• Hi

    Thanks for the brief overview. I've also been through my first year in a SOX-IT environment, and have three observations:

    1. Your A/S/P breakdown is a useful way of looking at things - along with what the approved access permissions are, and how to make sure any changes are also approved (including monitoring and correction/prevention).

    2. Don't know about documenting reports - haven't been asked to do so, though I agree it would be good practice to get reports properly documented and automated where possible (i.e. so no one can 'fiddle' them).

    3. We also work on the principle that anything that could change data should be documented and approved (which probably is a broader view to your reports documentation). So we have monitoring and change management procedures around Applications, Databases, and (to be added) 'Key Control' reports.

    Thanks

    Andrew