Network Security, IDS - In or out for SOX 404?



  • EY is telling us network security, intrusion detection, firewalls, anti-virus software, and the like is out of scope for 404, while KPMG is saying they haven’t come across a company that didn’t include it in their documentation and testing plan. What are your experiences with this?
    Assuming that it isn’t part of your core business, and you have controls in other places (i.e. access control software that mitigates any network intrusion risks), how will it affect financial reporting if someone is able to get onto my network? I use the analogy: just because someone can break the window on my car doesn’t mean they can drive away with it. There is another level of defense. Your thoughts?





  • You make a very good analogy, but SOX looks at it as there is more of a likelihood that if they break into your car using a jimmy, their intent is malicious in nature and they are just as likely to steal the quarters in your cup holder as the whole car. If you have mitigating controls, those should be documented accordingly, but all aspects which can have a significant impact on the financials are relevant; this includes IT systems and policies. If IT’s function is only that of network, who maintains the payroll, AP, AR, purchasing systems? Yes, typically there are mitigating controls which are sufficient, but you have to evaluate them to ensure they are sufficient enough to deter the risk involved with a system open to intrusion (aren’t most systems?). My experience with EY and SOX was actually that they felt these areas were important and did test them, so I was surprised to read your comments. :lol:



  • I definitely agree with Cassandra. I have experienced many situations with clients asking what this has got to do with SOX.
    One thing to note is that most companies only cover 2 areas of the COSO framework. The other two, which are usually company-wide controls, are left out.
    In your case, network should be covered as part of the GCC (general computer controls), and GCC is part of the ‘tone at the top’ and is a pervasive control. Therefore, strong controls over GCC, and by default ‘networks’, provide a foundation for SOX.
    Cheers.
    Tristan



  • Interesting Topic:
    Well, if E and Y is your external Auditor and they say it to you in writing to exclude networks, IDS, Security etc. out of Sarbanes - you may want to do that.
    I interfaced with various external-auditing companies - in my opinion, Networks (General IT Controls as a whole) contribute to origination, processing, transportation and reporting of the financial data. Hence these need to be considered as part of 404 compliance.
    From an Assertions point of view, the general IT controls are a crucial reference to key assertions such as Availability of assets, Authorization, Completeness and Timeliness. (Some people know it as CAVR.)
    It is essential that in each GC (IT) area, you identify key controls and ensure that you have key controls that are in fact effective. If they are in place, however you find gaps (implementation/design deficiency), a convincing compensatory control could be substituted. However, a compensatory control on its own merit cannot replace the necessity of a key control.
    Again, at an individual control level - in case you find gaps, you could settle with a compensatory control - however, when the gap in control is combined with other weaknesses in other key controls, it could result in a material deficiency. Such material deficiencies are the ultimate fear factor to the Mgmt. At that time, given the SEC/PCAOB guidelines, External Auditors do not hesitate a minute to recommend that the Mgmt discloses such Mat-Def in the Financial Reports. Imagine why 26 companies in July honestly disclosed their control deficiencies.
    Good Luck, and if you have any questions, please feel free to write to me.
    Madhav Vedula, CISA*
    Sr. Internal Audit Consultant
    mvedula_at_go.com

