5 Key Factors I Focus on During Change Management Audits
Chinmay Kulkarni
Technology Risk Auditor at EY US | Making You The Next Generation IT Auditor | CISA* | CRISC* | CCSK | ISO 27001 LA | ISO 27701 LI
Issue #22
My weekly newsletter where I share insights and valuable knowledge on IT auditing, general controls testing, and risk management.
Stay ahead of the curve!
You can view all previous newsletters here.
What is Change Management and Why Does it Matter for Businesses?
Change management is all about how a company updates and improves its software and systems in a safe and organized way.
It involves everything from securing access to the code during development to tracking who deploys it in the end.
As someone who's recently started in the auditing field, I've conducted many tests related to change management.
Here are the five main things I focus on during these tests. Keep in mind, these are the important aspects that come to mind based on my experience.
There's more to consider, but these are a good starting point.
1. Segregation of Duties
Firstly, I look at the "segregation of duties" principle. It's crucial that the person requesting a change isn't the same person implementing or approving it. Mixing these roles can cause problems and conflicts of interest.
Always make sure the requester is different from the implementer and approver.
Imagine you work at a tech company, and you're a developer. You have an idea to improve a feature on the company's website. If you request, implement, and approve this change all by yourself, it can lead to a conflict of interest. The segregation of duties principle would require that someone else, like a project manager or a senior developer, approves and oversees the implementation.
2. Prior Approval for Changes
Next, every change needs prior approval before being implemented. This step is vital to avoid untested changes causing issues in the system.
Always ensure changes are approved before the actual implementation date.
Let's say you want to update the mobile app to include a new feature. Before making the changes, you need to create a proposal outlining the details of the update and its expected benefits. This proposal is then reviewed and approved by a project manager or a designated authority.
3. Testing Changes Before Implementation
Thirdly, changes should be tested before going live in the organization. Testing is a common practice in change management. It ensures that any new features or updates work properly and won't cause problems for customers or clients.
Suppose you're updating the interface of an e-commerce website to improve the checkout process. Before making this change live, you set up a test environment where you can try out the new interface, simulate purchases, and ensure everything functions as intended without causing any disruptions.
4. Valid Description of Changes
The fourth point is about providing a clear description of the change.
Even if you're not a technical expert, the change description should give a brief explanation of why the change is needed and what it will impact.
It's crucial for auditors to understand the reasoning behind each change.
Suppose you want to modify the login process for an application. The change description should include information like why this change is needed (e.g., to enhance security), what part of the system is being affected (e.g., the login module), and who is making the change (e.g., the development team lead).
5. Authorized Approval of Changes
Lastly, the person approving the change should have the proper authorization. It's essential to confirm that the individual approving the change has the authority to do so.
Unauthorized approvals can create confusion and potential issues down the line.
If you're working in a financial organization and need to make a change to the payment processing system, the approval should come from a designated authority, like the head of the finance department. Unauthorized employees shouldn't have the authority to approve critical changes like this.
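As an added illustration (not code from the newsletter), the following Python sketch applies the five tests above to a small constructed set of change records and reports the exceptions an auditor would raise; the authorized approver roles, the 20-character description threshold and the sample tickets are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
# Roles assumed to be authorized approvers (illustrative, not from the article).
AUTHORIZED_APPROVER_ROLES = {"project_manager", "senior_developer", "department_head"}

@dataclass
class ChangeRecord:
    change_id: str
    requester: str
    implementer: str
    approver: str
    approver_role: str
    approval_date: Optional[date]  # None when no approval was recorded
    implementation_date: date
    tested: bool                   # True when test evidence exists before go-live
    description: str
def audit_change(c: ChangeRecord) -> List[str]:
    """Apply the five tests to one change record and return the exceptions found."""
    findings = []
    # 1. Segregation of duties: requester, implementer and approver must all differ.
    if len({c.requester, c.implementer, c.approver}) < 3:
        findings.append("SoD: requester, implementer and approver are not all distinct")
    # 2. Prior approval: an approval must exist and must precede implementation.
    if c.approval_date is None:
        findings.append("Approval: no approval recorded")
    elif c.approval_date > c.implementation_date:
        findings.append("Approval: approved after the implementation date")
    # 3. Testing before implementation.
    if not c.tested:
        findings.append("Testing: no test evidence before implementation")
    # 4. Valid description (the 20-character minimum is an assumed, crude threshold).
    if len(c.description.strip()) < 20:
        findings.append("Description: too brief to explain purpose and impact")
    # 5. Authorized approval: the approver's role must be on the authorized list.
    if c.approver_role not in AUTHORIZED_APPROVER_ROLES:
        findings.append(f"Authorization: role '{c.approver_role}' may not approve changes")
    return findings

def audit_population(changes: List[ChangeRecord]) -> Dict[str, List[str]]:
    # An empty list for a change id means that change passed all five tests.
    return {c.change_id: audit_change(c) for c in changes}
# Constructed sample population (not real data): one clean, one failing all five, one unapproved.
SAMPLE_CHANGES = [
    ChangeRecord("CHG-001", "alice", "bob", "carol", "project_manager", date(2024, 3, 1),
                 date(2024, 3, 5), True, "Add second-factor prompt to the login module"),
    ChangeRecord("CHG-002", "dave", "dave", "dave", "developer", date(2024, 3, 9),
                 date(2024, 3, 8), False, "fix"),
    ChangeRecord("CHG-003", "erin", "frank", "grace", "department_head", None,
                 date(2024, 3, 12), True, "Update payment retry logic to cut failed settlements"),
]
```

Running `audit_population(SAMPLE_CHANGES)` flags CHG-002 on all five tests and CHG-003 only for the missing approval, while CHG-001 passes cleanly.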
I hope this overview helps you understand change management a bit better. Remember, these are just starting points, and there's more to explore in this field. Thank you for reading, and stay tuned for the next newsletter!
Signing off,
Chinmay Kulkarni
Thank you for being a part of our IT auditing community! Elevate your Governance, Risk and Compliance game by following me on LinkedIn.
Let's continue this journey together.