Information technology is critical to the long-term success of most organizations. It is a key driver of the cost of operations, and the cost of operations is a vital component of overall profitability. It facilitates the introduction of new business initiatives, as well as the ongoing improvement of current processes, and allows the management team to monitor and report on performance. IT enables business operations through connectivity, information processing, business intelligence, and the like.

Lastly, and especially important to this audience, IT can contribute greatly to a company’s system of internal control.

With the organizational importance of IT continuing to grow each year, the importance of “change management” in IT systems continues to grow along with it. There is a substantial body of evidence that change management contributes critically to the implementation of efficient, effective, and secure IT operations. Because every change in an IT system creates a potential consequence on the company’s operations, executives must understand change management thoroughly: how to impose it, how to enforce it, and how to monitor and improve its effectiveness. Research from the IT Process Institute has shown that organizations that manage their technology well perform substantially better than organizations that don’t.

Simply stated, all IT changes need to be authorized and tested, and unauthorized or untested changes prohibited. Put another way: changes to a company’s IT infrastructure are a significant source of risk for every business; to protect the corporate crown jewels, robust change management practices are absolutely critical. The need for a positive “control environment” within IT and an unforgiving attitude regarding unauthorized IT changes cannot be overstated.

Strong change management means planned system implementations, proven (read: tested) solutions, scheduled upgrade windows where recovery is facilitated if needed, and much more. To manage technology changes well, a change management program needs to be formally introduced into the organization. Implementing a change management program means assigning responsibility for the various change activities involved in implementing new technology solutions.

Auditing Technology Change Processes

An audit of change management should review IT results to identify key improvement opportunities. During the audit of change management programs, auditors need to:

Understand the change management processes and procedures.

Identify and assess key controls within the change management processes that ensure all changes are properly authorized and tested prior to implementation.

Determine the quality of the information generated by the change management program, and assess whether it is sufficient to manage the change management process.

Assess change management performance metrics for their existence, effectiveness, monitoring activities, and responses to any program deviations.

Evaluate whether risk-management controls are preventive, detective, or corrective, and if a good balance has been implemented.

Define tests to confirm the operational effectiveness of change management activities, including management and staff interviews, documentation and report reviews, and data analyses.

Recommend opportunities for improvement of change management activities.

Indicators of Poor Change Management

Unauthorized changes. Anything above zero is unacceptable. Establishing a tone at the top that clearly communicates the company’s intolerance of unauthorized changes is fundamental to the long-term success of change management programs.

Unplanned outages. System outages should be scheduled (planned) to reduce the impact on the organization’s operations. Predetermined “change windows” are where production systems should be updated. Unplanned outages are caused by system problems and encourage a reactionary environment (that is, firefighting), which is not how you stay on top of internal control systems.

Low change success rate. Good change management involves good testing; if changes have to be “backed out,” it is an indicator of poor testing that failed to catch problems in the early stages.

High number of emergency changes. Again, emergencies should be emergencies, and happen infrequently. Poor planning of changes results in a high number of emergencies.

Delayed project implementations. Delays in project implementation are a sign of unrealistic plans or poor resourcing decisions. Good change management practices encourage good planning and, over time, more achievable plans, resulting in fewer delayed and cancelled implementations.

An audit of change management should review the above risk indicators as a good measure of the likelihood that controls are or are not effective.
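The data analysis an auditor might run to measure these indicators, as an added example that is not part of the article or any checklist it cites: it reconciles a production deployment log against the approved-change register and counts unauthorized changes, changes deployed outside their approved window, untested changes, backed-out changes, and emergency changes. The log format, the register fields, and the thresholds for success and emergency rates are assumptions; the zero tolerance for unauthorized changes is the article's own.

```python
"""Change-management indicator check: reconcile a deployment log with the
approved-change register. Added example; the log format, register fields and
rate thresholds are assumptions, not any organization's real data."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed approved-change register, as a change advisory board might export it.
# Fields are hypothetical: emergency flag, test-evidence flag, approved change window.
REGISTER = {
    "CHG-1001": {"emergency": False, "tested": True,
                 "window": ("2024-03-02T22:00:00", "2024-03-03T02:00:00")},
    "CHG-1002": {"emergency": False, "tested": False,
                 "window": ("2024-03-02T22:00:00", "2024-03-03T02:00:00")},
    "CHG-1003": {"emergency": True, "tested": True,
                 "window": ("2024-03-06T09:00:00", "2024-03-06T10:00:00")},
}

# Constructed deployment log: one line per production deployment, key=value fields.
DEPLOY_LOG = """\
2024-03-02T22:15:00 host=app01 ticket=CHG-1001 action=deploy result=success
2024-03-02T23:40:00 host=app02 ticket=CHG-1002 action=deploy result=rollback
2024-03-05T14:05:00 host=app01 ticket=- action=deploy result=success
2024-03-06T11:30:00 host=db01 ticket=CHG-1003 action=deploy result=success
2024-03-07T03:00:00 host=app03 ticket=CHG-9999 action=deploy result=success
"""


@dataclass
class Deployment:
    when: datetime
    host: str
    ticket: Optional[str]
    result: str


def parse_deploy_log(text: str) -> list:
    """Parse the key=value log lines; a ticket of '-' means none was recorded."""
    deployments = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ticket = kv.get("ticket")
        deployments.append(Deployment(
            when=datetime.fromisoformat(stamp),
            host=kv["host"],
            ticket=None if ticket in (None, "-") else ticket,
            result=kv.get("result", "unknown"),
        ))
    return deployments


def analyze(register: dict, deployments: list) -> dict:
    """Compute the indicator counts; every counter starts at zero so an empty log is clean."""
    m = {"total": len(deployments), "unauthorized": 0, "authorized": 0,
         "outside_window": 0, "rolled_back": 0, "emergency": 0, "untested": 0}
    for d in deployments:
        entry = register.get(d.ticket) if d.ticket else None
        if entry is None:
            m["unauthorized"] += 1   # no ticket, or a ticket the CAB never approved
            continue
        m["authorized"] += 1
        start, end = (datetime.fromisoformat(t) for t in entry["window"])
        if not (start <= d.when <= end):
            m["outside_window"] += 1   # deployed outside the approved change window
        if d.result == "rollback":
            m["rolled_back"] += 1      # a backed-out change counts against the success rate
        if entry["emergency"]:
            m["emergency"] += 1
        if not entry["tested"]:
            m["untested"] += 1
    n = m["authorized"]
    m["success_rate"] = (n - m["rolled_back"]) / n if n else 1.0
    m["emergency_rate"] = m["emergency"] / n if n else 0.0
    return m


def indicators(m: dict, min_success_rate: float = 0.9,
               max_emergency_rate: float = 0.1) -> list:
    """Turn the metrics into audit findings. The two rate thresholds are assumed
    defaults; anything above zero unauthorized changes is a finding."""
    findings = []
    if m["unauthorized"] > 0:
        findings.append(f"unauthorized changes: {m['unauthorized']}")
    if m["outside_window"] > 0:
        findings.append(f"changes outside approved window: {m['outside_window']}")
    if m["untested"] > 0:
        findings.append(f"changes deployed without test evidence: {m['untested']}")
    if m["success_rate"] < min_success_rate:
        findings.append(f"low change success rate: {m['success_rate']:.0%}")
    if m["emergency_rate"] > max_emergency_rate:
        findings.append(f"high emergency change rate: {m['emergency_rate']:.0%}")
    return findings


if __name__ == "__main__":
    metrics = analyze(REGISTER, parse_deploy_log(DEPLOY_LOG))
    for finding in indicators(metrics):
        print("FINDING:", finding)
```

On the constructed data the script reports two unauthorized deployments (one with no ticket, one with a ticket the register does not contain), one change outside its window, one untested change, a 67 percent success rate and a 33 percent emergency rate. In practice the register and the log should come from independent systems, so that the people making changes cannot also edit the evidence the audit relies on.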

Auditing IT processes can be very productive; good business results happen due to the quality of the processes used to produce them. Reviewing the policies and procedures and related processes that have been implemented will help determine if your IT investments will be productive and worthwhile. Also, discussing with IT management how they do their jobs—in particular their IT change efforts—will be extremely productive, and help answer the fundamental question: Are changes being implemented in a controlled or haphazard manner?

When I look at the work IT managers have done to test (that is, prove) that a change is working, I want to see four fundamental testing techniques: functional testing, stress testing, logical testing, and path testing. It has been my experience that if the above system testing isn’t done, verified, and approved by some independent validation unit (quality control, internal audit, outside consultants, whatever), then we have a problem in 60 percent of the implementations.

Finally, a robust “release management” process, in addition to strong change management practices, should be the ultimate goal. Rigorous practices for building, testing, and issuing IT changes have a broad impact on individual IT results and overall performance of an organization. Therefore, while implementing a comprehensive change management program is important, establishing a strong release management process as well is strongly recommended.

IT Audit Guidance

The IT Compliance Institute has published a new IT audit checklist covering change management. This paper, “IT Audit Checklist: Change Management,” supports an internal audit of the organization’s change management policies to verify compliance and look for opportunities to improve efficiency, effectiveness, and economy. The paper includes advice on assessing the existence and effectiveness of change management in project oversight, development, procurement, IT service testing, and IT operations; guidance for management and auditors on supporting change management; and information on ensuring continual improvement of change management efforts.

Are your technology changes well managed? I believe it’s time to find out.