GTAG 2 - Change and Patch Management Controls

1.1 Why the CAE Must Be Involved in Controlling Change and Patch Management
You may be wondering why you should read a guide on the subject of information technology (IT) change and patch management. After all, isn’t this something you can completely delegate to your technical IT audit staff? And isn’t there sufficiently thorough guidance on this topic that goes back to managing the mainframe environment? The short answer to both of these questions is “no.”
While the primary role of chief audit executives (CAEs) does not include being experts on technology, significant risks exist around virtually all business uses of technology. It is important to understand that you do not need to be an expert to help people manage technology and its associated risks.
The goal of this guide is to help CAEs, their executive peers, and staff enhance their knowledge associated with technology management, and help them counsel management on governing these processes effectively.
For the intended audience of this guide, issues related to IT change control rarely have been as important as they are now. CAEs are being held accountable by audit committees and are expected to comply with regulations such as the U.S. Sarbanes-Oxley Act of 2002 Section 404. Having the knowledge to effectively challenge IT management is not only useful, but essential.
After reading this guide, you will:
• Have a working knowledge of IT change management processes.
• Be able to quickly distinguish effective change management processes from ineffective ones.
• Be able to quickly recognize red flags and indicators that IT environments are having control issues related to change management.
• Understand that effective change management hinges on implementing preventive, detective, and corrective controls to enforce segregation of duties and ensuring adequate management supervision.
• Be in a position to recommend the best known practices for addressing these issues, both for assurance on risks (including controls attestations), as well as increasing effectiveness and efficiency.
• Be able to sell your recommendations more effectively to your chief information officer (CIO), chief executive officer (CEO), and/or chief financial officer (CFO).
Because every “IT risk” creates some degree of business risk, it is important that CAEs thoroughly understand change management issues.
Change and patch management is defined here as the set of processes executed within the organization’s IT department designed to manage the enhancements, updates, incremental fixes and patches to production systems, which include:
• Application code revisions.
• System upgrades (applications, operating systems, databases).
• Infrastructure changes (servers, cabling, routers, firewalls, etc.).
Collectively, we refer to these as “IT changes.” All organizations have to deal with IT changes effectively, because virtually every business decision requires one or more changes to assets. When changes fail or are poorly controlled, the impact on the business can range from minor inconvenience to events that hinder the achievement of business objectives, including the ability to comply with the growing body of regulation.
1.2 Poor Change Management Can Be Identified Quickly
This guide was developed to help CAEs ask the right questions of the IT organization to assess its change management capability. To help you quickly assess the overall level of process risk and determine whether a more detailed process review may be necessary, this guide also provides expected answers to these questions.
Top Five Risk Indicators of Poor Change Management:
• Unauthorized changes (above zero is unacceptable).
• Unplanned outages.
• Low change success rate.
• High number of emergency changes.
• Delayed project implementations.
This guide includes field-tested metrics to help you assess the health of the change management process quantitatively, as well as suggested management metrics to guide your organization to achieve and sustain higher levels of control and performance. In this way, internal auditors can assist management by identifying the sources of risk to the organization and assessing the effectiveness of risk management, governance, and control processes.
Easily recognizable symptoms and indicators of control failures due to poorly controlled IT changes include:
• Unavailability of critical services and functions, even for short periods of time.
• Unplanned system or network downtime, halting execution of critical business processes such as coordinating schedules with suppliers and responding to customer orders.
• Downtime on critical application, database, or Web servers, preventing users from performing their critical tasks.
• Negative publicity and unwanted board attention.
At an organizational level, indicators that IT organizations may have systemic change management control issues include:
• The majority of the IT organization’s time is spent on operations and maintenance (>70 percent) instead of helping the business deploy new capability.
• Failure to complete projects and planned work (due to high amounts of firefighting and unplanned work).

• IT management is being awakened in the middle of the night regarding problems.
• High IT staff turnover.
• Adversarial relationships between IT support staff, developers, and business customers (internal or external), usually over poor service quality or late delivery of functionality.
• High amounts of time required for IT management to prepare for IT audits and to remediate the resulting findings.
Many organizations are just one change away from being a poor performer.

1.3 Understanding How IT Change Is Managed Effectively
Change management is sometimes difficult for organizations to master because so many stakeholders are involved (e.g., business managers, application system developers, IT operations staff, auditors). However, this is not a reason for organizations to be complacent about inadequate controls or low performance.
Stable and managed production environments require that implementation of changes be predictable and repeatable, following a controlled process that is defined, monitored, and enforced. The necessary IT controls to achieve this are analogous to the controls used in financial processes to reduce the risk of fraud and errors: segregation-of-duties controls (which are preventive in nature) and supervisory controls (which are preventive and detective in nature).

CAEs will be very familiar with these controls: Only the minimal staff required to implement IT production changes should have access to the production environment (preventive). Authorization processes should involve stakeholders to assess and mitigate risks associated with proposed changes (preventive). Supervisory processes should encourage IT management and staff to undertake their duties responsibly (preventive), and be able to detect errant performance (detective).
Donna Scott, vice president and research director, Gartner, notes that “80 percent of unplanned [IT] downtime is caused by people and process issues, including change management practices.” These issues arise in the absence of automated preventive, detective, and corrective controls that enable good risk-based decisions around change and effective monitoring and enforcement of the change management process.
High-performing IT organizations also have reached this conclusion, which is supported by extensive work performed by the Software Engineering Institute (SEI) and the IT Process Institute (ITPI).
What do all high-performing IT organizations have in common? They have a culture of change management that prevents and deters unauthorized change. They also “trust but verify” by using independent detective controls to reconcile production changes with authorized changes, and by ruling out change first in the repair cycle during outages. Finally, they also have the lowest mean time to repair (MTTR).
Auditors will appreciate that in these high-performing IT organizations, change management is not viewed as bureaucratic, but is instead the only safety net preventing them from becoming a low-performer. In other words, IT management owns the controls to achieve its own business objectives, efficiently and effectively.
Achieving a change success rate over 70 percent is possible only with preventive and detective controls.
Internal auditors, together with management, want to ensure change management-related risks have been identified and are being measured and managed properly. The key point to remember is that change management is primarily a process discipline with a managerial and human focus, supported by technical and automated controls.

1.3.1 Regulatory Considerations
Effective change management processes can assist the organization in maintaining ongoing compliance with new and expanding regulations. Particular care must be exercised when implementing changes to technology that supports the financial reporting process. Such changes can impact organizational compliance with Sarbanes-Oxley, the European Union privacy directives, and State of California Senate Bill (SB) 1386 requirements. Uncontrolled changes in production can lead to errors that, if pervasive or critical, could be considered significant deficiencies. Where key financial controls are impacted or the organization has failed to correct significant IT general control deficiencies identified in the prior year (such as in change management), management may face the possibility of having to deal with material weaknesses.
When Failure Is Not an Option
By managing changes, you manage much of the potential risk that changes can introduce.
1.4 The Top Five Steps to Reduce IT Change Risks
In this guide, we have framed the observed best known practices of change management processes that reduce business risk and increase IT efficiency and effectiveness. In summary, five prescriptive steps that can be taken immediately by most organizations to improve their change management processes are:
• Create tone at the top motivating the need for a culture of change management across the enterprise, supported by a declaration from IT management that the only acceptable number of unauthorized changes is zero. Preventive and detective controls can then be put in place to help achieve and sustain this objective, ensuring that all production changes can be reconciled with authorized work orders.
• Continually monitor the number of unplanned outages, which is an excellent indicator of unauthorized change and failures in change control.
• Reduce the number of risky changes by specifying well-defined and enforced change freeze and maintenance windows. This maximizes stability and productivity during production hours. Unplanned outages serve as effective indicators that this change process is being circumvented.
• Use change success rate as a key IT management performance indicator. Where changes are unmanaged, unmonitored, and uncontrolled, change success rates are typically less than 70 percent. Each failed change creates potential downtime, unplanned and emergency work, variance from plans, and business risk. Increasing the change success rate requires effective preventive, detective, and corrective controls.
• Use unplanned work as an indicator of the effectiveness of IT management processes and controls. High-performing IT organizations spend less than 5 percent of their time on unplanned work, while average organizations often spend 45 percent to 55 percent of their time on unplanned (and urgent) activities.
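As an added illustration, not part of the GTAG itself, of the “trust but verify” reconciliation described in 1.3 and the indicators listed in 1.4: a Python script that matches changes seen by an independent detective control (such as file integrity monitoring) against authorized change tickets and reports unauthorized changes, change success rate, emergency changes, and changes made outside a maintenance window. The hosts, paths, ticket IDs and the 22:00 to 04:00 window are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, time
@dataclass
class Authorized:             # a closed ticket from the change management system
    ticket: str
    host: str
    path: str
    window_start: datetime    # approved implementation window
    window_end: datetime
    succeeded: bool           # outcome recorded when the ticket was closed
    emergency: bool = False
@dataclass
class Detected:               # an event from an independent detective control (e.g. FIM)
    host: str
    path: str
    observed: datetime
# Constructed policy: routine production changes are permitted only 22:00-04:00.
MAINT_WINDOW = (time(22, 0), time(4, 0))
def in_maintenance_window(ts):
    start, end = MAINT_WINDOW
    return ts.time() >= start or ts.time() < end   # the window crosses midnight

def is_authorized(d, authorized):
    # Authorized only if a ticket names the same host and path AND the change was
    # observed inside that ticket's approved window; anything else is unauthorized.
    return any(a.host == d.host and a.path == d.path
               and a.window_start <= d.observed <= a.window_end for a in authorized)

def change_metrics(detected, authorized):
    """The guide's indicators for one reporting period; zero unauthorized is the target."""
    return {
        "unauthorized_changes": sum(not is_authorized(d, authorized) for d in detected),
        "change_success_rate": sum(a.succeeded for a in authorized) / max(len(authorized), 1),
        "emergency_changes": sum(a.emergency for a in authorized),
        "changes_outside_window": sum(not in_maintenance_window(d.observed) for d in detected),
    }

# Constructed sample data: three tickets, four detected changes (one with no ticket).
T = datetime
AUTHORIZED = [
    Authorized("CHG-001", "app01", "/etc/app/config.yml", T(2024, 3, 5, 22, 0), T(2024, 3, 5, 23, 0), True),
    Authorized("CHG-002", "db01", "/etc/postgresql/postgresql.conf", T(2024, 3, 5, 23, 0), T(2024, 3, 6, 0, 30), False),
    Authorized("CHG-003", "web01", "/etc/nginx/nginx.conf", T(2024, 3, 6, 14, 0), T(2024, 3, 6, 14, 30), True, emergency=True),
]
DETECTED = [
    Detected("app01", "/etc/app/config.yml", T(2024, 3, 5, 22, 15)),
    Detected("db01", "/etc/postgresql/postgresql.conf", T(2024, 3, 5, 23, 40)),
    Detected("web01", "/etc/nginx/nginx.conf", T(2024, 3, 6, 14, 10)),
    Detected("app01", "/usr/local/bin/deploy.sh", T(2024, 3, 6, 10, 5)),
]
print(change_metrics(DETECTED, AUTHORIZED))
```

The deploy.sh change has no matching ticket and is counted as unauthorized, while the emergency nginx change is authorized but flagged as outside the maintenance window, which is the kind of exception an auditor would expect to see explained by an emergency change record.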

1.5 The Internal Auditor’s Role
The audit committee wants to ensure that management has identified and assessed risks that could impede achievement of business objectives. Robust processes must be in place to mitigate, manage, accept, or transfer the risks effectively. Internal auditors serve as the eyes and ears of management and the audit committee, seeking out areas that require strengthening. To this end, the importance of an effective change management process cannot be overstated, and internal auditors should consider conducting reviews of it on a regular basis.

For more details and to join, visit www.theiia.org
