Hello. I am an auditor and am working on a application change management audit. I am running into an issue that I could use guidance on. The client uses a ticketing system to track all change requests for their PeopleSoft application. In their ticketing application, there is a drop down available where the risk of the change can be classified as low, medium or high. However, the client does not make the dropdown mandatory so they never use it. So in summary, no risks are assigned for their change tickets related to PeopleSoft changes.

I intend to make this an audit issue but need to find criteria to use that lists the importance of assigning risks to their change request tickets related to PeopleSoft changes. I searched the NIST site but could not find anything. Any guidance would be appreciated. Thank you.