Change Management / Terminated User 2749
E2badG last edited by
I need to know what needs to be documented for SOX under Change Management
I ran it to a situation Friday that needs clarification.
Does setting changes in a ERP System (application under the SOX scope) need to be documented… example. there was an error with the achieve function in the ERP system…it turned out that the path to the achieve was wrong and needed to be change. Does this needed to be documented???
I asked for IT change request. I was told that I was taking SOX to seriously …was I wrong to ask for a change request??
2nd Question on User Termination.
Do we terminate accounts when the user is told he is being terminated or on his last day??
AuditorSox last edited by
a) When ERP Package is first installed , the settings should be printed
and during CM testing , settings should be verified
If changed , need CM documentation (e.g. User / MIS request , approval etc.)
b) Termination : System access to be removed on last day of work.
NC last edited by
You were not wrong in asking for a change request
Any changes, be it changes to in built configuration(known as customization) or changes to code(workbench) have to follow a change management process, which has to necessarily be documented.
User should stop having his privileges ending his/ her last working day. As a safer/proactive measure(and where the infrastructure permits) you can time the ID, i.e. set it to expire, mid night of his/her last day…