What room number are we in?
3F09
True or False:
The only compliance guideline that organizations need to follow is the SOX Act.
False
What is the first step in a typical change process?
A) Implement the change
B) Identify the need for a change
C) Obtain business justification
D) Schedule and coordinate the change
B) Identify the need for a change
Explanation? Seriously?
What software do we use in the lab activities?
ACL
What did we not discuss regarding patches?
A) How vendors automatically roll out patches
B) Success rate of pimple patches
C) How patches can increase the chance of cyberattacks
Pimple Patches
What type of change involves urgent fixes, such as applying a security patch to address a vulnerability?
A) Regular Changes
B) Emergency Changes
C) Preapproved Changes
D) Automation 'Bot-driven' Changes
B) Emergency Changes
Explanation: Emergency changes are to correct immediate issues that cause service disruption.
Regarding the controls in place supporting the change management process, we want to provide assurance that the controls supporting the processes are:
Designed appropriately and operate effectively.
What position did Amit hold at Grand River Hospital before teaching at Conestoga College?
Chief Audit Executive
Which of the following environments is typically used for end-user testing before a change is deployed to production?
A) Development (DEV)
B) Testing (TEST)
C) User Acceptance Testing (UAT)
D) Production (PROD)
C) User Acceptance Testing (UAT)
Explanation: UAT is a type of testing performed by the end-user or the client to verify the functionality and usability of the software system. It's the last phase before moving to PROD.
True or False: Internal audit can provide value to the organization regarding its change management process by participating as voting members of the change advisory board.
False. They can provide value by participating as non-voting members of the change advisory board.
What report created by the vendors do we not have to review when evaluating third-party risks associated with Change Management?
A) Financial Statements
B) DE & I Report
C) System/Entity Reports
System and Entity Level Reports
Which of the following best describes 'preapproved changes'?
A) Changes that are scheduled for implementation.
B) Routine, low-risk changes that do not require additional approval
C) Urgent fixes for critical issues
D) Automated updates by bots
B) Routine, low-risk changes that do not require additional approval
Explanation:
A) is Regular Changes
B) is Preapproved Changes
C) is Emergency Changes
D) is Automation "bot-driven" Changes
Name any 3 of 5 factors mentioned in the slides that can impact the scope of the engagement:
Internal audit staffing, time sensitivity, mitigating processes, prior deficiencies, and newly identified risks.
What emerging risk regarding change management did we not discuss today?
A) BYOB
B) BYOD
C) Cloud Systems
BYOB
Which of the following best describes the role of a Change Approval Board (CAB) in the change management process?
A) The CAB is responsible for testing changes in the User Acceptance Testing environment
B) The CAB evaluates, authorizes, and prioritizes change requests to ensure they align with organizational goals
C) The CAB is tasked with training employees on new changes
D) The CAB monitors the implementation of changes in real-time
B) The CAB evaluates, authorizes, and prioritizes change requests to ensure they align with organizational goals
Explanation:
A) End-users or clients will test and validate the changes in the UAT environment.
B) CAB
C) HR, project experts, and trainers help the employees to adapt to the changes.
D) The Change Control Board (CCB) can monitor the implementation status of changes in real time.