The Sarbanes Oxley Act :: View topic - Migration to new accounting software
Posted: Thu Oct 05, 2006 5:27 pm Post subject: SOX and Implementation of a New Accounting System
A new accounting system implementation will have significant impact on SOX documentation and related evidence to support the controls over financial reporting.
Yes, the SDLC can be used to support effective change management processes. However, the application controls in the new accounting system will need to be reviewed and tested to ensure that transactions are accurately processed in the new system. Also, significant linkages and data interfaces between source systems and the new accounting system should be reviewed. Data migration issues from the old system to the new system might also require assessment.
Additionally, the SOX business process documentation that addresses the ICFR under the older system might need to be reviewed and updated. If you are simply going to a newer version of an existing accounting system, the upgrade and migration will likely require less effort.
However, the implementation of a new accounting system will generally have a significant impact on SOX process documentation, application controls, and possibly general controls too.
A lot of useful information may be found at eitoolkit.com. The software vendor should also be able to provide technical and user documentation that might be helpful to develop SOX process documentation and design/implement tests of controls.
Joined: Jan 12, 2006 Posts: 853 Location: Roanoke, Virginia
Posted: Thu Oct 05, 2006 5:50 pm Post subject:
Hi Jed - I'd recommend checking with the audit on this for specific requirements, as I've seen quite a bit of variability among companies. The SOX 404 (IT) and other standards are written generically for a wide range of IT systems and technologies. Also YMMV depending on your external auditors' requirements.
Several promising links here (add www and paste to browser)
I'm in IT and have designed standards for SOX in the past. Here's a few ideas to start with that I've used as applicable:
RECOMMENDATIONS FOR FINANCIAL SYSTEMS DEVELOPMENT IN THE SOX ENVIRONMENT
1. Formal Project Plan
2. Formal write up of SOX controls to be used - make this a standard for the team
3. Formal and rigid change control on source promotions (e.g., alpha to beta to QA to production)
4. Very Detailed and complete accountability of all financials in the conversion from old to new
5. Appoint SOX coordinator (I've been that on a few projects)
6. Invite Internal Audit to participate and give guidance up front
7. If applicable, invite external Auditors to participate and give guidance up front
8. Documentation standards
9. Create an e-Library of documentation (contrary to popular belief you can do SOX using a paperless approach).
10. Look at low-cost tools if needed
11. Educate the team in SOX standards, basics, and in-depth as needed
12. Streamline workflows for efficiency ... Do it right so you don't have that 30% overhead as a drag on the project. You still might have some (e.g., 5-10%) as doing the extra work for SOX ain't gonna happen by itself.
13. Have an emphasis of SOX being an important deliverable to the team in the development process as well as the application
14. Work with the users to design and use the best practices for workflow.
15. Obtain senior management's support for the extra time and requirements ... That will do wonders for your project.
16. Security, Security, Security ... Best the best controls, autonomy levels, protect workstations and servers, etc.
17. Reconciliation Reports - plan on developing a # of these to compare old v. new systems
18. Make signoffs on the financials a part of the user approval process (it puts the best interest on users to meticulously examine test material)
19. Log project history (Promotions, Change control history, correspondence, test plans) in the e-library
20. Revisit your SOX standards and progress at least quarterly.