Page 297 - ITGC_Audit Guides
Appendix F. Sample Change Management Audit Program
Table F.1: Sample Change Management Audit Program
Change Management Process
Control Objective: To communicate process objectives, requirements, and roles and responsibilities.
Risk: Errors are made due to lack of understanding of the process.
Control: The change management process is defined and communicated to those involved in the process, including employees and service providers.
Work Steps:
Determine whether the process is documented and where it is located.
Determine how changes to the process are communicated.
From discussions with a sample of those involved, assess their understanding of the process objectives and procedures, as well as the importance of their roles in the process. Validate that they have ready access to related documentation and tools.
Segregation of Duties
Control Objective: To delegate responsibilities such that unintentional errors or intentional, inappropriate actions will be detected.
Risk: Unexpected or adverse results.
Control: At a minimum, separate people/groups perform the responsibilities for change advisory/approval and implementation. Ideally, a separate person or group performs design of the change and testing of the change. When this is not feasible or ideal, appropriate detective or monitoring controls are in place.
Work Steps:
Validate that changes are reviewed and approved by an appropriate level of management.
Validate that those who approve changes do not have access to implement them in the production environment.
Determine how changes are tested to ensure they function as intended and do not impair the integrity, availability, or confidentiality of data.
Validate that appropriate detective or monitoring controls are in place to mitigate weaknesses in, or enhance, segregation of duties controls.
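The segregation of duties work steps above can be tested across a whole population of changes rather than a hand-picked sample. The following is an added example written for this appendix, not part of the IIA guide: it cross-references a change ticket export against a production access report and flags each change where the approver also implemented it, the approver holds production deployment rights, approval is missing, or the designer tested their own work (the case the control says requires a compensating detective control). The field names (change_id, approver, implementer, designer, tester), the PROD_DEPLOYERS set and all ticket data are constructed assumptions about what such exports might look like.

```python
"""Population-level segregation of duties (SoD) test for change management.

Added example for the audit program above; the data model and sample records
are constructed and do not come from any real ticketing or access system.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Change:
    change_id: str
    approver: Optional[str]   # manager who approved the change; None = no approval recorded
    implementer: str          # account that deployed the change to production
    designer: str             # person who designed/built the change
    tester: str               # person who tested the change


# Constructed: accounts holding production deployment rights per the access report.
PROD_DEPLOYERS: Set[str] = {"dev.alice", "ops.bob", "mgr.carol"}

# Constructed: population of changes over the audit period.
CHANGES: List[Change] = [
    Change("CHG-1001", "mgr.dave", "ops.bob", "dev.alice", "qa.erin"),     # clean
    Change("CHG-1002", "mgr.carol", "ops.bob", "dev.alice", "qa.erin"),    # approver can deploy
    Change("CHG-1003", "dev.alice", "dev.alice", "dev.alice", "dev.alice"),  # one person did everything
    Change("CHG-1004", None, "ops.bob", "dev.alice", "qa.erin"),           # no approval recorded
]


def sod_findings(changes: List[Change], prod_deployers: Set[str]) -> List[Tuple[str, str]]:
    """Return (change_id, issue) pairs for every SoD exception in the population."""
    findings: List[Tuple[str, str]] = []
    for c in changes:
        if c.approver is None:
            findings.append((c.change_id, "no management approval recorded"))
            continue
        if c.approver == c.implementer:
            findings.append((c.change_id, "approver also implemented the change"))
        if c.approver in prod_deployers:
            # Approval and implementation are not separated at the access level,
            # even if a different person happened to deploy this change.
            findings.append((c.change_id, "approver holds production deploy access"))
        if c.designer == c.tester:
            # Allowed by the control only when a detective/monitoring control exists.
            findings.append((c.change_id, "designer tested own change; compensating control required"))
    return findings


def findings_by_change(changes: List[Change], prod_deployers: Set[str]) -> Dict[str, List[str]]:
    """Group the issues per change so each exception can be traced to one ticket."""
    grouped: Dict[str, List[str]] = {}
    for change_id, issue in sod_findings(changes, prod_deployers):
        grouped.setdefault(change_id, []).append(issue)
    return grouped


def approver_access_conflicts(changes: List[Change], prod_deployers: Set[str]) -> Set[str]:
    """Accounts that both approve changes and can deploy to production.

    This is the list to take to access management: either the deploy right is
    removed, or monitoring of their deployments is evidenced as a compensating control.
    """
    approvers = {c.approver for c in changes if c.approver is not None}
    return approvers & prod_deployers


if __name__ == "__main__":
    for change_id, issues in findings_by_change(CHANGES, PROD_DEPLOYERS).items():
        for issue in issues:
            print(f"{change_id}: {issue}")
    print("approver/deployer conflicts:", sorted(approver_access_conflicts(CHANGES, PROD_DEPLOYERS)))
```

In practice the two inputs are a full-period export from the change ticketing system and the current (and, for the period, historical) production deployment group membership; running the test over the entire population, rather than a sample, gives the auditor both the exception list and the set of accounts whose access must be removed or covered by evidenced monitoring.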
34 — theiia.org