I’ve always been confused with Change Management at the Database and OS layer. How do you audit these layers and what changes are significant? My clients always find it difficult to provide a list of changes for the OS and DB and I feel like infrastructure is always a last thought in our audits.


Depends on the OS or DB. For Windows Server (or any Windows OS) you can either go through WMIC or PowerShell to generate a list of all hotfixes/patches applied to the machine. You can then compare install date to a change ticket. Usually we were fine with just running the patch in a L3 test environment for a certain amount of time prior to production implementation with no errors or incidents as evidence of sufficient testing. Obviously infrastructure testing becomes less relevant as you move to a cloud solution since you're relying on a SOC 1


@EY2 non-custom changes to the SaaS app would be subjected to change management at the service organization and therefore audited as part of the SOC procedures. If the customer has the ability to delay the deployment of changes (or a CUEC calls out testing requirement by the client) then there should be testing performed. However I could not foresee a situation where a client would be required to test infrastructure changes at a SaaS provider

kind of a joke how our IT audit practice doesn’t have standard queries for each system that we can use….especially for OS and DB


@EY2 no, it would not. Obtaining sufficient appropriate audit evidence to support the functioning of the control (the control is that change went through change management) is not an independence violation.


The key here is what type of “changes” are you interested in. Most IT Auditors only focus on patch type changes at the OS and DB layer for SOX. For Windows Server, this can be easily pulled via a simple PowerShell or by logging in directly to the server and then going to the update history. For Linux, you can Google some commands to pull kernel patching history. Same for DB.

If you really want to get into the nitty gritty, you can also run queries at DB layer to understand changes made to tables, objects, including stored procedures and triggers.

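The reconciliation described in the answers above (pull the installed Windows patches with PowerShell, then compare each install date to a change ticket), as an added example that is not from any poster in this thread. The ticket export columns (TicketId, KB, ApprovedStart, ApprovedEnd), the KB numbers and the dates are constructed for illustration and do not reflect any particular ITSM tool.

```powershell
# Added example: reconcile installed patches against approved change tickets.
# Input objects need HotFixID, InstalledOn and InstalledBy, which is what Get-HotFix returns.
function Compare-PatchToTicket {
    param([object[]] $HotFix, [object[]] $Ticket)

    foreach ($h in $HotFix) {
        # All tickets raised for this KB (there may be none, or several)
        $candidates = @($Ticket | Where-Object { $_.KB -eq $h.HotFixID })
        $inWindow = $null
        if ($h.InstalledOn) {
            # Get-HotFix reports a date without a time, so compare on whole days
            $day = ([datetime]$h.InstalledOn).Date
            $inWindow = $candidates | Where-Object {
                $day -ge ([datetime]$_.ApprovedStart).Date -and
                $day -le ([datetime]$_.ApprovedEnd).Date
            } | Select-Object -First 1
        }

        if (-not $h.InstalledOn)         { $status = 'NoInstallDate' }   # cannot be tested by date
        elseif ($candidates.Count -eq 0) { $status = 'NoTicket' }        # patch with no change record
        elseif ($inWindow)               { $status = 'Matched' }
        else                             { $status = 'OutsideWindow' }   # ticket exists, date does not fit

        [pscustomobject]@{
            HotFixID    = $h.HotFixID
            InstalledOn = $h.InstalledOn
            InstalledBy = $h.InstalledBy
            TicketId    = if ($inWindow) { $inWindow.TicketId } else { $candidates.TicketId -join ';' }
            Status      = $status
        }
    }
}

# Constructed sample data so the script runs offline on any machine
$sampleHotFix = @(
    [pscustomobject]@{ HotFixID = 'KB0000001'; InstalledOn = [datetime]'2024-03-12'; InstalledBy = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ HotFixID = 'KB0000002'; InstalledOn = [datetime]'2024-03-20'; InstalledBy = 'CORP\admin1' }
    [pscustomobject]@{ HotFixID = 'KB0000003'; InstalledOn = [datetime]'2024-04-02'; InstalledBy = 'CORP\admin1' }
    [pscustomobject]@{ HotFixID = 'KB0000004'; InstalledOn = $null; InstalledBy = '' }
)
$sampleTickets = @'
TicketId,KB,ApprovedStart,ApprovedEnd
CHG-0001,KB0000001,2024-03-10,2024-03-14
CHG-0002,KB0000002,2024-03-15,2024-03-17
'@ | ConvertFrom-Csv

Compare-PatchToTicket -HotFix $sampleHotFix -Ticket $sampleTickets | Format-Table -AutoSize
```

On a real server, pass `-HotFix (Get-HotFix)` and load the ticket export with `Import-Csv`; every row whose Status is not `Matched` is an exception to follow up with the client.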
