05. The Nature and Evaluation of IT General Controls
05.03. IS Change Management
Briefly reflect on the following before we begin:
- Why is change management critical in the context of information systems?
- How do adequate change management controls contribute to organizational stability and security?
- How can the effectiveness of change management controls be evaluated?
IS change management involves overseeing and facilitating software, hardware, and IT process modifications. This section will underline how effective change management contributes to IT systems’ smooth operation and evolution. We will also delve into the key underlying risks and the change management ITGCs, or mechanisms and policies that govern how changes are made in an IT environment to ensure that changes are implemented securely and efficiently. This includes areas like documentation, approval processes, and testing protocols. We will discuss how to assess the effectiveness of such change management controls by looking at how changes are tracked, reviewed, and authorized.
Change Management Process
IS change management ITGCs encompass a structured approach to implementing IT system changes, ensuring they are made securely, efficiently, and in a controlled manner. The essence of IS change management ITGCs lies in their ability to manage the transition of IT systems from one state to another. This transition could involve software updates, system enhancements, or integrating new technologies. The nature of these ITGCs is to provide a consistent and standardized method for handling changes, minimizing the potential for disruptions or errors that could arise from ad-hoc modifications.
The change management process typically begins with initiating a change request, which can originate from various sources, including end-users, IT teams, management, or external stakeholders. It may be driven by the need to enhance existing systems, fix issues, or introduce new features. Initiators submit change requests outlining the proposed change’s scope, objectives, and rationale. Once a change request is received, it undergoes a preliminary evaluation involving an in-depth assessment of its feasibility, impact, and urgency. Key considerations include the potential benefits, risks, resource requirements, and alignment with strategic goals. A Change Advisory Board (CAB) reviews and prioritizes change requests based on these factors. The next step, detailed planning for approved change requests, includes defining the scope, objectives, timelines, and resources required for the change. A change plan is developed, outlining the specific tasks, responsibilities, and dependencies. In larger organizations, a project manager may oversee the change project. Before implementing changes in the production environment, thorough testing and validation are essential. Testing includes various phases, such as unit testing, system integration testing, and user acceptance testing (UAT), where test cases are created and test results are documented to ensure that the change functions as intended without introducing unforeseen issues.
Once testing is successful, the change plan is presented to the CAB for final approval. The CAB reviews the test results, verifies that all prerequisites are met, and ensures that the change aligns with organizational goals and priorities. After approval, a change authorization is granted, specifying the date and time for implementation. The change is implemented during a scheduled maintenance window or a low-impact time to minimize disruptions to normal operations. The implementation team follows the approved change plan, closely monitoring the process. Back-out plans are sometimes prepared to revert to the previous state in case of unexpected issues. After the change is implemented, ongoing monitoring is crucial to detect and address any issues that may arise. A post-implementation review (PIR) is conducted to evaluate the effectiveness of the change, whether it met its objectives, and if any lessons learned can be applied to future changes. The PIR includes feedback from end-users and stakeholders. Throughout the change management process, documentation should be comprehensive and well-maintained, covering change requests, change plans, test results, implementation records, and post-implementation reports. Such robust and complete documentation ensures transparency and serves as a knowledge base for future reference. Effective communication throughout the change management process keeps the stakeholders (end-users, IT teams, and management) informed about the progress, timelines, and any potential impacts of the change. Clear communication helps manage expectations and reduces resistance to change.
The change management process concludes with formal closure activities, including archiving all relevant documentation, updating configuration management databases, and ensuring the change project is officially closed. All suitable and appropriate lessons should be documented to improve future change management processes. Lastly, as a part of continuous improvement, organizations must review their change management practices, identify areas for enhancement, and iterate on their processes to adapt to evolving technology and business needs.
Change Management Considerations
The importance of effective IS change management ITGCs must be recognized. Without these controls, organizations risk introducing changes that could destabilize their IT systems, leading to potential downtime, data inconsistencies, or security vulnerabilities. Conversely, well-managed change processes ensure that modifications to IT systems enhance functionality, address security needs, and align with business objectives without causing disruptions to operations. They protect the integrity and stability of IT systems during change. They ensure that every modification, whether minor or significant, undergoes a rigorous planning, testing, approval, and documentation process.
A critical aspect of IS change management ITGCs is a risk assessment of the IS changes and their impact on the organization before implementation. This assessment includes understanding how the change will interact with existing systems, the potential for data loss or system downtime, and the implications for user experience. By conducting these assessments, organizations can make informed decisions about whether to proceed with a change and how best to implement it. Another vital element of IS change management ITGCs is documentation, which requires detailed records of all changes, including why they were made, who approved them, and how they were implemented. In addition to providing a historical record, such detailed documentation aids in troubleshooting if issues arise post-implementation and ensures transparency and accountability in the change management process.
