c) Explain the enterprise procedures for IT change control management
IT change control ensures that all changes made to IT systems are documented,
tested, and approved before being implemented. Change control procedures ensure that
change is managed and does not introduce new risks. Change procedures would involve
generating a change request, designing the change, testing the change, and approving the
change before implementing it in production.
Evidence of the implementation of change control procedures can be obtained from the
change control documentation that those procedures generate, such as change request
forms and testing and implementation documents. Where these
procedures do not exist, it is recommended that the IS auditor advise management to take
appropriate action.
d) What criteria are used to ensure that IT staff are trained in operating IT systems?
Training is a key part of ensuring effective IT service delivery in an enterprise. IT
management should ensure that all relevant staff are trained to run IT systems efficiently.
Trained members of staff have high motivation and perform better. All training programs
should be based on training needs and related to the requirements of IT systems deployment
in the IT infrastructure. Most training on IT systems that have been deployed in the
enterprise is conducted by vendors.
Information on staff training criteria can be obtained from the training plans, job
descriptions, needs assessments, and actual training objectives.
The IS auditor can also interview members of staff about the effectiveness of the training
they attended. It is expected that after training, the performance of staff should improve.
Supervisors can be a good source of such information on staff performance.
e) What controls does the enterprise have regarding access to IT systems by IT system
administrators?
System administrators normally access the systems using administrator accounts on
application or network operating systems. The IT system administrators can also access the
systems using their own personal accounts which have administrator privileges. Administrator
accounts can be controlled by using access controls, such as granting or limiting rights for
administrators, using a password policy based on job descriptions, and monitoring the use of
such accounts.
More information on administrator accounts can be obtained from audit trails and from the
password and account policy settings on the IT systems. In some enterprises these settings
are documented, and they can be found on the system. Data generated from monitoring systems
can also be used as evidence for audit purposes.