SARBOX is also a regulation for large public companies

If the application does not enforce the expected separation of duties OOTB, 
then reports need to be produced to the auditors, as you point out, to show 
that only predefined approvers approved/rejected the change, that the approvers 
did not implement the change, etc, etc, which is time consuming and is not cost 
effective.

If the Remedy Change Mgmt application was designed and able to be configured 
to enforce these SOD rules, then such reports would not need to be produced. 
Maybe something for BMC to look at for ITSM 9.0?

Keep in mind that all these extra audit reports are a burden to your reporting 
group (if you have one) or your Remedy admins, time that most people don't 
have... that's all. The alternative is to customize the app to enforce some 
rules. So in the end, you need additional custom audit reports or application 
customization, pick the one you like. External auditors may opt for the 
reporting solution, since this would increase their engagement time, which is 
to the detriment of the audited company. And since audits need to be done every 
year, they would be quite happy with that. Maybe I should become an auditor!

Guillaume
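As an added illustration (not part of Guillaume's post, and not BMC's own code), here is the kind of SOD audit check Guillaume describes, run over constructed Remedy-style change records; the field names, user names and the list of predefined approvers are assumptions:

```python
# Added example: an SoD audit check over change records, producing the
# findings an auditor would expect in a report. All data below is constructed.

# Constructed: the predefined set of people allowed to approve/reject changes.
AUTHORIZED_APPROVERS = {"alice", "bob"}

# Constructed change records: who implemented, and who decided (approver, decision).
SAMPLE_CHANGES = [
    {"id": "CRQ-001", "implementer": "carol", "approvals": [("alice", "Approved")]},
    {"id": "CRQ-002", "implementer": "alice", "approvals": [("alice", "Approved")]},
    {"id": "CRQ-003", "implementer": "dave",  "approvals": [("erin", "Approved")]},
    {"id": "CRQ-004", "implementer": "carol",
     "approvals": [("bob", "Rejected"), ("alice", "Approved")]},
    {"id": "CRQ-005", "implementer": "dave",  "approvals": []},
]


def sod_findings(changes, authorized_approvers):
    """Return (change_id, rule, detail) tuples for every SoD rule breach.

    Rule 'unauthorized-approver': a decision was made by someone outside the
        predefined approver list.
    Rule 'approver-implemented': someone who approved/rejected the change
        also implemented it.
    Rule 'no-approval': the change carries no approval decision at all.
    """
    findings = []
    for chg in changes:
        deciders = {who for who, _decision in chg["approvals"]}
        if not deciders:
            findings.append((chg["id"], "no-approval", "no approval decision recorded"))
        for who in sorted(deciders - authorized_approvers):
            findings.append((chg["id"], "unauthorized-approver", who))
        if chg["implementer"] in deciders:
            findings.append((chg["id"], "approver-implemented", chg["implementer"]))
    return findings


def audit_report(changes, authorized_approvers):
    """Summarise findings into per-rule counts plus the detailed list."""
    findings = sod_findings(changes, authorized_approvers)
    by_rule = {}
    for _cid, rule, _detail in findings:
        by_rule[rule] = by_rule.get(rule, 0) + 1
    return {"changes_reviewed": len(changes), "violations": len(findings),
            "by_rule": by_rule, "details": findings}


if __name__ == "__main__":
    for line in audit_report(SAMPLE_CHANGES, AUTHORIZED_APPROVERS)["details"]:
        print(line)
```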


________________________________
From: Action Request System discussion list(ARSList) [arsl...@arslist.org] on 
behalf of Lyle Taylor [tayl...@ldschurch.org]
Sent: Monday, March 29, 2010 8:03 PM
To: arslist@ARSLIST.ORG
Subject: Re: Change Manager - Change Implementor

I agree with Christopher; SOD is not specified by ITIL and so doesn’t 
necessarily need to be enforced by default by the application supporting the 
processes.  SOD is a policy decision.  That said, it would be nice if Change 
Management had the ability to support policies like this.  And that said, from 
my recollection SARBOX is more about policy, procedures and auditing.  The 
tools don’t need to enforce the process policies so long as you can show at 
audit time that you have controls in place in your process to check for these 
cases and help prevent them – or take action when something does happen – and 
if you can show by your auditing that you have been following your process.  On 
that front, I believe CM does support that.  Approvals and changes can store 
audit information, so you have the information you need to show that you are 
following your process policies with regard to SOD.

Lyle


_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug10 www.wwrug.com ARSlist: "Where the Answers Are"