Escolar Documentos
Profissional Documentos
Cultura Documentos
March 2012
GTAG Table of Contents
Executive Summary.....................................................................................................................................................2
Introduction................................................................................................................................................................3
Why Should Internal Auditors Care About The Way The Organization Is Managing Change?......................................7
What Questions Should Internal Auditors Ask About Change And Patch Management?.............................................17
1
GTAG Executive Summary
2
GTAG Introduction
3
GTAG Introduction
IT change management provides the accelerator, brake and release process, or is it ad hoc, informal, and
pedal, and steering wheel (and a reverse gear for returning to emergency-based?
previous configurations) to control the IT vehicle through:
Early and frequent involvement by management and Top Five Risk Indicators of Poor Change Management:
end users to align IT changes with business needs. Unauthorized changes (Above zero is
A defined, predictable, repeatable process with unacceptable.)
defined, predictable, repeatable results. Unplanned outages
Coordination and communication with constituents Low change success rate
affected by changes. High number of emergency changes
Delayed project implementations
How to Know Whether IT Change and
Patch Management Are Working Easily recognizable symptoms and indicators of control fail-
As a rough guide, management (including IT management) ures due to poorly controlled IT changes include:
can understand whether change and patch management
are working by asking simple questions and scrutinizing the Unavailability of critical services and functions
answers: even for short periods of time.
Unplanned system or network downtime that halts
Do we have an effective change management
execution of critical business processes, such as coor-
process? Is the answer a denial of the importance
dinating schedules with suppliers and responding to
of IT change management or an affirmation of its
customer orders.
importance and acknowledgement of improvements
underway? Downtime on critical applications, databases, or
Web servers that prevent users from performing their
What controls are in place in our change manage-
critical tasks.
ment process? Are controls in place and being
improved, or are they just being evaluated and Negative publicity and unwanted board attention.
deferred until firefighting subsides? At an organizational level, indicators that IT activities may
Have we seen benefits from the change management have systemic change management control issues include:
process? Are there measurable benefits, or is the
Majority of the IT organizations time is spent on
emphasis on the costs of the IT change management
operations and maintenance (>70 percent) instead of
process?
helping the business in deploying new capability.
Remember that site-wide outage we had last week
Failure to complete projects and planned work (due
because of a change? What happened? How much
to high amounts of firefighting and unplanned
does management know about what causes outages?
work).
How much control does management have over
recurrence of the problem? IT management is being awakened in the middle of
the night regarding problems.
What process was used to determine the cause of the
outage? Was it ad hoc or methodical? Did problem High IT staff turnover.
diagnosis quickly determine whether the outage was Adversarial relationships between IT support staff,
caused by a change? If so, which change caused the developers, and business customers (internal or
problem? external), usually over poor service quality or late
How does IT monitor the health of the process? delivery of functionality.
Are the indicators and measures objective and truly High amounts of time required for IT manage-
indicative or subjective and suspect? ment to prepare for IT audits and to remediate the
What is the goal of our change management resulting findings.
process? Is it focused on reliability, availability, and Organizations with better IT change and patch manage-
efficiency, or is it focused on other, less-crucial goals? ment processes require fewer system administrators. When
For that matter, is it focused at all? IT change and patch management work well, IT personnel
How disruptive is our patching process? Is patch are more effective and productive.
management part of a defined, repeatable change
4
GTAG Introduction
More rigorous, formal measures can and should be reported Use unplanned work as an indicator of effectiveness
to provide maximum visibility into the effectiveness of IT of IT management processes and controls. High-
change and patch management, such as: performing IT organizations typically spend less
than 5 percent of their time on unplanned work,
Changes authorized per week. while average organizations often spend 45 percent
Changes implemented per week. to 55 percent of their time on unplanned (and
Number of unauthorized changes that circumvent urgent) activities.
the change process.
What Internal Audit Should Do
Change success rate (percentage of actual changes This GTAG discusses managing risks that are a growing
made that did not cause an outage, service impair- concern to those involved in the governance process.
ment, or an episode of unplanned work). Like information security, management of IT changes is a
Number of emergency changes (including patches). fundamental process that, if not performed well, can cause
Percentage of patches deployed in planned software damage to the entire enterprise. This enterprise-wide impact
releases. makes it of interest to many boards and, as a result, to top
management.
Percentage of time spent on unplanned work.
Percentage of projects delivered later than planned. This guide provides tools to help internal auditors obtain
and evaluate evidence that IT managements assertions
How to Reduce IT Change Risks (e.g., performance, effectiveness, and efficiency) are accu-
This GTAG has framed the observed best known practices of rate. Mirroring the process of a financial audit,1 IT auditors
change management processes that reduce business risk and should obtain underlying authorization data (e.g., authorized
increase IT efficiency and effectiveness. In summary, there change reports) and corroborating information (e.g., report of
are five prescriptive steps that organizations can take imme- production changes from detective controls, reconciliations
diately to improve change management processes: of production changes to authorized changes, and system
outages). By doing this, auditors can competently express
Create tone at the top motivating the need for a an opinion on IT managements assertions of their change
culture of change management across the enter- management processes and its ability to mitigate risk to the
prise that is supported by a declaration from IT financial statements.
management that the only acceptable number
of unauthorized changes is zero. Preventive and Internal audit can assist management and the board by:
detective controls can then be put in place to help Understanding the organizations objectives
achieve and sustain this objective, ensuring that all regarding confidentiality, integrity, and availability
production changes can be reconciled with autho- of IT processing.
rized work orders.
Assisting in identifying risks that could arise from
Continually monitor the number of unplanned changes and determining whether such risks are
outages, which is an excellent indicator of unauthor- consistent with the organizations risk appetite and
ized change and failures in change control. tolerances.
Reduce the number of risky changes by specifying Assisting in deciding an appropriate portfolio of risk
well-defined and enforced change freeze and main- management responses.
tenance windows. This maximizes stability and
productivity during production hours. Unplanned Looking for and fostering a culture of disciplined
outages serve as effective indicators that the change change management, including promoting the bene-
process is being circumvented. fits of good change management.
