The Sarbanes Oxley Act :: View topic - IT Audit Data Requests
Posted: Mon Feb 28, 2011 6:37 pm Post subject: IT Audit Data Requests
My company's IT org has mandated that all requests for data (user listings, config screenshots, what have you) for our SOX audits must flow through our Compliance group only. Of course, they have made the process of requesting the data as difficult as possible...for instance, there is a form we have to fill out and a ticket we have to submit which needs approval first, etc, etc.
Basically, we can no longer ask for any data from anyone in IT without going through the "proper" channel. In the past the Compliance group has been less than forthcoming with sharing information and they have been designated control owners for the majority of our ITGCs and therefore stand the most to gain by hindering the flow of information. I do not really feel comfortable with this approach as I feel the only purpose is to filter the data and make our job as difficult as possible.
Does anyone have any advice for me? I am very certain this flies in the face of our Audit Charter, but I am unsure of how to approach this. Please help!
At my company, we run into similar problems. IT is understaffed and has too many projects, so they are forced to prioritize by using these request forms.
The simple answer is, work your connections. I'm not sure how long you've been at your current company and what type of internal networking you've done, but find some allies and go through them to get what you need. This should help you in the short term.
On the side, I'd recommend a sit-down with the lead of the Compliance group to see if your team and his team are duplicating efforts and, if so, whether information could be set up on a shared drive so that both teams have access to the raw data, which can then be used by either team and saved to their respective drives upon use. Also, see if there are some ways to reduce or eliminate excessive duplicative efforts. Maybe bringing someone from IT in could help you prove that one request for both would save a lot of time and hassle for his team, which could lead to faster turnaround time for both your team and the Compliance team.
As an aside, if you already know all of the requests you will need for the next 3 months' worth of projects, perhaps a massive request list could speed things up, since it will only have to flow through the "proper channels" one time as opposed to 50 different times for the 50 different requests.
Joined: Jan 18, 2006 Posts: 122 Location: Chennai- India
Posted: Thu Dec 22, 2011 9:30 am Post subject: isn't it nice
To channelize communication and information is indeed a good practice. I do admit it causes considerable delays for us to get data/information internally. However, it also takes care of one element of the infosec requirement triad: Confidentiality.
Trademarks referenced on the SOX Act Forum are property of their respective owners. Comments are property of their respective posters. Sarbanes-Oxley Act Implementation Portal: Sarbanes Oxley compliance, information, software, & internal audit committee resources. Sarbox. Site source is copyright nuke (c)2003, and is Free Software under the GNU / GPL licence agreement. All Rights Are Reserved.