SOX requirements for usernames and passwords 188

  • This post is deleted!

  • This post is deleted!

  • This post is deleted!

  • This post is deleted!

  • James,
    Yes, one user account, one password and never a shared account or password.
    Your issue with the fax/scanner/printer is a General IT Control and is only a SOx issue if it involves a network with financial data/reporting. So, if your access is such that it does not allow the user to connect to a network with financials on it, it will not be a SOx material issue. However, it will be an IT audit deficiency. If there are financials, then it is a SOx issue.

  • James,
    I would disagree with the previous post. Your consultant is probably some 23 yo fresh out of college using some check list.
    Ideally, having shared password is not ideal however we need to address the risk at hand. In your example, the PC that suppor t the fax/printer etce etc is not the real risk. The risk is that if you have a shared username password, some one with that username/password may be able to log on to your net work and create havoc.
    My recommendation would be for you to restrict the username logon to that one physical machine only and that the user cannot log on other areas of the network. Perhaps restricting it to a single IP address would be ideal. That way you have reduced the risk.
    I have seen many times that people do not consider what is at risk before jumping to conlclusions by recommending what is ‘best’ practice.
    good luck.

  • Thanks for the responses.
    I understand that a shared password poses some risk. However, since the login account has very limited permissions, I consider it a very minor risk. Adding a machine restriction as a further risk limiter is a good idea.
    So as to question 1, the answer is one yes and one no.
    I still would like to read the SOX requirements that talk about network security. Can anyone tell me which section I should read?
    Thanks again.

  • James,
    PCAOB recent publication AS2 has some information but unfortunately the IT side is not too detailed. Unfortunately for IT it is extremely judgemental and as long as you can justify your action in terms of risks then you should be fine.
    The law states that we only have to demontrate the design of effective internal controls the operating effectiveness of such controls.
    It is unfortunate that most Big 4 believe that their word is gospel but you should make ur judgement based on the risks associated to ur situation. I used to work for PwC and they do brainwash you ‘in a good way’ of what best practices is, however ever since i worked in industry I think the best course of action must practical before being ‘best practice’
    good luck

  • IMHO, the biggest problem with SOX is that neither the act nor the ‘guidance’ from the PCAOB is very specific…thus externals are taking a belt, suspenders, duct tape, safety pin, and rope approach. This surely smacks of a newbie with a checklist.
    This is a situation where I’d push back in a big way. As long as you can conclusively demonstrate that the shared PW used on this machine gives access to only one directory that does not contain sensitive information, the machine has limited permissions, etc, I would say your risk here is minimal.
    Just WAIT till you get to spreadsheets.

  • You are right…spreadhsheets can be daunting.
    I wrote a paper on securing spreadhseets for SOX.
    All you really need to do in 30 secs are:

    1. take inventory of spreadhsheets that impacts financial statements
    2. build data validation on cells that require data entry
    3. protect all cells that contains formulas
      4.restrict access to the spreadsheet on the network
    4. build in version controls and change register on the sheet
      then you will be fine.

  • Oh, I know what to do…I just don’t WANT to. 😉 a couple of steps I would add: analyze the type of impact on the financial statements, along with the complexity of the spreadsheet, then assess any compensating controls (ie, recons to external sources), before deciding what, if any, changes you need to make. A simple log of outstanding invoices in AP might need nothing more than restriction to authorized users, whereas a spreadsheet that acts as the system of record for a balance sheet or income statement item, especially if there are estimates, judgements, etc done via formulas or code, need the whole ball of wax…as with most things in SOX, judgment is key.

Log in to reply