Use change success rate as a key IT management Understanding the controls that are crucial to a
performance indicator. Where changes are unman- solid IT change management approach:
aged, unmonitored, and uncontrolled, change Preventive.
success rates are typically less than 70 percent.
Each failed change creates potential downtime,
unplanned and emergency work, variance from
plans, and business risk. Increasing the change
success rate requires effective preventive, detective, 1
Vincent M. OReilly et al., Overview of Auditing,
and corrective controls.
in Montgomerys Auditing: 12th Edition (New Jersey:
John Wiley & Sons Inc., 1998).
5
GTAG Introduction
* Appropriate authorizations.
* Separation of duties.
* Supervision.
Detective.
* Detection of unauthorized changes.
* Monitoring of valid, objective change manage-
ment metrics.
Corrective.
* Post-implementation reviews.
* Change information fed into early problem
diagnosis steps.
Keeping up to date on leading IT change and patch
management processes and recommending that the
organization adopt them.
Demonstrating how management can reap the bene-
fits of better risk management, greater effectiveness,
and lower costs.
Assisting management in identifying practical, effec-
tive approaches to IT change management.
GTAG 1: IT Controls
GTAG 3: Continuous Auditing: Implications for
Assurance, Monitoring, and Risk Assessment
GTAG 9: Identity and Access Management
GTAG 17: IT Governance (pending publication)
Practice Guide, Auditing the Control Environment
Practice Guide, Assessing the Adequacy of Risk
Management
6
GTAG Why Should Internal Auditors Care About the
Way the Organization Is Managing Change?
Why Should Internal Auditors whom an organization does business are releasing patches
regularly to repair critical flaws? The volume of urgent
Care About the Way the patches to be applied to the operational infrastructure and
Organization Is Managing the absence of management process for handling these
Change? patches is a critical issue for most organizations.
Internal auditors and IT professionals have had ample guid- In low-performing organizations, patch deployment is often
ance on the disciplines of computer operational change characterized as ad hoc, chaotic, and urgent. The avail-
management and change control since the early days ability of a patch to address critical security vulnerability
of computers. The IIAs landmark publication, Systems can be disruptive and often results in significant amounts
Auditability and Control, updated in 1994, reflects the impor- of resources redirected from planned work to address the
tance of this topic to management and internal auditors: unplanned patch. Worse, even successful deployment of
the patch can cause unintended problems, such as servers
Change and problem management is critical to becoming nonfunctional and, therefore, unavailable to
achieving a stable, reliable, and well-controlled deliver critical services.
operation. It involves problem tracking, escala-
tion procedures, management review of problems High-performing organizations are more likely to treat a new
and changes, prioritization of resources, controlled patch as a predictable and planned change subject to the
movement of programs into production, and normal change management process. The patch is added to
systems software change control. the queue where it is evaluated, tested, and integrated into
an already-scheduled release deployment. Following a well-
However, only recently have serious efforts been made to defined process for integrating changes leads to a much higher
understand which IT practices and environmental condi- change success rate. Interestingly, many high performers
tions drive business results. These efforts show that one of apply patches much less frequently than the low performers
the key differences behind high- and low-performing IT and sometimes by as much as one or two orders of magnitude.
security organizations is the presence of an effective culture The high performers view the risk of the vulnerability expo-
of change management. In other words, change management sure as less than the risk to availability due to unanticipated
is not only a key foundational control but it also offers poten- impacts of a bad or out-of-cycle change. High-performing
tial benefits to the business. organizations that opt to deploy a patch as a high-priority
change are able to do so in a predictable, repeatable manner
through the use of an effective change management process.
Change Creates Risk: Why Patches Must
Be Treated as Just Another Change For the duration of this GTAG, patches are treated as a cate-
Auditors are aware of the close relationship between change gory or class of change that is subject to the normal change
and risk. IT assets seem to be in a state of constant change. management process. Two key implications emerge: patch
For example, IT management must deal with: management is a subordinate function to change manage-
ment, and often, an effective change management process
Regular changes (typically application, middleware, can help ensure that the technologies used to address the
operating system, or network software and hardware patch-and-pray problem do not create additional problems.
upgrades scheduled for implementation).
Patches (changes to repair defective code or other
vulnerabilities discovered in production). We Already Have a Change Management
Process What Is Different Here?
Emergency changes needed to fix immediate issues
causing service disruption. One key aspect of effective management is that the organiza-
tion has comprehensive, well-defined preventive, detective,
Effective IT change management enables the organization to and corrective controls in place, as well as clear definition
move safely from one known and defined state to another and separation of roles. Change management controls enable
regardless of the reason for making a change. management to address new requirements (e.g., new develop-
IT assets are easiest to manage and control when there is ment projects and government regulations) without having
no pressure to implement or deliver change. For example, to increase resources. Generally, effective change manage-
consider the virtuous characteristics associated with having ment mitigates risk, lowers cost, and provides resources for
change freeze periods: service levels and availability are additional services.
highest, and the IT department is spending the majority of Conversely, ineffective change management is a high risk. In
its time on planned work. However, what happens when crit- most organizations, it is not a question of whether a change
ical vulnerabilities are discovered and the level of urgency for management process exists it is whether the process is
change rises? What happens when numerous vendors with
7
GTAG Why Should Internal Auditors Care About the
Way the Organization Is Managing Change?
as effective and efficient as possible and is used for all IT organizational operations. This is accomplished by ensuring
changes. In deploying emergency changes, it is extremely that standardized methods and procedures are used for effec-
difficult to prevent errors, irregularities, and unintended tive and efficient handling of all changes and minimizing
disruptions. Disruptions to IT availability (resulting in low- the impact of change-related incidents on service quality and
service quality and customer dissatisfaction) often drive availability.
organizations to consider and implement change manage-
ment processes and controls. Research indicates that To protect the production environment, changes must be
high-performing IT departments continually look for ways managed in a repeatable, defined, and predictable manner.
to improve their operational processes, including change Care must be taken to ensure changes made to correct one
management. By improving control and predictability for application, server, or network device do not introduce unin-
changes to systems and networks, an IT department can be tended problems on other devices or applications. This is
on its way to becoming a best-in-class organization. Internal especially important for IT assets (e.g., software, hardware,
auditors are in the perfect position to help management and information) supporting the organizations critical busi-
improve these processes and controls. ness processes and data repositories.
