
Institute of Internal Auditors Global Technology …


IIA Change Management GTAG i V 3.1 03/11/05 Institute of Internal Auditors Global Technology Audit Guides v3.1 Change and Patch Management Controls: Critical for


IIA Change Management GTAG i V 03/11/05

Institute of Internal Auditors Global Technology Audit Guides

Change and Patch Management Controls: Critical for Organizational Success

Authors:
Jay R. Taylor, General Motors Corporation
Julia H. Allen, Carnegie Mellon University, Software Engineering Institute
Glenn L. Hyatt, General Motors Acceptance Corporation
Gene H. Kim, Tripwire, Inc.

Date of Review Draft Publication: November 09, 2004
Date of Review Draft Publication: January 14, 2005
Date of Review Draft Publication: March 11, 2005

Table of Contents

Summary for the Chief Audit Executive
  Why the CAE Must Be Involved in Controlling Change and Patch Management
  Poor Change Management Can be Quickly
  Understanding How IT Change Is Effectively Managed
  The Top Five Steps To Reduce IT Change Risks
  The Internal Auditor's Role
2 Introduction
  An Illuminating Dialogue Between a Chief Information Officer (CIO) and a Chief Audit Executive (CAE)
3 Why Should I Care About The Way My Organization Is Managing Change?
  Change Creates Risk: Why Patches Must Be Treated As Just Another Change
  We Already Have a Change Management Process What is Different Here?
  How a Robust Change Management Process Can Help
4 Defining IT Change
  What Is the Scope of Change Management?
  What Does Ineffective Change Management Look Like?
  What Does Effective Change Management Look Like?
  Change Management Metrics and
  Integrating Patch Management Into Change Management
  Guiding Principles: How To Decide If, When, And How To Implement Changes
5 What Questions Should I Ask About Change and Patch Management?
  Evolving A Change Management Capability
6 Three Months Later: Sydney's Story Concludes
7 Where Should Internal Auditors Begin?
  Audit's Role in the Change Management Process
8 Where Can I Learn More?
Appendix 1: IT Change Management Audit Program
Appendix 2: The Visible Ops Methodology
Appendix 3: Example Business Case for Change Management
Appendix 4: Change Management Tools and Vendors
References
About the Authors
Project Review Team

List of Figures

Figure 1: COSO ERM Model for Change
Figure 2: Unplanned Work as Indicator of Effective Change Management Processes
Figure 3: Key Variables that Influence Change Management
Figure 4: Change Management Capability Levels

List of Tables

Table 1: Change Management Metrics
Table 2: Questions to Ask About Change Management by Archetype
Table 3: IT Change Management Audit Program
Table 4: Typical Roles
Table 5: Segregation of
Table 6: Issues and Indicators of Ineffective Change Management
Table 7: Benefits from Effective Transformation

Summary for the Chief Audit Executive

Why the CAE Must Be Involved in Controlling Change and Patch Management

You may be wondering why you should read a guide on the subject of IT (information technology) change and patch management.

After all, isn't this something you can completely delegate to your technical IT audit staff? And isn't there sufficiently thorough guidance on this topic that goes back to managing the mainframe environment? The short answer to both of these questions is no. While the primary role of CAEs does not include being subject matter experts on technology, significant risks exist around virtually all business uses of technology. It is important to understand that you do not need to be an expert to help people manage technology and its associated risks. The goal of this Guide is to help CAEs, their executive peers, and staff enhance their knowledge associated with technology management, and help them counsel management on effectively governing these processes.

For the intended audience of this Guide, issues related to IT change control have rarely been as important as they are now. CAEs are being held accountable by Audit Committees and are expected to comply with regulations such as the Sarbanes-Oxley Act Section 404. The knowledge to effectively challenge IT management is not only useful but essential. After reading this Guide, you will:

- have a working knowledge of IT change management processes
- be able to quickly distinguish great change management processes from ineffective ones
- be able to quickly recognize red flags and indicators that IT environments are having control issues related to change management
- understand that effective change management hinges on implementing preventive, detective and corrective controls to enforce segregation of duties and ensure adequate management supervision
- be in a position to recommend the best known practices for addressing these issues, both for controls attestations, as well as increasing effectiveness and efficiency
- be able to more effectively sell your recommendations to your CIO, CEO and/or CFO.

Because every IT risk creates some degree of business risk, change management issues are important for CAEs to thoroughly understand.

Change and patch management is defined here as the set of processes executed within the organization's IT organization designed to manage the enhancements, updates, incremental fixes and patches to production systems, which include:

- Application code revisions
- System upgrades (applications, operating systems, databases)
- Infrastructure changes (servers, routers, firewalls, etc.)

Collectively we refer to these as IT changes. All organizations have to deal effectively with IT changes since virtually every business decision requires one or more changes to assets.

