IT AUDIT CHECKLIST SERIES

Change Management

Practical guidance for managers on how to prepare for successful audits

www.ITCinstitute.com

Research Sponsors: Solidcore, Tripwire
About the IT Compliance Institute

The IT Compliance Institute (ITCi) strives to be a global authority on the role of technology in business governance and regulatory compliance. Through comprehensive education, research, and analysis related to emerging government statutes and affected business and technology practices, we help organizations overcome the challenges posed by today’s regulatory environment and find new ways to turn compliance efforts into capital opportunities.

ITCi’s primary goal is to be a useful and trusted resource for Information Technology professionals seeking to help businesses meet privacy, security, financial accountability, and other regulatory requirements. Targeted at CIOs, CTOs, compliance managers, and information technology professionals, ITCi focuses on regional- and vertical-specific information that promotes awareness and propagates best practices within the IT community. For more information, please visit: www.itcinstitute.com

Comments and suggestions to improve the IT Audit Checklists are welcome. Please send your recommendations to editor@itcinsititute.com.

Table of Contents

2 Executive Overview
3 Introduction to Change Management
4 What Is Change Management?
4 What Are the Benefits of Change Management?
6 The Auditor’s Perspective on Change Management
  6 Why Audit?
  7 Who Is Responsible for Change Management?
9 Management’s Role in the Audit Process
10 What Auditors Want to See
  10 Auditors Like...
  10 Auditors Don’t Like...
  11 How Companies Help (or Hinder) Auditors
  11 Who Should Talk to the Auditors?
12 Change Management Audit Checklist
  12 Audit Planning
  12 Audit Testing
  13 Processes
  13 Steps
  14 Controls for Change Management
30 Audit Reporting
31 Preparing for an Audit
32 Communicating with Auditors
33 Appendix A—Change Management Resources

All design elements, front matter, and content are copyright © 2007 IT Compliance Institute, a division of 1105 Media, Inc., unless otherwise noted. All rights are reserved for all copyright holders.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under § 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the copyright holder.

Limit of Liability/Disclaimer of Warranty: While the copyright holders, publishers, and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be usable for your situation. You should consult with a professional where appropriate. Neither the publishers nor authors shall be liable for any loss of profit or any other commercial damages, including, but not limited to, special, incidental, consequential, or other damages.

All trademarks cited herein are the property of their respective owners.
www.ITCinstitute.com 1
IT AUDIT CHECKLIST: CHANGE MANAGEMENT

Executive Overview

What Is the IT Audit Checklist Series?

The ITCi IT Audit Checklists are a series of topical white papers that provide practical guidance for IT, compliance, and business managers on preparing for successful internal audits of various aspects of their operations. In addition to helping managers understand what auditors look for and why, the IT Audit Checklists can also help managers proactively complete self-assessments of their operations, thereby identifying opportunities for system and process improvements that can be performed in advance of an actual audit.

What Is This Paper About?

This paper, “IT Audit Checklist: Change Management,” supports an internal audit of the organization’s change management policies in order to verify compliance and look for opportunities to improve efficiency, effectiveness, and economy. The paper includes advice on assessing the existence and effectiveness of change management in project oversight, development, procurement, IT service testing, and IT operations; guidance for management and auditors on supporting change management; and information on ensuring continual improvement of change management efforts. The paper is intended to help IT, compliance, audit, and business managers prepare for an audit of high-level processes and resources and provide concrete tools managers can use to ensure that the audit experience and results are as beneficial as possible to both IT leaders and the company as a whole.

Paper Contents

• Regulations such as Sarbanes-Oxley and Basel II have exposed the reality that IT processes do not merely underlie business processes: in many cases, they are indistinguishable. As companies have grown more dependent on interdependent IT systems, the risks associated with untested changes in development and production environments have increased proportionately.

• Change management limits the risks associated with the introduction of new elements and other modifications in IT environments, focusing on prevention of unapproved ad hoc changes and rapid recovery from change-related problems.

• Change management control objectives, policies, and procedures should encompass both human errors and malicious endeavors. Effective change management controls risks without compromising business agility.

• This document provides a “base” IT audit checklist you can use and modify to fit your specific situation. Controls cited in this paper are derived from Control Objectives for Information and related Technology (CobiT) from the Information Systems Audit and Control Association (ISACA); ITIL from the UK Office of Government Commerce (OGC); Special Publication 800-53, “Recommended Security Controls for Federal Information Systems,” from the National Institute of Standards and Technology (NIST); and the authors’ own experience.

• In general, control objectives are categorized as management, operational, or technical, following the grouping mechanism in NIST 800-53. However, cited change management control objectives go beyond NIST’s recommended controls for information security to address change considerations for

project management, development, procurement, IT service testing, IT operations, and other key business processes.

• Change management audits are opportunities for companies to improve, based on auditor analysis and advice. To preserve the integrity and authority of audits, auditors must maintain a delicate balance between offering advice and making decisions.

• Managers, not auditors, are ultimately responsible for defining and implementing solutions to issues found in the audit. Thus, it is in everyone’s best interest to have a cooperative, collaborative audit process that respects the independence and discretion of all participants. Auditors should listen to management, and management should encourage staff to be open and honest with auditors.

Introduction to Change Management

IT organizations are besieged by seemingly contradictory mandates. They must contain costs in the face of swelling demands and system volume. At the same time, they are expected to provide unlimited services within the limitations of risk thresholds, and they must meet increasing functional demands in increasingly complex environments under stringent management and deadlines. And in the process they must hit an ever-increasing number of control “checkpoints” between conceptualization and implementation.

Central to meeting all of these challenges is the factor of change: how organizations, technologies, user expectations, oversight, and risk management are evolving and impacting businesses. As companies become more dependent on interdependent IT systems, the risk associated with untested changes in development environments increases sharply. Meanwhile, requirements for privacy and integrity of sensitive data in production systems indicate the need for companies to monitor changes to system access controls. And globalization of the IT labor market—and management challenges associated with a distributed workforce—is sparking awareness of the need for special oversight of outsourcers and the changes they make.

In fact, the list of potential changes that can impact a company is almost as vast and multiform as the universe of IT systems and corporate organizations. As a practice, change management attempts to tame this multitude by systematically controlling sources and types of changes that have significant or material risk potential. This acknowledged relationship of change to risk also means that internal auditors are increasing the frequency and “depth” of their assessments of change management policies and processes.


What Is Change Management?

The goal of change management is to limit risks associated with the introduction of new elements and other modifications into an IT environment; particularly, in development, project management, procurement, outsourcing, service testing, and operational areas. Effective change management achieves these control goals without compromising business agility.

To ensure that IT risks are understood and properly addressed, it can be useful for IT management to adopt a service management mindset. Traditionally, IT has seen itself primarily in terms of providing infrastructure and applications to business users. This scope might have been sufficient, as long as IT operated primarily as a tactical and technical department, but the rapid evolution of IT into a strategic factor and even a business competency in its own right requires a maturation of IT management concepts.

Recent regulations, such as Sarbanes-Oxley and Basel II, have exposed the reality that IT processes do not merely underlie business processes. In many cases, the two are indistinguishable. Accordingly, IT management (and controls) must proactively address not only software and software development, but hardware, staff, documentation, facilities, vendors, processes, and other integral components required to meet the needs of the business. The use of the word “service” in the remainder of this paper reflects this inclusive concept.

ITIL terms such service elements “configuration items” and requires IT to define their relationship to one another, in order to deliver the service the business needs. The concept of relationships and all of the risks it might imply—misalignment, disruption, repurposing, even destruction—is critical to the concept of change management. In the traditional IT view, ad hoc application changes, for example, had very localized effects and little risk. But in reality, even small changes in today’s complex, highly integrated IT environments can have massive unintended downstream effects.

Thus, prevention of unapproved ad hoc changes is at the heart of change management. Essentially, all changes must be separately reviewed and approved prior to implementation. Management defines an appropriate change model, or workflow, for change requests based on their potential business impact and urgency. An assigned review authority either approves the change and schedules it for implementation or rejects the change and returns it to the requestor with an explanation. This basic workflow can be expanded or contracted, in relation to the nature of the change. After all, the purpose of change management policies and procedures is not to impede development, but rather to provide controls that balance the need for the organization to change against change-related risks.

The other fundamental goal of change management is rapid recovery from change-related problems, when they arise. Versioning and back-out plans are critical controls that help organizations recover from system failures related to patches, upgrades, updates, and other revisions that, for one reason or another, take a production system down when they go live. Versioning is essentially a series of backups (and metadata) of known working system states prior to any significant change. Back-out plans are procedural documents that detail how staff should respond to a change-related failure, back out of problematic processes, restore a working system or database, and change procedures to prevent future such events. Versioning and recovery planning are critical recovery (corrective) controls: they do not stop a bad change, but they bound its damage. Unfortunately, many companies don’t think about them until they are in the midst of a failure and the damage is already excessive.

What Are the Benefits of Change Management?

Because change management provides a formal means to control changes, it is ideal for limiting a variety of behaviors stemming from malicious acts and human error. In fact, it is the latter that presents most risk to organizations, as employee mistakes are the most common source

of IT and business errors. Thus, the scope of change management control objectives, policies, and procedures should encompass both mistakes and malice.

In general, change management can help an organization reduce risks to a level acceptable to management. Appropriate change management controls benefit not only regulatory compliance, but information security, operations, and risk management functions. Moreover, since the goal of change management is largely to ensure that changes are appropriate and don’t produce negative consequences, good change management controls can actually support both IT and business agility.

Specific benefits of sound change management include:

Project Management
• Less opportunity for scope creep and requirement changes
• Stronger adherence to budgets, milestones, and deadlines
• Improved product and project transparency during the development process
• Predictable project outcomes; better alignment with management expectations
• Ability to more tightly track developer time expenditures
• Opportunity to gain progressive buy-in from business stakeholders on midproject functional revisions
• Higher confidence in IT staff by business sponsors and stakeholders

Development
• Better alignment of product functionality with requirements and expectations
• Fewer certification issues stemming from lack of change management controls
• Lower scrap and rework costs associated with inappropriate and nonfunctional development
• Demonstrable integrity of proprietary code; preservation of intellectual property value
• Lower risk of negative impact on production systems from unapproved changes
• Tighter management of staff resources, time spent on projects, and adherence to deadlines
• Creation of a stable application testing environment, wherein functional variables can be carefully controlled
• Less cost and delay associated with reconciling applications across inconsistent development, test, and production environments

Procurement
• Congruity between contracted work and actual scope of work
• Better oversight of change orders and change-related costs
• Better alignment of planned and actual services—and planned and actual risk levels—associated with externally developed applications

IT Operations
• Stronger technical security controls for information confidentiality, integrity, and availability
• Less opportunity for human error; smaller “blast radius” for errors that do occur
• Less unplanned IT work, enabling focus on core activities and planned initiatives, such as preventive maintenance and projects
• Faster recovery from unplanned failures and downtime as a result of system upgrades and changes
• Faster identification of unauthorized changes or system access, based on comparison of the existing production environment to a “last known good state” system image

• Faster identification of control deficiencies allowing unauthorized changes, based on change monitoring; faster response to and remediation of security events
• Faster, more effective staff response to system crashes due to software changes or other factors, such as spontaneous hardware failure
• Higher customer satisfaction and an improved perception of IT by management, based on improvements to information confidentiality, integrity, and availability, as well as worker productivity
• Fewer business losses due to change-based failures of production systems

The Auditor’s Perspective on Change Management

Why Audit?

Change management audits are opportunities for companies to improve, based on auditor analysis and advice. To preserve the integrity and authority of audits, auditors maintain a delicate balance between offering advice and making decisions.

For each organization, the scope of auditor responsibility should be documented in the company’s internal audit charter and be approved by the audit committee. Because each organization has different goals and objectives—and certainly different issues and challenges—there is no one-size-fits-all audit process, nor one audit approach, that fits all situations.
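Two of the IT Operations benefits listed above (faster identification of unauthorized changes by comparing production to a “last known good state”, and faster identification of control deficiencies through change monitoring) and the adherence question the rest of this section takes up rest on one mechanism: record the digests of known-good versions when a state is versioned, detect what has drifted since, and reconcile each drifted item against the approved-change log. The following is an added example, not code from the ITCi paper or from either research sponsor’s product. The baseline, current state, paths, ticket numbers, timestamps, and file contents are all constructed; the assumption that a change record carries the digest of the content that was reviewed is made in order to show the edge case auditors most often miss, an approved change whose implemented content differs from what was approved.

```python
"""Drift detection against a last-known-good baseline, reconciled with approved changes.

Constructed example: baseline, current state and change records are made up, and the
ticket format (CHG-nnnn) and the recorded 'approved digest' are assumptions.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

UTC = timezone.utc


def digest(content: bytes) -> str:
    """SHA-256 of a configuration item's content; this is the 'version' the baseline records."""
    return hashlib.sha256(content).hexdigest()


@dataclass(frozen=True)
class ApprovedChange:
    ticket: str
    path: str
    window_start: datetime           # approved implementation window (inclusive)
    window_end: datetime
    approved_digest: Optional[str]   # digest of the reviewed content; None means an approved deletion


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str       # "added", "modified" or "deleted"
    status: str     # "authorized", "unauthorized" or "wrong-content"
    ticket: Optional[str]


def detect_drift(baseline: Dict[str, str],
                 current: Dict[str, Tuple[str, datetime]],
                 scanned_at: datetime) -> Dict[str, Tuple[str, Optional[str], datetime]]:
    """Compare the current state (digest, mtime) with the baseline digests.

    Returns {path: (kind, new_digest, when)}. A deleted item has no mtime, so the scan
    time is recorded for it: all that is known is that it was gone by then.
    """
    drift = {}
    for path in sorted(baseline.keys() | current.keys()):
        old = baseline.get(path)
        new, mtime = current.get(path, (None, scanned_at))
        if old == new:
            continue
        kind = "added" if old is None else "deleted" if new is None else "modified"
        drift[path] = (kind, new, mtime)
    return drift


def _covers(change: ApprovedChange, kind: str, when: datetime) -> bool:
    """Does this approval's window cover the observed change time?"""
    if kind == "deleted":
        # Deletion time is unknown; the item can only have vanished after the window opened.
        return change.window_start <= when
    return change.window_start <= when <= change.window_end


def reconcile(drift, approvals: List[ApprovedChange]) -> List[Finding]:
    """Classify each drifted item against the approved-change log."""
    findings = []
    for path, (kind, new_digest, when) in drift.items():
        candidates = [a for a in approvals if a.path == path and _covers(a, kind, when)]
        exact = [a for a in candidates if a.approved_digest == new_digest]
        if exact:
            findings.append(Finding(path, kind, "authorized", exact[0].ticket))
        elif candidates:
            # A ticket exists for this path and window, but what landed is not what was reviewed.
            findings.append(Finding(path, kind, "wrong-content", candidates[0].ticket))
        else:
            findings.append(Finding(path, kind, "unauthorized", None))
    return findings


def unimplemented(drift, approvals: List[ApprovedChange], scanned_at: datetime) -> List[str]:
    """Tickets whose window has closed with no change at all observed on the approved path."""
    return [a.ticket for a in approvals if a.window_end < scanned_at and a.path not in drift]


def run_example():
    """Constructed scenario: one approved change done right, one done wrong, two unapproved, one never done."""
    w14 = (datetime(2007, 7, 14, 22, 0, tzinfo=UTC), datetime(2007, 7, 14, 23, 59, tzinfo=UTC))
    w15 = (datetime(2007, 7, 15, 22, 0, tzinfo=UTC), datetime(2007, 7, 15, 23, 59, tzinfo=UTC))
    baseline = {
        "/etc/ssh/sshd_config": digest(b"PermitRootLogin no\n"),
        "/etc/sudoers.d/ops": digest(b"%ops ALL=(ALL) NOPASSWD: /usr/bin/systemctl\n"),
        "/opt/app/config.yaml": digest(b"db_host: db01\n"),
    }
    approvals = [
        ApprovedChange("CHG-1042", "/opt/app/config.yaml", *w14, digest(b"db_host: db02\n")),
        ApprovedChange("CHG-1043", "/etc/sudoers.d/ops", *w14, None),
        ApprovedChange("CHG-1044", "/opt/app/feature_flags.yaml", *w15, digest(b"new_checkout: false\n")),
    ]
    current = {
        "/etc/ssh/sshd_config": (digest(b"PermitRootLogin yes\n"), datetime(2007, 7, 15, 3, 12, tzinfo=UTC)),
        "/opt/app/config.yaml": (digest(b"db_host: db02\nlog_level: debug\n"), datetime(2007, 7, 14, 22, 30, tzinfo=UTC)),
        "/opt/app/plugins/debug.so": (digest(b"\x7fELF..."), datetime(2007, 7, 15, 3, 15, tzinfo=UTC)),
    }
    scanned_at = datetime(2007, 7, 16, 9, 0, tzinfo=UTC)
    drift = detect_drift(baseline, current, scanned_at)
    return reconcile(drift, approvals), unimplemented(drift, approvals, scanned_at)


if __name__ == "__main__":
    findings, missing = run_example()
    for f in findings:
        print(f"{f.status:13} {f.kind:9} {f.path}  ticket={f.ticket}")
    print("approved but never observed:", missing)
```

Run stand-alone, it reports the sudoers removal as authorized under CHG-1043, the sshd_config edit and the new plugin as unauthorized, the config.yaml change as wrong-content against CHG-1042, and CHG-1044 as approved but never implemented. In practice the baseline is the digest manifest captured when the last known-good state was versioned, the current state comes from a file-integrity scan, and the approvals come from the ticket system; the wrong-content case is the one a ticket-only review will not catch, because a ticket exists for the change.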

Audits should ensure that management and staff understand and adhere to change management policies and procedures. Because change management is itself a risk management control, failure to follow mandated processes means that risks to the organization are not being properly mitigated.

The size and complexity of various organizations’ audit efforts differ due to variations in operating environments, risk priorities and thresholds, and business and audit objectives. In addition, the scope of audits can vary from project to project, depending upon an auditor’s focus (for example, on various business processes, management controls, and technical controls). Ensuring appropriate audit focus is another reason management should communicate with auditors, and vice versa, early and often for every audit project.

Internal auditors should perform organizational risk assessments and evaluate the audit universe and supporting audit plans at least annually and sometimes more frequently. At the micro level, an audit risk assessment of the various entities being audited is completed to support the audit project (sometimes also referred to as


the audit “terms of reference”). Planning for each audit requires serious consideration of the organization’s many risks and opportunities. Finally, in many companies, continuous auditing (ongoing audit evaluations) is being implemented for key systems and/or key transactions.

Who Is Responsible for Change Management?

Management (of IT, staff, and business lines) and internal auditors all have significant roles in change management assurance and the auditing of change management controls. The big question for many companies is how these stakeholders should work together to ensure that everything that should be done to protect sensitive systems is being done—and that the company’s information assets are protected appropriately.

1. Executive management must provide leadership and set the correct tone from the top to ensure that change management efforts are supported and understood across the organization—and must demonstrate compliance with change management policies by example.

Executive management must also dedicate sufficient resources to allow controls to be effective. The workflows, approvals, and testing requirements required by change management policies commonly add steps to companies’ standard development processes. Executive management should support and reinforce the message that these steps are necessary and encourage IT managers, project managers, and business stakeholders to schedule necessary time and staff for proper control adherence.

Finally, by ensuring that the change management program and its management are subject to audit and reviewed by qualified professionals, corporate leaders advance the goal of corporate oversight and promote its continuous improvement and success.

2. IT management must have a voice in the design and implementation of change management programs, since they are held accountable for protecting and enhancing the value of the organization’s technologies, applications, and systems. Managers must also review and monitor change management controls to ensure they are appropriate, despite ever-changing risks and business requirements. This is, in fact, a form of auditing.

3. In addition to these general roles, ITIL identifies three roles specific to change management that should be identified in relation to any planned changes and projects:

The change owner is the managerial sponsor of the change management process. This person is responsible for ensuring the new mandates are followed. In order to facilitate any cultural change necessary to support technology and process changes, the change owner must have enough political power to get stakeholder buy-in and, if possible, enforce compliance.

The change manager is the person accountable for the day-to-day process. This person has ultimate authority to approve and reject change requests, and is responsible for reviewing, filtering, and identifying which change management model a given request should follow. The change manager follows the change process and manages risks associated with changes.

The change controller is an optional role for organizations that require a coordinator between the change manager and various people and functions responsible for implementing the change. Tasked with administrative work and other formally delegated tasks, the change controller position is intended to give the change manager sufficient support to effectively oversee the change management process.

These roles aren’t necessarily congruent with organizational titles, although they can be dedicated roles. Thus, a data center manager might be both the change owner and change manager for a particular request. Alternatively, the change owner could be the


business user who requested the change or even the vice president of operations. And “Change Manager” might be an assigned IT title. Who has the roles is less important than that change management policies and procedures identify the roles and responsibilities, and that job descriptions reflect these requirements.

4. The internal audit function provides strategic, operational, and tactical value to an organization. In relation to change management, for example, internal audit:

• Informs the board and management as to whether business and IT units understand the importance of change management and are adhering to policies, whether key information assets and systems are sufficiently protected, whether programs are in place for continually updating and strengthening safeguards against unauthorized changes and undue risk stemming from authorized changes, and whether existing policies are reasonable and enforced. In brief, internal audits assess the state of the change control environment and recommend improvements.

• Independently validates that the organization’s change management efforts are proactive and effective against current and emerging threats. To provide this level of assurance, internal auditors may compare current organizational practices with industry practices and regulatory guidelines.

Of course, auditing provides only a reasonable level of assurance. Auditors cannot provide an insurance policy against any fault or deficiency, particularly in regard to activities that cannot be totally controlled, such as management-approved exceptions to mandated policies.

To fulfill the audit’s potential, however, internal auditors need to:

1. Know what they are doing (have the skills to perform appropriate change management audits)

2. Have a strong understanding of the technical and the business environment and factors that might influence the effectiveness of change controls

3. Know what to ask for in assessing change management programs

4. Complete regular and ongoing training to keep on top of new guidance and standards of practice

In addition, the auditing function should complement, but never replace or overpower, management’s responsibility to ensure that change management controls are existent and effective.


Management’s Role in the Audit Process

An internal audit engagement typically has three phases: planning, testing, and reporting. Management has an important role in each phase:

During planning, management should first focus on the audit plan (the auditor’s “road map”) and ensure that managers understand and are generally in agreement with the audit purpose, focus, and approach. An open, positive discussion with the audit team regarding these defining factors helps management and the audit team communicate their expectations up front. Audit planning should focus on critical or sensitive risks, but all risks should be considered. To this end, active involvement by management in audit planning is vital to the overall success of an internal audit.

Management should also discuss the evaluation criteria auditors will use in assessing change management controls. Finally, managers and auditors should broadly discuss how auditors plan to test existing controls, although auditors ultimately have the authority and discretion to select tests they deem appropriate.

During testing, management facilitates the auditors’ access to appropriate people and systems. Management confirms the audit results, not re-performing the actual tests, but verifying processes and data in order to gain confidence in the audit findings. The audit team leader and senior executives of the areas being audited should meet regularly throughout the audit process—usually weekly and at least once a month—to discuss audit progress, identified issues, and potential actions.

An open, transparent dialogue between senior members of both management and the audit team does much to avert misunderstandings or resolve disputed findings before the audit team issues its draft report. The audit team should communicate critical findings to management as early as possible, even outside of the established meeting schedule. These findings may also be reviewed during regular meetings, but prompt notice is necessary and usually appreciated.

During reporting, management receives and reviews the findings of auditors, plans and develops corrective actions, and implements change.

[Figure: Audit Communications Flow (A = audit team, M = management).
Planning phase: audit team develops the audit plan and communicates it to management (A); management and audit teams discuss audit goals, scope, purpose, and criteria (A, M).
Testing phase: auditors perform testing (A); managers validate testing processes (M); management and audit teams meet regularly to discuss audit progress and issues (A, M).
Reporting phase: audit team issues draft report (A); management remits comments (M); audit team issues final report (A); management reviews findings and begins planning corrective actions (M).]

Managers and auditors should work together throughout the audit process to ensure that auditors pursue appropriate goals and have proper insight into IT and business processes. Good communication throughout the audit process helps ensure that audit findings are relevant and can be used to benefit the company.


What Auditors Want to See

Audits exist to assess how well a business unit or program meets the performance goals of the organization, as dictated by the CEO, CFO, board, and investors. Accordingly, the managerial goal in auditing is not simply to make auditors happy, but to demonstrate how well operations, controls, and results meet the needs of the business. During audit planning, managers help auditors to design an audit process that truly reflects business strategies and goals. Thus, the managerial response to auditors throughout the audit process—planning, testing, and reporting—is for the benefit of the business, not its auditors.

Auditors exist to provide the board and senior management with an objective, independent assessment of a business unit or program (such as change management), including what they see as key opportunities for improvement. To prepare their opinions and conclusions, auditors need to review and assess evidence of the risk management program and its performance. If managers can demonstrate performance and show that accountability has been established and is working, auditors should produce a positive audit report.

Accordingly, auditors and managers should work to help each other reach common goals—auditors striving to earnestly, honestly, and completely assess program effectiveness, and management working to help auditors make valid assessments. In that vein, there are some typical program characteristics and managerial processes that auditors do and don’t like to see. As in all aspects of audit and risk management programs, auditor likes and dislikes vary by company; however, the following list itemizes typical indicators of good and bad audits.

Auditors Like ...
• Good management practices: planning, direction, monitoring, reporting, etc.
• Proactive management including frequent, if not continuous, operational monitoring
• Supervisory review of key performance reports and operating results
• Organized, clear, and up-to-date documentation
• Well documented policies and procedures
• Managerial actions based on facts, not habits
• A documented chain of command, roles, accountability, and responsibilities
• Consistent adherence to policy and procedures, from senior management through frontline staff
• Good staff management, including workforce development (bench strength and cross training), assurance that absences do not compromise controls, and policies for secure staff turnover
• A balance between short- and long-term focus, for both objectives and results
• Managerial willingness to embrace new ideas

Auditors Don’t Like ...
• Managers who adopt the “letter” of change management requirements in order to satisfy audit requirements, rather than embracing the “spirit” of the controls for the full risk mitigation they can offer
• Interviewing defensive or uninformed managers and executives
• Wading through piles of disorganized analyses
• Managers who can’t or won’t comprehend the level of risk they are incurring
• The opposite of the “like” items listed above


How Companies Help (or Hinder) Auditors
• (Not) having requested documentation available at the prearranged time
• (Not) meeting deadlines and (not) stonewalling
• (Not) communicating at an appropriate managerial level
• (Not) ensuring key staff are available to auditors, especially at critical milestones
• (Not) informing relevant staff about the audit and its goals, affecting the time and effort auditors must spend to explain the audit to affected personnel
• (Not) having administrative support where needed
• (Not) providing accurate documentation
• (Not) having an audit charter for the internal audit function

Who Should Talk to the Auditors?

An efficient audit process depends on effective communication between auditors, managers, and workers. Management and auditors should strive to balance efficiency (having a minimal number of staff dealing directly with the auditors) with the need for “open access” to management and staff by the audit team (when needed).1 Obviously, it is impractical and unproductive for both teams to put too many staff in front of auditors. Instead, management should:

• Provide knowledge of operations through several informed “point” people to interact with auditors. A “short list” of interviewees within the program area being audited can more quickly answer auditor queries and provide better continuity of audit support.
• Allow ready access to all management and staff, if required by the audit team to gain a clearer picture of overall operations.
• Work with the audit team to draw up a staff interview schedule as part of the planning effort. Update the schedule as necessary during the audit fieldwork phase, if circumstances change.

In many situations, a single point of contact for each audited program provides the vast majority of documentation to the audit team. The role of that individual—and, indeed, for all auditor contacts—is to ensure that the audit team receives accurate and adequate information for the task. Auditors still use their professional judgment to determine if and when additional sources of information (other staff interviews) are required. The audit team also conducts a variety of audit tests, if necessary, to confirm their audit analysis.

1 The audit team is always expected to ensure all their interactions (with all staff) are professional and result in a minimal disruption.


Change Management Audit Checklist

Your audit’s goals, scope, and purpose determine the appropriate audit procedures and questions. An audit of change management controls should determine that key risks to the organization are being controlled, that key controls are operating effectively and consistently, and that the relevant functional area management and staff have the ability to recognize and respond to new threats and risks as they arise.

The following checklist generally describes change management audit steps that management might follow in preparation for and during an audit. The list does not attempt to itemize every possible change management objective, but rather to provide general guidance on defensible controls and a logical control hierarchy.

Audit Planning

• The audit team develops an initial draft of the internal audit plan

• The change owner, change manager, and other stakeholders meet with the audit team to review audit program steps and define key players and necessary resources

• Change management staff collects program documentation in preparation for audit

• Management supports a preliminary survey of the change management program (by the internal audit team)

• The audit team drafts the internal audit program plan

• Management and board members provide feedback on the draft plan

Audit Testing

Management has a responsibility to ensure that audit testing is productive. The audit team performs tests to independently assess the performance of the change management program. Although the audit team ultimately determines the nature of these tests and the extent of testing (e.g., the sample sizes to use), management should engage auditors in discussions about their testing methods and goals.

In tone, management should try to strike a balance, neither entirely deferring to the audit team nor micromanaging the internal audit efforts. The key is to provide productive input on the evaluation methodology before audit management signs off on it.

As the testing phase winds up, the audit team prepares summaries of its key findings. Change managers (or IT management responsible for interacting with auditors on their behalf) should be prepared to provide feedback and comments on audit summaries, prior to the more final, formal audit report.

Proactive communication, candor from all parties, and thorough documentation can prevent many surprises and conflicts that might otherwise arise during the testing phase; however, managers might still disagree from time to time with audit results. Management should strive to provide solid evidence—not just argument—that supports its contrasting position. Facts are the most powerful tool for swaying an adverse opinion before the audit report is finalized.

Since the audit report often forms the basis of future change management control development and support, management should ensure that every audit point raised—and its related recommendation—is relevant and valid. Likewise, every action plan proposed by managers or auditors should be achievable, appropriate, cost effective, and able to produce lasting effect.


Audit Testing Processes

• Managers and auditors complete a “kick-off” meeting

• Managers support auditors’ assessment of change management controls with interviews and documentation of:

  __ Scope and strategy, including how thoroughly the controls address potential risks and compare with industry best practices

  __ Structure and resources, reflecting managerial commitment to effective change management and the program’s robustness relative to the potential impact of adverse events

  __ Management of policies and related procedural documentation

  __ Communication of program policies and expectations to stakeholders

  __ Impact of program efforts on organizational culture

  __ Internal enforcement processes and consistency

  __ Ongoing improvement efforts

• Managers support more detailed audit analysis of the change management program

• Auditors complete the evaluation of design adequacy

• Auditors complete the evaluation of control effectiveness

• Managers and auditors complete an exit meeting to discuss audit findings, auditor recommendations, and managerial response

Audit Testing Steps

The following activities may be repeated in each of the aforementioned audit processes.

• Auditors evaluate information on change management processes and procedures

• Managers assist auditors with walkthroughs of selected processes and control documentation

• Auditors evaluate the quality of information generated by the change management program, considering the ease, reliability, and timeliness of access to such information by key decision makers, and the operational consistency with which such information is generated

• Auditors assess change management performance metrics: existence, effectiveness, monitoring, and responses to deviation

• Auditors evaluate whether risk management controls are sufficiently preventive, detective and, if applicable, corrective

• Auditors define tests to confirm the operational effectiveness of change management activities. Tests might include management and staff interviews, documentation and report review, data analysis, and result sampling for recent initiatives.

• Managers provide requested data, documentation, and observations

• Auditors identify and recommend opportunities for improvement of change management activities


Controls for Change Management

The objectives cited in this section represent a “menu” of widely accepted change management controls that the reader may organize, cull, and implement in a manner that meets unique organizational requirements. Objectives are drawn from Control Objectives for Information Technology (CobiT)2 from the Information Systems Audit and Control Association (ISACA); ITIL3 from the UK Office of Government Commerce (OGC); Special Publication 800-53,4 “Recommended Security Controls for Federal Information Systems” from the National Institute of Standards and Technology (NIST); and the authors’ experience. In evaluating an organization’s change management, auditors might review the controls listed in this section—and potentially others, depending on the audit’s purpose and focus.

In general, control objectives are categorized as management, operational, or technical, following the grouping mechanism in NIST 800-53. However, cited change management control objectives go beyond NIST’s recommended controls for information security5 to address change considerations for project management, development, procurement, service testing, IT operations, and other key business processes.

The actual change management controls to be audited are determined during the audit planning phase. Controls are assessed during the audit testing phase. Management should determine which change management controls are appropriate for each organizational environment, based on the corporate risk profile, and compare the list to the controls in this section, which reflect audit best practices.

The organizational approach to change management is reflected in Figure 1, which reflects CobiT’s IT control structure. Change management controls (including access controls that protect information integrity) should be considered throughout any development or implementation cycle—from planning through delivery and post-implementation evaluation.

[Figure 1: An operational approach to change management. The figure (not reproduced) lays the CobiT control structure across four columns: Plan and organize; Acquire and implement; Deliver and support; Monitor and evaluate. Change management and Information security run across all four, above the process areas Project management, Development, Procurement, Testing, and IT operations.]

2 Information Systems Audit and Control Association (ISACA), “Control Objectives for Information and related Technology (COBIT)”: http://www.isaca.org/cobit

3 UK Office of Government Commerce Information Technology Infrastructure Library v3. June 2007. http://www.itil.co.uk

4 US NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems. February 2005. http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf

5 NIST 800-53 and an additional publication, FIPS 199 (“Standards for Security Categorization of Federal Information and Information Systems” <http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf>. February 2004.), provide much more extensive guidance on information security controls than is reproduced in this paper. Of particular note are the three control impact ratings or “baselines” defined in FIPS 199 and specified for individual controls in NIST 800-53. The NIST guidelines do not simply assign each control a baseline; rather, they provide guidance on how controls must be implemented to meet the criteria for increasingly stringent levels of control baselines.


Management Controls

Management controls ensure a well-run and effective change management program. In general, management controls assess whether:

• Change management policies and procedures have been established

• Performance is measured using established and documented metrics

• Budgets support actual change management requirements

• A continuous improvement program is in place and operates effectively

• A disciplinary process exists for personnel who choose not to follow change management procedures

More specifically, change management control objectives include:

Risk Assessment (RA)

Organizations must periodically assess the risk to organizational operations (including mission, functions, image,
or reputation), organizational assets, and individuals, resulting from the operation of organizational information
systems and the associated processing, storage, or transmission of organizational information.

Description

Risk Assessment Policy and Procedures: The organization develops, disseminates, and periodically reviews/updates: 1) a
formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, and compliance; and 2) formal,
documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls

System Risk Profile: The organization categorizes the IT system, processes, and services, including 1) business purpose,
2) impact on the business in terms of dollars (or other relevant goal units), 3) business owner, 4) data owner, 5) relationships
of various configuration items (for example: parent-child relationships) within systems and services, 6) security requirements,
and 7) other data relevant to the business

Risk Assessment: The organization conducts assessments of the risk and magnitude of harm that could result from the
unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that
support the operations and assets of the agency

Risk Assessment Update: The organization updates the risk assessment whenever there are significant changes to the
information system, the facilities where the system resides, or other conditions that may impact the security or accreditation
status of the system


Management Controls

Assessment and Managerial Certification of Change Management

Management actively oversees policies and processes related to IT product and service changes and related risks.

Description

Change Management Assessment Policies and Procedures: The organization develops, disseminates, and periodically reviews/updates: 1) documented change management assessment and certification policies that address purpose, scope, roles, responsibilities, and compliance; and 2) documented procedures to facilitate the implementation of the change management assessment and certification policies and associated assessment and certification controls

Change Management Assessment and Certification: The organization conducts an assessment of change management
controls to determine the extent to which the controls are functional and effective

Plan of Action and Milestones: The organization develops and updates a plan of action and milestones that documents
the organization’s planned, implemented, and evaluated remedial actions to correct any deficiencies noted during the
assessment of change management controls and to reduce or eliminate known vulnerabilities in the information system

Continuous Monitoring: The organization monitors change management through key performance indicators (KPIs),
including 1) number of changes authorized per week, 2) number of changes implemented per week, 3) number of unau-
thorized changes detected, 4) change success rate, 5) number of changes resulting in service affecting outages, 6) amount
of downtime in hours resulting from unauthorized changes, 7) cost of downtime associated with unauthorized changes, 8)
number of emergency changes, and 9) number of standard changes

Planning
In each area that requires change management, proper planning is vital to mitigate organizational risks and opti-
mize efficiency, effectiveness, economy, and compliance. Organizations must develop, document, periodically
update, and implement change management plans for organizational information systems that describe the change
management controls in place or planned.

Description

Change Management Plan: The organization develops, documents, and implements a change management plan that pro-
vides an overview of change management requirements for the services and a description of controls in place or planned for
meeting those requirements. The plan clearly identifies scope of coverage of change management policies and procedures
and identifies change management controls based on the specific characteristics and requirements of particular staff groups
or environments (e.g., production environments vs. development environments, onsite vs. offsite developers, internal vs.
contracted developers, etc). Designated officials within the organization review and approve the plan.

Change Management Plan Updates: The organization has a defined review period, reviews the change management
plan, and revises the plan to address system/organizational changes or problems identified during plan implementation or
security control assessments


Management Controls
Planning (continued)

Description

Change Management Models: The organization develops a variety of change models and defines clear criteria for when
each model should be applied. Models indicate varied workflows and processes to accommodate variations in risk and
urgency associated with different scenarios and requirements. Common change management models include:

• Standard: Simplified policies and processes associated with low-risk changes—generally comprising a single review,
approval, and logging

• Significant: Policies and procedures associated with higher-risk changes, often requiring the involvement of a change
advisory board (CAB) to evaluate and accept or reject the proposed change

• Emergency: Policies that support abbreviated change management processes in the case of an urgent need. Emergency procedures support rapid implementation of a change and defer thorough testing and verification until after the crisis has passed.

All change models reduce residual risk to a level acceptable to management. Each model defines testing protocols commensurate with associated risks.

Scheduling: In order to minimize the disruptive impact of changes on the business and prevent change scheduling conflicts, the organization: 1) defines maintenance windows for IT services, 2) manages change scheduling through a “forward schedule of change,” 3) documents any planned downtime beyond that defined in the negotiated maintenance windows in a planned service availability (PSA) document, and 4) evaluates the success or failure of changes following implementation.

Changes that must be scheduled outside of planned maintenance windows follow a defined emergency change model that
defines: 1) criteria for allowing exceptions, 2) individuals and/or roles authorized to approve emergency changes, 3) protocols
for reviewing emergency changes to determine if they were truly emergencies and not attempts to circumvent normal change
management procedures, and 4) protocols for testing emergency changes to ensure related risks are properly managed.

Change Advisory Board: The organization establishes a change advisory board (CAB) that provides perspectives on
changes to the Change Manager. As an adjunct to the CAB, the organization establishes an emergency committee
(CAB/EC) that supports change management in urgent scenarios.

Service Development Life Cycle (SDLC): The organization defines and enforces standards around the creation of new
services and service updates. The SDLC covers: 1) the collection and documentation of requirements; 2) design of the new
system or update; 3) development procedures, including development standards; 4) testing protocols; 5) deployment into
production of new services and updates; 6) requirements for services in production; 7) requirements for service mainte-
nance; and 8) standards for decommissioning of services.

Rules of Behavior: The organization establishes and makes readily available to all relevant staff a set of rules that describes
their responsibilities and expected behavior with regard to change management. The organization receives signed acknowl-
edgement from users indicating that they have read, understand, and agree to abide by the rules of behavior, before
authorizing access to development and production systems.

Enforcement: The organization defines a disciplinary process for employees who flout change management controls. To ensure change management policies are upheld by both internal employees and third parties, management defines disciplinary procedures for: 1) employees, 2) contractors, and 3) vendors.
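The change models and scheduling rules described under Planning can be written down as a routing function, which makes the criteria auditable rather than tribal. The following is an added example, not code from the ITCi checklist or from any product it mentions; the risk scale (impact times likelihood, each rated 1 to 5), the threshold of 6 separating standard from significant changes, the maintenance-window table, and the sample requests are all constructed assumptions.

```python
"""Change model routing and maintenance-window check.

Added example, not code from the ITCi checklist or any named product.
It encodes the three change models described above (standard, significant,
emergency) and the scheduling rule that a change outside a negotiated
maintenance window must follow the emergency model and be reviewed
afterwards. Risk scale, threshold, windows and sample requests are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Tuple

# Assumed risk scale: impact x likelihood, each rated 1..5 by the change
# owner. A score above LOW_RISK_MAX needs change advisory board review.
LOW_RISK_MAX = 6

# Assumed negotiated maintenance windows per service: (weekday, start, end),
# Monday == 0. Anything scheduled outside them follows the emergency model.
MAINTENANCE_WINDOWS: Dict[str, List[Tuple[int, time, time]]] = {
    "erp": [(5, time(22, 0), time(23, 59)), (6, time(0, 0), time(4, 0))],
    "web": [(6, time(1, 0), time(5, 0))],
}


@dataclass
class ChangeRequest:
    ident: str
    service: str
    impact: int              # 1 (negligible) .. 5 (business critical)
    likelihood: int          # 1 (failure unlikely) .. 5 (failure likely)
    urgent: bool             # requester asserts an urgent need
    scheduled_start: datetime


@dataclass
class Routing:
    model: str                        # standard | significant | emergency
    approver: str                     # who must sign off under that model
    in_maintenance_window: bool
    post_implementation_review: bool  # emergency changes are re-examined
    testing: str                      # testing protocol the model requires


def risk_score(req: ChangeRequest) -> int:
    """Multiplicative risk score on the assumed 1..5 scales."""
    if not (1 <= req.impact <= 5 and 1 <= req.likelihood <= 5):
        raise ValueError("impact and likelihood must be rated 1..5")
    return req.impact * req.likelihood


def in_window(service: str, when: datetime) -> bool:
    """True when `when` falls inside one of the service's maintenance windows."""
    for weekday, start, end in MAINTENANCE_WINDOWS.get(service, []):
        if when.weekday() == weekday and start <= when.time() <= end:
            return True
    return False


def route(req: ChangeRequest) -> Routing:
    """Pick the change model from urgency, schedule and risk.

    Urgency and an out-of-window schedule are checked first: the emergency
    model is the only one that defers full testing, so every change that
    takes it is flagged for a later review of whether it was a genuine
    emergency rather than a way around the normal process.
    """
    windowed = in_window(req.service, req.scheduled_start)
    if req.urgent or not windowed:
        return Routing("emergency", "emergency committee (CAB/EC)", windowed,
                       post_implementation_review=True,
                       testing="abbreviated now; full verification after the crisis")
    if risk_score(req) > LOW_RISK_MAX:
        return Routing("significant", "change advisory board (CAB)", windowed,
                       post_implementation_review=False,
                       testing="full test plan accepted by the CAB")
    return Routing("standard", "change manager", windowed,
                   post_implementation_review=False,
                   testing="single review, approval and logging")


# Constructed requests. 2024-03-09 is a Saturday, inside the ERP window;
# 2024-03-13 is a Wednesday afternoon, outside every window.
SAMPLE_REQUESTS = [
    ChangeRequest("CR-1", "erp", 2, 2, False, datetime(2024, 3, 9, 22, 30)),
    ChangeRequest("CR-2", "erp", 4, 3, False, datetime(2024, 3, 9, 22, 30)),
    ChangeRequest("CR-3", "erp", 1, 1, False, datetime(2024, 3, 13, 14, 0)),
    ChangeRequest("CR-4", "web", 1, 2, True, datetime(2024, 3, 10, 2, 0)),
]


def route_all(requests: List[ChangeRequest]) -> Dict[str, Routing]:
    return {req.ident: route(req) for req in requests}


if __name__ == "__main__":
    for ident, r in route_all(SAMPLE_REQUESTS).items():
        print(f"{ident}: {r.model:<11} approver={r.approver}; "
              f"in window={r.in_maintenance_window}; review later={r.post_implementation_review}")
```

The order of the checks is the point worth noting: a trivial change scheduled outside its window still takes the emergency route, so the count of emergency changes (one of the KPIs under Continuous Monitoring) will rise if staff use the emergency model to dodge the CAB, which is exactly what the post-hoc review protocol is meant to catch.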


Management Controls
Communications
Management actively oversees policies and processes related to IT product and service changes and related risks.

Description

Change Communication Plan: The organization develops, disseminates, and enforces a change communication plan to
inform staff stakeholders about the nature and impact of potential changes. The plan includes: 1) a formal, documented
communication policy that addresses communication purpose, scope, roles, responsibilities, schedules, and compliance; 2)
formal, documented procedures for communication; and 3) procedures for evaluating and responding to staff feedback
throughout the project process. Designated officials within the organization review and approve the plan.

Stakeholder Analysis: The organization: 1) identifies all staff who are involved in or stand to be impacted by a change or
project, 2) categorizes stakeholders into communication groups, and 3) analyzes stakeholder expectations for communication

Communication Approval: The organization specifies how communications should be generated and approved, including
allocation of approval authority only to personnel formally authorized by management

Communication Record Retention: The organization retains a record of all change-related communications

Procurement (System and Service6 Acquisition)

Since all procurement implies some degree of change, procurement controls ensure that 1) participants in purchas-
ing processes consider change-related risks before committing to purchase, and 2) all stakeholders in purchasing are
aware of changes to procurement approval processes when they occur.

Description

System and Service Acquisition Policy and Procedures: The organization develops, disseminates, and periodically reviews/updates policies and procedures for the procurement of IT products and services that address: 1) application of change management policies and procedures to acquisitions, and 2) the need for an impact assessment to analyze the ramifications of a requested change related to new or existing software or services

Contract and Purchase Order Change Management: The organization develops, disseminates, and periodically reviews/
updates policies and procedures for making changes to existing purchase orders and contracts

System and Service Acquisition Approval: The organization specifies how purchase requests should be processed and
approved, including designation of purchase authority to personnel formally authorized by management

Notification to Vendors of Procurement Process Changes: Vendors are notified of changes to procurement policies; for
example, if the purchasing organization stops accepting verbal orders and begins requiring purchase orders

Procurement Training: Personnel receive formal training on procurement policies and procedures

6
According to the ITIL definition of service, configuration items can include hardware,
software, people, facilities, services, documentation, and other technical and non-
technical components that contribute to workable IT processes. System specifically
relates to hardware and software and is used here to clearly differentiate procure-
ment of IT products from procurement of services, such as outsourced application
hosting, etc.


Operational Controls

Operational controls ensure the effective performance of the change management program. In general, operational controls assess whether:

• Controls exist to meet regulatory requirements

• Rules and requirements exist and are documented

• Staff performance appraisals are completed regularly

• Supervisory review of key management reports and operating results occurs regularly

Operational controls for change management include:

Awareness and Training

Organizations must ensure that managers and users of IT services are made aware of 1) risks associated with changes to IT systems; and 2) laws, standards, policies, and procedures that govern change management. Moreover, management must ensure that organizational personnel have adequate training to meet change management objectives.

Description

Change Management Awareness and Training Policy and Procedures: The organization develops, disseminates, and
periodically reviews/updates: 1) a documented change management awareness and training policy that addresses purpose,
scope, roles, responsibilities, and compliance; and 2) procedures for the implementation of change management awareness
and training, as well as related security awareness and training controls

Change Management Awareness: The organization ensures that all employees (including managers and senior execu-
tives) are made aware of change management awareness materials before gaining access to information systems

Change Management Training: The organization identifies personnel whose job roles empower them to make significant changes to IT systems and services, documents their roles and responsibilities, and provides appropriate change management training before authorizing access to information systems

Training Records: The organization documents change management training activities at the individual level

Training Change Management: The organization ensures that changes to training and awareness processes and programs
adhere to general change management policies


Operational Controls
Change Management
The organization ensures that change requests are 1) registered, seen, and approved by proper authorities; and 2) supported to a degree that allows management to appropriately evaluate risk associated with the change.

Description

Change Request Template: The organization develops, disseminates, and periodically reviews/updates a change request
template that documents a description and status of the change request. The change request template should contain: 1)
date of request submission; 2) date of managerial review; 3) intended impact of the change; 4) potential risks associated
with the change; 5) disposition of the review (approved, rejected, etc.); and 6) current status of the change (also reflecting
the status of an associated project plan, if appropriate)

Change Request Log: The organization maintains a log of all change requests. The log records information required by the
change request template.

Review and Approval Process: All IT service, process, and product changes are submitted and reviewed in written format.
At least one appropriate manager, as defined by the organization, reviews every change request. The change approval
authority reviews requests with the change owner prior to approving any change. Approval authorities notify change
requestors of change acceptance or rejection.

Change Evaluation: Management reviews change requests for: 1) business justification (cost vs. benefit); 2) technical feasibility; 3) project budget impact; 4) operating budget impact, both for the IT department and other affected departments; 5) project timeline impact; 6) information security impact; 7) compliance impact; 8) impact on other planned functionality related to the project; 9) impact of any delay or expedition of the change; and 10) historical precedent (whether the change has been previously attempted and the outcome of that effort)

Post-Implementation Reviews: Management defines a policy, procedures, a timeline, and roles for post-implementation
change reviews. The timeline for a change review is generally at least 30 days after the implementation of a change. The
goal of the review is to determine the success or failure of a change, specifically: 1) Whether the change delivered the
expected outcome, and 2) whether any incidents or problems occurred as a result of the change.

Periodic System, Product, and Service Audits: The organization periodically audits IT systems and services to identify
any deviations from approved conditions. If audits reveal unauthorized changes, the organization performs an investigation
to determine the root causes of the changes and takes steps to correct any staff issues or control deficiencies revealed by
the audit.
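The change request template and log above, together with the KPIs listed under Continuous Monitoring in the Management Controls section, can be backed by one small data model: a record type whose fields follow the template, a log that refuses incomplete records, and a report that derives the weekly KPIs from the log. The following is an added example, not the checklist's own tooling or any vendor's product; the downtime cost rate, the reporting week, and every record are constructed sample data. An entry found by a periodic system audit (one that never went through review) is included to show how unauthorized changes feed the KPIs.

```python
"""Change request log with template validation and KPI reporting.

Added example, not the checklist's own tooling or any vendor's product. It
models the change request template fields listed above, keeps a validated
log, and derives the key performance indicators named under "Continuous
Monitoring" in the Management Controls section. The downtime cost rate and
all records are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

DISPOSITIONS = {"approved", "rejected", "pending"}
STATUSES = {"open", "implemented", "failed", "backed_out"}
DOWNTIME_COST_PER_HOUR = 5000.0   # assumed figure for the cost-of-downtime KPI


@dataclass
class ChangeRecord:
    """One row of the change request log; numbered fields follow the template."""
    ident: str
    model: str                    # standard | significant | emergency | none
    submitted: date               # 1) date of request submission
    reviewed: Optional[date]      # 2) date of managerial review
    intended_impact: str          # 3) intended impact of the change
    risks: str                    # 4) potential risks associated with the change
    disposition: str              # 5) approved | rejected | pending
    status: str                   # 6) open | implemented | failed | backed_out
    implemented_on: Optional[date] = None
    caused_outage: bool = False
    outage_hours: float = 0.0
    authorized: bool = True       # False: detected by audit, never approved


def validate(rec: ChangeRecord) -> List[str]:
    """Return template violations; an empty list means the record is complete."""
    problems = []
    if rec.disposition not in DISPOSITIONS:
        problems.append(f"unknown disposition {rec.disposition!r}")
    if rec.status not in STATUSES:
        problems.append(f"unknown status {rec.status!r}")
    if not rec.intended_impact.strip() or not rec.risks.strip():
        problems.append("intended impact and risks must be documented")
    if rec.reviewed is not None and rec.reviewed < rec.submitted:
        problems.append("review date precedes submission date")
    if rec.disposition == "approved" and rec.reviewed is None:
        problems.append("approval recorded without a review date")
    if rec.authorized and rec.implemented_on and rec.disposition != "approved":
        problems.append("implemented without an approved disposition")
    return problems


class ChangeLog:
    def __init__(self) -> None:
        self.records: List[ChangeRecord] = []

    def register(self, rec: ChangeRecord) -> None:
        """Append-only: a record that fails the template is rejected outright."""
        problems = validate(rec)
        if problems:
            raise ValueError(f"{rec.ident}: " + "; ".join(problems))
        self.records.append(rec)

    def kpis(self, week_start: date) -> Dict[str, float]:
        """KPIs for the seven days beginning on `week_start`."""
        week_end = week_start + timedelta(days=7)

        def in_week(d: Optional[date]) -> bool:
            return d is not None and week_start <= d < week_end

        # Success rate and outage counts cover changes made through the
        # process; detected unauthorized changes are reported separately.
        done = [r for r in self.records if r.authorized and in_week(r.implemented_on)]
        unauthorized = [r for r in self.records if not r.authorized]
        outcomes = Counter(r.status for r in done)
        models = Counter(r.model for r in self.records if r.authorized)
        unauth_hours = sum(r.outage_hours for r in unauthorized)
        return {
            "authorized_per_week": sum(1 for r in self.records
                                       if r.disposition == "approved" and in_week(r.reviewed)),
            "implemented_per_week": len(done),
            "unauthorized_detected": len(unauthorized),
            "success_rate": outcomes["implemented"] / len(done) if done else 1.0,
            "outage_causing_changes": sum(1 for r in done if r.caused_outage),
            "unauthorized_downtime_hours": unauth_hours,
            "unauthorized_downtime_cost": unauth_hours * DOWNTIME_COST_PER_HOUR,
            "emergency_changes": models["emergency"],
            "standard_changes": models["standard"],
        }


def sample_log() -> ChangeLog:
    """Constructed records for the reporting week of 2024-03-04 to 2024-03-10."""
    d = date
    rows = [
        ChangeRecord("CR-1", "standard", d(2024, 3, 4), d(2024, 3, 5), "patch web tier",
                     "brief restart", "approved", "implemented", d(2024, 3, 9)),
        ChangeRecord("CR-2", "significant", d(2024, 3, 4), d(2024, 3, 6), "schema migration",
                     "data loss if rollback fails", "approved", "failed", d(2024, 3, 9),
                     caused_outage=True, outage_hours=1.5),
        ChangeRecord("CR-3", "emergency", d(2024, 3, 7), d(2024, 3, 7), "login hotfix",
                     "untested code in production", "approved", "implemented", d(2024, 3, 7)),
        ChangeRecord("CR-4", "standard", d(2024, 3, 8), None, "firewall rule update",
                     "blocked traffic", "pending", "open"),
        # Found by a periodic system audit: an edit that never passed review.
        ChangeRecord("UNAUTH-1", "none", d(2024, 3, 8), None, "unrecorded config edit",
                     "unknown", "pending", "implemented", d(2024, 3, 8),
                     caused_outage=True, outage_hours=2.0, authorized=False),
    ]
    log = ChangeLog()
    for row in rows:
        log.register(row)
    return log
```

The validation rules are the template's own requirements turned into checks an auditor can sample against: every approved request has a review date, nothing authorized is implemented without approval, and impact and risks are never left blank. Keeping the detected unauthorized change in the same log (flagged rather than hidden) is what makes the "unauthorized changes detected" and "downtime from unauthorized changes" KPIs computable at all.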

Segregation of Duties
Segregation of duties controls prevent IT staff from posting unauthorized changes to development, production, and
testing environments. In smaller IT environments, where staffing limitations prevent complete segregation of duties,
management should instill compensating controls that meet commensurate control objectives.

Description

Control of Changes to Source Code: In order to control source code changes, managers establish controls to prohibit
access to the source code repository by: 1) test engineers and test administrators, 2) database administrators, 3) system
administrators, 4) IT operations personnel

Role Prohibitions: Management establishes controls to prohibit developers from also acting as: 1) system administrators,
2) security administrators, 3) database administrators, and 4) test engineers and test administrators

Compensating Controls: If staff limitations prevent full segregation of duties, management defines compensating controls
that meet the goal of protecting development, testing, and production environments from unreviewed changes
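The role prohibitions and repository access restrictions above are mechanical enough to check from a role roster and the repository's user list, and the compensating-controls clause is handled by reporting covered findings separately rather than suppressing them. The following is an added example, not from the checklist or any product; the roster, repository user list, and compensating-control register are constructed, and in practice would come from the directory, the repository's permission export, and the control register.

```python
"""Segregation-of-duties check for change-related roles and repository access.

Added example, not from the checklist or any product. It encodes the two
prohibitions stated above (developers may not also hold the system,
security, database or test administration roles, and those roles plus IT
operations may not access the source repository) and keeps findings that
are covered by a documented compensating control separate from the rest.
The roster, repository user list and compensating controls are constructed.
"""
from typing import Dict, Iterable, List, Set, Tuple

ROLES_INCOMPATIBLE_WITH_DEVELOPER: Set[str] = {
    "system_admin", "security_admin", "database_admin", "test_engineer", "test_admin",
}
ROLES_BARRED_FROM_REPO: Set[str] = {
    "test_engineer", "test_admin", "database_admin", "system_admin", "it_operations",
}

Finding = Tuple[str, str]   # (user, description)


def role_conflicts(roster: Dict[str, Set[str]]) -> List[Finding]:
    """Users who are developers and also hold a role a developer may not hold."""
    findings: List[Finding] = []
    for user, roles in sorted(roster.items()):
        if "developer" in roles:
            for bad in sorted(roles & ROLES_INCOMPATIBLE_WITH_DEVELOPER):
                findings.append((user, f"developer also holds {bad}"))
    return findings


def repo_access_violations(roster: Dict[str, Set[str]],
                           repo_users: Iterable[str]) -> List[Finding]:
    """Repository accounts held by barred roles or by nobody on the roster."""
    findings: List[Finding] = []
    for user in sorted(set(repo_users)):
        roles = roster.get(user)
        if roles is None:
            # An account the roster cannot explain is itself a finding: it may
            # be a leaver, a shared login or a third party without a record.
            findings.append((user, "repository account with no roster entry"))
            continue
        for bad in sorted(roles & ROLES_BARRED_FROM_REPO):
            findings.append((user, f"repository access held by {bad}"))
    return findings


def sod_audit(roster: Dict[str, Set[str]], repo_users: Iterable[str],
              compensating: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Split findings into those to report and those covered by a documented
    compensating control. Covered findings are kept, not cleared, so the
    auditor can test whether the compensating control actually operates."""
    findings = role_conflicts(roster) + repo_access_violations(roster, repo_users)
    report: Dict[str, List[Finding]] = {"report": [], "compensated": []}
    for user, text in findings:
        if user in compensating:
            report["compensated"].append((user, f"{text}; control: {compensating[user]}"))
        else:
            report["report"].append((user, text))
    return report


# Constructed sample inputs.
ROSTER: Dict[str, Set[str]] = {
    "alice": {"developer"},
    "bob": {"developer", "system_admin"},     # small site, one person does both
    "carol": {"database_admin"},
    "dave": {"it_operations"},
}
REPO_USERS = ["alice", "bob", "carol", "erin"]
COMPENSATING = {
    "bob": "every commit by bob needs a second-person review before merge; "
           "system changes by bob are logged and reviewed weekly",
}

if __name__ == "__main__":
    for bucket, items in sod_audit(ROSTER, REPO_USERS, COMPENSATING).items():
        print(bucket)
        for user, text in items:
            print(f"  {user}: {text}")
```

Two details matter for the audit: the repository list is reconciled against the roster in both directions, so an account with no owner surfaces as a finding rather than being silently skipped, and a compensating control only moves a finding into the "compensated" bucket; it never deletes it, because the control itself is what the auditor then tests.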


Operational Controls
Protection of Development Environments
Change control must be strictly enforced in development environments, where tight deadlines, complex projects,
and high pressures can facilitate mistakes and unauthorized changes. Organizations must protect the integrity of IT
services, retain information about application versions, and track all changes to source code.

Description

Integrity of the Development Environment: The development environment is separate from test and production environments

Access to Development Environments: The organization ensures that access to the source code repository is formally
controlled through documentation requiring relevant management approval

Version Control: The organization ensures that serial versions of software are tracked and noted by: 1) a check-in,
check-out procedure, and 2) incremental versions of software are denoted by unique names or version numbers, generally
assigned in increasing order

Source Code Audits: Procedures exist for auditing the source code control system to verify that all activity surrounding the
source code repository can be accounted for

Change Metadata: The organization retains metadata about every change, including: 1) date of change, 2) the individual who
implemented the change, 3) any new software version number associated with the change, and 4) the nature of the change

Third Party Code: The organization manages the impact of third-party development by: 1) ensuring that third-party devel-
opers follow standard access management protocol, including unique logins, 2) establishing a “quarantine” environment for
third-party code, and 3) separately testing third-party code for quality and security issues prior to releasing the code into
development or production environments

Protection of Test Environments

Organizations must be able to protect the integrity of IT services through efficient and effective testing.

Description

Integrity of the Test Environment: The test environment is separate from development and production environments

Access to Test Environments: The organization ensures that access to test environments is formally controlled through
documentation requiring relevant management approval

Segregation of Duties: The organization enforces segregation of duties sufficient to protect the test environment.
Developers and production personnel cannot create or change access privileges to test environments

Change Management: The organization ensures that changes to test environments follow defined change management
procedures such that testing is performed on systems operating within known parameters

Test Environment Audits: Procedures exist for auditing the test systems to verify that they do match defined build criteria

Change Metadata: The organization retains metadata about every change, including: 1) date of change, 2) the individual
who implemented the change, 3) request for change identifiers, and 4) the nature of the change

www.ITCinstitute.com 21
I T AU D I T C H E C K L I S T : C H A N G E M A N AG E M E N T

Operational Controls
Protection of Production Environments
Change control must be strictly enforced in production environments, where tight deadlines, complex projects, and high pressures can facilitate mistakes and unauthorized changes. Organizations must be able to protect the confidentiality, integrity and availability of production systems.

Description

Integrity of the Production Environment: The production environment is separate from development and test environments

Access to Production Environments: The organization ensures that access to production environments is formally controlled through documentation requiring relevant management approval

Segregation of Duties: The organization enforces segregation of duties sufficient to protect the production environment. Developers and test personnel cannot create or change access privileges to production environments.

Change Management: The organization ensures that changes to production environments follow defined change management procedures such that production systems operate within known parameters

Production Environment Audits: Procedures exist for auditing the production systems, in order to verify that they do match defined build criteria

Change Metadata: The organization retains metadata about every change, including: 1) date of change, 2) the individual who implemented the change, 3) request for change identifiers, and 4) the nature of the change.

Personnel Security
Compliance and risk management programs must consider not only how technology enables change management controls, but how employees interact with technical controls, enact policies, and implement procedures.

Description

Personnel Screening: The organization screens prospective contractors and employees through interviews and performs criminal and employment background checks prior to engagement

Personnel Termination: Management ensures that, upon any individual’s employment termination, voluntary or involuntary: 1) system administrators revoke the individual’s access to all systems, and 2) the individual cannot effect further changes or participate in a change management process

Personnel Transfers: The organization promptly processes employee transfers to ensure that: 1) system access and prohibitions reflect changes to job roles and responsibilities, and 2) change management roles and responsibilities reflect changes to job roles and responsibilities

Job Descriptions: The organization formally documents staff responsibility for an effective control environment. Job descriptions include: 1) a requirement to comply with change management policies and procedures, and 2) affirmation of disciplinary action in cases of noncompliance with change management policies and procedures

Third Party Change Management Oversight: The organization contractually requires third parties to adhere to change management controls. The organization has access to documentation demonstrating control adherence.

Physical and Environmental Protection
Environmental security—including physical access to machinery and changes to the physical environment that might
impact system performance—is a critical, but often-neglected, facet of change management. Organizations must
take steps to ensure that technical security and change management controls are not undermined by weak physical
security controls.

Description

Physical and Environmental Protection Policy and Procedures: The organization develops, disseminates, and periodically reviews/updates: 1) a formal, documented, physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, and compliance, and 2) formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.

Physical Access Authorizations: The organization develops and keeps current lists of personnel with authorized access to facilities containing information systems (except for those areas within the facilities officially designated as publicly accessible) and issues appropriate authorization credentials (e.g., badges, identification cards, smart cards). Designated officials within the organization review and approve the access list and authorization credentials.

Physical Access Control: The organization controls all physical access points (including designated entry/exit points) to facilities containing information systems (except for those areas within the facilities officially designated as publicly accessible) and verifies individual access authorizations before granting access to the facilities. The organization also controls access to areas officially designated as publicly accessible, as appropriate, in accordance with the organization’s assessment of risk.

Access Control for Transmission Medium: The organization controls physical access to information system transmission lines carrying unencrypted information to prevent eavesdropping, in-transit modification, disruption, or physical tampering

Monitoring Physical Access: The organization monitors physical access to information systems to detect and respond to incidents

Visitor Control: The organization controls physical access to information systems by authenticating visitors before authorizing access to facilities or areas other than areas designated as publicly accessible

Access Logs: The organization maintains a visitor access log to facilities (except for those areas within the facilities officially designated as publicly accessible) that includes: 1) name and organization of the person visiting, 2) signature of the visitor, 3) form of identification, 4) date of access, 5) time of entry and departure, 6) purpose of visit, and 7) name and organization of person visited. Designated officials within the organization review the access logs after closeout.

Power Equipment and Power Cabling: The organization protects power equipment and power cabling for the information system from damage and destruction

Delivery and Removal: The organization controls information system-related items (hardware, firmware, software) entering and exiting the facility and maintains appropriate records of those items

Alternate Work Site: Individuals within the organization employ appropriate information physical security controls at alternate work sites

Changes to Physical and Environmental Services: Changes to the physical and environmental protection services and controls adhere to change management policies

Contingency Planning
A risk management approach to change management should facilitate not only successful changes, but mitigation
of risk in the event of change failure. In some cases, contingency plans include resources at remote sites. And in all
cases, plans should consider the potential impact of differences between primary and contingency technologies,
staff, and facilities on service operation and performance.

Description

Contingency Plan: The organization develops, documents, and implements a contingency plan that reduces the risks and costs associated with failed change implementations. The plan identifies roles, responsibilities, policies, and procedures associated with contingency responses. Designated officials within the organization review and approve the plan.

Rollback Plan: The organization develops a rollback plan and procedures that allow developers to revert to a previous version of software if an update or new installation fails. Management periodically audits the rollback plan and procedures to ensure that older software versions implicated in the rollback plan are compatible with existing systems.

Contingency and Rollback Plan Updates: The organization periodically reviews contingency and rollback plans and revises them to address system/organizational changes or problems identified during previous plan implementation or IT control assessments

Synchronization of IT Operations and Sites: The organization’s change management procedures ensure that the production and contingency sites are managed such that the ability to fail over in the planned manner is not at risk

Changes to Contingency Plans: The organization’s contingency plans are governed by change management to ensure that impacts are properly understood and addressed

Configuration Management
Management should consider how variables in application options, user access, and performance settings impact IT service offerings. Even apparently minor configuration changes can have major (and sometimes unintended) consequences.

Description

Configuration Change Management: The organization ensures that configuration changes adhere to general change management policies. If configuration management services are automated, the software is configured to conform to organizational change management controls.

Configuration Authority: The organization limits authority for configuration changes to specific staff roles. All configuration changes are performed by authorized staff.

Configuration Change Monitoring: Management reviews any configuration changes to assess impact on the broader systems and control environment

Periodic Configuration Audits: The organization conducts audits to determine whether configurations have “drifted” from their documented state; for example, in the event of unauthorized configuration changes. If audits reveal unauthorized changes, the organization performs an investigation to determine the root causes of the changes and takes steps to correct any staff issues or control deficiencies revealed by the audit.
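One way the Periodic Configuration Audits item above can be carried out, which also exercises the Change Metadata and Production Environment Audits items: an added example (not ITCi's or a sponsor's code) that hashes files against a documented baseline and reconciles every difference with approved request-for-change records, so that only drift without an approved RFC is reported as unauthorized. All paths, file contents, dates and RFC identifiers are constructed for the example.

```python
"""Configuration drift audit: compare a system's current files against a
documented baseline and reconcile every difference with approved change
records. Example code added to this checklist, not ITCi's or a sponsor's
tool; every path, file content, date and RFC identifier below is constructed."""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of file content, the fingerprint stored in the baseline."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class ChangeRecord:
    """Change metadata the checklist calls for: date, implementer, request-for-change
    (RFC) identifier, nature of the change, plus the files it was approved to touch."""
    rfc_id: str
    changed_on: date
    implemented_by: str
    nature: str
    paths: List[str]
    approved: bool


@dataclass
class Finding:
    """One detected drift from the documented state and its reconciliation result."""
    path: str
    kind: str                     # "modified", "added" or "removed"
    status: str                   # "authorized" or "UNAUTHORIZED"
    rfc_id: Optional[str] = None  # approving RFC, if any


def audit_drift(baseline: Dict[str, str], current: Dict[str, bytes],
                changes: List[ChangeRecord], as_of: date) -> List[Finding]:
    """Diff the current state (path -> content) against the baseline (path -> sha256).
    A difference counts as authorized only if an approved RFC dated on or before
    the audit date covers that path; everything else is flagged for investigation."""
    approved_for: Dict[str, ChangeRecord] = {}
    for rec in changes:
        if rec.approved and rec.changed_on <= as_of:
            for p in rec.paths:
                approved_for[p] = rec
    findings: List[Finding] = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            kind = "removed"
        elif path not in baseline:
            kind = "added"
        elif sha256_hex(current[path]) != baseline[path]:
            kind = "modified"
        else:
            continue  # matches the documented state; nothing to report
        rec = approved_for.get(path)
        findings.append(Finding(path, kind, "authorized" if rec else "UNAUTHORIZED",
                                rec.rfc_id if rec else None))
    return findings


# Constructed baseline: content approved at the last audit, stored as hashes.
APPROVED_CONTENT = {
    "/etc/app/app.conf": b"listen=443\ntls=on\n",
    "/etc/app/users.acl": b"alice:admin\nbob:ops\n",
    "/etc/app/cron.d/backup": b"0 2 * * * /opt/app/bin/backup\n",
    "/opt/app/bin/worker": b"#!/bin/sh\nexec /opt/app/worker.real\n",
}
BASELINE = {p: sha256_hex(c) for p, c in APPROVED_CONTENT.items()}

# Constructed current state: app.conf edited under an approved RFC, the backup
# cron job removed under another, users.acl edited with only a pending RFC on
# file, and a new helper script that no change record mentions.
CURRENT_STATE = {
    "/etc/app/app.conf": b"listen=443\ntls=on\nmax_conn=200\n",
    "/etc/app/users.acl": b"alice:admin\nbob:ops\ntmp_admin:admin\n",
    "/opt/app/bin/worker": APPROVED_CONTENT["/opt/app/bin/worker"],
    "/opt/app/bin/helper": b"#!/bin/sh\n:\n",
}

# Constructed change log (the retained change metadata).
CHANGE_LOG = [
    ChangeRecord("RFC-1039", date(2007, 6, 10), "ops.jdoe", "retire local backup job",
                 ["/etc/app/cron.d/backup"], approved=True),
    ChangeRecord("RFC-1042", date(2007, 6, 12), "ops.jdoe", "raise connection limit",
                 ["/etc/app/app.conf"], approved=True),
    ChangeRecord("RFC-1047", date(2007, 6, 14), "dev.msmith", "add temporary admin",
                 ["/etc/app/users.acl"], approved=False),
]


def run_audit() -> List[Finding]:
    """Run the drift audit for the constructed state as of 15 June 2007."""
    return audit_drift(BASELINE, CURRENT_STATE, CHANGE_LOG, date(2007, 6, 15))


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.status:12} {f.kind:9} {f.path} {f.rfc_id or ''}")
```

Every UNAUTHORIZED finding is the trigger for the root-cause investigation the checklist item describes; the unapproved RFC-1047 shows why a pending request must not be treated as authorization.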

Maintenance
Standard application maintenance often involves or indicates required changes. In some cases, however, application
updates and regular maintenance may fall to employees outside of the core development group; for example, if
business users are allowed to install updates issued from an application vendor’s servers. Management and auditors
should consider all sources and types of software maintenance when developing change management controls.

Description

Maintenance Change Management: The organization ensures that maintenance that results in configuration changes
adheres to general change management policies. If maintenance services are automated, the software is configured to
conform to organizational change management controls.

System and Information Integrity
In general, organizations should implement controls that 1) identify, report, and correct information and information system flaws in a timely manner; 2) protect systems and data from malicious code; and 3) implement protection measures in response to security alerts and advisories. Although some protection measures, like patch updates or antivirus software updates, might be implemented in an atmosphere of high pressure or anxiety, organizations must balance the need for urgent action against the risk that an untested system update (for example) will negatively impact system performance or business processes.

Description

Security and Protection Change Management: The organization ensures that information and system protection processes adhere to general change management policies. If protective services and updates are automated, the software is configured to conform to organizational change management controls.

Design of Change Management Controls: Change management policies and procedures are designed to mitigate risks
associated with both human error and malicious software code

Alignment of Information Integrity and Change Management: Organizations ensure that: 1) change management
policies and procedures align with other policies and procedures designed to protect system and information integrity, and
2) information protection processes do not undermine change management controls

Media Protection

Description

Media Protection Change Management: The organization ensures that media protection processes adhere to general
change management policies. If protective services and updates are automated, the software is configured to conform to
organizational change management controls.

Incident Response
Incident response controls generally ensure that an organization establishes an operational incident handling capability for information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and that the organization tracks, documents, and reports incidents to appropriate organizational officials and/or authorities. Like information integrity processes, incident response can carry a sense of urgency that tempts both staff and management to autonomously circumvent change management controls.

Description

Incident Response Change Management: The organization ensures that incident response processes adhere to general
change management policies

Emergency Change Management Procedure: The organization develops, documents, and implements an emergency
change management procedure designed to balance expediency and risks during incident response

Technical Controls
Technical controls ensure that change management enactment is effective and efficient. Technical controls include:

Access Control
Controlling access to information systems is a critical component of change management. Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

Description

Access Control Policy and Procedures: The organization develops, disseminates, and periodically reviews/updates: 1) a formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, and compliance; and 2) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls

Account Management: The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts.

Information Flow Enforcement: The information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy

Separation of Duties: The information system enforces separation of duties through assigned access authorizations

Least Privilege: The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks

Unsuccessful Login Attempts: The information system enforces a limit on consecutive invalid access attempts by a user during a defined time period. If the limit is exceeded, the information system automatically locks out the user for a defined period of time.

Previous Logon Notification: The information system notifies the user, upon successful logon, of the date and time of the last logon, and the number of unsuccessful logon attempts since the last successful logon

Concurrent Session Control: The information system limits the number of concurrent sessions for any user to a defined number of sessions


Session Lock: The information system prevents further access to the system by initiating a session lock that remains in effect until the user reestablishes access using appropriate identification and authentication procedures

Session Termination: The information system automatically terminates a session after a defined period of inactivity

Supervision and Review: The organization supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls

Permitted Actions without Identification or Authentication: The organization identifies and documents specific user actions that can be performed on the information system without identification or authentication

Automated Marking: The information system marks output using standard naming conventions to identify any special dissemination, handling, or distribution instructions

Automated Labeling: The information system appropriately labels information in storage, in process, and in transmission

Remote Access: The organization documents, monitors, and controls all methods of remote access (e.g., dial-up, wireless, Internet) to the information system. Appropriate organization officials authorize each remote access method for the information system and authorize only the necessary users for each access method.

Wireless Access Restrictions: The organization: 1) establishes usage restrictions and implementation guidance on the use of wireless technologies; and 2) documents, monitors, and controls wireless access to the information system. Appropriate organizational officials authorize the use of wireless technologies.

Access Control For Portable And Mobile Devices: The organization: 1) establishes usage restrictions and implementation guidance for portable and mobile devices; and 2) documents, monitors, and controls device access to organizational networks. Appropriate organizational officials authorize the use of portable and mobile devices.

Personally Owned Information Systems: The organization restricts the use of personally owned information systems for official business involving the processing, storage, or transmission of federal information

Access Control Change Management: The organization ensures that access control processes adhere to general change management policies and that automated services are configured to conform to organizational change management controls

Identification and Authentication
In order to control access to information systems, organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Description

Identification and Authentication Policy and Procedures: The organization develops, disseminates, and periodically
reviews/updates: 1) a formal, documented, identification and authentication policy that addresses purpose, scope, roles,
responsibilities, and compliance; and 2) formal, documented procedures to facilitate the implementation of the identification
and authentication policy and associated identification and authentication controls

User Identification and Authentication: The information system uniquely identifies and authenticates users (or processes
acting on behalf of users)


Device Identification and Authentication: The information system identifies and authenticates specific devices before establishing a connection

Identifier Management: The organization manages user identifiers by: 1) uniquely identifying each user, 2) verifying the identity of each user, 3) receiving authorization to issue a user identifier from an appropriate organization official, 4) ensuring that the user identifier is issued to the intended party, 5) disabling user identifiers after a defined period of inactivity, and 6) archiving user identifiers

Authenticator Management: The organization manages information system authenticators (e.g., tokens, PKI certificates, biometrics, passwords, key cards) by: 1) defining initial authenticator content; 2) establishing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators; and 3) changing default authenticators upon information system installation

Authenticator Feedback: The information system provides feedback to a user during an attempted authentication and that feedback does not compromise the authentication mechanism

Cryptographic Module Authentication: For authentication to a cryptographic module, the information system employs authentication methods that meet standards adopted by the organization

Identification and Authentication Change Management: The organization ensures that identification and authentication processes adhere to general change management policies and automated services are configured to conform to organizational change management controls

Change Testing
The need for testing and approval of all code changes is a central tenet of change management. The primary purpose
of testing controls is to reduce the risk that changes to source code will adversely affect production systems.

Description

Testing Policy and Procedures: The organization develops, disseminates, and periodically reviews/updates: 1) a formal,
documented application testing policy that addresses purpose, scope, roles, responsibilities, and compliance; and 2) formal,
documented procedures to facilitate the implementation of the testing policy and associated controls

Testing Change Management: The organization ensures that testing processes adhere to general change management
policies and automated services are configured to conform to organizational change management controls

Alignment of Testing, Development, and Production Environments: The organization ensures that the testing
environment is congruent with production and development environments to a degree that applications perform similarly in
both testing and production environments

Coordination of Changes and Testing Schedules: The organization creates a Forward Schedule of Change (FSC) for the
test environment(s), so that changes do not adversely impact testing

Audit and Accountability
Organizations must: 1) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and 2) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

Description

Audit and Accountability Policy and Procedures: The organization develops, disseminates, and periodically reviews/updates: 1) a formal, documented, audit and accountability policy that addresses purpose, scope, roles, responsibilities, and compliance; and 2) formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls

Auditable Events: Change management procedures are designed such that they are auditable

Audit Records Policy and Procedures: Audit policies and procedures specify: 1) what change management documentation is to be retained, 2) how long change management documentation must be retained, 3) methods of short-term storage and space requirements, 4) method of long-term archiving and space requirements, 5) security considerations for audit records, and 6) the proper method of destruction for change management records.

Content of Audit Records: The information system captures sufficient information in audit records to establish what change events occurred, the sources of the events, and the outcomes of the events

Audit Storage Capacity: The organization allocates sufficient audit record storage capacity and configures auditing to prevent such capacity being exceeded

Audit Processing: In the event of an audit failure or audit storage capacity being reached, the information system alerts appropriate organizational officials and takes predetermined actions

Audit Monitoring, Analysis, and Reporting: The organization at least annually reviews/analyzes audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions

Audit Reduction and Report Generation: The information system provides an audit reduction and report generation capability

Date and Time Stamps: The information system provides date and time stamps for use in audit record generation

Protection of Audit Information: The information system protects audit information and audit tools from unauthorized access, modification, and deletion

Non-repudiation: The information system provides the capability to determine whether a given individual took a particular action (e.g., instigated a configuration change or created information)

Audit Retention: The organization retains audit logs for a predetermined period to support after-the-fact investigations of change incidents and to meet regulatory and organizational information retention requirements

Audit and Accountability Change Management: The organization ensures that audit and accountability processes adhere to general change management policies and automated services are configured to conform to organizational change management controls


Audit Reporting
During the reporting phase, management and the board of directors receive formal feedback from the audit team. This knowledge transfer should be an open and transparent process.

Almost every audit identifies opportunities for improvement. The primary goal of management and auditors should be to address critical issues first, followed by important issues. Both management and auditors should work to ensure that, whatever action plans they agree to, the goals are achievable and beneficial to the organization.

During the reporting phase, management must determine which corrective actions it will implement and when, based on audit findings. Managers will provide oversight and support to ensure the timely resolution of found issues. Although the audit team may make recommendations based on its assessments of risks and consequences, it cannot make or dictate managerial decisions.

The following are typical steps an audit team takes to confirm and release the audit results.

Auditors debrief management, formally discussing significant audit findings and conclusions before they issue the final audit report

Managers receive a written draft report from auditors
__ The report communicates audit results clearly and precisely
__ Results are presented in an unbiased tone, noting where management has taken actions to correct deficiencies and acknowledging good performance

Management and auditors discuss the draft report

Management provides feedback on the draft report

Auditors review managerial comments and action plan(s)

Auditors finalize and distribute the final audit report

Auditors close out the internal audit project and plan any necessary follow-up efforts regarding management’s action plans

Auditors might also choose to communicate some audit findings that might be useful for change management efficiency and effectiveness, but do not warrant inclusion in the formal report. This type of communication should be documented, if only as a note in audit findings that the topic has been verbally discussed.


Preparing for an Audit

A well-managed business unit or governance program includes robust plans, procedures, goals, objectives, trained staff, performance reporting, and ongoing improvement efforts. The internal audit team looks for evidence that the business unit and governance program is well organized and well managed. The change management program must also specifically and traceably mitigate risks related to key business objectives. Managerial preparation should mainly be routine, day-to-day practices.

Management’s ultimate goal in the audit process is not to make auditors happy, but rather to demonstrate that change management efforts meet the demands of the CEO, board of directors, regulators, and investors. Likewise, auditors’ requests should be aligned with these overarching needs; that is, to support responsible program performance within a sound, ethical business environment.

While the audit is in the planning phase, management should proactively work with the audit team and “educate” the auditors. As a rule, managers should provide constructive input on the evaluation methodology before audit management approves it. Expectations are a two-way street: management must help auditors ensure that audit expectations are aligned and that participants understand each other.

Prior to the audit, managers should collect the information and documentation necessary to demonstrate how well they manage their operations in concert with the overall organizational business objectives. They should be prepared to provide auditors with evidence of well-managed change management efforts and results. This might include documentation of change management plans, supporting budgets, policy and procedure manuals, assignments of responsibilities (such as up-to-date job descriptions), results reporting and other trending information, and finally, any other relevant guidance (to management and staff) that demonstrates a “well-run” and performing program.

In selecting documentation, management should not try to overload the audit team with information, but to provide genuine insight into how the change management program is run and how well it is doing. A change management periodic risk assessment and organizational business impact analysis (BIA) are two key management efforts to share with auditors.

Other steps management should take prior to the audit:

Learn early and contribute often to the internal audit goals, objectives, purpose, approach, and procedures (audit tests). In particular, setting an appropriate purpose and the audit approach are the two most important elements of every successful audit.

Discuss with audit management the evaluation criteria and standards and how the audit will actually be conducted, in order to ensure that you’ll receive a quality audit. Ask whether they audit in accordance with international standards for the professional practice of internal auditing.

Learn who is on the audit team and their qualifications, talents, and motivations. The audit team exists to help make your operations more efficient and effective, but they are also individuals with strengths and weaknesses common to many employees. It pays to know the experience of your auditors, whether they’re rookies or veterans (and perhaps to push for the latter). Showing an interest in their work can also influence and increase the benefits from the audit—within reason. At the end of the day, auditors still need to be independent and objective.

Throughout its discussion with the audit team prior to the audit, management should try to strike a balance between influence and deference. Managers should neither yield entirely to the audit team nor micromanage its efforts.


Communicating with Auditors

Like any interaction between people, but particularly in the work environment, a professional and trusting relationship is a strong precursor to successful collaboration.

When managers interact with the auditors in a professional manner, they tell the audit team that its function is respected and supported. Likewise, lackadaisical efforts by managers and staff reflect poorly on the business unit or process, its capabilities, and its performance. Managers should also expect professional interaction from the audit team and push back whenever they see an exception to this practice.

To contribute to a successful and accurate audit report, managers should be receptive to auditor observations and the audit team’s recommendations. Managers should also be firm when discussing anything they see as incorrect, in order to ensure there are no misunderstandings.

Finally, always remember: managers, not auditors, are responsible for defining and implementing solutions to issues found in the audit. Thus, it is in everyone’s best interest to have a cooperative, collaborative audit process that respects the independence and discretion of all participants. Auditors should listen to management. And for its part, management should encourage staff to be open and honest with auditors.


APPENDIX A—Change Management Resources

British Educational Communications and Technology Agency (BECTA) Framework for ICT [information and communications technology] Technical Support
http://www.becta.org.uk/tsas

Institute of Internal Auditors (IIA) Guide 2: Change and Patch Management Controls: Critical for Organizational Success
http://stage.theiia.org/guidance/technology/gtag/gtag2/

IT Process Institute Control Performance Benchmarking Study
http://www.itpi.org/home/controls_benchmark.php

IT Process Institute Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps
http://www.itpi.org/home/visibleops2.php

National Institute of Standards and Technology (NIST) Special Publication 800-53–Recommended Security Controls for Federal Information Systems
http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf (PDF)

Office of Government Commerce (OGC) Best Management Practice for Project, Programme, Risk and Service Management
http://www.best-management-practice.com/officialsite.asp

Office of Government Commerce (OGC) IT Infrastructure Library (ITIL)
http://www.itil.co.uk/

Microsoft Operations Framework (MOF) Service Management Functions (SMF)
http://www.microsoft.com/technet/itsolutions/cits/mo/smf


Research Sponsors

Solidcore

Solidcore is a leading provider of change control for critical systems. Organizations worldwide trust Solidcore to improve service availability and lower the costs of complying with Payment Card Industry (PCI) and Sarbanes-Oxley (SOX) standards. Solidcore enables customers to automate the validation of controls and eliminate the expensive, time-consuming and error-prone manual processes that consume IT resources.

As the industry’s first and only solution to automate the enforcement of change policies, Solidcore S3 Control allows organizations to prevent and alert rather than detect and remediate. Solidcore uses real-time change detection capabilities along with automated, highly accurate change reconciliation to provide an automated way of validating changes against authorizations. Out-of-process changes, such as emergency fixes, can be automatically documented and reconciled for easier auditability.

Solidcore’s partnerships with industry leaders such as Opsware, BMC, HP, and IBM help make it the preferred choice for ensuring compliance and change control across the enterprise. As an Opsware partner, customers can integrate Solidcore’s S3 Control software with the Opsware System 6 Solutions suite to proactively enforce Opsware as an authorized change agent. Solidcore’s integrations with BMC Remedy, HP Service Center and IBM Tivoli also enable customers to drive all change through those approved change management processes, and effectively eliminate ad hoc change.

Solidcore also provides change control for embedded systems and is used by major device manufacturers to securely leverage open systems to meet their business requirements. Solidcore is also a Gold-level partner in the Microsoft Windows Embedded Partner Program. For more information, please visit http://www.solidcore.com.

Tripwire

Tripwire delivers immediate value to the business by assuring continuous operational, regulatory and security compliance across the dynamic data center. As the clear leader of the configuration audit and control market, Tripwire ensures the continuous control of configuration activity in real time across the IT infrastructure, automatically correlating configuration activity with policies and generating actionable reports.

• Continuous Compliance
Tripwire provides a holistic and continuous view of security, risk and compliance across the IT infrastructure, so users can take a proactive approach to assessing, controlling and reporting compliance.

• Configuration Assessment
Only Tripwire integrates configuration assessment functionality with change management to automatically validate configuration settings against policy.

• Real-Time, Tunable Change Detection
Tripwire is the only solution to combine event-driven real-time harvesting with detailed ‘scan-based’ change detection, delivering all the advantages of each approach in one system of record and unmatched flexibility.

• Integration
Tripwire reconciles change data with other management systems. Certified integrations with the leading change management and service desk systems – like BMC, CA and HP – plus an open API for customer integrations, provide the most comprehensive configuration audit and control solution available.

Tripwire, Inc. is the recognized leader of configuration audit and control solutions, serving over 5,700 enterprises worldwide. Global enterprises rely on Tripwire to strengthen their compliance and security, reduce unplanned work, increase availability, and accelerate success with CMDB initiatives. Tripwire is headquartered in Portland, OR with offices in the UK and Japan. For more information, visit: http://www.tripwire.com.


ABOUT THE AUTHORS

George Spafford

George Spafford is Principal Consultant with Pepperweed and an experienced practitioner in business and IT operations. He is a prolific author and speaker, and has consulted and conducted training on regulatory compliance, IT Governance, and process improvement in the U.S., Australia, New Zealand and China. Publications include co-authorship of “The Visible Ops Handbook.” George Spafford’s Daily News is read by over 2,500 subscribers, including high-level executives from Fortune 500 and leading international companies. George holds an MBA from Notre Dame, a BA in Materials and Logistics Management from Michigan State University and an honorary degree from Konan Daigaku in Japan. He is a Certified Information Systems Auditor (CISA) and holds ITIL Practitioner Release and Service Manager certifications. George is a current member of ISACA, the IIA, and the IT Process Institute.

Dan Swanson, CMA, CIA, CISA, CISSP, CAP

Dan Swanson is a 25-year internal audit veteran who was most recently director of professional practices at the Institute of Internal Auditors. Prior to his work with the IIA, Swanson was an independent management consultant for over 10 years. Swanson has completed internal audit projects for more than 30 different organizations, spending almost 10 years in government auditing at the federal, provincial, and municipal levels, and the rest in the private sector, mainly in the financial services, transportation, and health sectors. The author of more than 100 articles on internal auditing and other management topics, Swanson is currently a freelance writer and management consultant with Seccuris.

Swanson led the writing of the OCEG internal audit guide for use in audits of compliance and ethics programs (www.oceg.org) and participated in the COSO small business task force efforts to provide guidance for smaller public companies regarding internal control over financial reporting (http://www.coso.org). Swanson is a regular columnist for Compliance Week and writes regularly for ITCI.

Series Editor: Cass Brewer
Editorial and Research Director, IT Compliance Institute (ITCi)

If you have ideas for improving ITCi’s IT Audit Checklists, please write editor@itcinstitute.com.

Legal Disclaimer
When assessing any legal matter, do not rely solely on materials published by third parties, including the content in this paper, without additionally seeking legal counsel familiar with your
situation and requirements. The information contained in this IT Audit Checklist is provided for informational and educational purposes and does not constitute legal or other professional advice.
Furthermore, any applicability of any legal principles discussed in this paper will depend on factors specific to your company, situation, and location. Consult your corporate legal staff or other
appropriate professionals for specific questions or concerns related to your corporate governance and compliance obligations.

ITCi makes every effort to ensure the correctness of the information we provide, to continually update our publications, and to emend errors and outdated facts as they come to our attention. We cannot, however, guarantee the accuracy of the content in this paper, since laws change rapidly and applicability varies by reader.

The information in this publication is provided on an “as is” basis without warranties of any kind, either expressed or implied. The IT Compliance Institute disclaims any and all liability that could
arise directly or indirectly from the reference, use, or application of information contained in this publication. ITCi specifically disclaims any liability, whether based in contract, tort, strict liability,
or otherwise, for any direct, indirect, incidental, consequential, punitive or special damages arising out of or in any way connected with access to or use of the information in this paper.

ITCi does not undertake continuous reviews of the Web sites and other resources referenced in this paper. We are not responsible for the content published by other organizations. Such
references are for your convenience only.

