Network Security - GC (Sox) vs. IT Audit 2009



  • As a veteran of Sox and IT Audit, I still have a trouble scoping network security in the confines of a General Controls/Sox review. Typically, I gain evidence that the control is in place, however I do not perform any detailed testing of configurations. For instance, I will gain evidence of the existence of firewalls, IDS/IPS, etc., however I don’t go into testing the configurations. My feelings is that this level of detail should be covered in a dedicated IT (internal) audit of network security.
    Any thoughts/experience on scoping network security for GC/Sox would be appreciated.



  • Absolutely agree with you. Testing firewall or IDS/IPS configuration against the network policy should be a part of IT audit and not SOX compliance audit.
    Additionally I think a good change management process covers the configuration changes in a firewall or IDS/IPS.
    We haven’t tested it, nor is it the part of our key control portfolio but we do have included a non key control related to log reviews of firewall.



  • I also agree 🙂 … SOX 404 is more about management assurances that financial controls are in place for automated systems, spreadsheets, and workflows. Obviously IT security is a critical aspect of this and it’s important to define what ‘is’ and ‘is not’ part of the scope for meeting SOX 404 compliancy.
    SOX 404 can be somewhat subject to interpretation by auditors (something I’m hopeful might be addressed by the SEC this year). COBIT 4.0 is a recommended framework for compliancy and control evaluations. As meeting SOX 404 requirements might be somewhat subjective, I’d recommend touching base with auditors or your internal SOX compliancy manager to ensure this detailed level of testing is not expected.


Log in to reply