As security is such a major theme of the Act, many organizations are using the international ISO standards. The ISO 27001 Portal outlines these. A copy of the standards, and security policies, can be obtained via the ISO 17799 Toolkit.
The Sarbanes Oxley Act :: View topic - SOX Compliance
Posted: Mon Jun 26, 2006 11:06 am Post subject: SOX Compliance
I work for an IT company, a sister company of a Freight Logistics company. The parent company is trying to go for SOX compliance next year. I have been asked by my manager to give him a plan for how the sister company can go for SOX compliance. I have no idea what that is. I am a Quality Assurance Consultant, not an internal auditor.
Can someone please help me understand the preliminary things I have to do, and point me to any sample phase plans for going for SOX compliance?
Posted: Mon Jun 26, 2006 12:14 pm Post subject:
Below is an updated list of recommendations, from one I had previously shared ... To me, the cornerstones for success include: Planning, Training, and Commitment ... Good luck to you.
SOME GENERAL RECOMMENDATIONS FOR SOX IMPLEMENTATION
1. Set up a Project Plan for meeting SOX compliance requirements (research and explore what is needed prior to doing anything). Good planning will pay dividends for establishing this process.
2. Get training right away. The core team, and especially the leader of the process, should invest a week or so in training. Consider attending a formal seminar away from work where you can focus and interact with other participants. This will create a good foundation for what's required.
3. Perform an inventory of all your IT applications. Identify all of your financial systems and look for any indirect relationships.
4. In conjunction with the inventory, examine the workflow and human factors surrounding financial processing.
5. After the inventory, perform a Risk Management study on all your financial applications (looking at the possibility that someone could either accidentally or deliberately alter financial records).
6. Look at ways of strengthening the financial process and implement new controls (e.g., versioning, change management, and security).
7. Evaluate random sampling controls and requirements for your financial applications to set up a testing/sampling program on controls each quarter or month, depending on the needs.
8. Evaluate the SOX 404 standards for best practices associated with IT control improvements. Set up a plan to implement and improve standards. Evaluate the COBIT 4.0 standards for IT controls over financial applications (note that COBIT 3.0 is the minimal acceptance level).
9. Work closely with both internal and external auditors and gain their approval for the work that will be done.
10. Set up an e-Library (electronic documentation library) to include all your SOX documents, test plans, communications, etc.
11. Make sure you obtain senior management support for the process. It is an important aspect of implementing change. They must also support the additional work, human resources, and costs that will be needed to gain compliance.
12. After the initial process is implemented, continue to improve the SOX controls and keep up to date with changes in business and legal requirements.
Note Denis and Milan's excellent advice in this thread related to COBIT ... While it's not necessarily mandatory, it's highly advisable to be COBIT-compliant, as many of the audit firms feel it is the most applicable IT framework for SOX compliance.