Posted: Mon Jul 10, 2006 9:54 am Post subject: ISO 9001 Internal Audit and SOX Management Testing Integration
Does anyone have experience with integrating SOX Management Testing with their ISO 9001 Internal Audit program? There is a lot of synergy between the two disciplines and it doesn't make sense to manage the testing/audits as separate processes. I would like to hear if anyone combined the two and how it worked out for them.
I haven't combined the two because SOX often requires a little more focus on the financial reporting side of things.
I would agree, however, that there are similarities.
Yes, you're right, but it shouldn't matter (as far as ISO is concerned) where the focus is. When a SOX key control is mapped to an ISO process and it's time to do an ISO process audit, the questions or checklist should include the questions for that key control that were asked during the management testing of that key control. Not everything in that process will be a key control, but those that are have to be identified so the proper sample size is collected based on the frequency of activity for that key control. I'm just having a hard time coordinating the ISO internal audit schedule so that it satisfies SOX management testing. If anyone is interested and wants to take this offline to discuss further, I'd be happy to set something up. Then we can post what we come up with in this forum so that others in the same environment can take advantage of it if they wish.
Joined: Nov 25, 2004 Posts: 790 Location: London, UK
Posted: Fri Aug 18, 2006 11:48 am Post subject:
I think that with some planning and thought to documentation you should be able to combine both activities into one project. Of course you will have things that you do for SOX and not for ISO and vice versa, and you may have different rigour for different purposes (in which case use the most rigorous), but if you have visibility in the documentation on why you are executing a specific task, then this should not cause a problem.
_________________
"The art of life is to deal with problems as they arise, rather than destroy one's spirit by worrying about them too far in advance" - Cicero