CHANGE MANAGEMENT & CHAPTER 4 IT CONTROL COURSE


Post on 03-Sep-2019



Session objectives

The aims of this session are:

• to describe the importance of change management controls in application development
• to identify risks associated with inadequate change controls and the controls a client may put in place to address those risks.

Introduction

The systems development process should lead to the implementation of a system which satisfies audit requirements:

• Change is inevitable
• Changes may affect many parts of the system
• Have impact on the audit trail, control systems, system functionality and system logic
• Effect of change may be out of proportion

What Is Change Management

Change management

• is a systematic approach to dealing with change, both from the perspective of an organization and on the individual level.
• has at least three different aspects, including: adapting to change, controlling change, and effecting change

A proactive approach to dealing with change is at the core of all three aspects

Level Of Change Management

In organisational acceptance

• For an organization, change management means defining and implementing procedures and/or technologies to deal with changes in the business environment and to profit from changing opportunities.

In application development process

• In a computer system environment, change management refers to a systematic approach to keeping track of the details of the system (for example, what operating system release is running on each computer and which fixes have been applied).

System migration

• A structured procedure to change from existing to new system

OBJECTIVE OF CHANGE MANAGEMENT

The objective of Change Management is to ensure that standardised methods and procedures are used for It’s client

Reasons for system changes

• To enhance functionality
• To make systems operations easier, more efficient
• To increase capacity or performance
• Routine updates
• To meet changes in business or reporting requirements
• To rectify problems
• To improve security
• To adhere to changes in policies, guidelines, standards
• To suit organisation's

Aim of change controls

Change controls are designed to ensure that all changes to systems configurations are authorised, tested, documented and controlled, that the systems operate as intended and that there is an adequate audit trail of changes.

Risks associated with inadequate change controls

changes

• Unauthorised changes
• Implementation problems
• Erroneous processing, reporting
• User dissatisfaction
• Maintenance problems
• Use of unauthorised software and hardware
• Problems with emergency

Change control procedures

• Procedures for change request
• Procedures for management authorisation
• Management review of the effects of any changes
• Maintenance of adequate records
• Procedures for making emergency changes
• Thorough testing before amended software is used in the live environment
• The preparation of fallback plans

National Audit Academy


Change considerations

• The potential impact on the IT systems and services to users (capacity, security, system response times, reliability)
• The effect of not implementing the change (the do nothing approach)
• Resources required to implement the change (costs, people)
• Future resource requirements if the change goes ahead

Change Process

[Diagram: change process. Labels: Approved RFC; Updated Systems/User Documentation; Source Code; Accepted Programs; Application Programmer; User Acceptance Testing]

EXAMPLE SOURCE CODE

Request For Change Form (RFC)

• Application
• Change Requested By
• Date of Change Request
• Change Description and impact
• Change Priority
• Impact Assessment: technical/business/financial/timing impact
• Signatories


Change reviews

Carried out to determine:

• if the change has achieved the planned results
• if users are content with the amended product
• if there have been any unforeseen problems or unexpected side effects
• if the resources required to implement and operate the amended system were as planned.
• whether any lessons can be learnt for the next time

Emergency Changes

Emergency change procedures are used when the normal change procedures take too long.

"Quick fix" procedures

Controls are still required, e.g.

• Emergency change approval
• Audit trail
• Retrospective approval
• Retrospective testing
• Documentation

Version control for software/application

• A combination of technologies and practices for tracking and controlling changes to source code.
• Work on a copy of source code with the latest version
• Ensures correct software version being used in the live environment.

Version Control

• Need for consistency
• Current version in production library
• Archiving of old versions
• Version numbers used as identifiers, e.g. Version 1.0, 1.1, 1.1.3, 2.7 etc

Amendment tools and facilities