Consistently Managing Change Controls

Written By Toby DeRoche

Change management is one of the most fundamental—and most frequently bypassed—IT controls in any organization. When it works, your systems stay stable, secure, and predictable. When it doesn’t, the business faces outages, security gaps, data loss, compliance failures, and a steady stream of audit findings that are entirely preventable.

This guide distills the key lessons on Managing Change Controls into a practical, real-world overview you can apply immediately, whether you’re an internal auditor, a SOX professional, or part of an IT or security team responsible for keeping systems running safely.

Why Change Management Controls Matter

Every technology environment is in constant motion. Configurations shift, systems evolve, patches roll out, and new features are deployed. Without a strong change management process, these routine activities create significant risks:

Key Risks

  • Unauthorized changes that compromise system integrity.

  • Unplanned downtime caused by poorly tested or rushed deployments.

  • Security vulnerabilities introduced by uncontrolled or unreviewed modifications.

  • Data loss or corruption during configuration or code changes.

  • Regulatory non-compliance due to missing approvals, testing evidence, or audit trails.

A strong change control process ensures that changes are intentional, documented, reviewed, tested, and deployed in a way that preserves reliability and security across the organization.

Understanding the Three Types of Change Management

Most systems fall into one of three categories, each with its own control requirements:

1. Baseline Configuration

The foundation that applies to all software. This includes default security settings, required configurations, and organizational standards.

2. Configuration Change Management

Applies to configurable applications—think workflow settings, approval matrices, user permissions, and system toggles.

3. Developed Code Management

Applies to custom-built applications, integrations, and low-code/no-code solutions that involve code-level changes.

Knowing which category an application fits into determines the type of controls—and the depth of testing—required.

The Expected Change Management Controls

A mature change management process includes:

  • Documented change requests and approvals

  • User Acceptance Testing (UAT) in a controlled non-production environment

  • Evidence of testing retained for traceability

  • Proper approvals from system owners or code reviewers

  • Controlled deployments with monitoring for unexpected results

  • Segregation of duties between developers, testers, and deployers

  • Emergency change procedures with follow-up documentation

  • Rollback and recovery plans

  • Detailed change logs and audit trails

  • Separation of development, testing, and production environments

These are the core elements auditors expect to see—and the areas most commonly missing or incomplete.

The Change Management Lifecycle: What “Good” Looks Like

A sound lifecycle maintains discipline from start to finish:

  1. Change is requested through a ticket or documented process.

  2. Developers work in non-production with limited or no access to live data.

  3. Changes are peer-reviewed and tested by end users in a sandbox or QA environment.

  4. Approvals are obtained from the appropriate stakeholders.

  5. Deployment occurs through controlled promotion, ideally automated to prevent tampering.

  6. Logs and evidence are captured for future audits.

Organizations that struggle with change management typically skip or weaken one of these steps—usually testing, approvals, or production access controls.

Special Risk Area: System Administrators

System administrators can bypass nearly every control, which makes them both essential and high-risk.

Two realistic approaches exist:

  1. Accept the risk—not always suitable in a regulated environment.

  2. Implement admin activity monitoring, ideally using:

    • Centralized logging

    • SIEM alerts

    • Automated notifications for sensitive activity

Admins should never operate without oversight.

How to Test Change Management Controls

Audit testing begins with understanding whether an application is configurable or customizable.

For Configurable Software

  • Who has admin rights?

  • How are approvals enforced?

  • Is testing performed in a non-production environment?

  • Is UAT evidence stored?

  • Are backups created before major changes?

For Custom-Coded Software

  • How is the code baseline protected?

  • Who can access production code?

  • Are code changes peer-reviewed?

  • Are approved changes promoted to production through a controlled process?

  • Is the production deployment automated or manual?

For Any System Under Review

  • Start with a complete population of changes, ideally from the source system.

  • Trace each change to its originating ticket.

  • Verify evidence of review, approval, and testing.

  • Confirm the deployed change matches what was approved.

  • Ensure logs support the path from request → testing → approval → deployment.

This is the “audit trail of truth” that every strong ITGC program depends on.

SDLC Controls: When Projects Become Major Changes

For large system implementations or major upgrades, standard change management isn’t enough. You need SDLC controls to ensure secure, reliable development.

Examples of SDLC Controls

  • Planning: Stakeholder meetings, project scope, and objectives

  • Design: Secure architecture and data protection decisions

  • Development: Version control, secure coding, peer review

  • Testing: UAT, integration testing, vulnerability scanning

  • Deployment: Controlled move to production with rollback plans

  • Maintenance: Patching, updates, and ongoing monitoring

These controls ensure systems are built intentionally and safely—not rushed into production.

What Auditors Should Evaluate During SDLC Reviews

  • Project governance: Regular stakeholder meetings, documented risks

  • Business requirements documentation

  • Testing completeness with saved UAT evidence

  • Data validation to confirm correct and complete data migration

  • Issue tracking with resolution documentation

  • ITGC design for the new system (access, change, environment segregation)

  • Go-live approval from stakeholders

  • Rollback plans in case of failure

  • End user training and communication

Organizations often miss one of these steps, leading to post-implementation defects and repeat audit findings.

Final Thoughts

Consistent, well-documented change control is the backbone of secure, stable IT operations. Whether you operate in a SOX environment, follow ISO 27001, or simply want to reduce outages and firefighting, strong change management controls are non-negotiable. A disciplined lifecycle, complete documentation, and clear segregation of duties are what separate organizations with predictable operations from those constantly reacting to issues.

If your team wants to sharpen its control approach, check out the CyberControl System course:

CyberControl System
Toby DeRoche https://www.insightcpe.com
Previous

Why Auditors Feel Bullied
Next

We Need Synergy in IT SOX Compliance