Simplifying the SAP IT Change Management Audit: Key Elements Part IV
This is the fourth in the series on simplifying an SAP IT change management audit through automation and this month I will take a look at the SAP IT change management element that verifies the policies and procedures around emergency change management.
Element 6: Emergency Changes
Emergency change policies and processes are designed to prevent unauthorized code being introduced into production systems. They are also designed to ensure that only emergency changes are managed as an emergency change.
As controls increase and change management moves away from an ad-hoc process to a well-managed and well controlled process, it is not unusual to see an increase in the number of emergency changes as business owners and developers utilize the change category as a work around to get standard changes into production quicker.
Reviewing the policies governing emergency change verifies that, an emergency change process exists and is followed, that emergency changes are emergencies and that appropriate controls exist.
The emergency change process audit will verify a range of interlocked process and control requirements including requirements such as:
- Emergency change initiation controls
- Emergency change approvals
- Documentation is completed within a pre-set time period
- Emergency change back out procedures
- Time to close out emergency requests
Automation can enforce emergency change policies and process.
Through automated enforcement only authorized persons can initiate and approve emergency change requests, the process an emergency change must pass through is guaranteed and any documentation requirements are met. Appropriate segregation of duties can be enforced adding to the comfort that controls are in place and process is followed.
When the end to end emergency change management process is automated so too is the audit trail production. For any set of emergency changes IT change management auditors can trace each and every emergency change back to its initiator, verify the process followed and attest to the documentation requirement.
Selection of an automation technology that does not fully enforce the process will not ensure emergency change process is followed, will not guarantee controls and will not simplify the audit process.
In my next post I will take a look at the feature set an SAP change control technology should have in order to ensure simplified and effective SAP IT change management audit.