KnowledgeLeader Blog

Auditing Technology Changes: Are Yours Well-Managed?

Posted by Sharise Cruz on Wed, Jul 17, 2013 @ 11:29 AM

Information technology is critical to the long-term success of most organizations. It is a key driver for the cost of operations, and cost of operations tends to be a vital component of overall profitability. It facilitates the introduction of new business initiatives, as well as the ongoing improvement of current processes, and allows the management team to monitor and report on performance. IT enables business operations through connectivity, information processing, business intelligence and the like. Lastly, and especially important to this audience, IT can contribute greatly to a company’s system of internal control.

The organizational importance of IT continues to grow each year, and the importance of change management in IT systems continues to grow along with it. There is a substantial body of evidence that change management contributes critically to the implementation of efficient, effective and secure IT operations. Because every change in an IT system creates a potential consequence to the company’s operations, executives must understand how to impose, enforce, monitor and improve change management thoroughly. Research from the IT Process Institute has shown that organizations that manage their technology well perform substantially better than organizations that don’t. 

Simply stated, all IT changes need to be authorized and tested, and unauthorized or untested changes need to be prohibited. Put another way: changes to a company’s IT infrastructure are a significant source of risk for every business. To protect the corporate crown jewels, robust change management practices are absolutely critical. The need for a positive control environment within IT and an unforgiving attitude regarding unauthorized IT changes cannot be overstated. 

Strong change management means planned system implementations, proven (read: tested) solutions, scheduled upgrade windows where recovery is facilitated if needed, and much more. To manage technology changes well, a change management program needs to be formally introduced to the organization. 

Implementing a change management program means assigning responsibility for the various change activities involved in implementing new technology solutions. 

AUDITING TECHNOLOGY CHANGE PROCESSES

An audit of change management should review IT results to identify key improvement opportunities. During the audit of change management programs, auditors need to:

  • Understand the change management processes and procedures

  • Identify and assess key controls within the change management processes that ensure all changes are properly authorized and tested prior to implementation

  • Determine the quality of the information generated by the change management program and assess whether it is sufficient to manage the change management process

  • Assess change management performance metrics for their existence, effectiveness, monitoring activities and responses to any program deviations

  • Evaluate whether risk-management controls are preventive, detective, or corrective, and if a good balance has been implemented

  • Define tests to confirm the operational effectiveness of change management activities, including management and staff interviews, documentation and report reviews, and data analyses

  • Recommend opportunities for improvement of change management activities

INDICATORS OF POOR CHANGE MANAGEMENT

  • Unauthorized changes: Anything above zero is unacceptable. Establishing a tone at the top that clearly communicates the company’s intolerance of unauthorized changes is fundamental to the long-term success of change management programs.

  • Unplanned outages: System outages should be scheduled (planned) to reduce their impact on the organization’s operations. Predetermined “change windows” are where production systems should be updated. Unplanned outages are caused by system problems and encourage a reactionary environment (that is, firefighting), which is not how you stay on top of internal control systems.

  • Low change success rate: Good change management involves good testing; if changes have to be “backed out,” it is an indicator of poor testing that failed to catch problems in the early stages.

  • High number of emergency changes: Again, emergencies should be emergencies, and happen infrequently. Poor planning of changes results in a high number of emergencies.

  • Delayed project implementations: Delays in project implementation are a sign of unrealistic plans or poor resourcing decisions. Good change management practices encourage good planning and more achievable plans over time, resulting in fewer delays and cancellations of implementations.

An audit of change management should review the above risk indicators as a good measure of the likelihood that controls are or are not effective. 

Auditing IT processes can be very productive; good business results happen due to the quality of the processes used to produce them. Reviewing the policies and procedures and related processes that have been implemented will help determine if your IT investments will be productive and worthwhile. Also, discussing with IT management how they do their jobs—in particular their IT change efforts—will be extremely productive, and help answer the fundamental question: are changes being implemented in a controlled or haphazard manner? 

When I look at the work some managers have done to test (that is, prove) that a change is working, I want to see four fundamental testing techniques: functional testing, stress testing, logical testing and path testing. It has been my experience that if the above system testing isn’t done, verified and approved by some independent validation unit (quality control, internal audit, outside consultants, etc.), then we have a problem with way too many implementations. 

Finally, a robust “release management” process, in addition to strong change management practices, should be the ultimate goal. Rigorous practices for building, testing and issuing IT changes have a broad impact on individual IT results and overall performance of an organization. Therefore, while implementing a comprehensive change management program is important, establishing a strong release management process is vital. 

Are your technology changes well-managed? I believe it’s time to find out.

This article was written by Dan Swanson.

 
