HomeAbout UsServices Our ExpertsResources InsightsGet in Touch
Home/ Insights/ IT Audit
IT Audit

IT Change Management: The Control Most Organisations Get Wrong

Kamran Iqbal, CIA, CISA, CFE, CRMA May 2026 6 min read
IT change management is one of the most important — and most commonly deficient — areas of IT general controls. When change management works well, it ensures that modifications to IT systems are authorised, tested, and deployed in controlled ways that preserve system integrity and maintain business continuity. When it fails, it becomes a primary source of system outages, introduced security vulnerabilities, unintended control gaps, and data integrity issues.

What Effective Change Management Controls

Change management controls are designed to prevent four categories of IT change risk: unauthorised changes (changes that were not approved by appropriate parties), inadequately tested changes (changes deployed to production before sufficient testing in a non-production environment), changes that introduce security or control gaps, and failed changes that cause operational disruption without a tested recovery path.

Effective change management requires four structural elements to be present simultaneously: a formal change approval process with defined authority levels for different change categories; segregation between development and production environments so that developers cannot directly deploy to production; mandatory testing in a representative non-production environment before production deployment; and documentation of the change, its approval, its testing, and its deployment that creates an auditable trail.

Where Change Management Fails

In practice, change management controls fail at several predictable points. The first is the emergency change process — almost every change management framework provides an expedited path for emergency changes, which is necessary and legitimate. The failure occurs when the emergency path is used systematically for routine changes to avoid the rigour of the standard process, or when post-implementation documentation requirements for emergency changes are consistently not completed after the fact.

The second common failure is the separation between development and production. In many organisations, particularly smaller ones or those with agile development practices, the practical reality is that developers have some degree of production access — either directly or through tools and pipelines that do not enforce segregation rigidly. When this access is not adequately controlled and monitored, the fundamental protection that change management is designed to provide is compromised.

The third failure area is the quality of testing. Change approval processes that require testing evidence often receive test results that are too superficial to be meaningful — test plans that do not cover the full range of affected functionality, testing conducted in environments that do not adequately represent production, or test results that are completed as a formality after the deployment decision has effectively already been made.

Auditing Change Management

An effective change management audit examines the design of the change process — whether the control structure is adequate — and the operating effectiveness of that process over the audit period. Key procedures include:

  • Review of a sample of change records for completeness of documentation, evidence of testing, and evidence of authorisation
  • Comparison of approved change records against production deployment logs to identify unregistered changes
  • Analysis of emergency change frequency and post-implementation documentation completion rates
  • Assessment of developer access to production environments and associated compensating controls
  • Review of change failure rates and the root causes of post-deployment incidents linked to changes
Unregistered changes in production are a serious audit finding — not because they are necessarily malicious, but because they represent deployments that bypassed the controls designed to prevent system integrity failures. Any environment with a significant number of unregistered changes has lost visibility into a key risk area.

Change Management in Agile and DevOps Environments

Traditional change management frameworks were designed for waterfall development environments with infrequent, large-scale deployments. Modern agile and DevOps practices deploy changes much more frequently — sometimes multiple times per day — making traditional approval and documentation processes impractical at the individual change level. Auditing change management in these environments requires understanding how the organisation has adapted change controls for its development model: automated testing pipelines, deployment gates, infrastructure-as-code practices, and code review processes provide control compensations that must be assessed differently from traditional change management procedures.

Share

Request Training

CTC Global delivers expert-led training on IT Audit topics for corporate teams across all sectors.

Request Training Proposal View All Services

Related Publications

Deepen your knowledge with our practical books, revision kits, and toolkits.

Book
ITGC Audit PlaybookComprehensive guide to auditing IT general controls across all four domains.
Book
Cybersecurity Audit for Internal AuditorsA practical, non-technical guide to auditing information security controls.
 Browse All Publications →

About the Author

Kamran Iqbal is a seasoned internal audit and risk professional holding CIA, CISA, CFE, and CRMA credentials. He leads CTC Global's training and consultancy practice across Pakistan and the UAE.

View Full Profile →

Continue Reading

More practical insights from CTC Global on IT Audit and related topics.

← Back to All Articles & Insights