Automation of Testing?

  • I hear talk of automated testing for compliance that would report the results.
    Does anyone have experience with this? If so, what was the approach?
    It sounds too good to be true, but I was wondering what experiences people have with it, if they are willing to share.

  • We are working on automated testing for some controls.

    1. Totally locked down change control environment
    2. Tight access over the automated control
    3. Thorough testing before you ‘go live’ on it
    4. Clear documentation and proof of control working for external audit purposes
    5. Regular revisit of parameters around which the control is based.

    One area is privileged access. You can compare who should have access to resources against who does have access. You have to keep the ‘should’ list up to date for any new people, leavers and job changes. We are using our in-house software to do this (we are a software company). We are actively considering how to extend this to other areas.
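    The "should versus does" comparison described in the post above, written out as an added example; this is illustrative code, not the poster's in-house tool. It assumes a hypothetical role-to-entitlement mapping as the source of the ‘should’ list (so a job change in HR updates expectations automatically), a constructed HR feed that marks leavers, and a constructed CSV export of actual grants. It reports the three deviations an auditor would want evidence of: access nobody approved, approved access not yet provisioned, and access still held by leavers.

```python
"""Access reconciliation: compare approved access against actual grants.

Added illustration only. ROLE_ENTITLEMENTS, HR_RECORDS and ACCESS_SNAPSHOT
are constructed sample data standing in for an HR feed and a system export.
"""
from dataclasses import dataclass

# Hypothetical role -> entitlement mapping. Deriving the "should" list from
# the HR-assigned role means a job change re-computes expected access.
ROLE_ENTITLEMENTS = {
    "dba": {"prod-db-admin", "prod-db-read"},
    "developer": {"prod-db-read", "ci-deploy"},
    "finance": {"erp-post"},
}

# Constructed HR feed: user -> (role, status). Anything but "active" is a leaver.
HR_RECORDS = {
    "alice": ("dba", "active"),
    "bob": ("developer", "active"),
    "carol": ("finance", "left"),
    "dave": ("developer", "active"),
}

# Constructed "does have access" snapshot, shaped like a CSV export.
ACCESS_SNAPSHOT = """\
user,resource
alice,prod-db-admin
alice,prod-db-read
bob,prod-db-read
bob,prod-db-admin
carol,erp-post
eve,ci-deploy
"""


@dataclass(frozen=True, order=True)
class Finding:
    kind: str       # "unauthorized", "missing" or "leaver"
    user: str
    resource: str


def expected_access(hr, role_entitlements):
    """Build the 'should' list: each active user gets their role's entitlements."""
    return {
        user: set(role_entitlements.get(role, ()))
        for user, (role, status) in hr.items()
        if status == "active"
    }


def leavers(hr):
    """Users HR no longer lists as active; any access they still hold is a finding."""
    return {user for user, (_, status) in hr.items() if status != "active"}


def parse_snapshot(text):
    """Parse the export into user -> set(resources), skipping header and blank lines."""
    actual = {}
    for line in text.splitlines()[1:]:
        line = line.strip()
        if not line:
            continue
        user, resource = line.split(",", 1)
        actual.setdefault(user, set()).add(resource)
    return actual


def reconcile(should, actual, gone):
    """Return sorted findings. Users unknown to HR (not in 'should') are
    treated as unauthorized for every grant they hold."""
    findings = set()
    for user, resources in actual.items():
        for res in resources:
            if user in gone:
                findings.add(Finding("leaver", user, res))
            elif res not in should.get(user, set()):
                findings.add(Finding("unauthorized", user, res))
    for user, resources in should.items():
        for res in resources - actual.get(user, set()):
            findings.add(Finding("missing", user, res))
    return sorted(findings)


def summarize(findings):
    """Counts per finding kind, the headline figure for an audit evidence file."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def run_sample():
    should = expected_access(HR_RECORDS, ROLE_ENTITLEMENTS)
    actual = parse_snapshot(ACCESS_SNAPSHOT)
    return reconcile(should, actual, leavers(HR_RECORDS))


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f.kind:12} {f.user:8} {f.resource}")
    print(summarize(results))
```

    Running it on the sample data yields six findings: one leaver (carol still holds erp-post), two unauthorized grants (bob's prod-db-admin, and eve, who is not in HR at all), and three approved entitlements not yet provisioned. The sorted, deduplicated output is deterministic, which matters when the same report is re-run and handed to an external auditor as evidence that the control operated.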

  • Take a look at Polivec.

  • Have you used this product before?
    Can it do automated testing for compliance in the way that coolcat described?

  • I used Polivec at a previous employer. We had to roll it back due to some bugs, but I have heard that newer releases are much better. I don’t think that it will do change control, but it will help with testing and documentation. It did line us up for 17799 compliance and the lawyers really liked it.

  • Thanks for the feedback.
    We are needing something more robust to conduct SOX testing, to replace much of the manual effort involved in gathering evidence, reviewing it, and evaluating whether the control is operating effectively. It may not be possible to automate all testing of effectiveness. This is bigger than just user access.
    I appreciate your help.

