SOX and the 404 Help..



  • First off I would like to thank the folks who host this site. I have been reading for a couple weeks all of the related info and feel a lot better knowing that people are having the same issues that I am. Keep up the good work.
    I was recently tasked with providing the IT Controls documentation for the 404 section of SOX and have NO IDEA what it is supposed to look like.
    Does anyone have an outline or actual documentation so that I could see the format and content? I have visited the COBIT and ITIL and a few other sites that only discuss the content of the IT control objectives and have no real format discussions.
    Any help would be greatly appreciated.
    Regards,
    Ken Stone
    *** Please post here or feel free to email me. sfraser_at_houston.rr.com



  • If I understand your inquiry correctly, IT control documentation is in the form of policies and procedures. The areas (categories, if you will) of policy include Security Administration, Application Change Control, Application Development, Business Continuity, Data Management, Disaster Recovery, Data Center Operations, Problem Management, Asset Management, and Vendor Management.
    Under each area (category), individual policies document controls for each sub-category. Example: Security Administration - Password Policy, Remote Access, etc… Hope this helps.
    Jonathan



  • Thank you for the response… What you're saying seems accurate on what I am looking for.
    Are there any examples anyone can point me to?
    I have searched far and wide and am coming up with zippo…



  • Note BCP and DRP are not in scope… however backups of critical data ARE.
    So I would not waste my time on BCP and DRP… BCP alone will take you longer to implement than SOx.
    tristanatbui.com



  • Jonathan has pretty much said it all but there are other aspects to the controls you need to bear in mind.
    A process or procedure is a way of recording what should be done for a specific task. What you need in addition to this is a method of showing that the procedures and processes are being adhered to. So you need a control in place that monitors the use of the processes and procedures. You should also have a mechanism for showing that, in instances where a process was not followed, corrective action was taken.
    All of this should be available for when your external auditors come round to do the pre-attestation work. If, like PWC who did our pre-attestation, they will be expecting to find evidence books for every process and procedure that relates to a SOx-critical application or infrastructure.
    We ended up physically creating an evidence book that had the following components for each SOx related process or procedure.

    1. Copy of the Control and an explanation of what the control is trying to achieve.
    2. Copy of the procedure that relates to the control.
    3. Information on who monitors that the control is effective.
    4. Samples of evidence showing that the control is operating.
    5. Samples of evidence showing that the monitoring of the control is operating.
    6. Location of all evidence relating to 4 and 5.
    When deciding on evidence sampling you need to establish how often a control is performed. PWC gave us this rough scale to work from, based upon the number of evidence samples to have in your evidence book over a year:

    - Continuous - Collect 30 - 40 evidence samples.
    - Daily - Collect 20 evidence samples.
    - Weekly - Collect 10 evidence samples.
    - Monthly - Collect 5 evidence samples.
    - Yearly - Collect 1 evidence sample.

    Cheers
