EY – Change Management

✦Data loss
✦Unauthorized changes
✦Resistance to changes
✦Not testing a change sufficiently or correctly

❑ Perform an Audit
✦Walkthrough
✦Asses risk
✦Test controls

❑ Company-Level Controls
❑ Application Controls
❑ General Controls

❑ Enterprise Management
✦High-level activities
✦Oversight
✦Policies and procedures
✦Internal audit function

❑ Business Process
✦Preventative controls
✦Monitoring activities
✦Access controls
✦Segregation of duties

❑ Shared Services
✦Support-process controls

❑ Process that provides for the analysis, implementation, and follow-up of all changes required and made to the existing IT environment
✦Plan the change, do the change, know the change occurred correctly

❑ Process of safeguarding IT systems and resources against unauthorized use, modification, disclosure, or loss
✦Using passwords

❑ Process for determining that IT resources and applications continue to function as intended over time
✦Backups

❑ Support Application Controls and IT-Dependent Manual Controls
✦Gives assurance of those controls

✦Signing off on an automated process

❑ Plan and Organize
❑ Acquire and Implement
❑ Deliver and Support
❑ Monitor and Evaluate

Covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of the business objectives

❑ Covers the identification, development, and/or acquisition of IT solutions and the implementation and integration of those solutions into the business process
✦ Also covers changes in and maintenance of existing systems

❑ Covers the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities
✦ Daily business

❑ Covers performance management, monitoring of internal control, regulatory compliance and governance
✦ This is present all of the time

✦Part of Acquire and Implement
✦Manage Changes

❑ To minimize security risks and maximize performance and availability of systems, enterprises need to reliably and efficiently manage changes
✦Efficient – if change takes a long time, could cause you to lose profit
✦Reliable – know the changes that are occurring

Enables an enterprise to promptly handle the need to modify any part of its IT and communications environment, and supports the acceptance, approval and implementation of the modification

❑ Ensure that there is a formal, well-controlled process for changing any piece of the infrastructure, including:
✦Development of new systems
✦Customization of purchased systems
✦Maintenance of existing systems

❑ Reduce risk to the organization by:
✦Increasing reliability
✦Increasing availability
✦Decreasing cost

❑ Increased regulatory requirements around IT controls (SOX)
❑ Provide assurance that financial statements were operating consistently throughout audit period
❑ Technology is everywhere – The majority of an organization’s intellectual property is in electronic form
❑ Provides a way for us to understand how our client’s organization is changing/evolving

❑ Authorization
❑ Testing
❑ Review and Approval
❑ Segregation of Duties
❑ Monitoring

Change is from someone appropriate to make/ask for change

❑ Make sure the change is working
✦Development stage
✦User acceptance stage

Sign of by management of the change

Separation of writing code, approving code, implementing the change into the system, and monitoring the change

✦Last step for change
✦Continuous function throughout the change stages and after change is complete

To provide reasonable assurance that only appropriately authorized, tested, and approved changes (both routine and emergency) are made to the applications, interfaces, and underlying infrastructure that support key application and IT dependent manual controls within significant processes

❑ Applications – ERP (SAP, Oracle)
❑ Interfaces (IT controlled)
❑ Database – off in the background, where the transactions sit
❑ Operating Systems/Networks – end user

❑ ERPs – SAP or Oracle
✦Application for recording transactions

Browser user is interacting with

❑ Development (DEV) – programmers
❑ Test (QA) – quality assurance
❑ Production (PROD) – end users

1. Program development/acquisition – new system
2. Program change – to existing application
3. Maintenance – patch by vendor, from database
4. Emergency changes – last minute
5. Configuration/parameter changes – modifying thresholds

❑ Purchased, not customized (off the shelf) – lowest risk for auditors
❑ Purchased customized
❑ In-house developed (highest risk for auditors)

✦Company installs application “as is”
✦Once placed in production, very few, if any, changes
✦Applications tend to be fully supported by vendor
✦Relatively simple Change Management process (vendor releases new version and company installs it)
✦Limited testing required

✦Unique for company
✦Created in development
✦Tested in QA
✦Deployed to production

✦Create by company itself
✦Cost-saving
✦Use if it doesn’t exist in market

✦Segregation of duties
✦Need to mitigate risks – track what users are doing
✦Internal audit function within the entity

✦More changes needed for larger systems
✦Can’t look at every change – take samples
✦Hard to monitor so many changes

✦Identify types of changes
✦Identify components of IT Environment in scope
✦Identify population – best source is the system itself (completeness of the population)
✦Determine that changes are authorized, tested, approved and monitored
✦Determine that individuals do not have conflicting duties

❑ Random selection is best
❑ Document if random selection was not used – judgmentally or haphazardly
❑ Sample sizes will vary depending on the methodology being used
✦EY = 10% of population up to max of 25

❑ Culture
❑ Controls
❑ Credibility

✦”Tone at the Top”
✦Vibe you get from management
✦How they assess and deal with risk

✦5 Change Management controls
✦Controls and the framework

✦Goes hand in hand with culture
✦Additional assurance dealing with the entity

✦Unauthorized changes
✦Unavailable information
✦Unplanned work
✦High employee turnover
✦High number of emergency changes

“Trust then verify”