Sarbox, ITIL, Documentation and User management processes...

On a recent visit to a very large site, they stated that they were Sarbanes Oxley complaint, and it was an enormous Pain In the Ass to update the dammed documentation. To such an extent that it seriously prevented them overhauling processes. Life was just too short.


Which then leads me to this rather interesting idea. Our product - FirM - is a user and group proxy administration tool for Lotus Domino, Active Directory and BlackBerry. Only one of our customers (so far) is Sarbox, and a number of potential customers are ITIL or Sarbox compliant. And a big issue is that our software is complex, and its a complete PITA to document stuff - especially if we add new features, change screens, etc.


Which brings me to the point (finally) of this post. What kind of documentation would someone want to spit out of an automated User ID provisioning, group resource managing, proxy administration system? Something suitable to slay the dragon of the Sarbox guys ? And would you want it to be flexible, so that you could add stuff to it ? It would be very useful to see pointers on what folks have already done, or to some standards based stuff, so I could understand the level required...