EY – Change Management

What could go wrong with change management?
✦Data loss
✦Unauthorized changes
✦Resistance to changes
✦Not testing a change sufficiently or correctly
How to reduce the risk of these things going wrong?
❑ Perform an Audit
✦Walkthrough
✦Assess risk
✦Test controls
3 Types of IT Controls
❑ Company-Level Controls
❑ Application Controls
❑ General Controls
Company-Level Controls
❑ Enterprise Management
✦High-level activities
✦Oversight
✦Policies and procedures
✦Internal audit function
Application Controls
❑ Business Process
✦Preventative controls
✦Monitoring activities
✦Access controls
✦Segregation of duties
General Controls
❑ Shared Services
✦Support-process controls
Change Management
❑ Process that provides for the analysis, implementation, and follow-up of all changes required and made to the existing IT environment
✦Plan the change, make the change, verify that the change occurred correctly
Logical Access
❑ Process of safeguarding IT systems and resources against unauthorized use, modification, disclosure, or loss
✦Using passwords
Other IT General Controls (Including IT Operations)
❑ Process for determining that IT resources and applications continue to function as intended over time
✦Backups
IT General Controls
❑ Support Application Controls and IT-Dependent Manual Controls
✦Provide assurance that those controls operate as intended
IT-Dependent Manual Controls
✦Example: a manager signing off on the output of an automated process
4 Domains of COBIT
❑ Plan and Organize
❑ Acquire and Implement
❑ Deliver and Support
❑ Monitor and Evaluate
Plan and Organize (PO)
❑ Covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of the business objectives
Acquire and Implement (AI)
❑ Covers the identification, development, and/or acquisition of IT solutions and the implementation and integration of those solutions into the business process
✦ Also covers changes in and maintenance of existing systems
Deliver and Support (DS)
❑ Covers the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities
✦ Day-to-day operations
Monitor and Evaluate (ME)
❑ Covers performance management, monitoring of internal control, regulatory compliance and governance
✦ Ongoing – present throughout the whole lifecycle, not a one-off step
AI6
✦Part of Acquire and Implement
✦Manage Changes
Manage Changes
❑ To minimize security risks and maximize performance and availability of systems, enterprises need to reliably and efficiently manage changes
✦Efficient – if a change takes too long to get through the process, the business loses money
✦Reliable – know which changes are occurring and that they are made correctly
Efficient Change Management
Enables an enterprise to promptly handle the need to modify any part of its IT and communications environment, and supports the acceptance, approval and implementation of the modification
Primary Goals of Change Management
❑ Ensure that there is a formal, well-controlled process for changing any piece of the infrastructure, including:
✦Development of new systems
✦Customization of purchased systems
✦Maintenance of existing systems

❑ Reduce risk to the organization by:
✦Increasing reliability
✦Increasing availability
✦Decreasing cost

Why Assess Change Controls?
❑ Increased regulatory requirements around IT controls (SOX)
❑ Provide assurance that the controls over financial reporting operated consistently throughout the audit period
❑ Technology is everywhere – The majority of an organization’s intellectual property is in electronic form
❑ Provides a way for us to understand how our client’s organization is changing/evolving
Key Components of Change Management
❑ Authorization
❑ Testing
❑ Review and Approval
❑ Segregation of Duties
❑ Monitoring
Authorization
The change is requested by someone with the appropriate authority to make or ask for the change
Testing
❑ Make sure the change is working
✦Development stage
✦User acceptance stage
Review and Approval
Sign-off on the change by management
Segregation of Duties
Separation of writing code, approving code, implementing the change into the system, and monitoring the change
Monitoring
✦Listed as the last step of a change
✦In practice a continuous function throughout the change stages and after the change is complete
Control Objective of Change Management
To provide reasonable assurance that only appropriately authorized, tested, and approved changes (both routine and emergency) are made to the applications, interfaces, and underlying infrastructure that support key application and IT dependent manual controls within significant processes
Components of the IT Environment
❑ Applications – ERP (SAP, Oracle)
❑ Interfaces (IT controlled)
❑ Database – off in the background, where the transactions sit
❑ Operating Systems/Networks – end user
Application Layer
❑ ERPs – SAP or Oracle
✦Application for recording transactions
Presentation Layer
The browser (or client) the user is interacting with
System Environments
❑ Development (DEV) – programmers
❑ Test (QA) – quality assurance
❑ Production (PROD) – end users
Types of Changes
1. Program development/acquisition – new system
2. Program change – to existing application
3. Maintenance – vendor patches (e.g., application or database patches)
4. Emergency changes – last minute
5. Configuration/parameter changes – modifying thresholds
Types of Applications
❑ Purchased, not customized (off the shelf) – lowest risk for auditors
❑ Purchased customized
❑ In-house developed (highest risk for auditors)
Purchased, Not Customized
✦Company installs application “as is”
✦Once placed in production, very few, if any, changes
✦Applications tend to be fully supported by vendor
✦Relatively simple Change Management process (vendor releases new version and company installs it)
✦Limited testing required
Purchased Customized
✦Unique for company
✦Created in development
✦Tested in QA
✦Deployed to production
In-House Developed
✦Created by the company itself
✦Cost-saving
✦Used when no suitable product exists on the market
Auditing Small Clients
✦Segregation of duties is limited with few staff
✦Need to mitigate that risk – track what users are doing
✦Internal audit function within the entity
Auditing Large Clients
✦More changes needed for larger systems
✦Can’t look at every change – take samples
✦Hard to monitor so many changes
Define Test Approach For Change Management
✦Identify types of changes
✦Identify components of IT Environment in scope
✦Identify population – best source is the system itself (completeness of the population)
✦Determine that changes are authorized, tested, approved and monitored
✦Determine that individuals do not have conflicting duties
Select Sample
❑ Random selection is best
❑ Document the basis if random selection was not used (judgmental or haphazard selection)
❑ Sample sizes will vary depending on the methodology being used
✦EY: 10% of the population, up to a maximum of 25
3 C’s
❑ Culture
❑ Controls
❑ Credibility
Culture
✦”Tone at the Top”
✦Vibe you get from management
✦How they assess and deal with risk
Controls
✦5 Change Management controls
✦Controls and the framework
Credibility
✦Goes hand in hand with culture
✦Additional assurance when dealing with the entity
Red Flags of Changes
✦Unauthorized changes
✦Unavailable information
✦Unplanned work
✦High employee turnover
✦High number of emergency changes
Professional Skepticism
“Trust then verify”