
MIS 5203.001 - Systems and Infrastructure Life Cycle Management


What did you take away from reading: ISACA “Auditors and Large Software Projects, Part 3”?

April 11, 2019 by David Lanter 33 Comments

Filed Under: Unit 13: Maintenance and Course Review


Comments

  1. Imran Jordan Kharabsheh says

    April 12, 2019 at 8:33 pm

    Reading through the anecdotes and resources provided in the ISACA article titled “IS Audit Basics: Auditors and Large Software Projects, Part 3: Can Auditors Prevent Project Failure?”, I begin to see the true importance behind a well-documented and enforced change management process and controls. The story that appealed most to me in the article was the one where the networking lead engineer, who had changed the coding in the information system in an attempt to “optimize the network’s router tables”, had left the change he made undocumented and immediately went on a vacation to Norway right afterwards. The absurdity of this story and how they had to roll back the information systems to a documented version in order to undo the change truly stuck with me how bad issues involving poor change management controls can be. I also appreciate the author of the article citing multiple excellent resources for creating and auditing change control processes, including ISACA’s own “Change Management Audit/Assurance Program”.

    • Zhu Li says

      April 13, 2019 at 8:47 pm

      The change management process is the sequence of steps or activities that a change management team or project leader follows to apply change management to a change in order to drive individual transitions and ensure the project meets its intended outcomes.
      The change management process in systems engineering is the process of requesting, determining attainability, planning, implementing, and evaluating of changes to a system. Its main goals are to support the processing and traceability of changes to an interconnected set of factors.
      Also, Change management in an organization is the process, tools and techniques to manage the people side of change to achieve the required business outcome. Change management incorporates the organizational tools that can be utilized to help individuals make successful personal transitions resulting in the adoption and realization of change.

  2. Feng Gao says

    April 12, 2019 at 11:22 pm

    ISACA part 3 focuses on a matter that is very crucial to the managers and that is the large software projects. Matters focused on here are such as the reasons why some of the projects have very high costs, why some of them end up failing in meeting what is expected of them. The previous sections indicated some very crucial factors concerning the handling of the software to ensure the goals are met but this section focuses on how the must-to come changes that can be said to be inevitable to any system can be controlled. This is very vital to the managers because always, poor change control measures have always been the reason behind failing of such projects. ISACA has therefore documented the recommendations on a better change management control for the business managers. This therefore provides us with the knowledge that it is very vital for a business manager to equip him or herself with the required change control management skills.

    • Mei X Wang says

      April 13, 2019 at 3:01 pm

      Hi Feng,

      We both took away the importance of management in ensuring proper change control. Without proper change control from the management level, many projects fail. The business manager has to be educated to equip themself with proper change control management skills.

  3. Shuyue Ding says

    April 13, 2019 at 12:28 am

    Without good change management, a project would more likely face problems and issues which lead to the failure of the project. As much as I enjoyed reading the story in this article, I also found those different audit perspectives on change management in terms of capability areas and maturity levels interesting, such as leadership, communications, application, competencies, authorities, and standardization. The sample Maturity table would be a very good tool for organizations to evaluate their current change management, and I could see many IT auditors would face a difficult time to raise the issue of poor change management with senior management. I would show them examples of what poor change management could lead to.

    • Ryu Takatsuki says

      April 15, 2019 at 10:11 am

      Hi Shuyue, I agree with your point that a project would face problems and issues which lead to the failure of the project if it doesn’t have good change management. The main purpose of change management is to control risk and minimize disruption to associated IT services and business operations. It will help the organization to manage risk and safeguard the IT services you deliver and support against unnecessary errors.

  4. Raisa Ahmed says

    April 13, 2019 at 5:05 am

    Change management is initiated through a Request for Change (RFC), which documents proposed changes, why it is needed, etc. Effective change management allows for a structured and reliable environment that is essential for the success of the business. The goal is to increase awareness and understanding of proposed changes and ensure that all changes are done in a way that reduces negative impact on the business. The narrative in “IS Audit Basics: Auditors and Large Software Projects, Part 3: Can Auditors Prevent Project Failure?” did a good job in presenting the main concern associated with ineffective change management. That is, an individual’s lack of documentation disrupted everyone in the organization and the business itself.