8
GTAG Why Should Internal Auditors Care About the
Way the Organization Is Managing Change?
2
BDO Seidman LLP, et al. A Framework for Evaluating Control
Exceptions and Deficiencies, version 3 (2004). [Developed by
the following nine firms: BDO Seidman LLP, Crowe Chizek and
Company LLC, Deloitte & Touche LLP, Ernst & Young LLP,
Grant Thornton LLP, Harbinger PLC, KPMG LLP, McGladrey
& Pullen LLP, PricewaterhouseCoopers LLP.]
9
GTAG Defining IT Change Management
In most organizations, the IT department has two primary An effective change management process encompasses
roles: operating and maintaining existing services and within its scope any and all alterations to any and all IT-based
commitments and delivering new products and/or services assets on which business services depend. Assets subject to
to help the organization achieve its objectives. This section change management include:
describes the scope of change management in support of Hardware: mainframes, servers, workstations,
these two roles, the characteristics of effective and ineffective routers, switches, and mobile devices.
change management, audits role in change management,
and metrics that can assist in managing change effectively. Software: operating systems and applications.
Information, data, and data structures: files and
What Is the Scope of Change Management? databases.
This GTAG focuses on IT operational change management Security controls: antivirus software, firewalls, and
beginning when upgrades or updates to IT assets (e.g., infra- intrusion protection/detection systems.
structure and applications) are identified for movement to Processes, policies, and procedures.
production (e.g., from either an application development or
research and development [R&D] team) and ending when Roles/responsibilities: authorization, authority to
such assets are retired from the production environment. act, and access controls.
This includes application maintenance and emergency
Change Management Process
change controls. Specifically excluded are the changes that
occur during software design and development. A change management process typically includes:
The term change management, as used in this guide, excludes Identifying the need for the change.
the process of configuration management. As defined by Preparing for the change.
the Information Technology Infrastructure Library (ITIL),
Documenting the change request in detail.
configuration management is concerned with identi-
fying, controlling, maintaining, and verifying the versions Documenting the change test plan.
of all IT components (e.g., hardware, software, and associ- Documenting a change rollback plan in the
ated documentation). However, the change management event of change failure.
process must interact with the configuration management
Writing a step-by-step procedure that incorpo-
process (and companion controls) when changes are made
rates the change, test plan, and rollback plan.
to configurations.
Submitting the change procedure in the form of
Sources of Change a change request.
Virtually every business decision requires change in IT. Developing the business justification and obtaining
Factors serving as sources of change that must be addressed approvals.
and managed effectively in the IT environment include: Assessing the impact, cost, and benefits associ-
ated with the change request.
External environment (e.g., competitive market,
stakeholders/shareholders, changing risks). Reviewing and assessing the risks and impacts of
the change request, including regulatory impacts.
Regulatory environment.
Authorizing the change request.
Business objectives, goals, strategies, requirements,
processes, and shifts in priorities. Authorizing, rejecting, or requesting additional
information about the change request.
Vendors (e.g., new products, upgrades, patches, and
vulnerabilities). Prioritizing the change request with respect to
others that are pending.
Partners and suppliers.
Scheduling, coordinating, and implementing the
Results of an audit, risk assessment, and other type change.
of evaluation or assessment.
Scheduling and assigning a change implementer.
Operational problems.
Scheduling and assigning a change tester.
Changes in performance or capacity requirements.
Testing the change in a preproduction
environment.
10
GTAG Defining IT Change Management
Communicating the change to stakeholders who of unmanaged changes. Unplanned work can be
likely will be affected. manifest as lost/unbudgeted time, lost/unbudgeted
Approving the change for implementation. resources (e.g., people and capital), and unbudgeted
work.
Implementing the change as requested.
Development projects are late and often over budget,
Verifying and reviewing the implemented change. which results in late and more costly products and
(This is an often-overlooked critical step.) services when compared to competitors.
Was the change successful? At the client/customer/stakeholder level:
Was the change process followed?
Products and services do not perform as advertised
What was the variance between the planned and or as intended or operate with flaws. This leads
implemented change? to low, unreliable product or service quality. If
Were internal control, operations, and regulatory customers can switch easily to another provider, they
compliance requirements maintained? will.
What were the lessons learned that can be used At the organizational level:
to improve the process?
Unauthorized, untracked changes create potential
Backing out the change (if unsuccessful). exposure for fraud.
Closing the change request and communicating Business requirements can be misinterpreted with
with the affected parties. respect to required IT changes and, therefore, are
Making agreed-to changes to the change manage- implemented poorly or inadequately.
ment process. There is little to no ability to forecast the impact of
Publishing the change schedule. a change on existing business processes.
Auditors immediately will recognize that effective change Given that changes are not likely to be evaluated
management requires preventive, detective, and correc- with respect to one another, there is a lack of change
tive controls and that the need for independent controls prioritization, which results in either working on
increases as the IT production environment becomes more the wrong things or working on something that is
dynamic and complex. Necessary preventive controls include less important. The work may be done out of the
separation of roles and change authorization, as well as super- intended sequence resulting in rework and dupli-
vision and enforcement. However, to effectively monitor and cation of effort.
enforce the process, detective controls must be in place to Several unauthorized, failed, or emergency patching
monitor the production environment for changes, reconcile changes occur.
these changes to approved changes, and report any unau-
thorized variance. Effective change management also serves Patching systems causes large disruptions due
a corrective role for IT management during outages and to failed changes that result in outages, service
service impairments, allowing change to be ruled out first in impairment, rework, or unplanned work. This
the repair cycle and thereby reducing repair time. often exacerbates a poor or adversarial working
relationship between information security and IT
operations.
