Auditing Change Controls and Patch Management - Internal Audit Risk Management for Change Controls


Change control refers to the processes within an organization's IT department that manage upgrades, patches, and incremental fixes to production systems. Change and patch management thus covers system upgrades, including application, operating system and database revisions, as well as infrastructure changes. In layman's terms, change controls are simply controls relating to IT changes. Recently, a lot of emphasis has been placed on auditing change controls. In a presentation made by one of my friends (CIO of a Fortune 500 company), he discussed why auditing change control is now imperative for organizations. His presentation made interesting reading. The main reasons he listed in his presentation included:

1. Regulatory requirements - With Sarbanes Oxley and other regulations, auditing change controls is now part of the overall assurance framework. Audit committees and senior management now lay increased stress on change management.

2. Pervasive Information Technology - Any business decision these days invariably results in an IT change. This is because almost all organizations are heavily IT dependent. A recent study confirmed that 80% of all system downtime was because of change management issues.

3. Change Management & Internal Audit - One slide in his presentation stressed the fact that management cannot always rely on external IT audits and assessments for IT assurance. Internal audit can proactively ensure that changes and patches are installed with minimal disruption. Even management would trust internal auditors more than an outside IT audit consultant. Internal audit is now responsible for providing IT audit assurance.

Posted 03/13/06 09:17:01 pm by big4guy, in Information Security
