Question from brandondoss, posted 2018-09-21 (https://community.spiceworks.com/t/audit-woes/674664/1, 6 upvotes, 7 answers):

I'm in the Service Desk at a large, recently publicly traded company that is going through a lengthy SOX audit. This is uncharted territory for most of us. One of our new requirements when creating/modifying system access is to take a screenshot of what was modified. Is this really a best practice? I get the importance of tracking these changes, but I feel there has to be a better way to track this information, at least in some of our systems. Is this necessary, or are our auditors blowing smoke?

I'm sure Active Directory and SAP would be the easiest to figure out; however, we also have multiple AS400s, EnView/RedPrairie/JDA, web portals, the list goes on.

Any suggestions or advice would be greatly appreciated.
Answer from spiceuser-5ub1v, posted 2018-09-21 (https://community.spiceworks.com/t/audit-woes/674664/2):

I'm no SOX expert, but there has to be a better/more efficient way than taking a screenshot. It needs to be automated.

Following for future use. Good luck!
Answer from eriklangeland, posted 2018-09-21 (https://community.spiceworks.com/t/audit-woes/674664/3):

Also no specific SOX knowledge, but I agree that screenshots don't sound like an efficient method of tracking.

I could understand making a one-time export dump of some kind (screenshots if no export function is available) to record the initial condition. After that, I would expect to see some kind of change-tracking system in place where the nature of each change (who-when-where-what-why) is recorded. This can be as simple as a spreadsheet or SharePoint table if no system designed for the purpose is in place.
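One way to replace the screenshot with evidence that can be regenerated and checked, along the lines of the export-dump-plus-change-record approach in the answer above: export the system's entitlements before and after the change, diff the two exports, and store the diff together with the ticket, approver and hashes of the raw exports. This is an added example, not code from the thread or from any of the products mentioned. It assumes each system can export a flat list of (user, entitlement) rows (AD group membership, SAP user roles, an AS400 user profile listing, a portal's role table); the CSV column names, ticket number, usernames and group names below are constructed for illustration.

```python
"""
Added example (not from the original thread): build SOX-style evidence for an
access change by diffing two exported snapshots of a system's entitlements
instead of screenshotting the change.

Assumptions (not from the original post): each system can export rows of
user,entitlement. The CSV layout, ticket number, users and group names below
are hypothetical; adapt the column names to your own export.
"""
import csv
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample exports: a "before" and "after" dump of the same system,
# taken around one change ticket.
BEFORE_CSV = """user,entitlement
jdoe,Domain Users
jdoe,Finance-ReadOnly
asmith,Domain Users
asmith,AP-Approvers
"""

AFTER_CSV = """user,entitlement
jdoe,Domain Users
jdoe,Finance-ReadOnly
jdoe,AP-Approvers
asmith,Domain Users
"""


def parse_snapshot(text):
    """Return the set of (user, entitlement) pairs found in an export."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["user"].strip(), r["entitlement"].strip()) for r in rows}


def diff_snapshots(before_text, after_text):
    """Return what was granted and what was revoked between two exports."""
    before = parse_snapshot(before_text)
    after = parse_snapshot(after_text)
    return {
        "granted": sorted(after - before),
        "revoked": sorted(before - after),
    }


def evidence_record(ticket, operator, approver, before_text, after_text, now=None):
    """Build the who/when/what record an auditor asks for. Hashing the raw
    exports makes the stored evidence tamper-evident: re-exporting or editing
    the CSV later changes the digest."""
    changes = diff_snapshots(before_text, after_text)
    now = now or datetime.now(timezone.utc)
    return {
        "ticket": ticket,
        "operator": operator,
        "approver": approver,
        "timestamp": now.isoformat(),
        "before_sha256": hashlib.sha256(before_text.encode()).hexdigest(),
        "after_sha256": hashlib.sha256(after_text.encode()).hexdigest(),
        "granted": [{"user": u, "entitlement": e} for u, e in changes["granted"]],
        "revoked": [{"user": u, "entitlement": e} for u, e in changes["revoked"]],
    }


def unexpected_changes(record, ticket_scope):
    """Flag any change the ticket did not ask for. ticket_scope is the set of
    (user, entitlement, action) tuples the approved request covers, with
    action being "grant" or "revoke". Anything outside it is a change that
    happened without an approval and needs its own ticket."""
    seen = {(c["user"], c["entitlement"], "grant") for c in record["granted"]}
    seen |= {(c["user"], c["entitlement"], "revoke") for c in record["revoked"]}
    return sorted(seen - set(ticket_scope))


if __name__ == "__main__":
    # Hypothetical ticket: the request only approved adding jdoe to AP-Approvers.
    scope = {("jdoe", "AP-Approvers", "grant")}
    rec = evidence_record("INC-12345", "helpdesk1", "finance.manager",
                          BEFORE_CSV, AFTER_CSV)
    print(json.dumps(rec, indent=2))
    # The diff also shows asmith losing AP-Approvers, which nobody approved.
    print("out of scope:", unexpected_changes(rec, scope))
```

The record is written to the ticket (or a change log) instead of a screenshot. The auditor can then re-run the diff against the archived exports and confirm the digests, and the out-of-scope check catches the case a screenshot never does: a change that was made in the same session but never requested or approved.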
Answer from spiceuser-pfqtq, posted 2018-09-21 (https://community.spiceworks.com/t/audit-woes/674664/4, 4 upvotes):

Never had that issue at publicly traded companies that had SOX audits.

What SOX really expected was:

1. user request comes in for access (new hire, change request for additional rights, termination, etc.)
2. approval from whoever is responsible is documented
3. change is executed and documented in the ticket

What SOX then did:

1. you had a new hire on x/x/x - show me the documentation of it
   - often good to have an additional written paper with signatures of department managers of rights needed, etc.
     - create a template with checkboxes to mark them off
   - scanned version attached to the ticket for new hire
2. termination similar to new hire, with
   - written version (template/checkboxes) with signatures
   - data was retrieved from email / local system / user-home
   - data was archived on a defined system
   - scanned and attached to ticket
3. changes to rights
   - written version (template/checkboxes) with signatures
   - change execution date
   - scanned and attached to ticket

Similar for backup and final data archive / long-term archive while adhering to company retention needs and policies - you document that the backup was checked and successful. If not, you document that it failed and what was done to correct it. Minimum weekly, but based on your company policy.

Depending on the amount of data - if you can - make sure the maximum retention policy for data is the one you follow for all data; if you need to divide it due to the sheer amount, this becomes more complicated.

What you want:

Look at a helpdesk ticketing system that lets you document all of it - categorize it as well so you can quickly find it once they ask for it.