Page 298 - ITGC_Audit Guides
Table F.1 (continued)
Change Management Procedures
Control Objectives:
To ensure a change meets business needs.
To ensure a change will not negatively impact availability, integrity, and confidentiality of systems and data.
Risk: Unexpected or adverse results.
Controls:
A standard and centralized process exists for processing all changes.
All changes are approved by the appropriate level of management.
All changes are categorized and assessed for impact.
All changes are successfully tested by IT and business area personnel prior to implementation into production.
All changes are scheduled and communicated to those impacted prior to implementation.
All changes to production have an associated rollback/backout plan.
Work Steps: Select a sample of changes and validate that the controls were performed from initiation through implementation of each.
Emergency Change 1
Control Objective: To ensure business needs are met.
Risk: Inability to respond effectively to emergency change needs.
Control: Procedures exist to identify, assess, and approve genuine emergency changes.
Work Steps: Select a sample of emergency changes and validate that they meet the definition/criteria of a genuine emergency change and that proper controls were performed from initiation through implementation for each.
Emergency Change 2
Control Objective: To ensure a change will not negatively impact availability, integrity, and confidentiality of systems and data.
Risk: Unexpected or adverse results.
Control: A post-implementation review is conducted to validate that emergency procedures were properly followed and to determine the impact of the change.
Work Steps: Select a sample of emergency changes and validate that they meet the definition/criteria of a genuine emergency change and that proper controls were performed from initiation through implementation for each.
35 — theiia.org