The Sarbanes Oxley Act :: View topic - IT Infrastructure Changes
IT Infrastructure Changes

ramesh_sil
Newbie
Joined: Mar 25, 2008
Posts: 1

Posted: Tue Mar 25, 2008 12:55 pm    Post subject: IT Infrastructure Changes

I am new to this forum. In our organization, the SOX testing team considers all the IT infrastructure changes as in scope and tests them. Because of this, the cost of the SOX testing for change management is very high.

We want to exclude the IT infrastructure changes from the SOX testing scope. I am looking for some suggestions for submitting a business case to the SOX testing team to exclude the IT infrastructure changes.

Your suggestions are highly appreciated.

NC
MasterSoxer
Joined: Jan 18, 2006
Posts: 122
Location: Chennai, India

Posted: Tue Mar 25, 2008 10:53 pm

Since the SOX Act in itself is pretty silent on the specifics of ITGC, it would be better if you can do a risk assessment purely from a financial reporting perspective.

E.g., an ERP is an ideal choice for a SOX-significant application. It would be a worthwhile exercise to identify the infrastructure, like the servers, firewall, routers, OS and database, that supports this application and consider this infrastructure alone in scope.

Of course it is better practice to cover all the IT infrastructure, but from a cost control perspective, the above would ideally satisfy the SOX requirement.

Hope this was useful.
harrywaldron
SoxGuru
Joined: Jan 12, 2006
Posts: 849
Location: Roanoke, Virginia

Posted: Wed Mar 26, 2008 6:37 am

Hi and welcome to the forums!

As NC noted, the key focus of SOX material risks centers on financial exposures. It is easy for SOX compliance leaders to blend in items that aren't applicable, as the standards can be difficult to interpret.

As a perspective, I often quote the following:

SOX 404 controls are a senior management responsibility. Comprehensive controls for automated financial IT systems must be established, based on significant material risks. These guidelines are written at a high level and on a generic basis, as company technologies will vary widely.

As many of the regulars in the forums have seen, SOX can often be misapplied. With respect to "SOX testing for change management" or "infrastructure changes", the key question is whether these areas entail significant financial risks that warrant testing. Based on the details of the CM framework, I can see where both applicability and non-applicability might apply.

One idea for clarification might be to contact the SOX external auditors for their opinion on the current controls being tested.
Bendtsen
Newbie
Joined: Mar 19, 2008
Posts: 3

Posted: Wed Mar 26, 2008 7:32 am

My company wouldn't entirely agree with the notion that SOX should review only financial applications. Our statement regarding in-scope and out-of-scope applications is as follows:

Quote:
    As part of the Sarbanes-Oxley (SOX) assessment of the company's financial processes, General Computer Controls will be documented and tested. The systems included within the scope of General Computer Controls for SOX are primarily the financial systems. However, all systems, regardless of financial statement impact, may be sampled during the testing of General Computer Controls.

    For example, a test sample drawn from the change log could include a change to a non-financial system. All such items will be tested according to criteria identified during documentation of General Computer Controls.

    Due to the small sample size for SOX testing, if a non-financial system test item fails, the entire test may fail.

The item in your initial question that stands out to me, based upon my company's practice of SOX assessments, is that they're testing everything. Our test samples may be selected from a listing of everything but usually number no more than 25 for any given testing. We've found our limited sample size to not have an adverse effect on cost.
harrywaldron
SoxGuru
Joined: Jan 12, 2006
Posts: 849
Location: Roanoke, Virginia

Posted: Wed Mar 26, 2008 11:49 am

A few quick thoughts on Bendtsen's excellent reply:

1. SOX 404 represents a minimum baseline for meeting Sarbanes-Oxley IT financial requirements. Companies can certainly add more safeguards and controls than are required on a statutory basis. They may even fit them under the SOX compliance umbrella (even though they may not be applicable). As NC shares, there may be overlap with ITGC as well.

2. For IT systems, it's desirable to have one set of security, change management and change control standards for all IT applications (although there may be some additional layers for affected financial applications). For example, if you don't have good network controls for non-financial systems, it's likely that hackers breaching these controls could get at the financial systems. Two sets of IT standards would also create confusion for the development and support teams.
NC
MasterSoxer
Joined: Jan 18, 2006
Posts: 122
Location: Chennai, India

Posted: Thu Mar 27, 2008 4:05 am

No wonder the Big 4 make revenues in billions.

As mentioned earlier, it would be ideal to have all the infrastructure in scope. This would ensure that all audits double up as both SOX audits and quality compliance audits (ISO 27001).

Cost-conscious companies may still wish to have a restricted scope.
BAKOSOX
Newbie
Joined: Aug 04, 2005
Posts: 8
Location: Central California

Posted: Thu Mar 27, 2008 10:29 am

Ramesh,

Take a look at the guidance from the Institute of Internal Auditors called "GAIT Methodology". GAIT is an acronym for Guide to the Assessment of IT General Controls Scope Based on Risk. This is available from their website at "theiia.org".

You will find this guidance very helpful with the question you posted. In short, SOX is ONLY concerned about ICFR; anything not affecting financial reporting is out of scope. There are a lot of reasons you do not want to include out-of-scope items in your SOX testing. This is not to say these items do not need to be tested under a different task.

When reviewing the GAIT document, pay particular attention to the phase 3 guidance and especially page 19.
harrywaldron
SoxGuru
Joined: Jan 12, 2006
Posts: 849
Location: Roanoke, Virginia

Posted: Thu Mar 27, 2008 11:44 am

Thanks Bakosox for sharing, as these resources are excellent and educational.

There are often things done "in the name of SOX" that aren't always part of the official SOX 404 requirements. While additional controls are often beneficial, these out-of-scope activities can add to the overall costs and overhead. The compliance leader should obtain good training plus advice from their external SOX auditors in setting up a program that meets the requirements properly without going too far out of bounds.

The primary GAIT document is about 2 MB (PDF). Some of the key links are captured below (please copy to browser, as direct links aren't permitted in forums).

Code:
KEY IT AND GAIT LINKS
http://www.theiia.org/
http://www.theiia.org/guidance/technology/
http://www.theiia.org/guidance/technology/gait/
http://www.theiia.org/guidance/technology/gait/gait-methodology/
http://www.theiia.org/guidance/technology/gait/gait2/

GTAG Series (if needed)
http://www.theiia.org/guidance/technology/gtag/

Also, I added a brief blog entry related to the value of these documents:

Code:
http://msmvps.com/blogs/harrywaldron/archive/2008/03/27/sarbanes-oxley-404-requirements-iia-s-gait-and-gtag-free-resources.aspx
Trademarks referenced on the SOX Act Forum are property of their respective owners. Comments are property of their respective posters.
Sarbanes-Oxley Act Implementation Portal: Sarbanes Oxley compliance, information, software, & internal audit committee resources. Sarbox.
Site source is copyright nuke (c)2003, and is Free Software under the GNU / GPL licence agreement. All Rights Are Reserved.