Apr 15, 2020

Auditing the IT change management process

Auditing the change management process is a hot topic not only in the IT domain but also in project management. There are a number of potential pitfalls when it comes to auditing the IT change management process.

The IT auditor has to be accustomed to verifying the change management controls within IT operations as well as in IT project environments (infrastructure, SDLC etc.). As a result, a clearly defined IT change management audit scope is critical to ensure that stakeholders are aware of what was and what wasn’t included in the audit.

IT change management process within IT operations

At a high level, the IT auditor has to confirm the existence and relevance of the current IT change management policies and procedures. In addition, he/she has to gain an in-depth understanding of the IT change management procedures before mapping the generic change management risks to the existing control design.

It is imperative that any unique, i.e. firm-specific, IT change management risk is identified during the process reviews with the auditees. This step ensures completeness, since the IT auditor goes beyond the generic risk mapping exercise.

Which IT change management audit questions would facilitate the identification of firm-specific risks?

I am sure you have come up with a bunch of targeted questions.

Let me give you a couple of my go-to questions as an example:

  • Are there any business units, departments etc. that do not follow your change management procedure, i.e. they have their own IT change management practices?
  • Is there a technical possibility to make changes without going through the IT change management process?
  • Are there any exception reports reviewed by IT operations’ supervisors that are either not documented in the change management procedure or do not map to any identified risk?
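One way an auditor can test the second and third questions above, i.e. whether changes are being made outside the process and what an exception report would contain, is to reconcile the changes observed on the systems against the approved change records. The following is an added example in Python, not code from the original post; the tickets, change events, field names and approval windows are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample data (assumption): approved change tickets as recorded by
# the change advisory board, and change events observed on the systems
# (e.g. extracted from a configuration or deployment log).
APPROVED_TICKETS = {
    "CHG-1001": {"asset": "db01", "window": ("2020-04-10T22:00", "2020-04-11T02:00")},
    "CHG-1002": {"asset": "web01", "window": ("2020-04-12T01:00", "2020-04-12T03:00")},
}

OBSERVED_CHANGES = [
    {"asset": "db01",  "at": "2020-04-10T23:15", "ticket": "CHG-1001", "who": "dba1"},
    {"asset": "web01", "at": "2020-04-12T05:40", "ticket": "CHG-1002", "who": "ops2"},  # after the window
    {"asset": "web02", "at": "2020-04-13T14:02", "ticket": None,       "who": "dev7"},  # no ticket at all
    {"asset": "db01",  "at": "2020-04-14T09:30", "ticket": "CHG-9999", "who": "dba1"},  # ticket does not exist
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")


def classify(change, tickets):
    """Return None when the change is covered by an approved ticket,
    otherwise a short reason suitable for the exception report."""
    ref = change["ticket"]
    if ref is None:
        return "no change ticket referenced"
    ticket = tickets.get(ref)
    if ticket is None:
        return f"referenced ticket {ref} not found in approved changes"
    if ticket["asset"] != change["asset"]:
        return f"asset {change['asset']} not in scope of {ref}"
    start, end = (_ts(t) for t in ticket["window"])
    if not start <= _ts(change["at"]) <= end:
        return f"implemented outside approved window of {ref}"
    return None


def exception_report(changes, tickets):
    """List (asset, timestamp, implementer, reason) for each change the
    approved records do not explain; this is the audit evidence to follow up."""
    report = []
    for change in changes:
        reason = classify(change, tickets)
        if reason is not None:
            report.append((change["asset"], change["at"], change["who"], reason))
    return report


if __name__ == "__main__":
    for row in exception_report(OBSERVED_CHANGES, APPROVED_TICKETS):
        print(" | ".join(row))
```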

IT change management within projects

The challenge for the auditor verifying IT change management in a project environment is twofold:

  • The auditor has to be familiar with the project management lingo, practices and procedures
  • The project life cycle makes the value of the audit more sensitive to timing and prompt execution

Finally, there is an added layer of complexity due to the temporary nature of project staff, potentially unique or project-specific change management procedures, potential scope creep, etc.

Consequently, the IT auditor has to assess how project controls and IT change controls interact in this dynamic, rapidly changing environment.

If you want to learn more about the change management process according to the latest ITIL V4, you might want to follow the link below:


Would you consider auditing IT change management in a project environment more challenging? If yes, why?

If you like my post, do not forget to give it a thumbs up and post your comments.

#ITaudit #internalaudit #governance #changemanagement #ITrisk #riskmanagement #itchangemanagement
