SOX application that uses a not supported JAVA version 1418



  • Hi,
    We have an application that was developed with a JAVA framework that uses an EOL (end of life) Java version (SUN no longer maintains this version). This application must be SOX compliant. Here are my two questions:
    Is there any problem due to the use of an older JAVA version to achieve this issue?
    Must the JAVA framework be compliant with SOX (and treated as one more application in the application map)?
    Thanks
    8O



  • …my two questions:
    Is there any problem due to the use of an older JAVA version to achieve this issue?
    Must the JAVA framework be compliant with SOX (and treated as one more application in the application map)?
    8O
    Two answers:

    1. It does not appear that using an older Java version will cause an issue if the application can still accurately, completely, and consistently process information having an impact on the financial statements.
      I would think that many companies are using software or programming language that may not be supported by the developer, or for which the developer no longer exists. As long as the application is still reliable, it seems acceptable to continue to use it.
    2. Not sure if I understand your second question, but SOX is not specific to an application or programming language…it pertains more directly to the application controls having an impact on financial reporting.
      Hope this helps,
      Milan


    1. Not sure if I understand your second question, but SOX is not specific to an application or programming language…it pertains more directly to the application controls having an impact on financial reporting.
      Hope this helps,
      Milan
      Thanks Milan,
      I’ll try to clarify my second question:
      Currently we are working to be SOX compliant and we have detected the applications and processes that have an impact on financial reporting. One of these applications is the Java development (a Java framework and a Java development created by two different providers). In the case of some IT controls, such as maintaining standard application documentation (for example), must we also have and maintain the Java framework documentation?
      Thanks,
      8O


  • Hi,
    Thanks for your clarification…
    ‘…we detected the applications and processes that have an impact on financial reporting…
    One of these applications is the Java development (a Java framework and a Java development created by two different providers)…’
    You state that you have determined that the Java framework and Java development process have an impact on financial reporting. That changes things because now, the framework and process are considered to be within the scope of SOX. I noted that you also said that they are created by two different providers, and more importantly, not by your company.
    The existence and maintenance of application documentation can be considered to be an IT control. It is comparable to an Accounting Manual that is used in the Accounting function and as a guide for understanding the flow of information in/through/out of the process.
    I don’t think anyone would argue that although an Accounting Manual may be lacking, the underlying controls in the Accounting process can be determined to be ineffective as it relates to financial reporting.
    Similarly, lack of IT application documentation alone might also not be considered to be a material weakness even if the IT application is used to develop, process, or summarize data used in the financial statements. However, when considered in relation to other IT control gaps or weaknesses, it could, in the aggregate, lead to a significant control deficiency and be material or immaterial to the FS depending on the degree of exposure and related risks.
    Since the Java Framework documentation is developed by an outside provider, I suggest obtaining some application documentation from them to properly understand the system, its relevance to the overall financial reporting process, and if the IT Application were to fail, the likely consequence(s).
    A ‘What Could Go Wrong’ (WCGW) high level risk assessment could be conducted over the Java Framework and related processes to determine the risk implications and need for documentation.
    IT documentation received from the vendor and the results from the WCGW Risk Assessment could be used to identify the key control points and application controls embedded in the system and will be helpful to you to design and perform tests of control effectiveness over the application.
    If you would like to take the dialogue ‘offline’ and discuss specifics, please reply to me at 404cpa_at_gmail.com. Your situation seems to be somewhat unique and it is difficult to understand and answer with precision without more information.
    Regardless, I hope this further clarifies and is helpful to you.
    Milan



  • I agree with Milan’s good points on this. SOX 404 is written from a general standpoint, so you’ll rarely see technology specific information.
    I mainly wanted to share that I’d highly recommend re-engineering the source code to be compliant with the latest Java standards (regardless of SOX compliancy). Hopefully, most of the source code will transition properly (although I’ve seen some vendor supplied packages that don’t include the source).
    Being on obsolete technology can hold you back from going to more secure OS builds and good maintenance capabilities for the application. For example I’m aware of one server for a company that’s still on NT 4.0 SP6a. There may even be a few Windows 3.11 PCs still floating around as well 😉
    Simply for good technology and business reasons, I’d recommend re-engineering the app so it’s fully compatible with the latest Java programming standards and engine 🙂



  • Hi Harry,
    Thanks for your additional feedback. I was thinking of writing you this weekend for your thoughts about this question. I do not have hands-on experience in IT and thought that you would be able to provide further insight, particularly from an implementation and Best Practices standpoint.
    This Forum has developed into a great network of SOX professionals and it’s good to know that you and others (John, kymike, mocha, Chaayya, ugogirl)…sorry if I left anyone off…regularly post.
    It would be genius if someone were to develop a computer routine that could simply take the Subject Headers from the Forum, convert them into FAQs or Topics, then attach the various replies to them…sort of an Applied SOX Q-and-A if you will. I think it would be a very useful and valuable resource.
    Sorry…I digressed…anyways, thanks for your insights.
    Cheers,
    Milan

