IT compliance and IT governance
of change management

First of all, I (independent auditor) will show you what a best practice for standard change management processes looks like, based on ITIL. What do you have to consider here, e.g. for change enablement or for organizational changes in general?

And to what extent does COBIT (Control Objectives for Information and Related Technology; central set of rules for auditors/auditors), question SAP’s IT governance and IT change management?
To do this, it’s best to start by taking a closer look at a standard change management process.

• A standard change management process according to ITIL starts with a Change Request (Request for Change (RfC)).
• Regardless of how it is recorded (e.g., ticket system), step 2 consists of system registration and classification of the change request (e.g., as “Normal” or “Emergency”).
• Once the change request has been registered and classified in the ITSM tool, the monitoring and planning of the implementation of the change now begins according to ITIL. What are the expected costs, for example?
• The fourth step is the approval of the change. Here, the main factors for a decision are usually the available budget as well as the check whether the change request actually meets the competencies of the requestor.
• Now it is time for elaboration and testing (in the development system). Before this, the change must be released for testing by the user in charge.
• If the testing was successful, the person performing the test (usually the key user) releases the implementation.
• Step 7: Implementation in the operational system including QA checks
• Last but not least, ITIL evaluates whether the Change “delivers what was expected of it”. If this is not the case, the process starts all over again – which is not uncommon. This means that changes are always occurring.

In general, standard change management processes go beyond this:

• The priority and size of a change have no influence on the process itself.
• Process execution times and priorities can vary (e.g. higher prioritization of approval and release for “emergency” changes).
• All processes must be documented in an audit-proof manner.

So let’s now have a look at the most important processes regarding IT governance of change management for IT and SAP landscapes. To this end, COBIT provides a framework for IT governance from a control perspective.
But which COBIT documents are particularly relevant here? And what should you do, according to them, to get on the “safe side”?

BAI05 – Managed Organizational Change (Organisations Changes)

• Prepare stakeholders for business changes.
• Engage them and reduce the risk of failure.

BAI07 – Managed IT Change Acceptance and Transitioning (relevant for larger projects)

• Implement solutions safely and in line with agreed expectations and results
• Check, repeat and correct if necessary

BAI06 – Managed IT Changes (daily, minor changes)

• Enables fast and reliable changes
• Minimizes the risk of negative impacts on the stability or integrity of the modified environment

The COBIT document BAI06 deals with the daily, minor and thus often most frequent changes in an organization. Therefore, I would like to explain this to you in more detail:

BAI06.01 Evaluate, prioritize, and approve change requests.

• Evaluate all change requests to determine the impact on business processes and IT services and assess whether the change will negatively impact the operating environment and introduce unacceptable risks

BAI06.02 Manage emergency changes

• Manage emergency changes carefully to minimize further incidents.
• Ensure that the emergency change is controlled and runs safely.
• Ensure that emergency changes are appropriately evaluated and authorized after the change.

Important: Emergency changes must always be managed and documented separately.

BAI06.03 Track and report change status

• Maintain a tracking and reporting system to document rejected changes and communicate the status of approved, in-progress, and complete changes.
• Ensure approved changes are implemented as planned

BAI06.04 Finalize and document changes

• Update the solution, user documentation, and procedures affected by the change (e.g., “logging table”) each time changes are implemented.

The general rule for change management according to COBIT is that every change must be traceable in some way via a status – from request through testing and implementation to going live.The general rule for change management according to COBIT is that every change must be traceable in some way via a status – from request through testing and implementation to going live. Everything must also be documented in an audit-proof manner (continuous tracing from the change request to the go-live).

Information about me and Falk IT Audit & Consulting can be found at https://audit.falk-co.de/en/company and https://audit.falk-co.de/en.