What Does Ineffective Change Large numbers of cycles (e.g., time, resources, and
Management Look Like? capital) are spent on correcting unauthorized project
How does one know if an organization has an effective or activities or infrastructure, which takes cycles away
ineffective change management process? What behaviors from planned and authorized activities.
and other signs serve as useful indicators of the organizations
capability or lack thereof? Resources regularly are diverted to rework as a result
of having to address the unintended consequences of
Indicators of ineffective or absent change management appear unmanaged changes.
as dysfunction in a range of organizational dimensions. There is high turnover in technical staff and
At the market level: evidence of burnout among key staff.
At the IT infrastructure level:
Lost opportunities. The organization is unable
to consistently deploy planned new products and Ad hoc, chaotic, urgent behavior requires regular
services. This occurs when having to commit intervention of technical experts/heroes; a high
resources to unplanned work as a consequence
11
GTAG Defining IT Change Management
percentage of time is spent in firefighting mode on and service quality. Customer issues and complaints
reactive tasks. are dealt with in a timely manner. Customers gener-
There is an inability to track changes, report on ally are satisfied and loyal to the organization.
change status and costs, and there are unauthorized There is a decreasing demand for customer support
changes. center/help desk resources.
Increasingly resources are spent tackling unplanned Appropriate stakeholders are involved in assessing
work at the expense of planned work. This can risks associated with proposed changes and priori-
be described as a low change success rate. Change tizing their implementation.
success rate is a measure of the amount of new Participants in the change process understand the
work introduced when a change is implemented. relevant categories and priorities of changes and the
A high change success rate means the change is levels of formality and rigor required to implement
implemented as planned and no additional work is each change.
introduced as a result of the change. Conversely,
a low change success rate means a change unex- Because of the foundational nature of change
pectedly introduces additional unplanned work management, ensuring compliance with new regula-
sometimes in excess of the work required to tions requires less effort. Virtually every regulation
implement the original change. A low change has IT requirements. When controls are well docu-
success rate can produce a downward spiral that mented, complying with a new regulation is not a
continues to consume excessive resources. new project; rather, it merely becomes a mapping
activity.
Ineffective IT interfaces with peers (e.g., R&D,
application developers, auditing, security, and opera- At the enterprise level:
tions) create barriers and introduce unnecessary A culture of change management is evidenced by
delays. understanding, awareness, visible sponsorship, and
Numerous undocumented changes happening action.
over time increase configuration production vari- Effective tradeoffs are performed regularly, balancing
ance, which causes lower change success rates and the risk and cost of change with the opportunity.
increases the difficulty of deploying patches without Changes are scheduled and prioritized accordingly.
failed changes and unplanned work. There is an ability to forecast the impact of the
change on the business.
What Does Effective Change Resources (e.g., time, effort, dollars, and capital) are
Management Look Like? applied to implement selected changes with little
How does one recognize effective change management? Is it or no wasted effort (i.e., high change success rate);
possible to walk into an organization and determine whether resources rarely are diverted to unplanned work.
it has an effective change management process? The organization can confidently answer:
Indicators of effective change management appear as mature Am I doing the right things? (an ability to
capability (e.g., predictable, repeatable, managed, measur- select and prioritize)
able, and measured) in a range of organizational dimensions. Am I doing things right? (with acceptable
At the market level: quality and performance)
An effective change management process is demon-
The organization is positioned to act on new strated by rigorous process discipline and adherence/
business opportunities that require additional or enforcement; centralized decision-making authority;
upgraded IT capability. Each opportunity is planned and cross-departmental communication and
and managed in a predictable manner. Adequate collaboration.
resources can be committed with the confidence
that they are sufficient and based on tracked, histor- Authorized projects are mapped to work orders and
ical performance. vice versa.
IT-supported products and services are released to Compliance and security investments are sustained
the market as planned and expected. because production configurations do not drift into
noncompliant or insecure states. Consequently, the
At the client/customer/stakeholder level: cost of security and compliance are much lower.
Products and services perform as advertised and
demonstrate a consistent, reliable level of product
12
GTAG Defining IT Change Management
Increasingly, more time and resources are devoted Organizations with effective change management
to strategic IT issues due to the organization having processes and controls tackle patches in a planned,
mastered tactical (day-to-day operational) concerns. predictable manner, subject to the same analysis and
Effective change management serves as an essential process as any other changes. Critical patches are
control for IT governance. added to the release engineering candidate queue
where they are evaluated, tested, and integrated into
At the IT infrastructure level: an already-scheduled release deployment.
Change management controls (embedded in well- Preventive and detective controls are automated,
defined IT operational processes) are used to help which allows for easier and more accurate reporting
ensure the consistency and predictability neces- to auditors and requires fewer manual inspections
sary to achieve business goals that rely on these and substantive sampling resembling archaeology.
processes. In other words, IT staff understands how Most effective organizations apply patches less
effective change management supports meeting frequently than the norm perhaps by one order
business objectives. of magnitude accepting the risk of the vulner-
A culture of change management is perpetuated by ability exposure as less than the risk to availability
a combination of tone at the top and preventive, due to unanticipated impacts of a bad or out-of-cycle
detective, and corrective controls, which serve to change. However, in the event of a critical update,
deter future unauthorized changes. Management capable organizations are able to implement an out-
explicitly states that the only acceptable number of of-cycle patch with minimal risk.
unauthorized change is zero. To have an effective process, stakeholders are not just
A high change success rate is present, resulting in involved in assessing risks associated with proposed changes
the absence of, or at least minimal, unplanned work. and prioritizing change implementation. One of the barriers
The absence of urgency and a well-defined process that IT departments often face when trying to roll out a
for integrating changes lead to a much higher robust change management process is the lack of interest,
change success rate. involvement, and sponsorship from their business counter-
Effective change controls are in place, regularly parts. Business unit managers should be actively involved in
reported, and easily audited. Preventive controls are the entire process from initial identification of their needs
well documented and consistently executed, and through conducting the majority of user acceptance testing
detective controls are used to supervise, monitor, and approving the changes being moved into production.
and reconcile changes to authorized change orders. These critical touch points are more likely to occur when
Controls are conducive to substantive sampling by the business managers role is included in relevant policies
auditors and require little to no additional informa- and procedures and senior managers place the appropriate
tion from IT management. emphasis on being co-owners in the process rather than
observers. Communication and collaboration between IT
Variances in production configurations are detected and the business units is critical for an effective process.
early to incur the lowest cost and least impact.
