CM-22 Change Management

Post-Implementation Review

Outcomes and controls are validated after release.

Domain: Change Management
Control type: Detective
Automated / manual: Manual
Frequency: Per project
Framework reference: COBIT BAI07.08

What good looks like

PIRs assess whether objectives, benefits and control expectations were met.

Risk if it fails

Recurring project/control failures.

How Tess tests it

2 tests — each concludes only on cited evidence.

PIR process defined

Design

Procedure: Inspect the process.
Expected: Defined.
Sample: 1 (design inspection)
Evidence: PIR report, action items.

PIR performed for sampled project

Operating

Procedure: Inspect the PIR.
Expected: Conducted; actions tracked.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: PIR report, action items.

Evidence Tess looks for

PIR report, action items.

More in Change Management

CM-01 Change Management Policy CM-02 Change Request & Documentation CM-03 Change Authorisation CM-04 Testing / UAT Before Production

Want Tess to test CM-22 against your evidence?