IT Change Management Audit Templates

Download Free IT Change Management Audit Templates
1. Identify strengths and weaknesses relating to development, acquisition, and maintenance activities, through a review of:
Prior reports of examination;
Internal and external audits;
Regulatory, audit, and security reports from key service providers;
Organizational charts;
Network topology maps; and
Résumés of technology managers.

2. Review management's response to report and audit findings to determine:
The adequacy and timing of corrective actions;
The resolution of root causes rather than just specific issues; and
The existence of outstanding issues.

3. Review applicable documentation and interview technology managers to identify:
The type and frequency of development, acquisition, and maintenance projects;
The formality and characteristics of project management techniques;
The material changes that impact development, acquisition, and maintenance activities, such as:
Proposed or enacted changes in hardware, software, or vendors;
Proposed or enacted changes in business objectives or organizational structures; and
Proposed or enacted changes in key personnel positions.

4. Evaluate the adequacy of development activities by assessing:
The adequacy of, and adherence to, development standards and controls;
The applicability and effectiveness of project management methodologies;
The experience of project managers;
The adequacy of project plans, particularly with regard to the inclusion of clearly defined:
Phase expectations;
Phase acceptance criteria;
Security and control requirements;
Testing requirements; and
Documentation requirements;
The formality and effectiveness of quality assurance programs;
The effectiveness of risk management programs;
The adequacy of project request and approval procedures;
The adequacy of feasibility studies;
The adequacy of, and adherence to, standards and procedures relating to the:
Design phase;
Development phase;
Testing phase; and
Implementation phase;
The adequacy of project change controls;
The appropriate inclusion of organizational personnel throughout the project's life cycle;
The effectiveness of project communication and reporting procedures; and
The accuracy, effectiveness, and control of project management tools.

5. Assess the adequacy of quality assurance programs by evaluating:
The board's willingness to provide appropriate resources to quality assurance programs;
The completeness of quality assurance procedures (Are the deliverables of each project, and project phase, including the validation of initial project assumptions and approvals, appropriately assured?);
The scalability of quality assurance procedures (Are the procedures appropriately tailored to match the characteristics of the project?);
The measurability of quality assurance standards (Are deliverables assessed against predefined standards and expectations?);
The adherence to problem-tracking standards that require:
Appropriate problem recordation;
Appropriate problem reporting;
Appropriate problem monitoring; and
Appropriate problem correction;
The sufficiency of, and adherence to, testing standards that require:
The use of predefined, comprehensive test plans;
The involvement of end users;
The documentation of test results;
The prohibition against testing in production environments; and
The prohibition against testing with live data;
The sufficiency and effectiveness of testing programs regarding:
The accuracy of programmed code;
The inclusion of expected functionality; and
The interoperability of applications and network components; and
The independence of quality assurance personnel.

6. Evaluate the sufficiency of, and adherence to:
Routine and emergency program-change standards that require appropriate:
Request and approval procedures;
Testing procedures;
Implementation procedures;
Backup and backout procedures;
Documentation procedures; and
Notification procedures;
Controls that restrict the unauthorized movement of programs or program modules/objects between development, testing, and production environments;
Controls that restrict the unauthorized use of utility programs, such as:
Policy prohibitions;
Monitoring of use; and
Logical access controls;
Library controls that restrict unauthorized access to programs outside an individual's assigned responsibilities such as:
Logical access controls on all libraries or objects within libraries; and
Automated library controls that restrict library access and produce reports that identify who accessed a library, what was accessed, and what changes were made; and
Version controls that facilitate the appropriate retention of programs, and program modules/objects, revisions, and documentation.

7. Evaluate the sufficiency of, and adherence to, patch-management standards and controls that require:
Detailed hardware and software inventories;
Patch identification procedures;
Patch evaluation procedures;
Patch request and approval procedures;
Patch testing procedures;
Backup and backout procedures;
Patch implementation procedures; and
Patch documentation.

8. Assess the adequacy of documentation controls by evaluating the sufficiency of, and adherence to, documentation standards that require:
The assignment of documentation-custodian responsibilities;
The assignment of document authoring and approval responsibilities;
The establishment of standardized document formats; and
The establishment of appropriate documentation library and version controls.

9. Assess the quality of application documentation by evaluating the adequacy of internal and external assessments of:
Application design and coding standards;
Application descriptions;
Application design documents;
Application source-code listings (or in the case of object-oriented programming: object listings);
Application routine naming conventions (or in the case of object-oriented programming: object naming conventions); and
Application operator instructions and user manuals.

10. Assess the quality of open source-code system documentation by evaluating the adequacy of internal and external assessments of:
System design and coding standards;
System descriptions;
System design documents;
Source-code listings (or in the case of object-oriented programming: object listings);
Source-code routine naming conventions (or in the case of object-oriented programming: object naming conventions); and
System operation instructions.

11. Assess the quality of project documentation by evaluating the adequacy of documentation relating to the:
Project request;
Feasibility study;
Initiation phase;
Planning phase;
Design phase;
Development phase;
Testing phase;
Implementation phase; and
Post-implementation reviews.
Note: If examiners employ sampling techniques, they should include planning and testing phase documentation in the sample.

Evaluate the security and integrity of system and application software by reviewing:
The adequacy of quality assurance and testing programs;
The adequacy of security and internal-control design standards;
The adequacy of program change controls;
The adequacy of involvement by audit and security personnel in software development and acquisition projects; and
The adequacy of internal and external security and control audits.

Free Download

Attachment                               Size
change-management-audit-templates.jpg    60.46 KB
change-management-audit-templates.pdf    21.24 KB
change-management-audit-templates.xls    29 KB