The enterprise regularly demonstrates operational
excellence with respect to change management. Change Management Metrics and Indicators
Higher service levels (e.g., high availability/uptime/ Internal auditors should determine whether these key change
mean time between failures; low mean time to detect management metrics are being used to monitor process effec-
problems/incidents; and low mean time to repair) tiveness and drive business value. The metrics listed in Table
occur in the presence of well-defined processes that 1 are useful indicators of an effective change management
introduce planned, predictable change. process.
IT is able to quickly return to a known, reliable,
trusted operational state when problems arise with a
new change or configuration.
IT demonstrates unusually efficient cost structures
(e.g., server-to-system administrator ratios of 100:1 or
greater compared with at least one order of magni-
tude less in low-performing organizations).
IT is able to identify and resolve operational prob-
lems timely, including security incidents.
13
GTAG Defining IT Change Management
Number of actual changes made per week as measured by The number of changes actually implemented for the
detective controls, such as monitoring software. week should not exceed the number of authorized
changes.
Number of unauthorized changes. Lower is better, but typically the only acceptable number
of unauthorized change is zero; one rogue change can kill
These are changes that circumvented the change process. an entire operation or create material risk.
This is measured by taking the number of actual changes
made and subtracting the number of authorized changes. Large numbers of unauthorized changes indicate that the
real way to make changes is to circumvent the change
Where detective controls are not present, no reliable mea- management process.
surement of actual changes can be made. In this case, the
number of unplanned outages can be used as a substitute
measure.
Number of emergency changes (including patches) is de- Lower is typically better. Many emergency changes
termined by counting the number of changes that required indicate that the real way to make changes is to use
an urgent approval during the week using the change the emergency change process either for convenience or
review board or emergency change process. speed.
Emergency changes typically have a higher failure rate and
generate unplanned work or rework. An increase in emer-
gency changes may indicate that there are other change
management problems causing this increase.
Percentage of time spent on unplanned work. Planned Lower is better (e.g., 5 percent or less).
work is time spent on authorized projects and tasks.
Unplanned work includes break/fix cycles, rework, and
emergency changes.
Percentage of projects delivered later than planned even Lower is typically better. When organizations are spend-
though poor project management also may impact this ing all their time on unplanned work, there often is not
metric. enough time to spend on planned work, such as new
projects and services, thereby causing project results to be
delivered late.
14
GTAG Defining IT Change Management
High Performer > 1000 Chg/Wk < 1% Minutes < 5% of the Time
BEHAVIORS THAT INCREASE CHANGE SUCCESS RATE: BEHAVIORS THAT DECREASE MTTR:
Effective change testing. Culture of casualty: desire to rule out
change first in problem repair cycle.
Effective risk review when approving changes.
Effective change management process
Effective identification of change stakeholders.
that can report on authorized and
Effective change scheduling. scheduled changes.
BEHAVIORS THAT REDUCE UNAUTHORIZED CHANGES: Ability to distinguish planned and
Culture of change management. unplanned outage events.
Management ownership of change process. Effective communications around
scheduled changes.
Effective monitoring of infrastructure with detective
controls to enforce change process. Effective monitoring of infrastructure
for production changes.
Management use of corrective action when change
processes are not followed.
Effective separation of duties unforced by restrictions on
who can implement changes.
Figures 1 and 2 show the key indicators of effective change When these three variables are multiplied, the result is
management and the dominant controls that raise and lower unplanned work.
them. The key indicators3 are:
This is an extremely simple model and is not intended to be
Number of production changes. mathematically correct. Rather, it is intended to show the
Percentage of those changes that fail or are dominant variables and leading indicators for effective IT
unauthorized. change management and, consequently, effective IT.
The amount of time required to recover the failed When an IT organization makes no changes or is in
change. a change freeze period, availability is at its highest,
and unplanned work is at its lowest.
When an IT organization is not enforcing change
management policies (e.g., inadequate preventive
and detective controls), unauthorized and failed
3
Based on ITPI benchmarking that studied 11 high performing changes cause protracted outages, which increase
IT organizations and surveyed hundreds of others. unplanned work.
15
GTAG Defining IT Change Management
When IT organizations have a high ratio of Additional preventive controls to reduce the likeli-
unplanned to planned work, they have less time hood of unauthorized changes.
available to do the work they were tasked to do, such Independent detective controls to simplify the moni-
as delivering new products and services. toring, reconciliation, and reporting functions.
High-performing IT organizations will do even better than
this model suggests. When changes are managed properly,
even failed planned changes rarely cause an outage and
Guiding Principles: How to Decide If,
consequently have a zero mean time to repair. On the other
When, and How to Implement Changes
hand, low-performing organizations often cannot measure The guiding principles of how to make good change manage-
anything except the obvious outages and unplanned work. ment decisions involve asking:
16
GTAG What Questions Should Internal Auditors
Ask About Change and Patch Management?
IT Manager With
Question to IT Manager in IT Manager in
Effective Change
IT Manager Problem-solving Mode Potential Denial
Management
Change management is very Ours is world class. Were Funny you should ask We have a process that
important. Do you think we even ready for Sarbanes- were working on this, but seems to work. I havent
have an effective change Oxley Section 404 require- so is everyone else that is heard anything negative
management process? ments, because all of the subject to Sarbanes-Oxley about our change manage-
controls are already in place. Section 404. Well know ment process especially
We have had to generate a more once we are further not from internal audit. We
few more reports to show along. cant afford the overhead of
the control mappings, but a burdensome process to
were in good shape. fix something thats already
working.
What are your acceptable The only acceptable number Well, when you ask it that Look, we dont get paid to
numbers of unauthorized of unauthorized changes way, of course the only ac- not make changes. Some-
changes? is zero. One rogue change ceptable number of unau- times we need to break the
can kill our entire operation, thorized changes is zero. But rules. Thats how we really
and thats why we reconcile would we bet our quarterly get work done here. Change
changes daily. We trust, but bonuses on it? No way. Es- management is bureaucratic,
verify. pecially after last quarter. and they just want to slow
things down.
