Skip Ribbon Commands
Skip to main content

Global Technology Audit Guide (GTAG) 2: Change and Patch Management Controls: Critical for Organizational Success, 2nd Edition

GTAG 2Every “IT risk” creates some degree of business risk, making it important for Chief Audit Executives (CAEs) to thoroughly understand IT change and patch management issues. GTAG 2: Change and Patch Management Controls: Critical for Organizational Success, 2nd Edition discusses these issues in a language that allows CAEs to build confidence in their knowledge of the area and add value to the conversation when communicating with senior management, the board, and IT management.

IT change and patch management is defined as the set of processes executed within the organization’s IT department designed to manage the enhancements, updates, incremental fixes, and patches to production systems, which include:

  • Application code revisions.
  • System upgrades (applications, operating systems and databases).
  • Infrastructure changes (servers, cabling, routers, firewalls, etc.) .

Stable and managed IT production environments require that implementation of changes be predictable and repeatable, following a controlled process that is defined, monitored, and enforced. Segregation of duties (e.g. separation of preparer, tester, implementer, and approver roles) and monitoring controls will reduce the risk of fraud and errors in the process.

Internal auditors should be familiar with these key controls in the IT change management process:

  • Only the minimal staff required to implement IT production changes should have access to the production environment (preventive).
  • Authorization processes should involve stakeholders to assess and mitigate risks associated with proposed changes (preventive).
  • Supervisory processes should encourage IT management and staff to undertake their duties responsibly (preventive) and be able to detect errant performance (detective).

This guide was developed to help internal auditors ask the right questions of the IT organization to assess its change management capability, to assess the overall level of process risk, and to determine whether a more detailed process review may be necessary.

After reading this guide, you will:

  • Have a working knowledge of IT change management processes.
  • Be able to distinguish between effective and ineffective change management processes.
  • Be able to recognize red flags and indicators that IT environments are experiencing control issues related to change management.
  • Understand that effective change management hinges on implementing preventive, detective, and corrective controls to enforce segregation of duties and ensure adequate management supervision.
  • Be able to recommend best practices for addressing these issues, both for assurance of risks (including controls attestations), as well as increasing effectiveness and efficiency.
  • Be able to sell your recommendations more effectively to your chief information officer, chief executive officer, and/or chief financial officer.

Downloads and Links

English     French

Non-members may purchase this GTAG from the IIA Bookstore.


An updated edition of the International Professional Practices Framework (IPPF) guide, more commonly known as the Red Book, is now available. Visit the IIA Bookstore for more information.