Institute of Internal Auditors Issues Second Report for Establishing IT-Audit Best Practices and Organizational Workflow; New Prescriptive Guide Helps Organizations Manage Change and Patch Management

Business Wire, July 11, 2005

CHICAGO -- At the Institute of Internal Auditors (IIA) International Conference, the IIA today released the second installment of the Global Technology Audit Guides (GTAG), a series of reports that provides chief internal audit executives (CAEs) and their staffs with governance-level guidance and leadership for specific technology areas. The report, titled Change and Patch Management Controls: Critical for Organizational Success, delivers field-tested metrics for quantitatively assessing the strength of change management processes, as well as suggested management guidelines to achieve and sustain higher levels of control and performance.

According to Gartner, a leading provider of research and analysis on the global IT industry, of all the IT disciplines, change management is one of the most challenging to properly implement. Operational change control requires IT management to take action toward adopting change policy guidelines. This, coupled with the increasing frequency and severity of corporate frauds and the growing complexity of compliance mandates, has created the need for internal auditors, IT professionals and security management to work together to align organizational goals and best practices.

"Today's internal auditor is facing many challenges in trying to ensure organizations are complying with regulations that help mitigate business risk," says IIA President Dave Richards. "The audit community is looking for prescriptive guidance that enables process improvement, while enhancing challenge resolution and compliance attestation."

Patch management, a key component of change management, often creates vulnerabilities due to its complexity, resource-intensive nature and ability to change critical system libraries and programs. Most patches come with inadequate information and rarely provide documentation describing what was changed. These factors make the change success rate for patches much lower than typical changes, requiring more comprehensive testing.

"Inevitably, organizations that approach security from the perspective of technology fixes are more vulnerable to business risk and wind up doing more unplanned work than they would have if the right processes were in place," said Gene Kim, co-author of the GTAG, CTO of Tripwire and director of research for the IT Process Institute. "In order to reduce risk and improve effectiveness, you need a solid foundation of controls in the change and patch management processes. This is done by implementing effective preventative, detective and corrective controls, all acting together in an integrated manner."

The Change and Patch Management Controls GTAG provides internal auditors and CAEs quantitative analysis, field-tested metrics, evaluation tools and management guidance to help assess the overall level of process risk associated with change management policies. It provides practitioners with tools that enable process improvement, enhanced challenge resolution, and compliance attestation.

About GTAG

Available free-of-charge electronically, the GTAG series is a ready resource for CAEs to use in the assessment of technology-associated risks, the implementation of recommended best practices, and the education of members of the audit committee of the board of directors, management, process owners, and others who drive governance of IT resources. The series takes a pragmatic approach by transforming the mass of information, including many of the numerous control frameworks organizations are confronted with today, into valuable guidance for analyzing IT controls. It also provides guidance for discussing IT risk management strategies across the enterprise with senior management and audit committees.

The material provided in the global series includes input from a wide range of sources including audit and security experts, board members, chief executives, financial executives, technology providers and IT and security executives. To ensure the guides written to date are accurate from legal, insurance, regulatory and standards perspectives, several GTAG partners were involved in the review process including the American Institute of Certified Public Accountants (AICPA), Center for Internet Security (CIS), Canadian Institute of Chartered Accountants (CICA), Carnegie Mellon University Software Engineering Institute (CMU SEI), Information Systems Security Association (ISSA), IT Process Institute (ITPI), National Association of Corporate Directors (NACD) and SANS Institute.

The IT Controls GTAG and Change and Patch Management Controls GTAG are currently available in electronic format (PDF) at www.theiia.org. Hard copies will be available soon for purchase from the IIA Bookstore.

About The IIA

Established in 1941, The IIA has more than 100,000 members worldwide. It serves as the internal audit profession's global voice, recognized authority, acknowledged leader, principal educator, and chief advocate. The Institute monitors legislation, regulations and pronouncements of other professional organizations throughout the world on matters that directly or indirectly impact the practice of internal auditing. It provides the International Standards for the Professional Practice of Internal Auditing and offers a variety of leading-edge professional development opportunities, a comprehensive certification program, thorough quality assessment services, benchmarking surveys, and valuable research reports and educational products through The IIA Research Foundation.

COPYRIGHT 2005 Business Wire
COPYRIGHT 2008 Gale, Cengage Learning

Content provided in partnership with Thompson Gale