Fundamental Segregation of Duties 320
-
This post is deleted!
That’s easy. If you read section 404 in SOX (this is the section that supposedly impacts IT the most) it states that you must have documentation of internal controls. Loosely described, an internal control is any repeated process used for business reasons. Hence, the process for something as simple as moving a computer from one desk to another can be described as an internal control. Audit companies are using this ridiculously vague wording to their advantage by applying it to everything. The same goes for segregation of duties. Do you really think the Sarbanes-Oxley act, created to stop future Enron situations, was intended to stop software developers from troubleshooting production issues? I know. I’m going to hear from some moron who would tell me that this is the way they can ensure that IT is not spending money for nothing and all changes and the like are requested and approved and blah blah blah. I’ve heard all that crap before. So in this way, the company will end up pissing away god knows how much money on idiotic unnecessary processes instead of just fixing the problem.
Now that I am off my soap-box, why auditors are coming up with all this is twofold:
- Due to the vagueness of the Act, they and/or the SEC can apply it to anything.
- It’s a great way to rake in a TON of money if you’re an audit company.
-
I’ll come back to you on this as I don’t have the time to give your question the attention it deserves. It appears that you understand most of the risk/control issues but disagree on the practicalities/realities. That’s fine, I can understand where you’re coming from.
Generally my experience has been that this ‘gap’ is not insurmountable but the problem is often one of communication. Auditors do speak a different language to developers and sometimes do not understand IT.
For the record, I’ve been on both sides of the fence on this one. I’ve been an auditor but have also been responsible for systems development projects.