A set of processes executed within the organization’s IT organization designed to manage the enhancements, updates, incremental fixes and patches to production systems, which include:
· Infrastructure changes (routers, firewalls, proxies, cabling, etc)
· System upgrades (servers, operating systems, , applications, databases)
· Application code revisions (development and testing)

Change management is sometimes difficult for organizations to master because so many stakeholders are involved (e.g., business managers, application system developers, IT operations staff, auditors). However, this is not a reason for organizations to be complacent about inadequate controls or low performance.

Stable and managed production environments require that implementation of changes be predictable and repeatable, following a controlled process that is defined, monitored and enforced. These controls are used in financial processes to reduce the risk of fraud and errors.

Organizations should be very familiar with these controls: Only the minimal staff required to implement IT production changes should have access to the production environment (preventive). Authorization processes should involve stakeholders to assess and mitigate risks associated with proposed changes (preventive). Supervisory processes should encourage IT management and staff to undertake their duties responsibly (preventive), and be able to detect errant performance (detective).

Benefits of Good Change and Patch Management Processes
· Spend more time on new development work to advance business goals and objectives
· Reallocate IT staff resources to deliver new capabilities versus “putting out fires”
· Spend less time on unplanned IT work
· Less IT downtime
· Ability to install critical patches with minimal disruption

Control Activities:
· Common Process in Place and Documented
· Effective Change Control Committee Structure
· Change Control Log Used
· Segregation of Duties Between Developers and Technical Staff Maintained
· Automated Controls to Enforce Process of Promoting Changes into Production
· Automated Process to Return Production Environment to Pre-change State
· Approved Configurations Documented
· Clear Delegation of Authority Documented
· Approvals for Changes Documented
· Automated System and Data Backups and Ability to Restore from Approved Environment