Page 119 - CITP
effectively designed controls. They also are experts at interpreting risk and controls information from the
results of CM programs.
Change management
For the CITP, the key aspect of change management is that program changes and systems acquisition,
or development, are appropriately managed to ensure that the application software and automated
controls adequately support financial reporting and business objectives. The CITP would consider
whether the entity has identified the relevant risks that arise from change management and established
mitigating controls effectively. Such controls would include not only properly designed and implemented
application controls, but also change management controls upon which application controls depend.
Although change management focuses on application changes, it would also include related changes
such as relevant hardware and systems, operating systems, and configurations, especially those that
house financial applications.
The COBIT model lists change management as its own process (AI6), which is part of the Acquire and
Implement phase. In AI6, COBIT describes the high-level control objective as managing changes to
computer programs to ensure processing integrity; the formal management of IT changes via change
control requests; authorization, risk, and impact assessment; documentation; and proper scope of
policies and procedures. The stated goal is to minimize the likelihood of disruption of IT processing,
unauthorized alterations, and programming errors.
The proper scope of policies and procedures would include subjects such as version control, release,
distribution, implementation, testing, and so on. The change process should be formalized and structured
in the change management P&P, beginning with the initiation of a change request and authorization of all
changes. The proper authority for approving changes would need to be identified, as well as the
standardized process. P&P should include how to keep the project sponsor informed about the status of
the request.
At a minimum, an appropriate set of policies and procedures needs to address these key aspects of
change management: changes to applications and relevant hardware, operating systems, and
configurations. The P&P would address initiation, authorization, purchasing or developing, testing,
deployment, and maintenance of the pertinent aspects of the IT portfolio.
Configuration management
The issue with configuration management is that configurations can interact with applications. Generally,
this type of configuration is related to COTS applications, and allows an administrator to customize or
change certain factors in the software. For instance, configurations of COTS usually allow customization
of the general ledger account numbers for standard accounting transactions (for example, the debit and
credit account numbers for a sale on account). Configurations often also provide authorization factors
for initiating transactions, a key automated control.
© 2019 Association of International Certified Professional Accountants. All rights reserved. 3-33

