


Depends on the OS or DB. For Windows Server (or any Windows OS) you can either go through WMIC or PowerShell to generate a list of all hotfixes/patches applied to the machine. You can then compare install date to a change ticket. Usually we were fine with just running the patch in a L3 test environment for a certain amount of time prior to production implementation with no errors or incidents as evidence of sufficient testing. Obviously infrastructure testing becomes less relevant as you move to a cloud solution since you're relying on a SOC 1
@EY2 non-custom changes to the SaaS app would be subjected to change management at the service organization and therefore audited as part of the SOC procedures. If the customer has the ability to delay the deployment of changes (or a CUEC calls out a testing requirement by the client) then there should be testing performed. However, I could not foresee a situation where a client would be required to test infrastructure changes at a SaaS provider.
Kind of a joke how our IT audit practice doesn’t have standard queries for each system that we can use... especially for OS and DB.
@EY2 no, it would not. Obtaining sufficient appropriate audit evidence to support the functioning of the control (the control is that change went through change management) is not an independence violation.
The key here is what type of “changes” you are interested in. Most IT auditors only focus on patch-type changes at the OS and DB layer for SOX. For Windows Server, this can be easily pulled via a simple PowerShell command or by logging in directly to the server and then going to the update history. For Linux, you can Google some commands to pull kernel patching history. Same for DB.
If you really want to get into the nitty gritty, you can also run queries at the DB layer to understand changes made to tables and objects, including stored procedures and triggers.
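
The hotfix-to-change-ticket comparison described in the comments above, as an added example (not code posted by anyone in this thread). The function name `Compare-HotFixToTicket` and the ticket columns (`TicketId`, `HotFixID`, `ApprovedOn`) are assumptions, and the ticket rows are constructed sample data.

```powershell
# Added example: reconcile installed hotfixes against change tickets.
# Ticket fields (TicketId, HotFixID, ApprovedOn) are hypothetical; map them
# to the columns of your own change-management export.
function Compare-HotFixToTicket {
    param(
        [Parameter(Mandatory)] [object[]] $HotFix,   # needs HotFixID, InstalledOn
        [Parameter(Mandatory)] [object[]] $Ticket,   # needs TicketId, HotFixID, ApprovedOn
        [datetime] $PeriodStart = [datetime]::MinValue,
        [datetime] $PeriodEnd   = [datetime]::MaxValue
    )
    # Index tickets by KB number (hashtable keys are case-insensitive)
    $byKb = @{}
    foreach ($t in $Ticket) { $byKb[$t.HotFixID] = $t }

    foreach ($h in $HotFix) {
        $hasTicket = $byKb.ContainsKey($h.HotFixID)
        if (-not $h.InstalledOn) {
            # Some hotfixes report no install date; surface them for manual follow-up
            $status = 'NoInstallDate'
        } elseif ($h.InstalledOn -lt $PeriodStart -or $h.InstalledOn -gt $PeriodEnd) {
            continue   # outside the audit period
        } elseif (-not $hasTicket) {
            $status = 'NoTicket'
        } elseif ($h.InstalledOn -lt [datetime]$byKb[$h.HotFixID].ApprovedOn) {
            $status = 'InstalledBeforeApproval'
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{
            HotFixID    = $h.HotFixID
            InstalledOn = $h.InstalledOn
            InstalledBy = $h.InstalledBy
            TicketId    = if ($hasTicket) { $byKb[$h.HotFixID].TicketId } else { $null }
            Status      = $status
        }
    }
}

# Constructed ticket export (placeholder KB and ticket numbers, not real data)
$tickets = @'
TicketId,HotFixID,ApprovedOn
CHG-0001,KB0000001,2024-01-10
CHG-0002,KB0000002,2024-02-15
'@ | ConvertFrom-Csv

# Get-HotFix lists the updates Windows reports for the local machine
Compare-HotFixToTicket -HotFix (Get-HotFix) -Ticket $tickets `
    -PeriodStart '2024-01-01' -PeriodEnd '2024-12-31' |
    Sort-Object Status, InstalledOn | Format-Table -AutoSize
```

Rows with a status other than `OK` are the exceptions to follow up on; `InstalledBy` shows which account applied the patch where Windows recorded it.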