Impact of SOX Act for IT in the Corporation 5
  • As a QA Manager, I’d say it’s up to your QA (or analogous) group to audit your group against those procedures to ensure compliance. If you’re not following them, or if they are not adequate to ensure that you meet regulatory standards for your industry, QA would include that information in their audit report, and work with you to establish corrective action.

    Where Sarbanes-Oxley comes in is in areas where you or your team cannot implement corrective actions without support of upper management, be it monetary, cultural, etc. For example, if you need to have a computer system validated to meet a regulatory requirement, but keep being turned down on budgetary requests for costs associated with the validation, that is beyond your control. An audit report containing that observation needs to go to upper management for consideration. If they are presented with evidence of problems that need fixing, and ignore that evidence, then they are liable.



  • I would make sure that your policies look and feel like an ISO 17799 product. Many of the Big 5 consulting firms expect to see that you’re following some standard. The ISO has worked well for me in the past when I’ve had to go through other attestations (i.e. Gramm-Leach-Bliley, WebTrust, etc.). If you get the outline, you can kind of piece your existing policies and standards into the ISO model and then work to create the remaining pieces.



  • The use of the ISO standard has got to be the right approach. I have always found that somewhere down the line someone will ask why the compliance effort followed the path it did. It’s a question which is FAR easier to answer if you have used an international norm.



  • The only thing SOX is out for is financial misstatement risks. So all you have to do is to identify financial processes which, if not functioning correctly, could lead to significant financial misstatements.
    You have to document every business process which could lead to a financial misstatement and identify the controls and procedures within it. After that you have to point out your key controls. And only these have to be documented and tested.
    Looking at IT, you also have something called general IT controls, which are basically IT controls which apply to all of the systems which carry financial business processes, like user authorization and business continuity (e.g. you need no limit control within SAP if that server is not functioning).
    To do this properly there are frameworks out there.
    An external auditor will review your documentation and perform some additional tests.
    Have fun…