Katrina, Business Continuity and Sarbanes Oxley

  • These days there are several questions like ‘In light of Katrina and other recent disasters, what does SarbOx require of IT managers, if anything? Does it address DR and BCP at all? Is DR considered a control?’

    According to the Sarbanes Oxley Act, the certifying officers (CEO, CFO) need to establish an infrastructure to protect and preserve records and data from destruction, loss, unauthorized alteration, or other misuse. This infrastructure could cost a lot of money. Unfortunately, we could not find any explanation in the act, so business continuity was a hot issue and an area of huge concern.
    On June 17, 2004, the Securities and Exchange Commission (SEC) approved the Public Accounting Oversight Board’s (PCAOB’s) Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements. This Auditing Standard governs the independent auditor’s audit, and reporting, on management’s assessment of the effectiveness of internal control over financial reporting. This Auditing Standard gave clear answers about business continuity:
    ‘Furthermore, management’s plans that could potentially affect financial reporting in future periods are not controls. For example, a company’s business continuity or contingency planning has no effect on the company’s current abilities to initiate, authorize, record, process, or report financial data. Therefore, a company’s business continuity or contingency planning is not part of internal control over financial reporting.’
    After that, data backup and off-site storage are the ultimate solution for Disaster Recovery, Business Continuity and Contingency Planning, as far as Sarbanes Oxley compliance is concerned.
    We continue to hear other (sometimes misleading) opinions…
