Since I'm not a lawyer or auditor I won't go into my perception of the details, but I can give you some general information.
The ITSM system itself is a source of record for things pertaining to your financial systems, despite it not really being a financial system itself. For example, if someone is making a modification to the code of your payroll system, you will want to ensure that it is an authorized activity via approvals of the Change Request. You could also tie the dates of the Change Request to the log files of the payroll system to close the loop and ensure that the approved modifications in the Change Request are the activities actually performed, and that they happened at the time that was planned. Conversely, you could take the log files on your financial systems and compare them to the list of Change Requests for a certain time period and ensure that no unauthorized changes were made that show up in the log without a related Change Request in ITSM.

As a result of this type of scenario, the Change Management system in particular should be used to produce reports to streamline your SOX audits. However, SOX is only one of many laws that may require audits of ITSM depending on your business (e.g. things related to HIPAA, FERC, etc.), as well as many internal reasons to audit (e.g. COBIT standardization, etc.). At my company we use reports from Change Management to help facilitate some of our internal and external audit processes, and once we have fully utilized Asset Management we may evaluate tying that in as well.

I hope this helps,

Shawn Pierson

From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Kathy Morris
Sent: Monday, June 14, 2010 12:38 PM
To: [email protected]
Subject: OT: SOX and Audits of ITSM

Hi,

Under what conditions can your ITSM system be audited? Does anyone have any compliance documentation that provides steps on auditing guidelines we should comply with for ITSM?

For example:
- segregation of duties (Change Management)
- archiving / retention period for records
- modifying records after submission

I believe SOX audits your financial systems - so does this mean ITSM would not be audited if financial data is not stored in ITSM? Can ITSM be under some other type of audit?
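The reconciliation Shawn describes (matching payroll audit-log entries against approved Change Requests in both directions) can be scripted so the same check runs before every audit rather than being done by hand. The following is an added example, not code from the thread or from any ITSM product. It assumes a constructed export of Change Requests with an approved implementation window and a constructed plain-text audit-log format; the field names, the set of change-type actions and all sample records are assumptions made for illustration.

```python
"""Reconcile change-management records against a system audit log.

Added example (not from the original mailing-list thread). The CR export
format, the log line format and the sample data below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
import re


@dataclass(frozen=True)
class ChangeRequest:
    cr_id: str
    system: str
    implementer: str   # person approved to perform the change
    start: datetime    # approved implementation window
    end: datetime
    status: str        # assumed values: "Approved", "Pending", "Rejected"


@dataclass(frozen=True)
class LogEvent:
    timestamp: datetime
    system: str
    user: str
    action: str
    detail: str


# Constructed log format: "<ISO time> <system> user=<u> action=<a> [detail]"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<system>\S+) user=(?P<user>\S+) action=(?P<action>\S+) ?(?P<detail>.*)$"
)

# Actions that modify the financial system and therefore require an approved CR.
CHANGE_ACTIONS = {"deploy", "config_change", "schema_change"}


def parse_log_line(line):
    """Parse one audit-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LogEvent(datetime.fromisoformat(m["ts"]), m["system"],
                    m["user"], m["action"], m["detail"])


def find_covering_cr(event, crs):
    """Return the CR that authorises this event, or None.

    A CR covers an event only if it is Approved, targets the same system,
    the event time lies inside the approved window, and the actor is the
    named implementer. An event outside the window is treated as
    unauthorised even if a CR exists, which is exactly the case an
    auditor will ask about.
    """
    for cr in crs:
        if (cr.status == "Approved" and cr.system == event.system
                and cr.start <= event.timestamp <= cr.end
                and cr.implementer == event.user):
            return cr
    return None


def reconcile(crs, log_lines):
    """Two-way check: log changes without a CR, and approved CRs without log evidence."""
    events = [e for e in map(parse_log_line, log_lines) if e is not None]
    changes = [e for e in events if e.action in CHANGE_ACTIONS]
    unauthorized, evidenced = [], set()
    for ev in changes:
        cr = find_covering_cr(ev, crs)
        if cr is None:
            unauthorized.append(ev)
        else:
            evidenced.add(cr.cr_id)
    # Approved CRs with no matching activity: never implemented, implemented
    # outside the window, or a logging gap. All three need follow-up.
    unevidenced = [cr for cr in crs
                   if cr.status == "Approved" and cr.cr_id not in evidenced]
    return {"unauthorized": unauthorized, "unevidenced": unevidenced}


# Constructed sample data (assumed, not real records).
SAMPLE_CRS = [
    ChangeRequest("CR-1001", "payroll", "alice",
                  datetime(2010, 6, 14, 18, 0), datetime(2010, 6, 14, 20, 0), "Approved"),
    ChangeRequest("CR-1002", "payroll", "bob",
                  datetime(2010, 6, 15, 18, 0), datetime(2010, 6, 15, 20, 0), "Approved"),
    ChangeRequest("CR-1003", "payroll", "carol",
                  datetime(2010, 6, 16, 18, 0), datetime(2010, 6, 16, 20, 0), "Pending"),
]

SAMPLE_LOG = [
    "2010-06-14T18:30:00 payroll user=alice action=deploy version=4.2.1",     # covered by CR-1001
    "2010-06-14T18:35:00 payroll user=alice action=login",                    # not a change
    "2010-06-15T21:10:00 payroll user=bob action=config_change key=tax_table",  # outside CR-1002 window
    "2010-06-16T19:00:00 payroll user=carol action=schema_change table=employee",  # CR-1003 not approved
    "2010-06-17T02:00:00 payroll user=dave action=deploy version=4.2.2",      # no CR at all
    "malformed line that should be skipped",
]


def run_sample():
    return reconcile(SAMPLE_CRS, SAMPLE_LOG)


if __name__ == "__main__":
    report = run_sample()
    for ev in report["unauthorized"]:
        print(f"UNAUTHORIZED {ev.timestamp} {ev.system} {ev.user} {ev.action} {ev.detail}")
    for cr in report["unevidenced"]:
        print(f"NO EVIDENCE  {cr.cr_id} {cr.system} implementer={cr.implementer}")
```

Run against the constructed data, the script flags three log changes with no covering approved CR (bob's change outside his window, carol's change under a CR that is still Pending, and dave's deploy with no CR) and one approved CR, CR-1002, with no matching activity. Both lists are what an auditor wants to see explained, and a clean run is the report that "streamlines the SOX audit" in Shawn's words.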

