ContAudIT: An End-to-End Proposal for Continuous Auditing of IT Change Management Using Blockchain

Abstract


IT changes are a critical part of the day-to-day operations of most modern organizations, and poor change management can pose severe risks to business continuity. In this context, shareholders often resort to auditing to ensure that change management follows accredited procedures. To this end, third-party audit companies perform periodic inspections of the target IT system, the log of deployed changes, etc. However, the sheer volume of changes, ever-increasing change complexity, and automation make it challenging to deliver change auditing between inspection events. To tackle this issue, we propose ContAudIT, a blockchain-based approach for continuous IT change auditing. In summary, we instrumented a change orchestration framework with a solution for certifying each change deployed in the target system through blockchain. The chain of IT changes recorded between inspection events is then used to ensure that only certified changes were deployed in the infrastructure.
Keywords: IT Audit, Compliance, Continuous Auditing, IT Change Management, Blockchain

Published
2025-05-19
FRAGA, Carlos; ABELÉM, Antônio; BORGES, Vinícius; NOBRE, Jéferson; WICKBOLDT, Juliano; GONCALVES, Glauber; PINHEIRO, Billy; CORDEIRO, Weverton. ContAudIT: An End-to-End Proposal for Continuous Auditing of IT Change Management Using Blockchain. In: BRAZILIAN SYMPOSIUM ON COMPUTER NETWORKS AND DISTRIBUTED SYSTEMS (SBRC), 43., 2025, Natal/RN. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 602-615. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc.2025.6327.
