Application Controls - Standard List 581

  • As a software vendor, it’s very hard to determine what reasonable IT application controls are required for my application to pass most of our customers’ SOX audits.
    While not a SOX application - the tool we sell is often used by firms to check financial records (reconcile data).
    We find that we pass some customers’ audits and not others - we also find that the requests for changes seem to vary greatly from one customer to another.
    Is there an IT auditor’s checklist that is used for an ERP product that we could build an enhancement list with? Hoping for a bit of a magic bullet…

  • I may not be able to provide you with a ready-made list. But there are guidelines which can provide the starting points for ERPs to comply with SOX requirements.

  • I also work for a software company who is trying to ride the SOX wave. Here are some quick thoughts that I have had as I’ve tried to keep the marketing people’s feet on the ground:
    - account-based access - i.e. each person that uses the system has a separate account
    - tunable authentication characteristics - like password length, password expiration, etc. I have to say, being able to use AD/LDAP authentication is a HUGE plus in my book.
    - depending on what your app actually does, granular security controls over what each user can do - like add/delete users, make data changes, read-only, etc.
    - ability to provide a clean report on the user accounts
    - an activity/data/system change log - depending on what your app actually does, this could be keeping an audit of data that was changed, when and by whom, or who altered a report, etc.
    - If your app supports some kind of process, think about the workflow and separation of duties requirements of the customer. Again, I know nothing of what your app does, so it’s hard to say if this would even apply.
    Hope that helps.
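The controls listed in the reply above (per-person accounts, tunable password policy, granular permissions, a user-account report and a change log) can be shown in one small model. The code below is an added example, not code from the thread or from any product discussed in it; the `AppControls` class, the `ROLE_PERMISSIONS` table, the `PASSWORD_POLICY` values and the ledger record ids are all constructed for illustration, and a real application would back the same checks with a database and an external identity source such as AD/LDAP.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical tunable settings (the "tunable authentication characteristics" in the post).
PASSWORD_POLICY = {"min_length": 12, "max_age_days": 90}

# Hypothetical roles mapped to granular permissions (add/delete users, change data, read-only).
ROLE_PERMISSIONS = {
    "admin": {"user.add", "user.delete", "data.read", "data.write"},
    "analyst": {"data.read", "data.write"},
    "auditor": {"data.read"},
}


@dataclass
class User:
    username: str
    role: str
    salt: bytes
    password_hash: bytes
    password_set_at: datetime
    enabled: bool = True


class AppControls:
    """Toy in-memory model of the controls; every state change lands in audit_log."""

    def __init__(self, clock=None):
        self.users: dict[str, User] = {}
        self.audit_log: list[dict] = []
        self.clock = clock or (lambda: datetime.now(timezone.utc))  # injectable for offline tests

    def _log(self, actor, action, target, detail=""):
        self.audit_log.append({"ts": self.clock().isoformat(), "actor": actor,
                               "action": action, "target": target, "detail": detail})

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def require(self, actor: str, permission: str) -> None:
        """Granular authorization check; a denial is itself an audit event."""
        user = self.users.get(actor)
        if user is None or not user.enabled or permission not in ROLE_PERMISSIONS[user.role]:
            self._log(actor, "authz.denied", permission)
            raise PermissionError(f"{actor} lacks {permission}")

    def add_user(self, actor, username, role, password):
        # Bootstrap: only the first account may be created by the "system" actor.
        if not (actor == "system" and not self.users):
            self.require(actor, "user.add")
        if len(password) < PASSWORD_POLICY["min_length"]:
            raise ValueError("password shorter than policy minimum")
        if role not in ROLE_PERMISSIONS:
            raise ValueError("unknown role")
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, role, salt, self._hash(password, salt), self.clock())
        self._log(actor, "user.add", username, f"role={role}")

    def authenticate(self, username, password) -> bool:
        """One account per person; an expired password fails closed until it is reset."""
        user = self.users.get(username)
        if user is None or not user.enabled:
            self._log(username, "auth.failed", username, "unknown or disabled")
            return False
        if not hmac.compare_digest(self._hash(password, user.salt), user.password_hash):
            self._log(username, "auth.failed", username, "bad password")
            return False
        if self.clock() - user.password_set_at > timedelta(days=PASSWORD_POLICY["max_age_days"]):
            self._log(username, "auth.failed", username, "password expired")
            return False
        self._log(username, "auth.ok", username)
        return True

    def change_record(self, actor, record_id, old_value, new_value):
        """Data change under authorization, recorded with who, when and what (the change log)."""
        self.require(actor, "data.write")
        self._log(actor, "data.change", record_id, f"{old_value!r} -> {new_value!r}")

    def user_account_report(self) -> list[dict]:
        """The 'clean report on the user accounts' an auditor asks for."""
        now = self.clock()
        return [{"username": u.username, "role": u.role, "enabled": u.enabled,
                 "password_age_days": (now - u.password_set_at).days,
                 "password_expired": (now - u.password_set_at).days > PASSWORD_POLICY["max_age_days"]}
                for u in self.users.values()]


def demo() -> AppControls:
    """Constructed scenario exercising each control; returns the state for inspection."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    now = [t0]
    app = AppControls(clock=lambda: now[0])
    app.add_user("system", "alice", "admin", "correct-horse-battery")
    app.add_user("alice", "bob", "analyst", "another-long-passphrase")
    app.add_user("alice", "carol", "auditor", "read-only-reviewer-pw")
    app.change_record("bob", "GL-1001", 1500.00, 1250.00)    # allowed: analyst may write
    try:
        app.change_record("carol", "GL-1001", 1250.00, 0.0)  # denied: auditor is read-only
    except PermissionError:
        pass
    now[0] = t0 + timedelta(days=91)                         # roll the clock past max_age_days
    app.authenticate("bob", "another-long-passphrase")       # fails: password expired
    return app


if __name__ == "__main__":
    state = demo()
    for entry in state.audit_log:
        print(entry)
    for row in state.user_account_report():
        print(row)
```

Running the module prints six audit events (three account creations, one data change, one denied write by the read-only auditor, one failed login on an expired password) followed by the account report, which flags the expired password. The point of the denied-authorization and failed-login entries is that an auditor wants to see refusals recorded, not only successes; the injected clock is what makes the password-expiry path testable without waiting 91 days.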
