If the change management process in a production system fails and lacks documentation, what should the IS auditor do next?

Prepare for the CISA Domain 4 Exam with tailored quizzes. Enhance your auditing skills with detailed explanations and practice multiple-choice questions for cybersecurity professionals. Optimize your study time and ensure success!

Gaining assurance through root cause analysis is the most fitting response after identifying that the change management process has failed and lacks documentation. This approach is essential because it involves investigating the underlying issues that led to the failure of the change management process. By understanding why the process failed, the auditor can identify any specific weaknesses or gaps in the existing system, which is crucial for preventing similar issues in the future.

Root cause analysis enables the auditor to delve deeper into the nature of the failures, such as whether they stemmed from inadequate procedures, insufficient training, lack of oversight, or other operational deficiencies. With this information, the auditor can make informed recommendations for improvements or redesigns to enhance the process and ensure that it is more robust and compliant going forward.

Recommending a redesign of the change management process, or stopping all migrations until the process is documented, may seem proactive, but neither addresses why the process failed. Documenting the finding for management is also important; however, it is typically a subsequent step after gaining insights from root cause analysis. Therefore, understanding the root cause is a critical first step that informs all future actions and decisions regarding the change management process.
