Page 277 - ITGC_Audit Guides
P. 277

   Potential unintended outcomes/problems that may be caused by change, the impact of those
                       outcomes/problems, and remediation plans.
                      The cost and benefits of the change.

                   This information should be reported to senior management regularly and objectively using metrics
                   and indicators, for example, in dashboard-type reports. Such reports allow senior management to
                   gauge IT’s progress toward:

                      Aligning end-users with IT changes to meet business needs.
                      Creating defined, predictable, and repeatable processes with defined, predictable, and
                       repeatable results.
                      Coordinating and communicating with stakeholders affected by changes.

                   In addition, more rigorous, formal measures and specific metrics should be reported to provide
                   maximum visibility into the impact of the strategy on the effectiveness of IT change management.
                   Indicators may include:

                      Number of changes authorized over a specific period.
                      Number of changes implemented over a specific period.
                      Number of unauthorized changes that circumvent the documented change process.
                      Change success rate (percentage of changes made that did not cause outages, service
                       impairments, or an occurrence of unplanned work).
                      Number of emergency changes (including patches).

                      Average duration from patch release date until patch is deployed to vulnerable IT systems.
                      Percentage of time spent on unplanned work.
                      Percentage of projects delivered later than planned.

                   Analyzing the results may indicate whether the organization has an effective change
                   management process, whether the process benefits the business, and where to focus more
                   resources.
                   Appendix D lists sample questions to assess effective change management.


                   Results of Effective Change Management Processes

                   Organizations with effective change management require fewer system administrators and
                   typically have increased effectiveness and productivity of IT personnel. When change
                   management is operating effectively, IT personnel are better equipped to:

                      Upgrade software and applications regularly, improving the overall security and functionality
                       of systems.
                      Update systems in compliance with regulatory standards.

                      Protect systems from cybersecurity incidents.
                      Operate in a continuous integration/continuous deployment environment.





                   14 — theiia.org
   272   273   274   275   276   277   278   279   280   281   282