
Why does audit care so much about change management?

In the world of Sarbanes-Oxley (SOX), section 404 is concerned with the integrity of financial reporting. As such, material systems are scrutinized to ensure they provide accurate information to the financial reporting process. To this end, new systems are to be tested and validated before becoming the system of record, to safeguard the sanctity of financial reports. To prove that existing systems were accurate, many management teams had to undertake expensive baselining processes in which transactions were tracked through the systems from end to end to ensure proper processing. Change management is so important from a control perspective because once those systems go live, or after the baseline is performed, any uncontrolled change calls into question the validity of the information provided to the financial reporting process. Audit must be able to see that all changes are reviewed, tested and accounted for, and that the only acceptable level of unauthorized change is zero.

 

In this regard, Visible Ops can help organizations create an initial change management process and then work towards a closed-loop model in which all changes are accounted for. As mentioned in the Visible Ops handbook, IT must be prepared to provide a list of all changes, and ideally this list should be the entire population of detected changes found by an automated, objective detective control. For each change, IT should be able to generate documentation showing that the change was properly managed from the initial user request through review, approval, and implementation according to the organization’s change management policy. The objective is to demonstrate that all changes are accounted for and that the integrity of financial reporting was not compromised.
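
The closed-loop reconciliation described above can be sketched as follows. This is an added example, not part of the original post or of the Visible Ops handbook; the ticket schema, host names, paths and sample records are all constructed assumptions.

```python
from datetime import datetime

# Constructed change tickets (hypothetical schema, not from any real tool).
TICKETS = [
    {"id": "CHG-1001", "host": "erp-db01", "scope": "/opt/erp/bin/", "approved": True,
     "start": "2006-04-10T22:00", "end": "2006-04-11T02:00"},
    {"id": "CHG-1002", "host": "erp-app01", "scope": "/etc/erp/", "approved": False,
     "start": "2006-04-11T08:00", "end": "2006-04-11T12:00"},
    {"id": "CHG-1003", "host": "erp-app01", "scope": "/opt/erp/lib/", "approved": True,
     "start": "2006-04-12T22:00", "end": "2006-04-13T02:00"},
]

# Constructed output of a detective control such as file-integrity monitoring.
DETECTED = [
    {"host": "erp-db01", "path": "/opt/erp/bin/post_gl", "time": "2006-04-10T23:15"},
    {"host": "erp-db01", "path": "/opt/erp/bin/post_gl", "time": "2006-04-12T14:03"},
    {"host": "erp-app01", "path": "/etc/erp/tax.conf", "time": "2006-04-11T09:30"},
]

def _ts(value):
    return datetime.fromisoformat(value)

def matching_ticket(change, tickets):
    """Return the id of an approved ticket covering host, path and time, else None."""
    for t in tickets:
        if (t["approved"] and t["host"] == change["host"]
                and change["path"].startswith(t["scope"])
                and _ts(t["start"]) <= _ts(change["time"]) <= _ts(t["end"])):
            return t["id"]
    return None

def reconcile(detected, tickets):
    """Split the full population of detected changes into authorized and unauthorized."""
    authorized, unauthorized = [], []
    for change in detected:
        ticket_id = matching_ticket(change, tickets)
        if ticket_id:
            authorized.append((change["path"], change["time"], ticket_id))
        else:
            unauthorized.append((change["host"], change["path"], change["time"]))
    evidenced = {a[2] for a in authorized}
    # Approved tickets with no detected change lack implementation evidence.
    no_evidence = [t["id"] for t in tickets if t["approved"] and t["id"] not in evidenced]
    return {"authorized": authorized, "unauthorized": unauthorized, "no_evidence": no_evidence}

if __name__ == "__main__":
    for bucket, rows in reconcile(DETECTED, TICKETS).items():
        print(bucket, rows)
```

A change made outside its approved window, or under a ticket that was never approved, lands in the unauthorized list even though a ticket exists for it.
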
Published Monday, April 17, 2006 1:00 AM by George Spafford