    • Sarah Puffen says

      April 15, 2019 at 11:27 am

      Nice work on summarizing the main point of the article- any type of change, even if it’s seemingly minuscule, can have a grave impact on the business process. I think it also gives us a glimpse of what resistance to change may look like, and why effective communication by management is vital for enforcing these procedures.

  5. Yuchong Wang says

    April 13, 2019 at 9:01 am

    After finishing reading Auditors and Large Software Projects Part 3, I found the main takeaway is the Sample Maturity Table. It includes important attributes of change management such as Leadership, Communications, Application, Competencies, Authorities, Standardization. All these attributes are important aspects to take into account during change management. Just by knowing and remembering this should lead an auditor into the right direction when doing an audit review for change management or control.

    • Shuyue Ding says

      April 14, 2019 at 7:36 pm

      Hi, Yuchong:

      I agree, and I believe that Maturity table would be a great tool for organizations. Organizations would also need to have their own matric and add their own attributes based on their core business process or nature of the business. Every organization is different than another, and the sample maturity table would be a great starting point.

  6. Xinye Yang says

    April 13, 2019 at 9:31 am

    There are several points to take away from “IS Audit Basics: Auditors and Large Software Projects, Part 3: Can Auditors Prevent Project Failure?” The challenge in change management is getting people to comply with this policy for all changes to configurations, systems, application software, access rights and system privileges, and project plans. Someone may have been working in the position for decades, but they are also required to comply with the policy. Additionally, when important employees or top leaders are fired, it may potentially cause risks towards data confidentiality. This led to the discovery that critical data center processes had been customized, and the risk should be associated with this “indispensable individual.”

    • Imran Jordan Kharabsheh says

      April 15, 2019 at 12:41 am

      Hello,
      As I read through the major takeaways you got from reading the ISACA article titled “IS Audit Basics: Auditors and Large Software Projects, Part 3: Can Auditors Prevent Project Failure?”, I found you took a similar approach to me in that you drew most of what you learned from the anecdote shared at the beginning. Often, workers at an organization are resistant to changes to their previous work routine, no matter the security cost. This is often why organizations perform training sessions and put in place enforced controls, in an effort to mitigate resistance from those unwilling or having difficulty adapting to the change in the organization’s information system.

  7. Zhu Li says

    April 13, 2019 at 10:45 am

    Change Control is the process that management uses to identify, document and approve changes to an IT environment. It minimizes the likelihood of disruptions, unauthorized alterations and errors. The change control procedures should be designed with the size and complexity of the environment in mind. For example, applications that are complex, maintained by large IT Staffs or represent high risks require more formalized and more extensive processes than simple applications maintained by a single IT person.

    A change management audit will focus on the design and operational effectiveness of the controls to meet the change control objective to ensure controls provide reasonable assurance that changes to existing infrastructure, data, and software are authorized, documented, tested, approved and implemented.

    • Xinye Yang says

      April 15, 2019 at 11:37 am

      Change management is a critical step in maintenance. Its sample work steps include: verify that security maintenance and configuration changes are subject to a formal change management program; review documentation such as change authorization forms or remedy tickets to verify that security maintenance and configuration changes adhere to policy; obtain and review documentation to verify that a defined approval process exists for security maintenance and configuration changes and also verify that the approver cannot be the same individual who requested the change.

  8. Yuan Liu says

    April 13, 2019 at 11:14 am

    Leadership—Sponsoring the institutionalization of change management; demonstrable senior management engagement in the application of this discipline; and defining business rules, policies and procedures, and ensuring compliance with them.
    Competencies—Providing training and documentation, encouraging interchanges between experienced practitioners and learners, ensuring project teams collaborate and share change management knowledge.
    Application—Making resources available for the practice of change management and defining those areas and/or functions where a common approach is mandatory, aiming for uniformity in practices and tools.

    • Panayiotis Laskaridis says

      April 13, 2019 at 3:44 pm

      Hello Yuan,

      I also chose to write about some of the critical capabilities. These are some vital capabilities to be aware of when managing change.

