SDLC documentation 2005

  • If a company does not have any major projects scheduled that would be subject to SDLC controls, is it necessary for them to develop a process for SDLC in order to be 404 compliant? Our auditors seem to think it’s a minimum requirement that such a process exists; however, the subsidiary location’s position is that in the event a project arises, they would then develop the necessary documentation.
    I’m not directly responsible for the ITGC part of SOX (nor do I have a background in IT), but was drawn into the conversation since it can/will overlap with the financial side.

  • Hi - Based on COBIT 4.0 (which you can now download for free), there is a heavy emphasis on ‘IT Planning and Control’ (section 3) … Also in Appendix 4 the SDLC is referenced as a vital part of the ‘Maturity Model for Internal Control’.
    Free COBIT 4.0 PDF
    I’m not certain if the lack of an SDLC is a complete failure to comply with SOX 404 (i.e., maybe it can be seen as more of a point of improvement needed for more fully complying with SOX 404?). It most likely should be added, as it is beneficial to have the IT development life cycle both formalized and documented. An SDLC can also apply even to large maintenance projects and other IT initiatives.

  • I would say Yes. For ‘Program Development’, one of the key controls would be the presence of a well-defined SDLC which clearly states all the stages of development, the deliverables, roles and responsibilities, and exceptions (for example, small or minor enhancements which may not go through full SDLC stages).
    That said, a subsidiary may choose to opt for vendor-based SDLC guidelines/models for development instead of writing their own. An example could be ASAP (for implementation of SAP R/3).
