Software change control 111



  • Hi,
    I am new to Sarbanes-Oxley and want to know one thing.
    In case of a change in software in a company, for verification of the adequacy of software change controls, is it necessary to know the new software in depth? If yes, how is it possible for a finance person to know the advantages and disadvantages of all software?
    If no, what are the aspects that one needs to know?
    Thanks




  • I recommend reading IT Control Objectives for Sarbanes-Oxley. The controls they suggest do not require in-depth technical knowledge of the changes but focus on the use of methodologies, policies and procedures for making changes. The procedures used are expected to include business user involvement, thorough testing, standardized change management, and more.



  • Hello:
    The short answer is: No, you don’t need in-depth knowledge of the software.
    The longer answer is a little more complicated…
    You need to test the software using generally accepted SDLC / QA / Security Guidelines before you install any software on systems that have in-scope SOX applications.
    Business can do much of the testing for you, but they must use a reasonable methodology. Your company should have an SDLC policy, and even so-called vanilla software (software out-of-the-box) must be tested to ensure the software installation does not impair the security of other SOX applications.
    You don’t have to do black box testing (looking at software code) but general testing must be done and documented.

