Page 118 - CITP Review

In fact, as noted in one prominent white paper,

                   The importance of configuration management in ITIL cannot be overstated. Change
                   management, problem management, incident management, security, and compliance all rely, to
                   some extent, on the accuracy and scope of underlying configuration management data.
                   [Configuration management data] will ultimately point to information about an asset, its
                   importance, and role, and critical operational details such as the interdependencies among other
                   assets and services. Ideally, configuration changes should be automatically captured when they
                   are made, possibly using integrated tools.[20]
            The objective of configuration management is to control changes to configuration within a formalized
            structure, whether automated (as recommended) or manual.

             The more sophisticated the system, or the more the key control factors (initiation, authorization,
             processing, recording, and reporting) rely on the configuration, the higher the level of inherent
             risk and the more important that configuration is to the CITP.

             Thus, systems like enterprise resource planning (ERP) are generally high-risk configurations. Such
             configurations should be controlled and managed closely and are generally in scope for the IT or
             financial audit. Auditing and evaluating an ERP configuration usually requires a subject matter expert
             (SME). The things to consider are the same as the objectives for change management: authorized
             changes, limited access, documentation for changes and setup, a formal structured process for testing,
             and a formal structured process for approving and managing changes.

             Specific guidance on auditing and evaluating the configuration is provided by ISACA's IS Auditing
             Guideline G37, Configuration Management Process, and COBIT process DS9, Manage the Configuration.
             G37 incorporates the COBIT material and therefore serves as a single source of guidance on
             configuration management. DS9 includes objectives such as the following:

              Establishing a central repository of all configuration items
              Identifying configuration items and maintaining them effectively
              Reviewing the integrity of all configuration data periodically

             Configuration measurements that can facilitate the gathering of evidence related to these
             objectives include the following examples:

              Number of business compliance issues caused by improper configuration of IT
              Number of deviations identified between configuration repository and actual IT assets
              Percent of licenses purchased but not accounted for in the repository
              Effective capture of configuration changes (for example, authorization and access control changes)
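As an added illustration (not part of the CITP Review text or of the ISACA and COBIT guidance it cites), the following Python script shows how evidence for two of the measurements above could be gathered: it reconciles a configuration repository export against a discovery scan and counts the deviations between the two, and it computes the percentage of purchased licenses that the repository does not account for. The host names, field names, products and counts are constructed sample data, and the rule of one license per recorded installation is an assumption made for the example.

```python
"""Reconcile a configuration repository against discovered assets.

Added example, not from the CITP Review or the cited guidance. All data
below is constructed; the field names and the licensing rule are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed CMDB export, keyed by hostname (assumed field names).
REPOSITORY = {
    "erp-app-01":    {"ip": "10.0.1.10", "os": "RHEL 8.6", "software": {"sap-erp"}},
    "erp-app-02":    {"ip": "10.0.1.11", "os": "RHEL 8.6", "software": {"sap-erp"}},
    "erp-db-01":     {"ip": "10.0.1.20", "os": "RHEL 8.6", "software": {"oracle-db"}},
    "fileserver-01": {"ip": "10.0.2.5",  "os": "Windows Server 2019", "software": set()},
}

# Constructed discovery-scan result for the same network segment.
DISCOVERED = {
    "erp-app-01":    {"ip": "10.0.1.10", "os": "RHEL 8.6", "software": {"sap-erp"}},
    "erp-db-01":     {"ip": "10.0.1.20", "os": "RHEL 8.8", "software": {"oracle-db"}},
    "fileserver-01": {"ip": "10.0.2.6",  "os": "Windows Server 2019", "software": {"sap-erp"}},
    "dev-box-07":    {"ip": "10.0.9.42", "os": "Ubuntu 22.04", "software": {"oracle-db"}},
}

# Constructed procurement record: licenses purchased per product.
LICENSES_PURCHASED = {"sap-erp": 3, "oracle-db": 2}

# Attributes whose recorded value must match what is actually deployed.
COMPARED_FIELDS = ("ip", "os", "software")


@dataclass
class Deviation:
    hostname: str
    kind: str            # "unregistered", "not_found" or "mismatch"
    field: str = ""
    recorded: object = None
    actual: object = None


def reconcile(repository: Dict[str, dict], discovered: Dict[str, dict]) -> List[Deviation]:
    """Return every deviation between the repository and the discovered assets."""
    devs: List[Deviation] = []
    # Assets on the network that the repository knows nothing about.
    for host in sorted(discovered.keys() - repository.keys()):
        devs.append(Deviation(host, "unregistered"))
    # Configuration items the repository lists but discovery could not find.
    for host in sorted(repository.keys() - discovered.keys()):
        devs.append(Deviation(host, "not_found"))
    # Items present on both sides whose recorded attributes have drifted.
    for host in sorted(repository.keys() & discovered.keys()):
        for field in COMPARED_FIELDS:
            recorded = repository[host].get(field)
            actual = discovered[host].get(field)
            if recorded != actual:
                devs.append(Deviation(host, "mismatch", field, recorded, actual))
    return devs


def summarize(devs: List[Deviation]) -> Dict[str, int]:
    """Count deviations by kind; the total is the DS9 deviation measurement."""
    counts = {"unregistered": 0, "not_found": 0, "mismatch": 0}
    for d in devs:
        counts[d.kind] += 1
    return counts


def license_accounting(purchased: Dict[str, int],
                       repository: Dict[str, dict]) -> Dict[str, Tuple[int, int, float]]:
    """Per product: (purchased, recorded in repository, percent purchased but unaccounted for).

    Assumes one license is consumed per installation recorded in the repository.
    """
    result = {}
    for product, bought in purchased.items():
        recorded = sum(1 for ci in repository.values() if product in ci["software"])
        unaccounted = max(bought - recorded, 0)
        result[product] = (bought, recorded, round(100.0 * unaccounted / bought, 1))
    return result


if __name__ == "__main__":
    deviations = reconcile(REPOSITORY, DISCOVERED)
    for d in deviations:
        detail = f" {d.field}: recorded={d.recorded!r} actual={d.actual!r}" if d.field else ""
        print(f"{d.kind:12} {d.hostname}{detail}")
    print("deviation counts:", summarize(deviations))
    for product, (bought, recorded, pct) in license_accounting(LICENSES_PURCHASED, REPOSITORY).items():
        print(f"{product}: purchased={bought} recorded={recorded} unaccounted={pct}%")
```

Run against the constructed data, the script reports five deviations (one shadow host, one decommissioned item still in the repository, and three attribute mismatches, including an unrecorded installation on the file server) and shows a third of the ERP licenses and half of the database licenses unaccounted for in the repository. In practice the repository export and the discovery data would be pulled from the CMDB and the scanning tool, and each deviation would be traced back to a change record or flagged as an unauthorized change.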

             Management would want to consider these factors when developing thorough policies and
             procedures for configuration management; for example, handling certain malicious activities and
             certain errors depends heavily on configuration changes.


             [20] See "Ten Simple Steps to ITIL Network Compliance", white paper, Netcordia (2007).
             http://hosteddocs.ittoolbox.com/wp-itil-network-compliance-us.pdf


            © 2019 Association of International Certified Professional Accountants. All rights reserved.    3-34