ieuga · Expandable Users Group
Change Control Procedure
Message #74 of 343
Re: [ieuga] Change Control Procedure

Hi,
 
I am working through the same issues at Xicom. As I understand it, there are two key components here. The auditors seem to want a form giving IT permission to apply an update, and a second form to document testing after the patch or update is applied. The first could be a notification that the various department heads sign stating that IT is going to apply a patch on such and such a date. Attaching the Expandable program change list to the document is a nice touch. The second part of this "end user testing" is the part you will have trouble with the auditors over. The important thing to remember is that SOX auditors are weenies with a check list. If they had any real skills of their own, they would not be auditors. They will try to get you to sign up for "Best Practices" that no one except huge companies with large budgets follow. Do not be afraid to push back on the auditors; be polite but firm. Here is where you point out that Expandable is an "Off the shelf" Software product, not at all like SAP. You do not have a test environment, or a large staff with nothing better to do than put Expandable through all the tests that we hope and count on Expandable Software Inc. to be doing prior to releasing the update. Then you present an extremely simplified test plan, which includes simple things like checking to see that users can still log on, bills of material still exist, etc. It would be really nice if Expandable would write a utility that checks the number of records in all the user tables, that could be run before and after the upgrade and would compare the results. The final important bit is to document the entire procedure, and then follow the procedure and store the results.
 
To summarize:
1   Must have documented change management procedure: Check
2   Change management procedure has form to initiate change: Check
3   Change management procedure has documented test results with "end user" sign off: Check
4   Evidence that procedure is being followed: Check
 
Beyond the requirements of segregation of duties, the auditors cannot tell you who has to sign the forms, or what needs to be in the test procedure.
 
Regards,
 
 
Tim Rivers
IT Manager
Xicom Technology
 

deelittlegeneral <dmerrick@...> wrote:
We are working on all of our SOX documentation and permissions right
now and I am wondering if any of you can help me with the following:

1. Change Control Procedure
- We are looking at creating a documentation set and methodology for
Expandable server change control that will ultimately fall under the
eye of SOX404 controls and regular audit. Has anyone developed
comprehensive change control methods for managing changes to
Expandable? I'm looking for any pointers for creating our own document
set covering the whole shebang from user access controls, to interim
and full server upgrades.

2. We are wanting to put our Expandable servers in a VMWare environment.
- We are using the newest VMWare Infrastructure 3 server and want to
know if anyone else has used this for their Expandable production
environment.
Thanks!

Deirdre Merrick
Occam Networks



Sun Jan 7, 2007 9:22 pm

iratrivers
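
The before-and-after record count check suggested in the reply above, sketched as an added example; it is not part of the original post and not a utility from Expandable Software. It assumes SQLite as a stand-in database (the page does not say which database Expandable uses), and the table names, sample rows and function names are constructed for illustration.

```python
import hashlib
import json
import sqlite3

def snapshot_counts(conn):
    """Return {table_name: row_count} for every user table in the database."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    # Names come from the catalog, not user input; quote them anyway.
    return {t: conn.execute(
        'SELECT COUNT(*) FROM "%s"' % t.replace('"', '""')).fetchone()[0]
        for t in tables}

def compare_counts(before, after):
    """List (table, before, after) for tables that changed, appeared or vanished."""
    return [(t, before.get(t), after.get(t))
            for t in sorted(set(before) | set(after))
            if before.get(t) != after.get(t)]

def evidence_record(label, counts):
    """Serialize a snapshot with a SHA-256 digest so the stored result can be re-checked."""
    body = json.dumps({"label": label, "counts": counts}, sort_keys=True)
    return {"body": body, "sha256": hashlib.sha256(body.encode()).hexdigest()}

def demo():
    # Constructed sample data standing in for the ERP database.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE bom(id INTEGER PRIMARY KEY, part TEXT);
        INSERT INTO users(name) VALUES ('alice'), ('bob');
        INSERT INTO bom(part) VALUES ('P-100'), ('P-200'), ('P-300');
    """)
    before = snapshot_counts(conn)
    # Simulated upgrade that loses a bill-of-material row and adds a table.
    conn.executescript(
        "DELETE FROM bom WHERE part='P-300'; CREATE TABLE audit_log(id INTEGER);")
    after = snapshot_counts(conn)
    return before, after, compare_counts(before, after)

if __name__ == "__main__":
    before, after, diff = demo()
    print(evidence_record("pre-upgrade", before))
    print(evidence_record("post-upgrade", after))
    for table, b, a in diff:
        print(f"CHANGED {table}: {b} -> {a}")
```

Storing both evidence records alongside the signed change form gives the "documented test results" item something concrete to point at.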
Messages in this thread:
deelittlegeneral · Jan 5, 2007 7:16 pm
Timothy Rivers (iratrivers) · Jan 7, 2007 9:25 pm