Describe what controls you We require the preven- We have an entire team Were still in the analysis
need in your change man- tive, detective, and correc- of internal auditors and phase. Were just so busy
agement process. tive controls necessary to consultants working on a with urgent business, and
provide management with Sarbanes-Oxley-related all weve had time for are
an accurate view of the project. They are defining the Sarbanes-Oxley-related
work being done. We have and creating a plan to test controls. But we know its
defined some new change specific controls. This whole important, and we will get
metrics and have identified a Sarbanes-Oxley project re- to it as soon as we can.
few more stakeholders that vealed a need for integrated Besides, currently, we dont
we need to involve in our oversight and an enterprise have any budget for this
change management com- view of change. We also work. My experience tells me
mittee. We had no idea that uncovered some business that what we have is prob-
the bean counters actually processes that need to have ably good enough, because
cared about change man- better change control, and no one has told me specifi-
agement, so they will now were working on that, too. cally that the current process
be attending the meetings. is inadequate.
17
GTAG What Questions Should Internal Auditors
Ask About Change and Patch Management?
IT Manager With
Question to IT Manager in IT Manager in
Effective Change
IT Manager Problem-solving Mode Potential Denial
Management
Have we seen benefits from Absolutely. In fact, the Yes, but we still are not The pace of business is
the change management benefits have been so where we want to be. We so high right now that we
process? obvious that we have cre- have reduced the amount just dont have time to go
ated an internal culture of of outages, and we have through a cumbersome
change management. We increased our change change management process
no longer feel like profes- success rate significantly. that slows things down, low-
sional firefighters. We have Now, changes are happen- ers productivity, and creates
substantially improved ing inside the maintenance a bureaucratic atmosphere.
our performance, uptime, windows, although we still I dont always hold people
and satisfaction from our have the occasional cowboy accountable for following
business customers to our who forgets to go through the change process, because
internal staff and all the way the process. they already are stretched
up to the executives. so thin keeping the place
running. But outages due to
change do happen occasion-
ally, and we know that we
cant keep crashing the order
management system.
You remember that site- We determined the par- We found that a developer We found that one of our
wide outage we had last ticular change that caused migrated a change outside vendors was doing some
week because of a change? that 10-minute outage of our agreed-upon process. maintenance and updated
What happened? was authorized. However, He never should have been some software. The trouble
we failed to anticipate the given approval authority for is they overwrote a library
downstream effect on an changes to that particular that we had customized.
unrelated system. But, this system. We fixed this in a They are supposed to keep
wont happen again. hurry, and this developer can track of our customizations,
no longer even log on to the so this was a violation of our
production servers. maintenance contract.
When you were working on The first thing we always We had a gut feeling that Because we dont have a
the outage, what was the do is rule out authorized the problem was not coming centralized process, several
process you used to figure changes as early as possible from an authorized change. separate teams mobilized to
out what went wrong? in the repair cycle. We knew We test and deploy our try to figure out what was
immediately that the outage changes only inside of speci- going wrong. We finally set
wasnt due to a scheduled fied release windows. So we up a SWAT team. They quick-
change. Next, we checked started investigating, looking ly figured out the outage was
for any emergency produc- at logs, working backward due to the vendor upgrade,
tion changes. We found four from the outage looking but we had to conference
changes that were made for anything outside of the them in to pinpoint that the
two minutes before the release window. We eventu- cause was our library. They
outage and then found out ally found out who made had no way to change the
who made them. They did the change but not why the library back to the old ver-
a change rollback, and we change was made. I think sion, so we had to restore
were up and running within that administrator learned a the whole software directory
minutes. valuable lesson that day. from tape.
18
GTAG What Questions Should Internal Auditors
Ask About Change and Patch Management?
IT Manager With
Question to IT Manager in IT Manager in
Effective Change
IT Manager Problem-solving Mode Potential Denial
Management
How do you keep overall Change rate, change suc- We measure how quickly We dont use fancy metrics,
watch on the health of the cess rate, mean time to we can implement a change. although we do insist on
process? repair (MTTR), mean time We measure mean time from process excellence. I know
between failures (MTBF), change request to change we have lots of fires to fight,
a count of unauthorized closure. Were gearing up but you would, too, if you
changes that circumvent to measure change success had to work with some of
process. We also have a rate as well as emergency these people.
coverage metric to show and unplanned changes.
which parts of the enterprise
are not participating in the
process. Unplanned work is
a great indicator. We always
look for variance and try to
figure out how to reduce it
at the source.
What is the goal of your Reliability, availability, and We want to make as many Our goal is to get at-
change management pro- the reduction of cost. Two changes as the business re- tendance of all the key
cess? measures must go up while quires. We want to do them stakeholders in our change
the third must go down. Try- quickly and accurately. management meetings and
ing to optimize just one of be sure everyone is aware of
the three will put us out of what is going on and why.
business. We figure as long as our
audits are favorable, were
doing fine.
How disruptive is your Not disruptive at all. We Patching used to be very Because of the poor qual-
patching process? understand that business disruptive, but after the big ity of the software being
availability is paramount. outage six months ago, we released by vendors, we
We have to figure out how revisited every assump- continue to spend too much
to mitigate the security risks tion we were making about time patching. Its a no-win
without all the dangers which patches to deploy and situation. If we dont patch,
associated with changes. when to roll them out. We our systems will be hacked.
We average one big patch have reduced the amount of If we patch them, we risk
bundle per year. time spent on patching from crashing production sys-
weekly to monthly and are tems.
working on quarterly.
Evolving a Change Management Capability 4. Authorizing change: Hey, I need to reboot the switch.
The management of change is an evolutionary process. Who needs to authorize this?
