Management
Global Technology Audit Guide (GTAG®) 2 Change and Patch Management Controls: Critical for Organizational Success
Because every IT risk creates some degree of business risk, it is important that CAEs thoroughly understand IT change and patch management issues.
IT change and patch management can be defined as the set of processes executed within the organization’s IT depart- ment designed to manage the enhancements, updates, incremental fixes, and patches to production systems, which include:
• Application code revisions.
• System upgrades (e.g., applications, operating systems, and databases).
• Infrastructure changes (e.g., servers, cabling, routers, and firewalls).
Stable and managed IT production environments require that implementation of changes be predictable and repeat- able, as well as follow a controlled process that is defined, monitored, and enforced. Segregation of duties (e.g., separa- tion of preparer, tester, implementer, and approver roles) and monitoring controls will reduce the risk of fraud and errors in the process.
Internal auditors should be familiar with key controls in the IT change management process, including:
• Only the minimal staff required to implement IT production changes should have access to the production environment (preventive).
• Authorization processes should involve stakeholders to assess and mitigate risks associated with proposed changes (preventive).
• Supervisory processes should encourage IT manage- ment and staff to undertake their duties responsibly (preventive) and be able to detect errant perfor- mance (detective).
This Global Audit Technology Guide (GTAG) was devel- oped to help internal auditors ask the right questions of the IT activity to assess its change management capability, to assess the overall level of process risk, and to determine whether a more detailed process review may be necessary.
After reading this guide, internal auditors will:
• Have a working knowledge of IT change manage- ment processes.
• Be able to quickly distinguish effective change management processes from ineffective ones.
• Be able to quickly recognize red flags and indica- tors that IT environments are having control issues related to change management.
• Understand that effective change management hinges on implementing preventive, detective, and corrective controls to enforce segregation of duties and ensure adequate management supervision.
• Be in a position to recommend the best known practices for addressing these issues, both for assur- ance of risks (including controls attestations), as well as increasing effectiveness and efficiency.
• Be able to sell recommendations more effectively to the chief information officer (CIO), chief executive officer (CEO), and/or chief financial officer (CFO).

No copy data
No other version available