Lastly, in the rapidly evolving world of technology, IS change management ITGCs play a crucial role in facilitating innovation by providing a structured way for organizations to integrate new technologies and capabilities into their IT infrastructure. By managing these integrations carefully, organizations can stay ahead of the technology curve, adopting new tools and technologies that can give them a competitive edge.
Relevant Risks
In IS change management, organizations face several primary risks that can significantly impact their operations and strategic objectives. Understanding these risks is vital for effective risk management and ensuring information systems’ successful change design, development, deployment, and ongoing monitoring. Let’s consider some of these risks.
- Unauthorized changes
- Unauthorized changes occur when changes to IT systems are made without proper authorization or oversight. Unauthorized changes can lead to system failures, security breaches, and data loss. They undermine the stability and reliability of IT systems. To mitigate this risk, organizations need robust controls that ensure all changes are authorized, documented, and tracked.
- Inadequate testing of changes
- When changes to IT systems are not thoroughly tested, they can introduce errors and vulnerabilities. These issues can disrupt business operations and compromise data security. Effective change management requires comprehensive testing procedures to ensure changes do not adversely affect system performance or security.
- Poor documentation
- Without proper documentation, tracking the history and impact of changes becomes difficult. This lack of documentation can hinder troubleshooting efforts and accountability. Maintaining detailed records of all changes, including their purpose, implementation details, and effects, is essential.
- Lack of communication
- If stakeholders, including IT staff and end-users, are not informed about changes, the result can be confusion, misuse of systems, and reduced productivity. Effective communication strategies ensure that all relevant parties know about and understand the changes.
- Regulatory Non-Compliance
- Changes to IT systems must comply with relevant laws and industry standards. Failure to ensure compliance can lead to legal penalties, financial losses, and reputational damage. Organizations must integrate compliance checks into their change management processes.
- Inadequate training and support
- Inadequate training and support for users following changes can lead to underutilization or incorrect use of updated systems. Users need to be trained and supported to adapt to changes effectively. This training ensures that the full benefits of changes are realized and that users are comfortable and proficient with the updated systems.
- Lack of rollback plan
- If a change causes significant issues, the ability to revert to a previous state is crucial to minimize disruption. Without a rollback plan, organizations may be unable to restore normal operations quickly in case of problematic changes.
- Fragmented change management
- Inconsistent or siloed processes can lead to inefficiencies, errors, and oversight gaps. A unified and standardized approach to change management is vital to ensure consistency and control across all IT systems and departments.
- Resistance to change
- Change can be met with resistance from employees, which can hinder the successful implementation of new systems or updates. Addressing this risk involves effective change management strategies, including stakeholder engagement, addressing concerns, and emphasizing the benefits of changes.
Effectively managing these risks requires robust control processes, comprehensive testing and documentation, effective communication and training, compliance checks, and strategies to manage resistance. Addressing these risks is essential to ensure that changes to IT systems enhance functionality, security, and performance, align with business objectives, and comply with regulatory standards.
Relevant IT General Controls Objectives and Activities
In IS change management, a subset of IT General Controls (ITGC), several crucial controls ensure information systems’ effective ongoing updates, refreshes, and maintenance. These controls are vital in aligning existing IS with business objectives, managing risks, and ensuring successful outcomes. Let’s consider the primary ITGC objectives for this category.
Change Request Evaluation Control
The primary objective of this control is to ensure that all proposed changes to information systems undergo a rigorous evaluation process. It aims to assess the feasibility, impact, benefits, risks, and alignment with organizational objectives before approving changes for implementation. It involves a structured review of change requests submitted by stakeholders. A change advisory board (CAB) or designated team assesses the proposed changes to determine their significance, resource requirements, and potential effects on the organization’s systems and processes. This evaluation helps prioritize changes based on their value, urgency, and potential risks, ensuring that only changes with clear benefits and minimal disruptions are approved for further planning and implementation.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Implement a standardized system for categorizing and prioritizing change requests based on business impact, urgency, and alignment with strategic objectives.
- Conduct thorough impact assessments for proposed changes to understand potential risks, resource requirements, and dependencies on existing systems and processes.
- Ensure a defined process for allocating resources, including personnel, hardware, and software, to support approved changes.
Change Approval Control
The primary goal of this control is to establish a formalized process for approving proposed changes to information systems by ensuring that only authorized and well-vetted changes proceed to the implementation stage. Change Approval Control involves a structured decision-making process where the CAB or designated authority reviews the results of change request evaluations, considering factors such as compliance, business impact, resource availability, and alignment with strategic objectives. The approval process includes verifying that all prerequisites and documentation are in place before granting authorization for the change’s implementation. This control ensures that changes are aligned with the organization’s priorities and do not introduce unnecessary risks.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Establish a CAB or a designated authority responsible for reviewing and approving change requests, ensuring that only authorized individuals make decisions regarding changes.