Groups should not become discouraged as they start devel-
oping their change management processes. The solutions 5. Scheduling change: When is the next maintenance
may require changing people, processes, and technology. The window? Id like to reboot the switch then.
typical stages of change management include:
6. Verifying change: Looking at the fault manager logs, I
1. Oblivious to change: Hey, did the switch just reboot? can see that the switch rebooted as scheduled.
2. Aware of change: Hey, who just rebooted the switch? 7. Managing change: Lets schedule the switch reboot
to week 45 so we can do the maintenance upgrade and
3. Announcing change: Hey, Im rebooting the switch. reboot at the same time.
Let me know if that will cause a problem.
19
GTAG Where Should Internal Auditors Begin?
Where Should Internal Auditors the responsibility for ensuring that appropriate risk manage-
ment processes are in place, including within IT. To this end,
Begin? the importance of an effective change management process
According to COSOs Enterprise Risk Management cannot be underestimated, and internal auditors should
Integrated Framework, management establishes strategic consider conducting reviews of it on a regular basis.
objectives, selects strategies, and causes aligned objectives
to cascade throughout the enterprise. The enterprise risk
management framework is geared to achieving an organi- Audits Role in the Change
zations objectives in four categories: strategic, operations, Management Process
reporting, and compliance. Preventive, detective, and Since internal auditors typically do not have time to review
corrective controls should be designed and implemented to every facet of the organizations within which they work,
help ensure that risk responses are carried out effectively. they should develop their audit plans based on a risk assess-
Internal Audit can help ensure IT management has an effec- ment. To assist in assessing business risk within IT, auditors
tive process to manage the risks associated with achieving should gather preliminary information. To determine the
objectives. Examples of the types of change management relative level of business risk associated with their organiza-
objectives that IT management needs to define include those tions change management practices and whether to perform
for the review and approval of change requests, ensuring a high-level or in-depth review of change management, audi-
changes are made correctly and efficiently, and helping to tors should:
ensure IT can recover quickly when changes fail.
Understand the basic components of change
Preventive, detective, and corrective controls should be management. The term change management,
derived from managements objectives for managing IT as used here, does not include the entire systems
changes. development lifecycle process, such as applica-
tion development or configuration management.
To be successful, management must be aligned with the However, change management must reflect and
shareholders concerns as represented by the board of direc- integrate with the systems development lifecycle
tors. Enterprise objectives typically in the form of income/ process (and companion controls). Understanding
market share targets, business/stock price growth goals, or the contents of this GTAG provides auditors with
containment of people and operations costs should be sufficient background to ask the tough questions of
achieved. Plans to get to the targets should be formulated and the IT activity to understand the level of improve-
rolled out effectively across the entire organization to have a ment that may be needed in its change management
chance for success. The board wants to ensure that manage- process and controls. (Table 2 presents useful ques-
ment has identified and assessed the risks that could impede tions to ask IT management.)
achievement of the objectives. Robust processes should be in
place to mitigate, manage, accept, or transfer the risks effec- Use the indicators of effective and ineffective
tively. Variation from the plan is also a risk that should be change management processes to assess the relative
managed actively. Internal auditors serve as the eyes and ears effectiveness of the organizations change manage-
of management, seeking out areas in the risk management ment processes. Perform a walk-through of the
environment that require strengthening. change management process, and look for the key
elements outlined in this guide. Understand how IT
For most organizations, unavailability of critical services management is measuring the process and whether
and functions, even for short periods of time, is one of the it meets the needs of the business.
quickest ways to disrupt progress toward achieving business Obtain IT managements scorecard for measuring
objectives. Unexpected network downtime can halt the process results and effectiveness. Determine whether
execution of critical business processes, such as coordinating appropriate metrics are being used to monitor the
materials schedules with suppliers and responding quickly to process and drive continuous improvement. (Refer
customer orders. Downtime on critical application, database, to Table 1.)
or Web servers can be equally destructive. Internal auditors,
together with management, want to ensure that these and Determine whether IT management has assigned
related risks have been identified and are being measured responsibility for change management to someone
and managed properly. But how can risks be managed if their other than software developers or others who
causes have not been identified and analyzed? prepare changes. Has management secured the
production environment so that only those
Protecting the production environment and supporting responsible for implementing changes can in fact
the organization as it pursues its business objectives are key implement changes?
responsibilities of the IT department. Internal auditors have
20
GTAG Where Should Internal Auditors Begin?
Perform a brief review to determine whether When discussing and writing audit observations,
there are audit trails of changes to the production present the business value of effective change
environment and that the audit trails cannot be management processes as well as the risks of inef-
manipulated or destroyed. fective ones. Clearly articulate the operations,
When performing change control audits, look for financial, and regulatory risks that are not being
indicators of effective change management. Focus managed appropriately, and tie the findings to the
on the risks to the business resulting from the failure risk tolerances management has established in
to achieve the control objectives. support of its business goals and objectives. Avoid
focusing on the technology except where certain
Assist management in identifying models with change management process controls have been
which to improve their approach to change automated. Instead, remind management that
management. change management is process-based, with a mana-
When the organization is considering outsourcing gerial and human focus supported with technical
IT activities to a service provider, verify that the and automated controls.
organizations expectations are identified clearly
in service level agreements (SLAs) and contracts.
Regarding the change management process, it is
important to consider:
Who is responsible internally for managing day-
to-day changes arising from requests to make
changes.
How the organization knows when the service
provider makes changes outside the agreed-upon
change management process.
What control the organization has over the
service provider to ensure it is not charged for
unauthorized or unreasonable changes. How does
the organization know if such changes occur?
What prevents the provider from implementing
changes outside the required change window
time periods, with a consequent impact on
service (e.g., applications not available when
needed) and cost (or loss of revenue)?
Who is responsible for ensuring that major busi-
ness changes affecting IT are properly calculated,
approved, planned, controlled, implemented, and
periodically reviewed.
Whether the provider has considered the impacts
on infrastructure (system and network) and
information security as part of evaluating each
change.
Whether the organization identified whom in the
organization sits on the providers change control
committees.
Who monitors compliance with the SLAs.
For systems within the scope of Sarbanes-Oxley
Section 404 or other regulations, the SLA
also needs to incorporate required practices,
validation procedures, timing of the testing
required, remediation work, retesting, and other
considerations.
