Page 284 - ITGC_Audit Guides

                       • Determine whether changes to the production environment are documented, auditable, and
                         retained in a way that cannot be manipulated or destroyed (i.e., audit trails).
                       • Apply data analytics techniques and develop or use indicators of effective and ineffective
                         change management processes to assess the organization's relative effectiveness.

                    In auditing IT change management processes, internal auditors should, at a minimum, validate
                    authorization, segregation of duties, testing of changes, approval to move changes into
                    production, and the handling of emergency changes. These areas are likely the most critical;
                    if not properly managed, they could expose the organization to the most significant risks.

                   Specific Change Management Controls
                   Preventive – controls that deny certain changes unless specific actions or conditions are met,
                   such as:
                       • Appropriate authorizations, including by the change advisory board when necessary.

                       • Segregation of roles/duties, including:
                                  o  The physical act of migrating the change should be performed by an
                                      employee who is independent of the actual change process. Typically, this is
                                      completed by the change and release manager.

                                  o  The implementer did not authorize their own changes. (See additional details in
                                      the "Migration and Segregation of Duties" section below.)

                       • Completion of minimum required steps.
                       • Appropriate and complete documentation of changes (e.g., description, risk, systems
                         impacted, rollback/backout plan).
                       • Appropriate permissions are in place.
                   Detective – controls that monitor completed changes to determine if any undesirable changes or
                   unintended outcomes have occurred. These controls could include:

                       • Detection of unauthorized or incorrectly authorized changes.
                       • Monitoring of valid, objective change management metrics.
                   Corrective – predetermined actions taken when certain post-change conditions or behaviors are
                   found. These controls could include:

                       • Post-implementation reviews.
                       • Change information fed into early problem diagnosis steps.

                    Migration and Segregation of Duties
                    When evaluating the migration of changes between environments, internal auditors should look
                    for assurance that specific segregation of duties is in place and consistently observed, such as
                    the actual migration of a change being completed by a person who is independent of the
                    development team, because otherwise there is a risk that unauthorized changes may be made to
                    production code. In many organizations, the change and release manager performs this function.
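                    The detective control listed above (detection of unauthorized or incorrectly authorized changes),
                    the segregation-of-duties expectations (the implementer neither approves nor migrates their own
                    change, and only the release manager's account may migrate) and the audit step of applying data
                    analytics can all be expressed as one reconciliation of the production deployment log against the
                    change records. The Python below is an added example written for this page; it is not IIA guidance
                    and not the code of any ticketing or deployment tool. The change records, the deployment log, the
                    set of permitted migrators and every field name are constructed assumptions about what a ticketing
                    system and a CI/CD pipeline would export.

```python
"""Reconcile production deployments against approved change records.

Added example for this page; not IIA guidance. All data and field names are
constructed assumptions about a ticketing-system / CI-CD export.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Change:
    id: str
    implementer: str              # who built the change
    approver: Optional[str]       # who authorized it; None means never approved
    tested: bool                  # test evidence exists before promotion
    emergency: bool = False
    retro_approved: bool = False  # emergency changes need after-the-fact approval


@dataclass(frozen=True)
class Deployment:
    ts: str                       # timestamp taken from the deployment log
    deployed_by: str              # account that performed the migration
    change_id: Optional[str]      # change record the deployment cites, if any


@dataclass(frozen=True)
class Finding:
    subject: str
    rule: str
    detail: str


def audit_changes(changes: List[Change], deployments: List[Deployment],
                  migrators: Set[str]) -> List[Finding]:
    """Return one Finding per control failure.

    `migrators` is the set of accounts whose production access profile permits
    migration (e.g., the change and release manager), taken from an access review.
    """
    by_id: Dict[str, Change] = {c.id: c for c in changes}
    findings: List[Finding] = []

    # Preventive controls, checked on the change records themselves
    for c in changes:
        if c.approver is None:
            findings.append(Finding(c.id, "NO_AUTHORIZATION", "change was never approved"))
        elif c.approver == c.implementer:
            findings.append(Finding(c.id, "SELF_APPROVAL",
                                    f"{c.implementer} approved their own change"))
        if not c.tested and not c.emergency:
            findings.append(Finding(c.id, "UNTESTED", "no test evidence before promotion"))
        if c.emergency and not c.retro_approved:
            findings.append(Finding(c.id, "EMERGENCY_NOT_RATIFIED",
                                    "emergency change lacks after-the-fact approval"))

    # Detective controls, checked on what actually reached production
    for d in deployments:
        subject = f"{d.ts} by {d.deployed_by}"
        if d.deployed_by not in migrators:
            findings.append(Finding(subject, "UNAUTHORIZED_MIGRATOR",
                                    f"{d.deployed_by} is not permitted to migrate"))
        c = by_id.get(d.change_id) if d.change_id else None
        if c is None or c.approver is None:
            findings.append(Finding(subject, "UNAUTHORIZED_CHANGE",
                                    f"no approved change record for {d.change_id!r}"))
            continue
        if d.deployed_by == c.implementer:
            findings.append(Finding(subject, "IMPLEMENTER_MIGRATED",
                                    f"{d.deployed_by} migrated their own change {c.id}"))
    return findings


SOD_RULES = {"SELF_APPROVAL", "IMPLEMENTER_MIGRATED", "UNAUTHORIZED_MIGRATOR"}


def metrics(changes: List[Change], deployments: List[Deployment],
            findings: List[Finding]) -> Dict[str, float]:
    """Objective indicators an auditor can trend from one period to the next."""
    n_dep = len(deployments)
    unauthorized = sum(1 for f in findings if f.rule == "UNAUTHORIZED_CHANGE")
    emergencies = sum(1 for c in changes if c.emergency)
    return {
        "deployments": n_dep,
        "unauthorized_deployment_rate": unauthorized / n_dep if n_dep else 0.0,
        "sod_violations": sum(1 for f in findings if f.rule in SOD_RULES),
        "emergency_change_rate": emergencies / len(changes) if changes else 0.0,
    }


# Constructed sample data (not real records)
CHANGES = [
    Change("CHG-1001", "alice", "bob", tested=True),
    Change("CHG-1002", "carol", "carol", tested=True),                # self-approved
    Change("CHG-1003", "dave", "bob", tested=False, emergency=True),  # never ratified
    Change("CHG-1004", "alice", None, tested=True),                   # never approved
]
DEPLOYMENTS = [
    Deployment("2024-03-01T10:00", "erin", "CHG-1001"),   # clean
    Deployment("2024-03-01T11:00", "alice", "CHG-1001"),  # developer migrated own change
    Deployment("2024-03-02T09:30", "erin", None),         # no change record cited at all
    Deployment("2024-03-02T14:00", "erin", "CHG-1004"),   # record exists but is unapproved
    Deployment("2024-03-03T08:15", "erin", "CHG-1003"),   # clean here; the change itself is flagged
]
MIGRATORS = {"erin"}  # from the production access profiles: release manager only

if __name__ == "__main__":
    found = audit_changes(CHANGES, DEPLOYMENTS, MIGRATORS)
    for f in found:
        print(f"{f.rule:24} {f.subject}: {f.detail}")
    print(metrics(CHANGES, DEPLOYMENTS, found))
```

                    The reconciliation is only as good as its inputs: the deployment log must come from a source the
                    implementers cannot edit (the audit-trail requirement above), and the migrator set must be read
                    from the actual production access profiles rather than from the change records, since the
                    question being tested is precisely whether those two sources agree.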

                   Internal audit should validate that only authorized personnel can migrate a change into the
                   production environment by checking the security access profiles of users. While conducting this
                   21 — theiia.org