Stefan,

A SOX 404 audit is very similar to PCI compliancy, but can also be even less stringent. The main tenants are going to deal with do you have policies in place, are people following those policies, and do you have documentation to the effect that those policies where followed. SOX Policies are such that when you take into account all the businesses activities, the policy should not be all encompassing. It needs to generalized and provide a mechanisms for documentation and approval of exceptions.

Given that statement, when using Splunk there are some key areas to consider.

1. Access rights - Who has access, when was it accessed and was their login authorized
2. Change Management - File changes, AAA changes
3. Configs - Are security and access controls properly configured
4. Testing - Development and Testing Environments (Was development done properly and do you have test results)

Moving this to Splunk, it's good to look at the following:

• Remote Access Logs (VPN Users): Who accessed? When? Do they have authorization?
• Windows/*nix System Logs: Server file/config changes. System Error Messages showing that they were fixed.
• AIX/iSeries: These systems are still widely used. The apps created for them can show you which "Applications" we accessed, changed, removed and used. SOX 404 Auditors love this stuff. They need to see the changes made to the FINANCIAL applications. If you're RPG programmer updated the system, but you don't have any documentation about it or approval, you're not going to enjoy your audit.
• Lastly, I would look into making a custom form for your different systems/applications. An audit is all about answering an auditor's questions. If the answers are good the auditor will move on. If not, they may have just expanded their scope of the audit.

An example of a form might be for an iSeries. You could select the machine name for a list, select the application that runs that program and then display the relevant changes for say that particular user that made the update. A simple one will be just to show all of the users on the system and their access rights.

While doing some work before the audit is great, no two auditors are the same and ad-hoc is their spice of life. Your best bet, is to be ready to search for what they ask you, Save those searches for next year, and be ready for a different person and different questions next year.

I know you are looking for some specifics, but without providing us any details of the type of systems or applications that you are using i can't really offer up any more help. Sorry.

Best of luck during your SOX 404 Audit. Make sure that the finance team know you can help them when needed, if you implemented Splunk for use with the ERP system. You can save them days worth of man hours popping things into Excel or handling the ad-hoc queries that normal Business Intelligence systems don't do.

IT