How Should I Engage Internal Audit In The Change Management Process?
By the book, audit engagements has four distinct phases: planning, fieldwork, reporting and follow-up. Life in IT management sucks when your time with auditors is dominated by preparing and undergoing audits as they do their fieldwork (imagine teams of auditors showing up with suitcases). Or actually, far worse, when they’re walking you through their findings, extracting promises from you to have them fixed within 90 days in front of your boss. Obviously, the way to reduce time spent in both of these areas is to have an effective change management processes, with both preventive controls (e.g., defined policies, defined authorization levels, defined consequences when people go around the process, etc.) and detective controls (e.g., monitoring and reconciliation controls like Tripwire). This allows you to assert and substantiate that you have no unauthorized changes. But, provided that you have these controls in place, there is also a less formal way that you can help increase auditors’
