only. An
                   organization’s entire senior management team should be accountable for managing their risks to
                   levels that enable the achievement of their objectives; and the organization’s board, in turn, is
                   responsible for holding management accountable.

                   The internal audit activity is in a unique position to help senior management and the board
                   recognize the importance of implementing or strengthening their change management program
                   and to help organizations assess and improve their governance, risk management, and control
                   processes related to change management.

                   This Global Audit Technology Guide (GTAG) will help readers understand the change
                   management process and know the right questions to ask to assess the organization’s change
                   management capability. It will help internal auditors assess the overall level of process risk and
                   determine whether a more robust process may be necessary. The guide will also provide an audit
                   approach to assess key areas related to change and patch management.

                   2 — theiia.org