21
GTAG Authors and Reviewers
Authors:
Sajay Rai, CPA, CISSP, CISM
Duy Nguyen
Reviewers:
Steve Hunt, CIA
22
GTAG Appendix A
Appendix A: Example Business building a business case for improving change controls as
opposed to doing it just to make internal audit happy. As
Case for Change Management described in previous sections, the key operational metrics
High-performing organizations use their IT change are change failure rate, recovery time in the case of failed
management processes to reduce risk, increase operational changes, and the resulting unplanned work. Table 3 summa-
effectiveness, and increase operational efficiency. Thus, rizes indicators of ineffective change management. Table 4
the benefits of effective change controls are significant and describes ways in which to address these based on actual field
measurable. Being able to demonstrate this eases the task of experience.
In outage scenarios for the fixed incoming trading systems, When changes fail, investigating causes and problem man-
the help desk was the first to know. These would get escalat- agement consumed more than 25 percent of the workload.
ed to the IT management group, who would form a response
team and do the archaeology to find out what happened. Inaccurate diagnosis leads to poor first-fix rate (less than 50
percent).
It was like the Wild West. People were not documenting their Absence of detective controls around change management
changes let alone getting approval. You could tell from our processes leads to poor performance.
availability statistics!
Absence of change controls prevents proof of preventive
and detective controls for auditors to attest that controls are
effective.
We started to create real accountability for everyone to (This particular business calculates downtime cost at US
follow the change management process. We chose our $7,000 per minute.)
daily availability management meetings (DAMM meetings),
chaired by Kenny, our vice president of operations. Kenny Number of unauthorized changes declined from several per
reviews all failed changes with the change implementers day to several per year. Because each outage required two
and has a special session for anyone who went around the work hours to restore service (a conservative estimate), on an
change management process. Lets just say that unauthor- annualized basis, 5,000 work hours were averted.
ized changes and rogue changes happen much less often! All changes are fully documented, allowing changes to be
ruled out first in the problem repair cycle and restoration time
to go from hours to minutes. For the 11 outages in Q3, this
saved about 13 hours of system downtime.
23
GTAG Appendix A
In addition to all of us not having to wear pagers at home, Unplanned work reduced from more than 40 percent to 15
were finding that we have much more time to work on percent.
planned projects, as opposed to firefighting all the time.
On-time project deliveries went from 0 to 60 percent.
The CIO has tasked the IT management group with the key
strategic projects for the following year.
24
GTAG Appendix B
Segregation of Duties
To delegate responsibili- Unexpected or adverse At a minimum, separate Validate that changes are
ties such that unintentional results. people perform the respon- reviewed and approved by
or intentional errors will be sibilities for change approval an appropriate level of man-
detected. and implementation. Ideally, agement.
separate people also will
perform design and testing Validate that those who ap-
of changes. prove changes do not have
access to implement them in
the production environment.
Determine how changes are
tested to ensure they func-
tion as intended and do not
impair the integrity, availabil-
ity, or confidentiality of data.
25
GTAG Appendix B
Emergency Changes
To ensure business needs Inability to respond effec- Procedures exist to identify, Select a sample of emer-
are met. tively to emergency change assess, and approve genuine gency changes and validate
needs. emergency changes. they meet the definition of a
genuine emergency change
and the proper controls were
To ensure a change will not Unexpected or adverse A post-implementation re-
performed from initiation
negatively impact availability, results. view is conducted to validate
through implementation for
integrity, and confidentiality that emergency procedures
each.
of systems and data. were properly followed and
to determine the impact of
the change.
26
GTAG Appendix B
27
28
About IPPF
The International Professional Practices Framework (IPPF) is the conceptual framework that organizes authoritative guidance
promulgated by The Institute of Internal Auditors. IPPF guidance includes:
Mandatory Guidance
Conformance with the principles set forth in mandatory guidance is required and essential for the professional practice of internal
auditing. Mandatory guidance is developed following an established due diligence process, which includes a period of public expo-
sure for stakeholder input. The three mandatory elements of the IPPF are the Definition of Internal Auditing, the Code of Ethics,
and the International Standards for the Professional Practice of Internal Auditing (Standards).
Element Definition
Definition The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal
auditing.
Code of Ethics The Code of Ethics states the principles and expectations governing behavior of individuals and
organizations in the conduct of internal auditing. It describes the minimum requirements for
conduct, and behavioral expectations rather than specific activities.
International Standards Standards are principle-focused and provide a framework for performing and promoting internal
auditing. The Standards are mandatory requirements consisting of:
S
tatements of basic requirements for the professional practice of internal auditing and for
evaluating the effectiveness of its performance. The requirements are internationally appli-
cable at organizational and individual levels.
Interpretations, which clarify terms or concepts within the statements.
It is necessary to consider both the statements and their interpretations to understand and apply
the Standards correctly. The Standards employ terms that have been given specific meanings that
are included in the Glossary.
Element Definition
Position Papers Position Papers assist a wide range of interested parties, including those not in the internal audit
profession, in understanding significant governance, risk, or control issues and delineating related
roles and responsibilities of internal auditing.
Practice Advisories Practice Advisories assist internal auditors in applying the Definition of Internal Auditing, the
Code of Ethics, and the Standards and promoting good practices. Practice Advisories address
internal auditings approach, methodologies, and consideration, but not detail processes or proce-
dures. They include practices relating to: international, country, or industry-specific issues; specific
types of engagements; and legal or regulatory issues.
Practice Guides Practice Guides provide detailed guidance for conducting internal audit activities. They include
detailed processes and procedures, such as tools and techniques, programs, and step-by-step
approaches, as well as examples of deliverables.
A Global Technologies Audit Guide (GTAG) is a type of Practice Guide that is written in straightforward
business language to address a timely issue related to information technology management, control, or security.
For other authoritative guidance materials provided by The IIA, please visit our website at www.globaliia.org/
standards-guidance.
Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not
intended to provide definitive answers to specific individual circumstances and as such is only intended to be
used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any
specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.
Copyright
Copyright 2012 The Institute of Internal Auditors.
For permission to reproduce, please contact The IIA at guidance@theiia.org.
www.globaliia.org