The organizational importance of IT continues to grow each year, and the importance of change management in IT systems continues to grow along with it. There is a substantial body of evidence that change management contributes critically to the implementation of efficient, effective and secure IT operations. Because every change in an IT system can have consequences for the company’s operations, executives must understand how to impose, enforce, monitor and improve change management thoroughly. Research from the IT Process Institute has shown that organizations that manage their technology well perform substantially better than organizations that don’t.
Simply stated, all IT changes need to be authorized and tested, and unauthorized or untested changes need to be prohibited, because changes to a company’s IT infrastructure are a significant source of risk for every business. To protect the corporate crown jewels, robust change management practices are critical. The need for a positive control environment within IT and an unforgiving attitude regarding unauthorized IT changes cannot be overstated.
Strong change management means planned system implementations, proven (read: tested) solutions, scheduled upgrade windows where recovery is facilitated if needed and much more. To manage technology changes well, a change management program needs to be formally introduced to the organization.
Implementing a change management program means assigning responsibility for the various change activities involved in implementing new technology solutions.
AUDITING TECHNOLOGY CHANGE PROCESSES
An audit of change management should review IT results to identify key improvement opportunities. Auditors need to perform the following tasks during change management program audits:
- Understand the change management processes and procedures.
- Identify and assess key controls within the change management processes that ensure that all changes are properly authorized and tested prior to implementation.
- Determine the quality of the information generated by the change management program and assess whether it is enough to manage the change management process.
- Assess change management performance metrics for their existence, effectiveness, monitoring activities and responses to any program deviations.
- Evaluate whether risk management controls are preventive, detective or corrective and whether a good balance among them has been implemented.
- Define tests to confirm the operational effectiveness of change management activities, including management and staff interviews, documentation and report reviews, and data analyses.
- Recommend opportunities for the improvement of change management activities.
INDICATORS OF POOR CHANGE MANAGEMENT
Unauthorized changes: Anything above zero is unacceptable. Establishing a tone at the top that clearly communicates the company’s intolerance of unauthorized changes is fundamental to the long-term success of change management programs.
Unplanned outages: System outages should be scheduled (planned) to reduce their impact on the organization’s operations. Production systems should be updated during predetermined “change windows.” Unplanned outages are caused by system problems and encourage a reactionary environment (that is, firefighting), which is not how you stay on top of internal control systems.
Low change success rate: Good change management involves good testing. If changes must be “backed out,” it is an indicator of poor testing that failed to catch problems in the early stages.
High number of emergency changes: Again, emergencies should be emergencies and happen infrequently. Poor planning of changes results in a high number of emergencies.
Delayed project implementations: Delays in project implementation are a sign of unrealistic plans or poor resourcing decisions. Good change management practices encourage good planning and more achievable plans over time, resulting in fewer delays and cancellations of implementations.
An audit of change management should review the above risk indicators as a good measure of the likelihood that controls are or are not effective. Auditing IT processes can be very productive. Good business results happen due to the quality of the processes used to produce them. Reviewing the policies and procedures and related processes that have been implemented will help determine if your IT investments will be productive and worthwhile. Also, discussing with IT management how they do their jobs—their IT change efforts—will be extremely productive and help answer the fundamental question: Are changes being implemented in a controlled or haphazard manner?
When I look at the work some managers have done to test (that is, prove) that a change is working, I want to see four fundamental testing techniques: functional testing, stress testing, logical testing and path testing. It has been my experience that if the above system testing isn’t done, verified and approved by some independent validation unit (quality control, internal audit, outside consultants, etc.), then we have a problem with way too many implementations.
Finally, a robust “release management” process, in addition to strong change management practices, should be the goal. Rigorous practices for building, testing and issuing IT changes have a broad impact on individual IT results and overall performance of an organization. Therefore, while implementing a comprehensive change management program is important, establishing a strong release management process is vital.