- Define documentation requirements that must be met before a change is approved, including detailed change plans, risk assessments, and compliance checks.
- Implement a formalized workflow for obtaining approvals, including clear steps, responsible parties, and deadlines for decision-making.
Change Implementation Control
This control aims to ensure that approved changes are implemented in a controlled and systematic manner, minimizing disruptions to existing systems and processes during the implementation phase. It encompasses the planning and execution of changes by defining detailed implementation plans, scheduling changes during low-impact periods, and closely monitoring the execution process. This control ensures that changes are implemented according to the approved plan, minimizing the potential for service interruptions or adverse effects on end-users. It also includes validation to confirm that the implemented change functions as intended.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Develop comprehensive implementation plans that outline the step-by-step execution of changes, including scheduling, resource allocation, and contingency measures.
- Conduct validation checks after implementing changes to verify that the change functions as intended and has not introduced any unforeseen issues.
- Establish well-defined back-out procedures that allow for the quick reversal of changes in case of unexpected problems during implementation.
Testing and Validation Control
The primary objective of this control is to ensure that changes to information systems are thoroughly tested and validated before implementation. It aims to identify and rectify any issues or defects, reducing the risk of post-implementation problems. It involves the development of comprehensive test plans, test cases, and testing procedures. It includes various testing phases, such as unit testing, system integration testing, and user acceptance testing (UAT). This control ensures that changes are tested in a controlled environment and that the results are documented. Any identified issues or defects are addressed before implementation to guarantee that the change functions as expected and aligns with user requirements.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Create detailed test cases that cover various aspects of the change, including functional, performance, and security testing.
- Ensure testing is conducted in isolated environments to prevent accidental impact on production systems.
- Implement a defect tracking system to document and prioritize issues discovered during testing, with clear procedures for resolution and retesting.
Change Documentation Control
This control aims to maintain comprehensive and accurate documentation of all change-related activities by ensuring transparency, accountability, and a knowledge base for future reference. It involves creating and maintaining documentation throughout the change management process, including change requests, change plans, test results, implementation records, and post-implementation reports. Proper documentation enables effective communication, knowledge transfer, and compliance with audit and regulatory requirements. It ensures that all stakeholders have access to essential information related to the change.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Establish a standardized template for change request documentation, ensuring that all necessary information is captured consistently.
- Implement version control mechanisms to track changes in documentation and ensure that the most current information is readily available.
- Define retention policies for change-related documentation, specifying how long records should be retained for audit and compliance purposes.
Post-Implementation Review Control
The primary objective of this control is to conduct a thorough review of changes after implementation. It aims to evaluate the effectiveness of the change, identify lessons learned, and ensure that the intended benefits are realized. It systematically assesses the change’s impact on the organization by including feedback from end-users and stakeholders to gather insights into its performance and alignment with business objectives. Lessons learned from the implementation process are documented to improve future change management practices. It also helps in continuous improvement and optimization of change management processes.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Solicit feedback from end-users and stakeholders using surveys, interviews, or feedback forms to gather insights into their experiences with the implemented change.
- Establish key performance indicators (KPIs) to measure the impact of the change on operational efficiency, customer satisfaction, and other relevant metrics.
- Conduct lessons learned workshops with project teams to identify areas of improvement in the change management process and capture best practices for future changes.
User Training and Documentation Control
This control aims to ensure effective communication and training for stakeholders affected by the change by minimizing resistance to change, enhancing user adoption, and facilitating a smooth transition. It involves a well-planned communication strategy informing stakeholders about the change’s progress, timelines, and potential impacts. It also includes developing user training materials, such as user manuals, online courses, and training sessions. Training ensures end-users gain the necessary skills and knowledge to use the changed systems effectively. It fosters understanding, cooperation, and a positive user experience during and after the change implementation process.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Develop a communication plan that includes notifications to stakeholders about upcoming changes, their benefits, and any expected impacts.
- Create comprehensive training programs encompassing various learning styles, including hands-on exercises, simulations, and online resources.
- Establish user support channels, such as help desks or online portals, to provide ongoing assistance and address user inquiries and issues related to the change.
Summarized Audit Program
As discussed in Chapter 3, an audit program is a structured and comprehensive plan that outlines the procedures and activities to assess the effectiveness of an organization’s control environment. Based on the core concepts of IS change management ITGCs discussed above, presented below is a summarized audit program highlighting select relevant risks, corresponding ITGCs, and potential ways (audit procedures) to assess the operating effectiveness of such ITGCs. Please note that this is not an exhaustive audit program covering all applicable risks and controls and is provided for your reference only.
