What about PCs?



  • Perhaps someone out there can help me out on this issue. We are now starting our Y2SOX efforts and are beginning to revisit some of the control activities. A general question has started to rise up about the IT organization and the controls required on the user desktop.
    Like most companies we use a lot of spreadsheets, many of which do impact the financial reporting process. We’ve completed our Spreadsheet Audit and know our challenges with those. Where we are starting to run into questions is in the areas of PC Maintenance (system software patch and fix management) and the general area of ‘Change Control’ as it relates to the PC itself.
    We have many controls in place already both logical and physical, including secure network drives, password protection, group administration and periodic access audits, etc. What we are beginning to question is the documentation we need on the area of ‘patch management’ and having a ‘Change Management’ plan for items such as installing or upgrading software. Both of these items in general are key controls that are applied to our core business system (ERP) - I suppose a more succinct way to ask the question is how far do we need to extend these controls?
    Personally, I’m of the mindset that due to our high use of spreadsheets, we need these kinds of controls over our desktop environment, particularly in the areas where we have financial and other ‘sensitive’ information. Furthermore, I think it’s good practice to have these controls over our desktops in any case. I’m getting some pushback because of the ubiquity of things like MS updates that users can apply of their own accord or software that they can install (even though it may violate our policy). While I understand the challenge our IT department will face, I don’t buy the answer that we can’t control the desktop environment.
    Can someone provide any other insight from their own experiences and organizations?
    Thanks, Mickey




  • We cover the End User Computing topic from a SOX point of view within the IT general controls. These include, e.g., user authorization and change management. If there’s a need to e.g. install a patch, there’s a testing phase and a defined rollout strategy.



  • Holger thanks - that’s basically what we’ve done too, but now we’re getting tremendous push back from the field because it means more work. My position is that we should be able to answer basic questions about our PCs when asked, like:

    • When was the last system software update applied? When and how was it tested?
    • What software is currently installed on this PC? Is it all licensed and in accordance with your software policy?
    • Are there appropriate controls to prevent unauthorized access when the PC is left unattended? (Suggests password protected screensaver and timeout)
    • What sensitive or critical information is stored on the PC? When was it last backed up?
      While we can’t prevent end-users from installing MS patches or their own software, we should be able to have a ‘detect’ control that alerts us to this situation. I also believe that we should have a plan for things like applying patches rather than flying by the seat of our pants and putting our faith in MS.
      Am I crazy? (not in general, just on this topic - LOL.)
      Thanks,
      Mickey


  • What is wrong with allowing all desktops to use (Windows) automatic update and Security software to automatically update? I am seeing a lot of industry columnists recommending it. All other changes are by admin only.
    We also implement a screen saver with password after 10 minutes of inactivity.



  • @mickey: Unfortunately SOX in general produces quite a workload in the field, mainly in the form of documentation. In your case I would look out for programs like MS Software Management Server, or any inventory program which allows you to scan every PC on the network as soon as it is powered up, and even more.
    @djinks: Sometimes untested patches and updates do more harm to the stability of a network than you think. One topic with respect to SOX would be deliver and support, which would be a COBIT item and therefore an IT general control. You definitely wouldn’t allow an automated update of your workstations, like automatically installing XP SP2, if this causes the network to go down or your financial applications not to run reliably anymore.
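Mickey’s four audit questions and Holger’s suggestion of an inventory scanner both come down to a detective control that can answer those questions per PC and flag drift from policy. The script below is an added example written for this thread; it is not code from the thread, from MS Software Management Server, or from any other product mentioned here. It reads the last installed hotfix, the installed-software inventory (machine-wide and per-user) and the screen-lock settings from standard Windows locations, and reports deviations. The approved-software allowlist, the 30-day patch age and the 600-second lock timeout are assumed, hypothetical policy values that you would replace with your own.

```powershell
# Added example, not code from the thread. A desktop 'detect' control: gathers the
# evidence behind the audit questions (last patch, installed software, screen lock)
# and flags deviations from a constructed policy. Assumed values: the allowlist,
# the 30-day patch age and the 600-second lock timeout.
# Run locally, or against several PCs with:
#   Invoke-Command -ComputerName PC01,PC02 -FilePath .\Test-DesktopControls.ps1

$Policy = @{
    ApprovedSoftware   = @('Microsoft Office*', 'Adobe Acrobat Reader*', 'Google Chrome')  # constructed allowlist; wildcards allowed
    MaxPatchAgeDays    = 30     # assumption: the patch cycle the rollout plan commits to
    MaxLockTimeoutSecs = 600    # 10 minutes, matching the screensaver practice described above
}

function Get-PatchStatus {
    # Most recent hotfix, plus any applied under an account other than SYSTEM:
    # a rough indicator of patches installed by hand rather than by the managed rollout.
    $fixes  = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending
    $latest = $fixes | Select-Object -First 1
    $age    = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
    $manual = @($fixes | Where-Object { $_.InstalledBy -and $_.InstalledBy -notmatch 'SYSTEM$' } |
                Select-Object -ExpandProperty HotFixID)
    [pscustomobject]@{
        LastPatchId        = $latest.HotFixID
        LastPatchDate      = $latest.InstalledOn
        DaysSincePatch     = $age
        UserAppliedPatches = $manual
    }
}

function Get-InstalledSoftware {
    # Machine-wide (64- and 32-bit) and per-user uninstall entries. The HKCU hive is
    # where installs that need no admin rights tend to land, so it must be included.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $scope = if ($_.PSDrive.Name -eq 'HKCU') { 'User' } else { 'Machine' }
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                InstallDate = $_.InstallDate     # yyyyMMdd string; often empty
                Scope       = $scope
            }
        }
}

function Get-ScreenLockStatus {
    # Group Policy values (Policies key) override the user's own Control Panel settings.
    $user   = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -ErrorAction SilentlyContinue
    function Pick($name) {
        if ($policy -and $policy.PSObject.Properties[$name]) { $policy.$name } else { $user.$name }
    }
    $timeout = Pick 'ScreenSaveTimeOut'
    [pscustomobject]@{
        Active           = ((Pick 'ScreenSaveActive') -eq '1')
        RequiresPassword = ((Pick 'ScreenSaverIsSecure') -eq '1')
        TimeoutSecs      = if ($timeout) { [int]$timeout } else { 0 }
        EnforcedByPolicy = [bool]$policy
    }
}

function Test-DesktopControls {
    $findings = New-Object System.Collections.Generic.List[string]

    $patch = Get-PatchStatus
    if ($null -eq $patch.DaysSincePatch -or $patch.DaysSincePatch -gt $Policy.MaxPatchAgeDays) {
        $findings.Add("Patching: last update $($patch.LastPatchDate) is older than $($Policy.MaxPatchAgeDays) days")
    }
    if ($patch.UserAppliedPatches.Count -gt 0) {
        $findings.Add("Patching: hotfix(es) installed outside the SYSTEM account: $($patch.UserAppliedPatches -join ', ')")
    }

    # Anything not matching an allowlist pattern is reported, per-user installs included.
    $unapproved = Get-InstalledSoftware | Where-Object {
        $name = $_.Name
        -not ($Policy.ApprovedSoftware | Where-Object { $name -like $_ })
    }
    foreach ($s in $unapproved) {
        $findings.Add("Software: '$($s.Name)' $($s.Version) ($($s.Scope) scope) is not on the approved list")
    }

    $lock = Get-ScreenLockStatus
    if (-not ($lock.Active -and $lock.RequiresPassword) -or $lock.TimeoutSecs -le 0 -or $lock.TimeoutSecs -gt $Policy.MaxLockTimeoutSecs) {
        $findings.Add("Screen lock: active=$($lock.Active) password=$($lock.RequiresPassword) timeout=$($lock.TimeoutSecs)s (policy: 1-$($Policy.MaxLockTimeoutSecs)s)")
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        CheckedAt = Get-Date
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

Test-DesktopControls | Format-List
```

Scheduling this at logon or running it from a central host and keeping the returned objects gives the time-stamped evidence an auditor asks for (when the last patch went on, what is installed, whether the lock is enforced) and turns a policy that users can violate into one whose violations are at least visible. With the constructed allowlist, a real PC will report many unapproved entries; the point of the first run is to build the real allowlist from what is already deployed.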