  9. Ryu Takatsuki says

    April 13, 2019 at 11:27 am

    The key point I took away is about Auditing Change Control Processes. According to the article, Change Control is the process that management uses to identify, document and authorize changes to an IT environment. It minimizes the probability of disturbances, unapproved changes, and blunders. The change control methodology ought to be structured with the size and multifaceted nature of the earth at the top of the priority list. In order to ensure that the project is controllable, the project manager should fully understand the change information, measure the impact of the change implementation on the project, and then decide whether to modify. Also, there are six critical capability areas: leadership, communications, application, competencies, authorities, and standardization. The communication is establishing a culture that recognizes the value of change management.

    • Alexander Reichart-Anderson says

      April 15, 2019 at 11:46 am

      Hello Ryu. Like most of the topics this week the main point was around change control and the importance of this process. I absolutely agree that the documentation, identifying, and authorizations to the overall environment. I like how you also added the six critical ability areas. Leadership and communication are the two that I think are the most important for the change management process.

  10. Alexander Reichart-Anderson says

    April 13, 2019 at 11:43 am

    In ISACA reading “Auditors and Large Software Projects, Pt 1” the secondary title/tagline is “can IS Auditors prevent project failure”… this is what we will take a deep dive at today. In the introduction of the article we saw that ISACA did provide an outline of the best practices for the System Development and Project Management Audit/Assurance Program. This work of literature outlines different guidelines to help auditors ensure that projects meet their goals and expectations. From there the article breaks down speaking points into a) the business case, b) project risks analysis, and then c) outlining requirements definitions. Through following those three topics and headings, a project manager and auditor can schedule the stages of a project. As the PM and IS Auditor can analyze the project and properly address risk, they can — prevent project failure!

    • Feng Gao says

      April 13, 2019 at 8:52 pm

      Your points are great. Project risk analysis needs to have a good risk management strategy. Effective risk management strategies allow you to identify your project’s strengths, weaknesses, opportunities and threats. By planning for unexpected events, you can be ready to respond if they arise. To ensure your project’s success, define how you will handle potential risks so you can identify, mitigate or avoid problems when you need to do.

    • Yuchong Wang says

      April 15, 2019 at 10:44 pm

      Hi Alex,
      I completely agree that knowing the business case, project risks analysis, and then outlining requirements definitions would help prevent project failure. This outline gives auditors the right direction, thus minimizing risks of making a wrong move that will cost the project to fail.

  11. Yuqing Tang says

    April 13, 2019 at 11:51 am

    Auditors and Large Software Projects, Part 3 mentions the importance of change management which refers to the process in which the organization makes some or all changes to the system in order to adapt to the changes of various factors related to the project in the process of operation and ensure the realization of objectives, and organizes the project implementation according to the requirements after the changes. IT change management is one of the codes of conduct for IT service management. The goal of IT change management is to effectively implement standardized methods and processes in all changes of the entire IT architecture, so as to reduce the number of unexpected events caused by changes and the impact on the whole IT service.

    • Haixin Sun says

      April 15, 2019 at 7:41 am

      It is good to talk about the goal of IT change management, that is to effectively implement standardized methods and processes in all changes of the entire IT architecture.

  12. Mei X Wang says

    April 13, 2019 at 12:01 pm

    This column focuses on what causes large software projects to have huge costs and timescales overruns and/or fail to meet expectations or, at worst, be abandoned before completion. Poor change control is a frequent cause of projects going wrong.
    There are six critical capability areas: leadership, communication, application, competencies, authorities, and standardization. These capability areas are drawn into a sample maturity table to be audited and are ranked from level 1-5. By auditing these six critical areas where change management has problems, problems can be more easily identified.

    Auditors are encouraged to remind their auditees that there are always going to be ongoing problems in change management, it’s important to raise the issue with senior management and the audit committee.

  13. Deepa Kuppuswamy says

    April 13, 2019 at 1:14 pm

    This article focuses on auditing how to manage the inevitable changes to the project and explains about how some organizations that are bureaucratic in the organizational structures managed to bring about change in the way they worked. Change management has become increasingly important in companies of all sizes, across all industries, but resistance to change is a common stumbling block in most companies. It is hard to change the way of working and modify the processes to suit the new application processes or needs, but developing clear plans and policies with objectives, transparent communications and specific measurable goals helps to achieve project success.