Detailed Description of the Risk and Its Impact | Relevant IT General Control Activity | Detailed Test of Controls Audit Procedure |
---|---|---|
Unauthorized changes to IT systems can lead to security vulnerabilities, system failures, and data integrity issues. | The control activity involves a formal change management process where all changes to IT systems are logged, evaluated, and approved before implementation. This process is conducted for every change request. Key responsibilities include reviewing change requests, assessing their impact, obtaining necessary approvals, and documenting all changes. | The audit inspects 40 change management logs and reviews the corresponding approval documentation. The auditor will use the inspection technique to verify that all changes were logged correctly, evaluated, and approved according to the established change management procedures. |
Inadequate testing of IT system changes can result in operational disruptions and unanticipated system errors. | The control activity mandates thorough testing of all changes to IT systems before they are deployed. This includes developing test plans, executing test cases, and documenting the test results. Testing is performed for each significant change. | The audit involves examining 40 sets of test documentation for recent significant changes, using the inspection technique to ensure that comprehensive testing was conducted and that test results confirm the changes function as intended. |
Lack of documentation for IT system changes can lead to a loss of knowledge and difficulty troubleshooting future issues. | This control activity requires detailed documentation of all changes to IT systems, including the rationale for the change, the change process, and any testing conducted. Documentation is needed for each change. | The audit involves reviewing documentation for 40 recent system changes, using the inspection technique to verify that comprehensive documentation is maintained for each change, and documenting the rationale, process, and testing outcomes. |
Ineffective communication of IT system changes can result in user confusion and errors. | The control activity includes a communication plan for all significant IT system changes, ensuring that relevant stakeholders are informed about the changes, their impact, and any required actions. This is done for each significant change. | The audit involves reviewing communication records for 40 recent significant changes, using the inspection technique to confirm that effective communication was conducted according to the communication plan and that stakeholders were appropriately informed. |
Failure to monitor and review the effectiveness of IT system changes can lead to persistent issues and missed improvement opportunities. | The control activity involves post-implementation reviews for significant changes to assess their effectiveness and identify any issues or improvement areas. These reviews are conducted after each significant change. | The audit includes examining 40 post-implementation review reports, using the inspection technique to ensure that reviews were conducted and any identified issues or improvements were documented and addressed. |
Inadequate management of emergency changes can result in rushed and uncontrolled modifications to IT systems. | The control activity requires a specific process for managing emergency changes, including expedited evaluation, approval, and post-implementation review. This process is activated for each emergency change. | The audit involves reviewing the documentation for 25 recent emergency changes, using the inspection technique to verify that the emergency change was managed according to the specific process and that necessary controls were maintained. |
Insufficient tracking of changes over time can obscure the history of system modifications and impact system stability. | The control activity involves maintaining a comprehensive change log that records all changes made over time, including dates, descriptions, and responsible parties. This log is updated with every change. | The audit procedure includes examining the change log for the past two quarters, using the inspection technique to confirm that it accurately records all changes, including their dates, descriptions, and responsible parties. |
In the Spotlight
For additional context on auditing IS change management, please read the article titled “IT Change Management for Service Organizations: Process, Risks, Controls, Audits”.
McCarty, B. (2021). IT change management for service organizations: Process, risks, controls, audits. LinfordCo Blog. https://linfordco.com/blog/change-control-management/
Knowledge Check
Review Questions
- What is the primary objective of Change Request Evaluation Control in IS change management ITGCs?
- How can organizations mitigate the risk of unauthorized changes to IT systems?
- Why is thorough testing and validation essential in IS change management?
- What is the significance of documentation in the change management process?
- How can organizations effectively communicate IT system changes to stakeholders during the change management process?
Mini Case Study
Imagine you are an IT auditor tasked with evaluating the change management process of a medium-sized financial institution planning a significant upgrade to its core banking system. The organization is firmly committed to ensuring the security and reliability of its IT systems. They have requested your expertise in identifying and assessing IT General Controls (ITGCs) most appropriate for this critical project.
Required: Please provide the three most appropriate change management IT General Controls that should be in place to ensure the success of the core banking system upgrade. Additionally, propose an appropriately robust audit procedure to evaluate the effectiveness of these controls in the context of this upgrade.
Ensures proposed changes to information systems undergo a rigorous evaluation process assessing feasibility, impact, and alignment with organizational objectives.
Establishes a formalized process for approving proposed changes to information systems, ensuring only authorized changes proceed to implementation.
Ensures approved changes are implemented in a controlled and systematic manner, minimizing disruptions.
Conducts thorough reviews of changes after implementation to evaluate effectiveness and identify lessons learned.