The lack of a formal change management process could earn you a big fat “F” on your audit report. Audit experts say you need a formal document and change procedure, as well as oversight on changes. IBM recommends documenting change-management policies and procedures and updating them regularly. Gartner recommends “change reconciliation” where you use tools like Tripwire and database monitoring to automatically detect any changes to data or files. The key is an automated change management system that tracks what changes were made and by whom.”]
Source: https://www.darkreading.com/analytics/eight-sure-fire-ways-to-beat-a-security-audit