Change management is important to IT leaders and the enterprise as a whole. Over the past decade, companies have been tackling change management to some degree. While most enterprises have taken steps to establish and refine change management procedures, more can be done. And the importance of doing so is not simply a management issue, but also one of compliance with security, regulatory and audit provisions.
Failures in the area of change management have far-reaching consequences. Poor change management practices can result in a failure to meet service commitments. They can also put organizations in a precarious position involving audits and a negative public image.
Compliance refers to adhering to a variety of policies and regulatory provisions. IT governance, or running IT as a business, involves risk management, portfolio management, productivity and measuring financial results for IT investments. Change management plays a role both in compliance and governance from an audit perspective and operationally to ensure that all changes meet established policies and the provisions for related regulations.
Common issues arising with change management are related to difficulty handling emergency changes to material systems, unauthorized changes and problems dealing with security and unauthorized access. Other concerns of particular interest to auditors tend to focus on these questions: Did the work get completed as planned? Why was the approved request not completed? And why was there no request for a particular change?
The key to meeting many of these challenges is tight control on the change management process. There may be loopholes in approval procedures or in the change management guidelines. Reporting and tracking can also be a limitation due to insufficient automation in change management software and a lack of capabilities for tracking change history.
Some specific areas to address in managing the change process are:
• Request management - determining who will initiate the change and how the workflow for the change will be managed. Consider how the service desk can be effectively used for initiating and tracking changes, making certain to provide a means for the change through its workflow steps.
• Change approval - allows the organization to take the necessary precautions in approving any change, involving the right people, and evaluating implications to the best of your ability. At the same time, no company wants to create too many gates or involve too many people so that it becomes inefficient. Many organizations have established a Change Advisory Board (CAB). The CAB is a cross-section of individuals that meet on a periodic basis, usually weekly, to plan and approve changes that will be needed over the coming week. This works well for important changes. However, lower thresholds should be established for more routine changes - this would allow, for example, department supervisors to approve smaller changes.
• Security and direct access. Unauthorized system and database access is a concern, as well as maintaining the confidentiality of information. It is true that employees and their respective roles change frequently, and controlling appropriate access to all types of systems is difficult and requires diligence on the part of administration.
• Unauthorized and emergency changes. Perhaps the stickiest part of change management is determining how you will deal with unauthorized and emergency changes. The problem is twofold: It is difficult to document a change that has already taken place, and in many organizations staff members are resistant to the change management process itself. Decisions need to be made in advance as to the consequences of failure to follow procedures as well as those that cannot be foreseen.
Comments (1)
Bridging the gaps
By Anonymous on August 5, 2008, 3:42 pm
Lisa, you hit the nail on the head by saying more can be done around the area of change management, especially considering most outages are caused by unplanned change....