Personal software 751



  • Are there any ramifications from using personal software, such as a flight simulator (game) on a company laptop?



  • The risk to the company is that an employee may install software that is not properly licensed and the company can be held accountable for it. Another risk is that the employee may be installing software that contains a virus.
    Most companies have a policy and/or procedure that prohibits installing personal software on company PCs. Some companies go as far as to remove administrative rights to PCs such that the employee is unable to install software. I’ve seen outsourcing companies take this approach when they are responsible for supporting all PCs in the company. Essentially they are locking down the PC to only authorized software installs and updates, which is outside the control of the employee.
    I certainly don’t like being restricted from installing personal software, however I do understand the risks and the steps companies take to protect themselves.



  • Absolutely no SOX ramifications, only business operational considerations.



  • It is too much to allow users to make their own decisions about software and potential risks.
    You must have policies and procedures to authorize specific software according to the needs.
    From the IT Controls Questionnaire
    *Do you have a listing of the different types of software that are available on the network?
    *Is there a documented desktop PC configuration (hardware and software)?
    *Is there a documented laptop PC configuration (hardware and software)?
    *How does the company ensure all software is licensed and current?



  • Just playing devil’s advocate - how does this impact controls over financial reporting?
    The PCAOB and SEC guidance recently released - based on feedback from the roundtable in April - indicated that many companies went beyond the intended scope of SOX 404 by including system controls that did not impact financial reporting.



    • how does this impact controls over financial reporting?
      IT systems are used to generate, change, house and transport financial data. We have to build the controls that ensure information stands up to audit scrutiny.
      General and application IT controls are very important for the SOX requirements. I cannot think of self-assessment questionnaires without questions about authorized software.
      There are a lot of risks: viruses, trojans, spyware, rootkits…
      Without an authorized software list we cannot address the possibility of duplicate, retransmitted, or fictitious transactions during all processing stages.


  • I will not purport to be an IT expert, but a layperson’s reading of the SEC comments seems to indicate that you can overdo your IT documentation and testing. Here are the SEC’s comments (emphasis added) -
    Information Technology Internal Controls
    The feedback revealed different views that may have developed as to the appropriate extent of required documentation and testing necessary for information technology, or IT, internal controls, particularly with respect to general IT controls (e.g. controls over program development, program changes, computer operations, and access to programs and data). While the extent of documentation and testing requires the use of judgment, the staff expects management to document and test relevant general IT controls in addition to appropriate application-level controls that are designed to ensure that financial information generated from a company’s application systems can reasonably be relied upon. For purposes of the Section 404 assessment, the staff would not expect testing of general IT controls that do not pertain to financial reporting. A company’s finance and IT departments should interact closely to ensure that the proper IT controls are identified.
    We have also been asked whether those companies that decide to use proprietary IT frameworks as a guide in conducting the IT portion of their overall COSO framework assessment are required to apply all of the components related to general IT controls that may be included in such frameworks. While the use of a separate, specific IT framework is not required, the staff understands that management of some companies has found certain parts of available frameworks to be useful. In establishing the scope of its IT assessment, management should apply reasonable judgment and consider how the IT systems impact internal control over financial reporting. Because Section 404 is not a one-size-fits-all approach to assessing controls, it is not possible for us to provide a list of the exact general IT controls that should be included in an assessment for Section 404 purposes. However, the staff does not believe it necessary for purposes of Section 404 for management to assess all general IT controls, and especially not those that primarily pertain to the efficiency or effectiveness of the operations of the organization but are not relevant to financial reporting.



  • Kymike, we have both told what we believe. No hard feelings there, I appreciate your opinion and understand your considerations.



  • I appreciate the open discussion that we have here without anyone getting out of joint over comments that they don’t agree with. We are all still going through the learning phase somewhat - even in year 2.
    As the guidance states several times, there is no black and white, one-size fits-all answer in many areas. Significant judgment is involved and that judgment may differ from one person to the next. With the latest guidance leaning more towards a risk-based approach, I am hopeful that we can carve out some of the things that we documented in year 1 and not repeat the testing going forward. IT and HR/Benefits (not payroll) are two areas where we feel we went overboard and will be looking for opportunities to scale back.
    My area of expertise is more on the financial processing / reporting side of controls, so I do appreciate seeing the different points of view in other areas.



  • I would say that from a network security point of view, giving users access to install personal software is like giving Enron Sr. Management direct access to the company accounts.

