IT Change Management Audit Templates
Download Free IT Change Management Audit Templates

1. Identify strengths and weaknesses relating to development, acquisition, and maintenance activities, through a review of:
Prior reports of examination;
Internal and external audits;
Regulatory, audit, and security reports from key service providers;
Organizational charts;
Network topology maps; and
Résumés of technology managers.
2. Review management's response to report and audit findings to determine:
The adequacy and timing of corrective actions;
The resolution of root causes rather than just specific issues; and
The existence of outstanding issues.
3. Review applicable documentation and interview technology managers to identify:
The type and frequency of development, acquisition, and maintenance projects;
The formality and characteristics of project management techniques;
The material changes that impact development, acquisition, and maintenance activities, such as:
Proposed or enacted changes in hardware, software, or vendors;
Proposed or enacted changes in business objectives or organizational structures; and
Proposed or enacted changes in key personnel positions.
4. Evaluate the adequacy of development activities by assessing:
The adequacy of, and adherence to, development standards and controls;
The applicability and effectiveness of project management methodologies;
The experience of project managers;
The adequacy of project plans, particularly with regard to the inclusion of clearly defined:
Phase expectations;
Phase acceptance criteria;
Security and control requirements;
Testing requirements; and
Documentation requirements;
The formality and effectiveness of quality assurance programs;
The effectiveness of risk management programs;
The adequacy of project request and approval procedures;
The adequacy of feasibility studies;
The adequacy of, and adherence to, standards and procedures relating to the:
Design phase;
Development phase;
Testing phase; and
Implementation phase;
The adequacy of project change controls;
The appropriate inclusion of organizational personnel throughout the project's life cycle;
The effectiveness of project communication and reporting procedures; and
The accuracy, effectiveness, and control of project management tools.
5. Assess the adequacy of quality assurance programs by evaluating:
The board's willingness to provide appropriate resources to quality assurance programs;
The completeness of quality assurance procedures (Are the deliverables of each project, and project phase, including the validation of initial project assumptions and approvals, appropriately assured?);
The scalability of quality assurance procedures (Are the procedures appropriately tailored to match the characteristics of the project?);
The measurability of quality assurance standards (Are deliverables assessed against predefined standards and expectations?);
The adherence to problem-tracking standards that require:
Appropriate problem recordation;
Appropriate problem reporting;
Appropriate problem monitoring; and
Appropriate problem correction;
The sufficiency of, and adherence to, testing standards that require:
The use of predefined, comprehensive test plans;
The involvement of end users;
The documentation of test results;
The prohibition against testing in production environments; and
The prohibition against testing with live data;
The sufficiency and effectiveness of testing programs regarding:
The accuracy of programmed code;
The inclusion of expected functionality; and
The interoperability of applications and network components; and
The independence of quality assurance personnel.
6. Evaluate the sufficiency of, and adherence to:
Routine and emergency program-change standards that require appropriate:
Request and approval procedures;
Testing procedures;
Implementation procedures;
Backup and backout procedures;
Documentation procedures; and
Notification procedures;
Controls that restrict the unauthorized movement of programs or program modules/objects between development, testing, and production environments;
Controls that restrict the unauthorized use of utility programs, such as:
Policy prohibitions;
Monitoring of use; and
Logical access controls;
Library controls that restrict unauthorized access to programs outside an individual's assigned responsibilities such as:
Logical access controls on all libraries or objects within libraries; and
Automated library controls that restrict library access and produce reports that identify who accessed a library, what was accessed, and what changes were made; and
Version controls that facilitate the appropriate retention of programs, and program modules/objects, revisions, and documentation.
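The program-change and environment-movement controls in step 6 can be tested directly rather than only by interview: reconcile every promotion into production against the approved change record, the build that actually passed testing, the approved implementation window, and (for emergency changes) the post-implementation approval. The script below is an added audit-test example, not part of this template or of any examiner's toolset. The deployment-log format, the ticket fields, the finding codes, and the 24-hour post-approval limit are assumptions, and all log lines and tickets are constructed for illustration.

```python
"""Reconcile production deployments against approved change records.

Added audit-test example (not part of the original template). The log
format, ticket fields, finding codes and all sample data are assumptions
constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed deployment log, one line per promotion into an environment.
# Assumed format: "<ISO time> env=<env> artifact=<name> sha256=<hex> by=<user> change=<ticket|none>"
DEPLOY_LOG = """\
2024-03-04T09:12:00 env=test artifact=ledger-api sha256=a1b2 by=build-bot change=CHG-1001
2024-03-05T22:03:10 env=prod artifact=ledger-api sha256=a1b2 by=jdoe change=CHG-1001
2024-03-06T01:45:31 env=prod artifact=ledger-api sha256=ffee by=jdoe change=CHG-1002
2024-03-07T14:20:00 env=prod artifact=report-svc sha256=9c9c by=asmith change=none
2024-03-08T03:10:00 env=prod artifact=batch-job sha256=7777 by=rlee change=CHG-1003
"""


@dataclass
class ChangeTicket:
    """Constructed change record: who approved it, the implementation window,
    the hash of the build that passed testing, and for emergency changes the
    post-implementation approval timestamp (None if never recorded)."""
    ticket: str
    approved_by: Optional[str]
    window_start: datetime
    window_end: datetime
    tested_sha256: str
    emergency: bool = False
    post_approval: Optional[datetime] = None


TICKETS = {
    # Routine change, properly approved, deployed inside its window with the tested build.
    "CHG-1001": ChangeTicket("CHG-1001", "mkhan", datetime(2024, 3, 5, 22, 0),
                             datetime(2024, 3, 5, 23, 0), "a1b2"),
    # Approver is also the implementer; deployed late; deployed hash is not the tested build.
    "CHG-1002": ChangeTicket("CHG-1002", "jdoe", datetime(2024, 3, 6, 0, 0),
                             datetime(2024, 3, 6, 1, 0), "c3d4"),
    # Emergency change with no post-implementation approval on file.
    "CHG-1003": ChangeTicket("CHG-1003", "mkhan", datetime(2024, 3, 8, 3, 0),
                             datetime(2024, 3, 8, 4, 0), "7777", emergency=True),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) env=(?P<env>\S+) artifact=(?P<artifact>\S+) "
    r"sha256=(?P<sha>\S+) by=(?P<actor>\S+) change=(?P<change>\S+)$"
)


def parse_log(text: str) -> list:
    """Parse the assumed log format; an unparseable record is itself an audit
    exception, so fail loudly rather than silently skipping it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable deployment record: {line!r}")
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def audit_production_changes(events, tickets, post_approval_limit=timedelta(hours=24)):
    """Return (location, finding_code) pairs for every production deployment
    that violates a change-control requirement from step 6."""
    findings = []
    for e in events:
        if e["env"] != "prod":
            continue  # promotions into dev/test are out of scope for this test
        where = f"{e['artifact']} @ {e['ts'].isoformat()}"
        t = tickets.get(e["change"])
        if t is None:
            findings.append((where, "NO_CHANGE_RECORD"))
            continue
        if t.approved_by is None:
            findings.append((where, "UNAPPROVED_CHANGE"))
        elif t.approved_by == e["actor"]:
            findings.append((where, "APPROVER_IS_IMPLEMENTER"))
        if not (t.window_start <= e["ts"] <= t.window_end):
            findings.append((where, "OUTSIDE_APPROVED_WINDOW"))
        if e["sha"] != t.tested_sha256:
            # Code reached production that is not the build the test phase signed off on.
            findings.append((where, "ARTIFACT_NOT_THE_TESTED_BUILD"))
        if t.emergency and (t.post_approval is None
                            or t.post_approval - e["ts"] > post_approval_limit):
            findings.append((where, "EMERGENCY_LACKS_POST_APPROVAL"))
    return findings


def run_audit():
    return audit_production_changes(parse_log(DEPLOY_LOG), TICKETS)


if __name__ == "__main__":
    for where, code in run_audit():
        print(f"{code:32s} {where}")
```

In a real engagement the deployment records would come from the deployment tool or the library-access reports named in this step, and the ticket data from the change-management system; the point of the reconciliation is that an approval on file is not evidence by itself. The deployed artifact must also be the one that passed testing, the implementer should not be the approver, and emergency changes still need a recorded after-the-fact approval.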
7. Evaluate the sufficiency of, and adherence to, patch-management standards and controls that require:
Detailed hardware and software inventories;
Patch identification procedures;
Patch evaluation procedures;
Patch request and approval procedures;
Patch testing procedures;
Backup and backout procedures;
Patch implementation procedures; and
Patch documentation.
8. Assess the adequacy of documentation controls by evaluating the sufficiency of, and adherence to, documentation standards that require:
The assignment of documentation-custodian responsibilities;
The assignment of document authoring and approval responsibilities;
The establishment of standardized document formats; and
The establishment of appropriate documentation library and version controls.
9. Assess the quality of application documentation by evaluating the adequacy of internal and external assessments of:
Application design and coding standards;
Application descriptions;
Application design documents;
Application source-code listings (or in the case of object-oriented programming: object listings);
Application routine naming conventions (or in the case of object-oriented programming: object naming conventions); and
Application operator instructions and user manuals.
10. Assess the quality of open source-code system documentation by evaluating the adequacy of internal and external assessments of:
System design and coding standards;
System descriptions;
System design documents;
Source-code listings (or in the case of object-oriented programming: object listings);
Source-code routine naming conventions (or in the case of object-oriented programming: object naming conventions); and
System operation instructions.
11. Assess the quality of project documentation by evaluating the adequacy of documentation relating to the:
Project request;
Feasibility study;
Initiation phase;
Planning phase;
Design phase;
Development phase;
Testing phase;
Implementation phase; and
Post-implementation reviews.
Note: If examiners employ sampling techniques, they should include planning and testing phase documentation in the sample.
12. Evaluate the security and integrity of system and application software by reviewing:
The adequacy of quality assurance and testing programs;
The adequacy of security and internal-control design standards;
The adequacy of program change controls;
The adequacy of involvement by audit and security personnel in software development and acquisition projects; and
The adequacy of internal and external security and control audits.
| Attachment (free download) | Size |
|---|---|
| change-management-audit-templates.jpg | 60.46 KB |
| change-management-audit-templates.pdf | 21.24 KB |
| change-management-audit-templates.xls | 29 KB |