SDLC and SOX



  • Hi guys,
    My company is currently going through SOX compliance at the moment and we have hit a slow spot. We are required to provide information about our SDLC methodology. The problem is that our IT department doesn’t actually create any software. The only software we use is software we buy. Any solutions would be appreciated.



  • Do you have a methodology you follow for application software selection and implementation? If so, then this would be similar to the SDLC. What documentation do you have that supports the selection and implementation of new application software?
    Some companies have an alternative track in their SDLC for application software package implementation. The key deliverables from these projects would have signoffs as required by your application implementation methodology.
    Have you purchased or implemented any new software for the year (the year you are performing testing of your internal controls for)? Upgrades?
    If you have not purchased or implemented any new software or upgrades for the year, then you can confirm this by providing a list of official projects that were approved.



  • Hi – An SDLC would still be needed, even if you purchase software instead of custom building it (as my own company typically buys rather than builds). An SDLC would include all the steps from the initial analysis through post-production support activities. For example, some major steps might include:
    Highly simplified SDLC for implementing software packages:

    1. Planning and Analysis
    2. Software package selection
    3. Software customizations and tailoring
    4. Development of interfaces to other systems
    5. Unit testing
    6. Pilot, Acceptance, and Full System testing
    7. Planning for deployment (e.g., equipment, user training, etc)
    8. Production implementation
    9. Post Production support


  • Hi,
    Some areas for consideration for acquired IT Applications:

    • Do SDLC policies and procedures for XYZ applications exist?
    • Are formal change request forms required?
    • Are there written Policies and Procedures for testing of purchased IT Apps?
    • Are Production Change Mgmt processes in place and documented?
    • Does a List of Customizations exist for significant IT Applications having impact on internal controls over financial reporting?

    Some example control objectives for SDLC:
    • Ensure that a formal System Development Life Cycle (SDLC) methodology is available for all Financial applications and the related IT infrastructure.
    • Functional and technical specifications are formally defined, documented, and approved by user management and IT.
    • Different levels of testing are formally defined, documented and approved by user and IT management. Testing includes unit, system, integration and UAT to help ensure that deployed systems operate as intended.
    • Implementation plans are formally defined, documented and approved by the technical and IT teams.
    • A post-implementation review process is formally followed for all new project implementations.

    An example General Controls Matrix can be found at:
    auditnet.org/docs/SOX 404 IT General Controls Matrix 2004.xls
    It contains a number of references to ‘SDLC’.

    When a company acquires an IT Application, versus developing it in-house, the following might be of importance:
    Relevant when the company implements new applications or systems.
    Examples of controls in this area include:
    • Converted account balances are reconciled
    • Testing has occurred
    • Training has occurred
    • Data integrity controls are in place

    In general, an effective Systems Development Lifecycle (SDLC) and implementation methodology should be followed.
    As earlier stated, project management standards are defined and used for all aspects of the system development life cycle (SDLC):
    • Project initiation
    • Analysis and design
    • Construction or package selection
    • Testing and quality assurance
    • Data conversion
    • Go-live
    • Documentation and training

    CobiT addresses SDLC at the Activity Level:
    The CobiT SOA framework identified a sub-set of these areas for the purpose of focusing on SOA requirements.
    Activity level: Acquisition and Implementation / Delivery and Support
    • Program Development (SDLC)
    • Program Changes
    • Computer Operations (scheduling, backup, problem management)
    • Access to programs and data (applications, database, operating system, network)

    A Whitepaper that illustrates CobiT, SDLC, and provides example Control Objectives and related Control Activities:
    crtgroupinc.com/docs/address_sarbox_rsa.pdf

    Last, ISACA identifies a number of SDLC-related concerns in connection with SOX:
    isaca.org/Content/ContentGroups/Research1/Deliverables/IT_Control_Objectives_for_Sarbanes-Oxley_7july04.pdf

    Regards,
    milan
