SAS 70 and SOX Software and requirements



  • We are a small business investigating SOX compliance software to help in our efforts. We are attempting to identify a software tool that is an all-inclusive package, such as managing documentation, surveying, testing, etc. We are also looking for it to be a service or subscription based. Is it recommended for this piece of software to be SAS 70 compliant? Does this in turn become a control that must be tested?
    Any help would be greatly appreciated. Thanks in advance.



  • There are many SOx compliance software packages, although most are only just version control systems for documents. I have researched many of these packages, and would be happy to discuss them with you.
    If you’re interested, send a reply to me directly at jmaleckar_at_soxblox.com
    Best regards.
    John



  • Thank you for the quick reply, John. We currently have a long list of vendors we are interested in viewing, and according to these companies’ sales material they are not content/document management systems, though obviously some will be. Back to the root of the question, however: I want to make certain that if we implement an application for SOX, the vendor itself does or does not require its own controls through SAS 70. In addition, will controls need to be documented for this software?



  • Since SOx only covers financial control activities and controls, SOx-compliance software does not need to be included. However, the independent auditor will need to review the overall process that management followed for their Section 404 assessment, including reviewing the software used.
    Likewise, since the software vendor is not actually processing accounting transactions, any discussion of SAS 70 is moot.
    John



  • As far as the ‘review of the software used’, what specifically would an independent auditor require (i.e. documentation)? What questions would you suggest that we ask the vendor to provide during this review if any? Otherwise, I think you’ve just answered my question then. Thank you very much for the ongoing assistance, John.



  • Hi - We have to adhere to SOX, SAS-70, ISO 9000, and other standards, so we have to walk the chalkline 😉 🙂
    I’ll share some quick ideas below:
    As far as the ‘review of the software used’, what specifically would an independent auditor require (i.e. documentation)?

    1. Security - both Network/Internet access and any internal application layers
    2. Application Controls - searching for any areas that could be further strengthened in the overall workflow
    3. Software Licensing Controls for the product - are you legal?
    4. User Groups - The individuals having access to the system and have CALs installed
    5. Is the product on latest version?
    6. For Windows/Office are you up-to-date on security patches?
    7. If the product is used for Financial systems (and thus might need more rigorous security controls to ensure SOX compliancy)?
    8. How does your Change Management System work? Do you have versioning controls for new releases?

    What questions would you suggest that we ask the vendor to provide during this review if any?
    These questions would probably only be required for financial systems directly affected by SOX requirements:

    9. Do they have any information related to their product and SOX compliancy?
    10. Describe controls that might further enhance security?


  • Harrywaldron,
    Thank you for your response. This information has been greatly useful.
    Have you gone through this process yourself? Are you a vendor or a company filing for SOX? Have your external auditors asked for you and the vendor to provide the information you are suggesting to gain access to?
    Thanks in advance.



  • Hi - Below are responses to your questions.
    Have you gone through this process yourself?
    Yes - But more as a team member, rather than as the SOX compliancy person. I helped a former employer design SOX related controls for a project in implementing a major financial system. I’m also familiar with what my current employer does generally, but I’m not involved day-to-day in SOX projects. I had to do a lot of research and reading to design, but haven’t led SOX implementation within a company, so some things I’ve noted may not be 100% accurate or complete.
    Are you a vendor or a company filing for SOX?
    Company
    Have your external auditors asked for you and the vendor to provide the information you are suggesting to gain access to?
    I haven’t worked directly on SOX or SAS 70 in our company personally, although I’ve seen it from the outside looking in at some of our steps in adhering to this. I was sharing based on years of experience in working with internal/external audits (what’s on their checklists) plus about 8 years as a senior computer security specialist (e.g., you can click on the www button, so see an on-going interest there). With the SOX 404 standards, examiners are going to be interested in most of these best practices.
    I’d be glad to answer any additional questions. I’m visiting here mainly for educational purposes, as I’m on the development and project side of the house and simply want to be knowledgeable in doing the right things for our company 🙂

