IT component of Sarbanes Oxley 90



  • I'm not saying that IT general controls are not in scope.
    What I was trying to get across is that you only have to document IT general controls as far as they relate to IT systems that carry the risk of a financial misstatement.



  • Hello.
    I agree with the other posters that the IT processes that are in scope only relate to financial reporting.
    If it can adversely affect financial reporting, then it's in scope.
    There is a huge grey area of general IT controls: UPS, firewalls, IDS, etc.
    If you are using a COBIT or COSO framework for evaluation, I think you will find these to be in scope for SOX, but ONLY for those systems that deal with financial controls.
    Because time is so limited, a firm handle on scoping is extremely important. Beware scope creep.
    However, document any weak spots you come across during your assessments and bring them to IT management's attention.
    Some we have decided to fix because the fixes go along with code changes that are in scope for SOX, etc. Some we have put on our post-SOX-compliance to-do list.

