SOX impact on an IT Department

  • Where do you start… this is an interesting question.
    However, here are my suggestions.

    1. Take an inventory of your applications.
    2. Identify which business processes are ‘in scope’.
    3. Identify which application is in scope.
    4. Identify whether your IT department directly supports the application.

    Finally, if the IT department is not directly responsible for any applications, chances are they need to be well controlled anyway because SOX requires strong general computer control (‘tone at the top’).
    The main areas of focus for General IT controls are:
    • Program change and program development
    • Access to data and computer operations
    So what does this mean? Well, most of my clients have trouble in the following main areas…
    • Insufficient security (physical/logical)
    • Change management (includes all changes, software/hardware etc.)
    • SDLC
    • Operations documentation
    Good luck
    tristanatbui.com


  • Thanks for the reply.
    I do have one follow-up question. I have read and have been told by KPMG auditors that the only servers impacted by SOX are servers that have financial reporting software that uses balance sheet, general ledger, etc. functions.
    Basically, Sarbanes Oxley’s application in IT is limited to those applications that may impact what shows up on the financial reports.
    Is this a correct assumption?
    Thanks again.



  • Yes, basically right.
    But check with internal audit which apps they think are in scope. For example, if approvals which are part of the key controls are given by email, then email is definitely in scope (and these emails have to be retained for evidence). It’s not so clear cut as just the financial apps themselves.
    You may also have apps that affect the IT General controls, for example apps that are used for access control or change control. These would be in scope as they affect what happens to the financial apps.
    Scoping can be a difficult exercise and has taken our IT audit team several months. It all depends on what the organisation defines as its key controls, and for anyone who uses IT that almost always includes SDLC, change control, access control etc. as mentioned by the previous contributor.



  • Nice response Kool Cat,
    One thing to note is that for General Computer Controls or General IT controls, the theory is that it should be a pervasive control that means it should apply to ALL areas of IT.
    If I was in your position, I would assess what policies/standards are in place at your company and ensure that you comply to them.
    If there is a change management process in place, you should ensure that every time you do a security upgrade on your servers, or any other changes, it complies with your change management procedures.
    If you are acquiring new hardware for your services, you should ensure it follows and complies with your corporate policies.
    In reality, you may or may not be subject to SOX testing. The external auditors have the right to look at your area as part of General computer controls testing.
    So, in a nutshell, find out what policies/security standards/procedures you have in place in your company and ensure you comply with them all, and you will be fine.
    Regards
    Tristanatbui.com



  • Dateline: October 24, 2004
    Ten days ago our VP of Operations plops the 80 page PDF of
    IT Control Objectives for SOX (the ITGI version) in front of me, and wants an analysis when he returns.
    If you have viewed this monstrosity, I feel your pain.
    I’m the IT manager, so the web page searchin’ begins.
    Turns out we are really in the SAS70 boat at ground zero in a thermonuclear war. The rope fibers are burning my neck as the chair I’m standing on slowly wobbles apart.
    Ok, so I am a little uneasy, I’ll get over it.
    So, I decided to look for information in forums.
    Probably the best advice is to get a compliance tool kit.
    The entire audit procedure makes me wonder if two auditing companies were hired to do independent audits of a target company, could the target pass one audit and fail another?
    More later, the VP returns Monday. 😎



  • I understand from the thread that there is a need to provide documentation relating to policies and procedures (for General IT Controls) as part of SOX Compliance.
    Q: How do we provide evidence of the testing of these controls…and how do we test?
    Q: How can we determine if the level of control and the quality of documentation and testing will be sufficient for compliance?