SOX documentation of IT functionality
Ms-Matched_SOX
As the owner of a business process, I rely on some IT controls (both automatically-enabled IT controls and manually-enabled IT controls) to function like the user guide says they do. My question is where should these IT controls be documented? Should they be documented in the IT toolkits? Should I document the control in my process toolkit because I rely on it to function as it should? How is this treated in other companies? Thanks…
SOXGal
I’ll try to answer your question to see if this is what you were looking for:
For the IT side, the control matrix is usually referred to as the GCC (General Computer Control). This matrix should show all of the different IT controls for the different domains out there, depending on who your external auditors are and what their guidelines are. (PWC is ours and we have defined our IT domains into 4 sections with them: IT Operations, Access, Program Change, and Program Development or SDLC.)
If you have any questions about IT controls, contact the IT SOX person and ask to see the GCC. He/She should know what this is. If not, you may have other problems.
Hope that answers your question.
milan
In addition to the info provided earlier, the following might also be helpful:
Webcast Tackles SOX IT Controls
SOX: Technical Enforcement of IT Controls
Guide to the Sarbanes-Oxley Act - IT Risks and Controls, FAQs
Demystifying IT Controls
http://www.enterprisefc.com/PDF/IT Controls Article.pdf
calvin
@Ms-Matched_SOX: It would be better if you can give an example here. The IT-based controls either fall under ITGC or application-level controls. An example will lend more clarity.
milan
SANS InfoSec Reading Room contains a good example of SOX Process Documentation and distinguishes General Controls from Application Controls.
The Reading Room:
Sarbanes-Oxley Information Technology Compliance Audit
May 17, 2005
(download paper - PDF) - sans.org/rr/whitepapers/auditing/1624.php
The answer to your question is clearly explained with example SOX Process Documentation in Sections 3.5 and 3.6. From your question, it appears that you would like clarification about where to document Application Controls that are addressed in the Software User Guide.
General Controls are broader and would not be specific to an IT application, but overall IT controls, hence the term ‘general’. Again, clear example process documentation may be found by following the link noted above.
Hope this helps,