IT Infrastructure Changes 2353

  • I am new to this forum. In our organization, the SOX testing team consideres all the IT infrastructure changes as in scope and they test them. Due to this the cost of the SOX testing for change management is very high.
    We want to exclude the IT infrastructure changes from the SOX testing scope.I am looking for some suggestion to submit a business case to the SOX testing team to exclude the IT infrastructure changes
    Your suggestions are highly appreciated.

  • Since SOX act in itself is pretty silent on the specifics of ITGC, it would be better if you can do a risk assessment purely from a financial reporting perspective.
    Ex- an ERP is an ideal choice for a SOX significant application. It would be a worthwhile exercise to identify the infrastructure like the servers, firewall, routers OS and Database, that supports this application and consider this infrastructure alone in scope.
    Of course it is a better practise to cover all the IT infrastructure, but from a cost control perspective, the above would ideally suffice the SOX requirement.
    Hope this was useful

  • Hi and welcome to the forums 🙂
    As NC noted, the key focus of SOX material risks center on financial exposures. It is easy for SOX compliancy leaders to blend in items that aren’t applicable as the standards can be difficult to interpret.
    As a perspective, I often quote the following:
    SOX 404 controls are a senior management responsibility. Comprehensive controls for automated Financial IT systems must be established, based on significant material risks. These guidelines are written at a high-level and on a generic basis, as company technologies will vary widely.
    As many of the regulars in the forums have seen, SOX can be often misapplied. With respect to ‘SOX testing for change management’ or ‘Infrastructure changes’, the key is whether these areas entail significant financial risks to warrant testing? Based on the details of the CM framework, I can see where both applicability and non-applicability might apply.
    One idea for clarifications might be to contact the SOX external auditors for their opinion on current controls being tested.

  • My company wouldn’t entirely agree with the notion that SOX should review only financial applications. Our statement regarding in-scope and out-of-scope applications is as follows:
    As part of the Sarbanes-Oxley (SOX) assessment of the company’s financial processes, General Computer Controls will be documented and tested. The systems included within the scope of General Computer Controls for SOX are primarily the financial systems. However, all systems, regardless of financial statement impact, may be sampled during the testing of General Computer Controls.
    For example, a test sample drawn from the change log could include a change to a non-financial system. All such items will be tested according to criteria identified during documentation of General Computer Controls.
    Due to the small sample size for SOX testing, if a non-financial system test item fails, the entire test may fail.
    The item in your initial question that stands out to me, based upon my company’s practice of SOX assessments, is that they’re testing everything. Our test samples may be selected from a listing of everything but usually number no more than 25 for any given testing. We’ve found our limited sample size to not have an adverse effect on cost.

  • A few quick thoughts on Bendtsen’s excellent reply:

    1. SOX 404 represents a minimum baseline for meeting Sarbanes-Oxley IT financial requirements. Companies can certainly add more safeguards and controls than is required on a statutory basis. They may even fit it under the SOX compliancy umbrella (even though it may not be applicable). As NC shares, there may be overlap with ITGC as well.
    2. For IT systems, it’s desirable to have one set of security, change management and change control standards for all IT applications, (although there may be some additional layers for affected financial applications). For example, if you don’t have good network controls for non-financial systems, it’s likely that hackers breaching these controls could get at the financial systems. Two sets of IT standards would also create confusion for the development and support teams as well.

  • no wonder Big 4 make revenues in Billions. :lol:
    Like mentioned earlier, it would be ideal to have all the infrastructure in-scope. This would ensure that all audits double up as both SOX audits and Quality compliance audits( ISO 27001).
    Cost conscious companies may still will to have a restricted scope

  • Ramesh,
    Take a look at the guidance from the Institute of Interanl Auditors called ‘GAIT METHODOLOGY’. GAIT is an acronym for Guide to the Assessment of IT General Controls Scope based on Risk. This is available from their website at ‘’.
    You will find this guidance very helpful with the question you posted. In short, SOx is ONLY concerned about ICFR, anything not affecting Financial Reporting is out of scope. There are a lot of reasons you do not want to include out of scope items in your SOx testing. This is not to say these items do not need tested under a different task.
    When reviewing the GAIT document, pay particular attention to the phase 3 guidance and especiallypage 19.

  • Thanks Bakosox for sharing as these resources are excellent and educational 🙂
    There are often things done ‘in the name of SOX’ that aren’t always part of the official SOX 404 requirements. While additional controls are often beneficial, these out-of-scope activities can add to the overall costs and overhead. The compliancy leader should obtain good training plus advice from their external SOX auditors in setting up a program that meets the requirements properly without going too far out-of-bounds.
    The primary GAIT document is about 2MB (PDF). Some of the key links are captured below (please copy to browser as direct links aren’t permitted in forums).

    GTAG Series -and-#40;if needed-and-#41;

    Also, added a brief blog entry related to the value of these documents:

Log in to reply