Which of the following is required in effective IT change management?

IIA IIA-CIA-Part3 Question Answer

The sole responsibility for change management is assigned to an experienced and competent IT team

Change management follows a consistent process and is done in a controlled environment.

Internal audit participates in the implementation of change management throughout the organisation.

All changes to systems must be approved by the highest level of authority within an organization.

Explanation:

Effective IT Change Management Principles:

Change management ensures that modifications to IT systems are controlled, tested, and implemented in a way that reduces risks.

A structured and consistent process is required to prevent disruptions, maintain system integrity, and comply with governance requirements.

IIA Standard 2110 - Governance:

IT governance must include structured change management processes.

Change management should be repeatable and standardized to ensure effectiveness.

IIA GTAG (Global Technology Audit Guide) on Change Management:

Change management must be conducted in a controlled environment to minimize unintended consequences and security risks.

A. The sole responsibility for change management is assigned to an experienced and competent IT team. (Incorrect)

While IT plays a key role, change management should involve multiple stakeholders, including business units, security, compliance, and risk management teams.

IIA Standard 2120 - Risk Management states that risk oversight should not be assigned to a single function.

C. Internal audit participates in the implementation of change management throughout the organization. (Incorrect)

Internal audit evaluates change management but does not implement it.

IIA Standard 1000 - Purpose, Authority, and Responsibility emphasizes that internal audit provides independent assurance rather than operational involvement.

D. All changes to systems must be approved by the highest level of authority within an organization. (Incorrect)

Approvals should be based on a risk-based hierarchy rather than requiring executive-level approval for all changes.

IIA GTAG - Change Management recommends a tiered approval system based on change complexity and risk impact.

Explanation of Incorrect Answers:Conclusion:The most critical factor in effective IT change management is having a consistent, controlled process (Option B).

IIA References:

IIA Standard 2110 - Governance

IIA Standard 2120 - Risk Management

IIA Standard 1000 - Purpose, Authority, and Responsibility

IIA GTAG - Change Management

IIA IIA-CIA-Part3 View All Questions