Simplifying the SAP IT Change Management Audit: Key Elements Part III
Last month I began a new series on simplifying an SAP IT change management audit through change control automation and provided an overview of the IT change management audit scope and the various elements considered. There are a number of key elements included in an IT change management audit with each element considered critical to effective change management to ensure changes are developed, tested and deployed in a controlled and authorized manner.
This month I take a deeper look at the first few key SAP IT change management elements i.e. change management policies and procedures and change initiation and approval and discuss briefly their simplification through use of automation.
Element 1: Change management policies and procedures
Formally documented change management processes and the effective maintenance of them are expected to prevent faulty or damaging change being delivered into Production systems.
Reviewing these documented change management processes and checking that the processes are being followed for each change introduced into the system validates a) the processes exist and b) the disciplines of the team in managing the changes to the process.
The policies and procedures audit element will verify important change management policy components such as;
- the existence and documentation of change management process(s),
- SAP applications/systems have persons accountable for their management,
- things like change management accountabilities, process flows, scheduling, change handling and exceptions to the norm are included within change management procedures, and
- a process exists for change management procedures maintenance.
By automating change management policies and procedures certain guarantees can be made. Firstly, one can guarantee that every change has been promoted to Production via a predetermined process. Secondly, automation can guarantee that the process, system owners involved, the approvals received along the way and other required information has been fully documented for each change. Finally, automation guarantees that a full audit trail is in place attesting to the first and second guarantees.
Element 2: Change initiation and approval
Change initiation and approval policies prevent unauthorized changes being introduced into Production systems which may cause Production problems.
Reviewing change request initiation and approval processes validate the process by which each change is initiated and effectively approved.
The change initiation and approval audit element will verify that;
- a process is in place to request and approve requests for change,
- the request for change documents things like the requestor and their details, the reason for the change, potential impact of the change and the approver of the change,
- change requests are prioritized, and
- estimated time to complete and costs are included.
Automating (and enforcing) the change request process will guarantee that no unauthorized change takes place and that all changes are processed according to priority, potential impact and a predetermined schedule and that appropriate approvals have been obtained and recorded.
Of course there can be a great deal of further detail required from each element during an IT audit, for example, evidence of segregation of duties, records retention, and emergency exceptions and so on. All components easily managed via automation with the right technology selection and configuration.
In our next post I will take a look at the SAP IT change management audit elements that verify the policies and procedures around compliance testing and managing emergency change.