Show me the evidence.
I think auditors chuckle inside when they say “show me the evidence.” It’s part of their craft to seek and inspect. Over the past several years I’ve been giving documentation and evidence to auditors for various IT controls. With regard to policies, procedures, and standard practices, auditors want to see more than a one-time piece of evidence. They want to see proof that the behavior is happening on a regular basis. It’s the classic audit trail.
SharePoint – Love it. Hate it.
I’ve had my moments with SharePoint on a few items related to workflow. But one valuable attribute I’ve found with the tool is the ability to version documents and lists. This capability creates the perfect audit trail and body of evidence.
Example 1 – Annual Policy Updates
I keep version information in two places for policy documents. The first is in the document header. This shows the date of the policy, the last review date, and a version number. You can do this part without SharePoint.
The second place is in the version of the SharePoint document. First make sure that versioning is turned on for the document repository (one-time setup). Go to the library settings and select versioning settings. Then fill in the specifics for how you want the versions to be incremented and how many versions to keep.
Each time I edit a document I use the check out for editing feature. Then I apply my changes, and when I check the document back in, SharePoint prompts for a summary of the updates. Each time this happens, a new version of the document is created and logged.
To see the previous versions and comments select the version history from the document selection menu.
Example 2 – Production Change Updates
I use a SharePoint list to track requests and approvals for production change updates. As with documents, make sure the list has version control turned on by going to the list settings and enabling versioning.
The version history for a list shows the dates of the field updates and which specific fields were updated. It also keeps the name of the person who updated the fields (redacted in my example).
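The two setups above (versioning on the document library in Example 1, versioning on the change-request list in Example 2) and the evidence they produce can also be scripted, which is handy when an auditor asks for the trail as a file rather than a screenshot. The following is an added example, not code from the original post; it uses the PnP.PowerShell module, and the site URL, library name, list name and document path are placeholders. The check-in comment is read from each file version, and for list items the fields that changed between consecutive versions are computed so the export shows which fields were updated and when, as the version history page does.

```powershell
# Added example (not from the original post). Requires the PnP.PowerShell module
# and permission to manage the site. All names below are placeholder assumptions.
Import-Module PnP.PowerShell

$siteUrl    = "https://contoso.sharepoint.com/sites/ITPolicies"          # placeholder
$library    = "Policies"                                                  # placeholder document library
$changeList = "Production Change Requests"                                # placeholder list
$policyFile = "/sites/ITPolicies/Policies/Acceptable-Use-Policy.docx"     # placeholder document

Connect-PnPOnline -Url $siteUrl -Interactive

# Example 1, one-time setup: versioning on, keep 50 major versions, and require
# check-out so every edit becomes a distinct, commented version.
Set-PnPList -Identity $library -EnableVersioning $true -MajorVersions 50 -ForceCheckout $true

# Example 2, one-time setup: versioning on for the change-request list.
Set-PnPList -Identity $changeList -EnableVersioning $true -MajorVersions 100

# Evidence for Example 1: every version of the policy document with the
# check-in summary typed when it was checked back in.
Get-PnPFileVersion -Url $policyFile |
    Select-Object VersionLabel, Created, CheckInComment |
    Sort-Object Created |
    Export-Csv -Path ".\policy-version-history.csv" -NoTypeInformation

# Compare two versions' field values and return the names of fields that differ.
# Internal SharePoint bookkeeping fields are skipped so the report stays readable.
function Get-ChangedFields {
    param([hashtable]$Previous, [hashtable]$Current)
    $skip = @('Modified', '_UIVersionString', 'owshiddenversion', 'Last_x0020_Modified')
    $changed = @()
    foreach ($name in $Current.Keys) {
        if ($skip -contains $name) { continue }
        if (-not $Previous.ContainsKey($name) -or
            [string]$Previous[$name] -ne [string]$Current[$name]) {
            $changed += $name
        }
    }
    return ($changed | Sort-Object)
}

# Evidence for Example 2: for each change request, list each version, who created
# it, when, and which fields were updated relative to the version before it.
$report = foreach ($item in Get-PnPListItem -List $changeList) {
    $versions = Get-PnPListItemVersion -List $changeList -Identity $item.Id |
        Sort-Object { [double]$_.VersionLabel }
    $previous = @{}
    foreach ($version in $versions) {
        # FieldValues is the CSOM ListItemVersion property holding that version's field values.
        $current = @{}
        foreach ($kv in $version.FieldValues.GetEnumerator()) { $current[$kv.Key] = $kv.Value }
        [pscustomobject]@{
            ItemId        = $item.Id
            Version       = $version.VersionLabel
            Created       = $version.Created
            CreatedBy     = $version.CreatedBy.Email
            ChangedFields = (Get-ChangedFields -Previous $previous -Current $current) -join ';'
        }
        $previous = $current
    }
}
$report | Export-Csv -Path ".\change-request-version-history.csv" -NoTypeInformation
```

Run it from a workstation with the module installed; the two CSV files are the artifacts to hand over. Keeping them alongside the header-based version line in the document itself gives the auditor the same story from two independent sources.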
This is a simple way to keep a history of policies, procedures, and updates. Having this available and ready to show an auditor makes the audit process a little easier.
Onward and upward!