    • Haixin Sun says

      April 15, 2019 at 7:40 am

      Hi, I agree with you that a clear plan, transparent communication as well as specific measurable goals contribute to change to the project. I also believe it is necessary to identify what will be improved and implement a support structure as well as provide effective training.

  14. Haixin Sun says

    April 13, 2019 at 1:47 pm

    ******Sorry, I put this to the fourth question********
    This part focuses on how to manage the inevitable changes to the project due to the fact that poor change control is a frequent cause of projects going wrong. In the first section, one point I took is that the challenge of the change management is to get people to comply with this policy for all changes to configurations, systems, application software, access rights and system privileges and project plans. The conflicts between people and lack of communication have a huge impact on that. Thus, it is necessary to be patient, keep employees up-to-speed, show how change will contribute to the company and create a successful timeline for change.

    • Yuqing Tang says

      April 15, 2019 at 3:10 pm

      Hi, I agree with what you said about the importance of communication within an organization and what change management can do in the process. With an appropriate change management, a single person or a sole department cannot make huge changes to the system, which reduces the possibility of any false decision. Any decisions must be approved by the related department considering the security concerns.

  15. Panayiotis Laskaridis says

    April 13, 2019 at 3:12 pm

    After reading ISACA Auditors and Large Software Projects, Part 3, my biggest takeaway was the 6 critical capability areas. They were:

    Leadership: Without proper leadership, any project or application is destined for failure. When you think of an IT project, you tend to overlook the importance of leadership because you think everything is found in the code. Personally, I don’t even think you need an IT expert to be at the head of your project, as long as they have a base understanding of how things work.

    Communications: You have to be able to establish a culture that understands the importance of change management. A software project is truly never finished. Your employees have to be willing to remain vigilant for potential issues and act accordingly when there is a request for change.

    Application: Of course, without the actual proper application of these changes, everything else is wasted. There needs to be uniformity in practice and tools.

    Competencies: You have to make sure your team is competent. There should be proper training and documentation in order for your team members to properly fulfill their responsibilities.

    Authorities: There should be a formal procedure for requesting changes and the minimum requirements for segregation of duties.

    Standardization: These processes might not be able to be automated, but they should be standardized as much as possible in order for it to be readily accessed and shared.

    • Raisa Ahmed says

      April 14, 2019 at 3:21 am

      Sup Panayiotis. Adding to your explanation, the six critical capability areas are an important part of the change management process. Change management is a structured approach for ensuring that requested changes are thoroughly implemented and the benefits are achieved. The six critical capability areas help to achieve this goal.

  16. Sarah Puffen says

    April 14, 2019 at 3:30 pm

    This ISACA reading uses a real-life example of why change management procedures are important and allows us to relate our previous readings to the story. We can see that no matter how small of a change is being made, there should always be a certain procedure (i.e. testing, documentation) to implement that change. However, some employees may be unwilling to accept new policies and procedures due to being stuck in their ways, which can be seen throughout many industries. To be frank, the main take away from the story, other than the overview of evaluating the maturity of change management, would be the necessity for upper management to have a spine and put their foot down when employees push back on new rules. In other words, management possessing soft skills is a must, so to ensure that policies are adhered to for the betterment of the company, rather than being seen by an employee as an attack on their work.

    • Penghui Ai says

      April 15, 2019 at 11:33 am

      Hi Sarah,

      Great comments. Thank you for sharing your thoughts on this ISACA reading. I agree with you that change management is important for each organization, and the organization should implement the documentation process even if it is a small change.

  17. Penghui Ai says

    April 15, 2019 at 11:30 am

    Auditors and Large Software Projects, Part 3 focuses on auditing how the inevitable changes to the project are managed. Poor change control leads to firefighting in operational activities and problems in software development. This article introduces one model which integrates several good practices with six critical capability areas, which are leadership, communications, application, competencies, authorities, and standardization. In addition, this model defines 5 different levels for each category. Level 1 means nonexistent. Level 2 means change management is applied to isolated situations, but not with consistent practices. Level 3 means change management is applied to multiple projects and/or operational activities, and good practices are identified and shared. Level 4 means organizational standards for change management include common approaches and tools. Level 5 means organization competency, and change management becomes part of the organization’s way of doing things. Auditors who find that change management is not practiced as well as it ought to be should remind their auditees that those who go around looking for trouble usually find it.
