Change Management

Shared by: banter
Posted: 1/8/2008
INTERNAL AUDIT WORKING PAPERS 2002
IT Change Management Policy

Created By: xxx
Date Created: 11/05/2002
Date Printed: 04/14/03 7:35 PM

Working paper columns: RISKS | RISK CLASSIFICATION & REF | RISK & RATIONALE | CONTROL POINTS | TESTS | RESULTS (Refer to test lead) | CONTROL RATING & CONCLUSIONS | TEST REF

Objective #1: To ensure a formally documented change management process exists and is maintained to reflect the current process.

Risk 1. Lack of formal change management policies and processes could result in the delivery of inconsistent and unreliable products.
  Risk classification & ref: 12 – Information Technology Risk
  Risk & rationale: High; I = Extreme, P = Moderate
  Control point 1.1: Change management policies are formally documented.
  Control point 1.2: The change management process is formally documented and kept updated.
  Test 1.1: Determine if existing change management policies have been formally documented.
  Test 1.2: Determine if change management processes have been formally documented. Determine if change management documentation has been kept up to date.

Risk 2. Lack of awareness of change management policies and procedures may result in noncompliance. This may also lead to changes not being put through the corporate change management process.
  Risk classification & ref: 12 – Information Technology Risk
  Risk & rationale: High; I = High, P = Likely
  Control point 2.1: Management is responsible for promoting individual employee awareness of, and compliance with, corporate change management policies and procedures.
  Test 2.1: Determine if a process is in place to ensure that all current and new employees are informed of change management policies and procedures. Determine if employees are aware of relevant change management policies and procedures. Interview a sample of employees to determine if they have a clear understanding of their role and responsibilities.

Objective #2: To ensure change requests are properly initiated and approved.

Risk 3. Unauthorized changes could result in unpredictable business solutions that would not meet the users' requirements. They may also adversely affect the production environment and result in increased costs.
  Risk classification & ref: 12 – Information Technology Risk
  Risk & rationale: High; I = High, P = Likely
  Control point 3.1: A process is in place to ensure that all changes are reviewed and approved by appropriate personnel before being introduced into the production environment.
  Test 3.1: Determine if a process is in place to ensure that all changes are reviewed and approved by appropriate personnel. Obtain documentation supporting the approval process for a sample of changes.

Risk 4. Lack of a priority assignment process for changes may result in the delay of critical change implementations.
  Risk classification & ref: 12 – Information Technology Risk
  Risk & rationale: High; I = High, P = Likely
  Control point 4.1: Change requests undergo a priority assignment process.
  Test 4.1: Determine if priorities are assigned to the change requests.

Objective #3: To ensure changes made to applications/systems are adequately tested before being placed into a production environment.

Risk 5. Changes have not been tested before being implemented.
  Risk classification & ref: 12 – Information Technology Risk
  Risk & rationale: Significant; I = High, P = Moderate
  Control point 5.1: All changes are tested before being implemented in the production environment.
  Test 5.1: Determine if there is a process in place to ensure that changes have been tested prior to implementation. The testing/QA region should be separate from development and production. Obtain documentation stating changes have been received and reviewed by a QA type function for the selected sample of changes.

Risk 6. The backout processes for changes have not been developed and tested prior to implementation.
  Risk classification & ref: 12 – Information Technology Risk
  Risk & rationale: High; I = High, P = Likely
  Control point 6.1: A backout process is developed and tested before any change request is implemented.
  Test 6.1: Determine if there is a process in place to ensure that backout procedures for changes have been developed and tested prior to implementation. Obtain documentation supporting backout processes for the selected sample of changes.

Risk 7. Verification plans for implemented changes have not been developed and executed. Changes need to be verified to ensure they perform as expected.
  Risk classification & ref: 12 – Information Technology Risk
  Risk & rationale: High; I = High, P = Likely
  Control point 7.1: All change requests have a verification plan developed prior to implementation. Once implemented, change requests need to have documented verification results.
  Test 7.1: Determine if there is a process in place to ensure that verification plans for changes have been developed prior to implementation. Change verifiers need to execute the verification plan and document the results in the change requests. Obtain documentation supporting verification plans and results for the selected sample of changes.

Objective #4: To ensure all changes are being tracked adequately.

Risk 8. Lack of a tracking process for changes being made to the production environment.
  Risk classification & ref: 12 – Information Technology Risk
  Risk & rationale: Severe; I = Severe, P = Likely
  Control point 8.1: There is a tracking process in place to ensure that changes to the production environment are documented and tracked throughout their lifecycle.
  Test 8.1: Determine if there is a process and/or change management tool in place to track changes throughout their lifecycle. Determine if there is adequate documentation for a sample of changes that have been implemented.

Risk 9. Lack of monitoring of change requests may prevent changes that have not followed the change management process from being detected.
  Risk classification & ref: 12 – Information Technology Risk
  Risk & rationale: High; I = High, P = Likely
  Control point 9.1: A monitoring process is in place to ensure the change management process is working as intended.
  Test 9.1: Determine if a monitoring process is in place. Monitoring should include periodically reviewing changes made to the production environment to determine if any did not follow the change management process.

Objective #5: To ensure all changes are adequately reported to stakeholders.

Risk 10. Lack of reporting to stakeholders for all scheduled and completed changes may result in confusion and delays. This may adversely affect the production environment.
  Risk classification & ref: 12 – Information Technology Risk
  Risk & rationale: High; I = High, P = Likely
  Control point 10.1: All stakeholders are informed of changes once they have been scheduled as well as after they have been completed.
  Test 10.1: Determine if there is a process, such as automatic status notifications, in place to inform all stakeholders of changes that have been scheduled as well as changes that have been completed.

Objective #6: To ensure all emergency changes are adequately managed and tracked.

Risk 11. Lack of a formal change management process for emergency changes could result in unauthorized changes that may adversely affect the production environment.
  Risk classification & ref: 12 – Information Technology Risk
  Risk & rationale: Severe; I = Extreme, P = Likely
  Control point 11.1: The change management process for emergency situations is formally documented and kept updated.
  Test 11.1: Determine if change management processes for emergency changes have been formally documented. Determine if change management documentation has been kept up to date.

Risk 12. Lack of post-review sessions for emergency changes may lead to repeating the same mistakes that lead to those changes.
  Risk classification & ref: 12 – Information Technology Risk
  Risk & rationale: Significant; I = Medium, P = Likely
  Control point 12.1: Post-reviews are conducted for all emergency changes so that factors that lead to the emergency changes may be reviewed and an impact assessment may be performed. This helps prevent the repetition of similar mistakes.
  Test 12.1: Determine if Change Management has documentation supporting a post-review process for a sample of emergency changes.
