SOX Periodic MTP reviews 1944

  • One of SOX key control requirement is to review the changes done in production environment on periodic basis. Testing of this control requires system generated list of changes done in production environment and checking for whether there was an appropriate approval for every change that was done in production environment.
    But what if it is not possible to get system generated list of changes from production environment due to technical limitation? What kind of control should be put in place to achieve this control objective and how that control should be tested?

  • Nilesh
    Welcome to the forum.
    The answer to your question depends on your applications. If change managements are vendor controlled you can procure the listing from your vendors. If not, then I do not recollect any control if change management are related to inhouse production and you maybe written up on this.
    Library control software should be used to ensure that all program changes have been authorized.

Log in to reply