
Prepare for Successful Audits: A Change Management Manager Checklist

By: Solidcore
Published: Dec 13, 2007
Length: 37
Type: White Paper
 
Overview:
This IT audit checklist guide includes advice on assessing the effectiveness of change management in a variety of areas. As companies grow more dependent on interdependent IT systems, the risks associated with untested changes in development and production environments have increased proportionately. Get checklists of change management audit steps that management might follow in preparation for and during an audit with this free guide. The IT audit checklist guide includes advice on assessing the effectiveness of change management in:
  • Project oversight, development, procurement, IT service testing, and IT operations;
  • Guidance for management and auditors on supporting change management; and
  • Ensuring continual improvement of change management efforts.

Read this guide to prepare for an audit of high-level processes and resources and get concrete tools managers can use to ensure that the audit experience and results are beneficial to both IT leaders and the company as a whole.

Related Categories: Auditing, Change Management, Configuration Management, Security, Security Management

What Is the IT Audit Checklist Series?

The ITCI IT Audit Checklists are a series of topical white papers that provide practical guidance for IT, compliance, and business managers on preparing for successful internal audits of various aspects of their operations. In addition to helping managers understand what auditors look for and why, the IT Audit Checklists can also help managers proactively complete self assessments of their operations, thereby identifying opportunities for system and process improvements that can be performed in advance of actual audit.

This paper, “IT Audit Checklist: Change Management,” supports an internal audit of the organization’s change management policies in order to verify compliance and look for opportunities to improve efficiency, effectiveness, and economy. The paper includes advice on assessing the existence and effectiveness of change management in project oversight, development, procurement, IT service testing, and IT operations; guidance for management and auditors on supporting change management; and information on ensuring continual improvement of change management efforts. The paper is intended to help IT, compliance, audit, and business managers prepare for an audit of high-level processes and resources and provide concrete tools managers can use to ensure that the audit experience and results are as beneficial as possible to both IT leaders and the company as a whole.

 

- Regulations such as Sarbanes-Oxley and Basel II have exposed the reality that IT processes do not merely underlie business processes: in many cases, they are indistinguishable. As companies have grown more dependent on interdependent IT systems, the risks associated with untested changes in development and production environments have increased proportionately.

- Change management limits the risks associated with the introduction of new elements and other modifications in IT environments, focusing on prevention of unapproved ad hoc changes and rapid recovery from change-related problems.

- Change management control objectives, policies, and procedures should encompass both human errors and malicious endeavors. Effective change management controls risks without compromising business agility.

- This document provides a “base” IT audit checklist you can use and modify to fit your specific situation. Controls cited in this paper are derived from Control Objectives for Information Technology (CobiT) from the Information Systems Audit and Control Association (ISACA); ITIL from the UK Office of Government Commerce (OGC); Special Publication 800-53, “Recommended Security Controls for Federal Information Systems” from the National Institute of Standards and Technology (NIST); and the authors’ own experience.

- In general, control objectives are categorized as management, operational, or technical, following the grouping mechanism in NIST 800-53. However, cited change management control objectives go beyond NIST’s recommended controls for information security to address change considerations for project management, development, procurement, service testing, IT operations, and other key business processes.

- Change management audits are opportunities for companies to improve, based on auditor analysis and advice. To preserve the integrity and authority of audits, auditors must maintain a delicate balance between offering advice and making decisions.

- Managers, not auditors, are ultimately responsible for defining and implementing solutions to issues found in the audit. Thus, it is in everyone’s best interest to have a cooperative, collaborative audit process that respects the independence and discretion of all participants. Auditors should listen to management, and management should encourage staff to be open and honest with auditors.


Introduction to Change Management

IT organizations are besieged by seemingly contradictory mandates. They must contain costs in the face of swelling demands and system volume. At the same time, they are expected to provide unlimited services within the limitations of risk thresholds, and they must meet increasing functional demands in increasingly complex environments under stringent management and deadlines. And in the process they must hit an ever-increasing number of control “checkpoints” between conceptualization and implementation.

Central to meeting all of these challenges is the factor of change: how organizations, technologies, user expectations, oversight, and risk management are evolving and impacting businesses. As companies become more dependent on interdependent IT systems, the risk associated with untested changes in development environments increases almost exponentially. Meanwhile, requirements for privacy and integrity of sensitive data in production systems indicate the need for companies to monitor changes to system access controls.
