I am currently working on an IT change management audit. I have read through GTAG2 and came across something that had me questioning something. It states there should be a detective control that detects unauthorized changes. How does your organization do this? Is there a software program that does this?
Someone without the ability to perform system maintenance should periodically review changes in the system, and trace a sample of transactions to supporting documentation/approval. Unless authorizations are required and recorded within the IT system, it would not be possible to use a software program to automatically identify unauthorized changes.
If an electronic approval is required by the system, and recorded in the system, then you could run a simple report showing all changes and the approval for each change as recorded in the system, or even better, run an exception report showing all changes without accompanying approvals.
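The exception report described in the reply above, as an added example that is not part of the original thread: it reconciles an independently produced change log (for example the diff from a file-integrity or configuration baseline) against the approval records and lists every detected change that no approval covers, plus the reverse finding, approvals with no detected change. The record fields, hostnames, paths, ticket numbers and timestamps are constructed sample data and assumptions for illustration, not the poster's SharePoint schema.

```python
"""
Exception report: detected changes with no matching approval.

Illustration added to the thread, not the original poster's code.
`SAMPLE_DETECTED` stands in for an independently generated change log
(e.g. a file-integrity or config-baseline diff); `SAMPLE_APPROVALS`
stands in for the approval records. All field names and values are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Change:
    host: str
    path: str
    when: datetime
    who: str


@dataclass(frozen=True)
class Approval:
    ticket: str
    host: str
    path_prefix: str      # scope of the approved change
    start: datetime       # approved implementation window
    end: datetime
    approved_by: str


def covers(approval: Approval, change: Change) -> bool:
    """An approval covers a change only if host, scope and window all match."""
    return (approval.host == change.host
            and change.path.startswith(approval.path_prefix)
            and approval.start <= change.when <= approval.end)


def exception_report(detected, approvals):
    """Split detected changes into (matched, exceptions).

    matched: list of (change, ticket) pairs
    exceptions: changes no approval covers, i.e. potentially unauthorized
    """
    matched, exceptions = [], []
    for change in detected:
        hits = [a for a in approvals if covers(a, change)]
        if hits:
            matched.append((change, hits[0].ticket))
        else:
            exceptions.append(change)
    return matched, exceptions


def unused_approvals(detected, approvals):
    """Tickets approved but never implemented: a secondary audit finding."""
    return [a.ticket for a in approvals
            if not any(covers(a, c) for c in detected)]


# Constructed sample data (assumed, not real records).
T = datetime(2013, 4, 10, 9, 0)

SAMPLE_APPROVALS = [
    Approval("CHG-101", "web01", "/etc/nginx/", T, T + timedelta(hours=4), "j.smith"),
    Approval("CHG-102", "db01", "/etc/postgresql/",
             T + timedelta(days=1), T + timedelta(days=1, hours=2), "a.lee"),
]

SAMPLE_DETECTED = [
    # inside CHG-101 scope and window -> matched
    Change("web01", "/etc/nginx/nginx.conf", T + timedelta(hours=1), "ops"),
    # same host and window, but outside the approved scope -> exception
    Change("web01", "/etc/ssh/sshd_config", T + timedelta(hours=1, minutes=30), "ops"),
    # in CHG-102 scope, but a day after the approved window -> exception
    Change("db01", "/etc/postgresql/pg_hba.conf", T + timedelta(days=2), "dba"),
]


if __name__ == "__main__":
    matched, exceptions = exception_report(SAMPLE_DETECTED, SAMPLE_APPROVALS)
    for change, ticket in matched:
        print(f"OK        {change.host}:{change.path} {change.when} -> {ticket}")
    for change in exceptions:
        print(f"EXCEPTION {change.host}:{change.path} {change.when} by {change.who}")
    for ticket in unused_approvals(SAMPLE_DETECTED, SAMPLE_APPROVALS):
        print(f"UNUSED    {ticket} approved but no change detected")
```

The detective control is only as good as the independent change source fed into it: if the change log comes from the same people who make the changes, it can be edited along with the change, so the baseline diff or audit log should be collected and stored by someone without maintenance rights. Matching on scope and window, rather than on host alone, is what catches the two realistic cases in the sample: a change slipped in under cover of an unrelated ticket, and an approved change implemented outside its window.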
Our approval system for IT changes currently is run through SharePoint. A document is filled out and then approved through SharePoint. So, I have no way of knowing what changes have actually been made other than by looking at the SharePoint site, and obviously those changes followed the change management protocol.
What I am trying to figure out is how can I get an independent list of changes? How do I find changes that were made and then trace them to the SharePoint documents?
I already have the list of authorized changes via our SharePoint approval process. What I need is a list of all changes. From what I gather from your reply the only way to do this is to manually review the system. There is no kind of software that logs this information automatically?