SOX impact on ongoing projects 757



  • Our company wants to be SOX compliant by this year end. It has got its own methodologies for IT/Business projects.
    It has decided to adopt SDLC methodologies for projects hence forth so as to be SOX compliant. Issue here is how to make ongoing projects SOX compliant. Some are at final stages, some are half way thru.
    Any views on this.
    Thanks
    Yuv



  • If projects are at final stages then it is too late to go back and retro fit to the new SDLC you are adopting.
    do you have a policy/procedure that states you will follow the SDLC effective as of a specific date? if you do, then this may give you some alternatives to consider. one alternative is to look at the larger projects with more risk and make a determination on a case by case basis. Can you begin using the SDLC in the current phase or future phase of each project? what is the impact? cost? etc…
    document the rationale and decisions for excluding projects that are already underway (they started before the policy/procedure was in effect and the project was low risk because…, etc…)
    Make sure any new project is following the SDLC or is covered by an exception (documented, authorized and covered in policy/procedure).
    Good luck.



  • Company has not come out with a policy that it will follow SDLC with effect from so and so date. To comply with SOX it has decided to follow SDLC. However it wants all on going projects to be SOX compliant. Now the issue is how can one go ahead make ongoing projects SOX compliant.
    Projects status can be like:
    A Projects which are ready to go live
    B Projects which are half way thru
    C Projects which are in various stages of development
    The idea of whether the project is relevant for SOX is well taken. If a project is relevant, what next is the whole issue. Can documentation alone be redone?
    Any views on this…



  • We did the same thing last year - implemented a new SDLC. What we did was take any ongoing projects and have them conform to the SDLC from their current phase forward. You cannot ‘go back’ and make something ‘compliant’ to something that didn’t exist at the time, those projects could only conform to what was in place at the time and that is all your auditors can audit against. It also sounds like some folks at your place don’t understand what ‘SOX’ compliant means.


Log in to reply