Role of IT in SOX



  • Hi all,
    How does SOX-compliance impact IT controls and environment? While there is much talk about COBIT and COSO helping organizations comply with SOX, what exactly is the impact of SOX on IT controls and how do these frameworks help achieve this?
    Cheers,
    Geeta



  • How does SOX-compliance impact IT controls and environment?
    IT objectives before SOX - To do the job, to find technical solutions to business problems.
    IT objectives after SOX - We also need time, effort and money to meet the documentation, testing and reporting requirements. IT professionals don’t like these requirements so much…
    Also, there is the change management process: you need to ask for approval before doing something, and you must document it…
    Now, we first need control objectives (documentation is mandatory) and after that, controls. So, we must forget the try-and-see-if-it-works approach.



  • Just to expand on what Lekatis said - this should only apply to general IT controls or finance-specific application controls. SOX would not impact changes in non-financial applications. It is, however, hard to see where a company could easily have separate standards for financial and non-financial applications and consistently adhere to both sets of standards.



  • How does SOX-compliance impact IT controls and environment? While there is much talk about COBIT and COSO helping organizations comply with SOX, what exactly is the impact of SOX on IT controls and how do these frameworks help achieve this?

    My view is that SOX should have little impact in IT controls 8O
    The reason is that the bar for IT controls is, effectively, COBIT, which has been around for quite some time. This standard, or its proprietary equivalent, has been used by audit firms to assess IT control around significant financial applications for, literally, decades. The result is that companies are only being asked to address the issues that their auditors have been raising for years.
    SOX is not requiring anything particularly new around IT control; it is just making people actually do it.



  • SOX is not requiring anything particularly new around IT control; it is just making people actually do it.
    Yes. A poorly managed IT shop must pull up bootstraps other than a computer’s to ensure appropriate IT controls and prevention and detection of fraud.
    Geeta,
    Well-documented ISO or COBIT frameworks are easier to learn and implement. The impact is measurable: reduced outages, faster tech response times, and appropriate incident response procedures. It pulls the IT staff together as a team, if well executed.
    The IT department will need training and S-OX oversight.
    New expensive equipment and software may need to be purchased, depending on needs.
    S-OX impact on IT controls really depends on whether existing controls meet generally accepted standards for IT controls: physical security, segregation of duties, change control, access controls, and etc.
    A direct impact may be the segregation of computer maintenance duties and incident response. Traditionally IT staff performs all computer-related investigations.
    Investigations of employees’ computers by IT staff should stop and be conducted by Certified Computer Examiners. It has been my experience that IT staff lack the equipment, training, and impartiality to perform appropriate forensic investigations of information systems. Forensic computer examinations are a key control in support of IT and financial controls under S-OX. Such controls help detect fraud. Reports of appropriate computer examinations are proof that the company has section 404 and 302 controls, if I read the act correctly. Random investigations alone are not the whole of the IT controls needed.
    Moreover if there should ever be an SEC investigation, it’s good to know that your investigator uses the same tools and techniques as the SEC. Something that may make your attorney smile.
    It is my opinion that such investigations should be performed by a team: an attorney experienced in electronic discovery and a certified computer examiner. If accounting issues are suspected, then change the mix to include a forensic accountant.



  • I agree with you: Investigations of employees’ computers by IT staff should stop. IT staff lack the equipment, training, and impartiality to perform appropriate forensic investigations of information systems.
    But, computer forensics is out of the scope of all the SOX projects I know. I do not believe that things about computer forensics will change after Sarbanes Oxley.



  • Well, I agree with the viewpoint about the lack of training and skills in the IT staff to do forensics, but then I don’t think forensics is in the purview of SOX IT controls.
    SOX is more about being proactive to prevent fraud (by placing controls) rather than reactive (by investigating it through forensics).

    Calvin

