Newbie to SOX Questions 2424

  • I have a question about admin priveleges to a local server.
    I was hired on as IT locally. We have a Company in another state, and the IT Director is there. The Exchange Server is there, and another Server.
    But here in my state we have a Domain Controller, which is basically a file server and handles logins.
    BTW, we are sister Companies.
    The IT Director will not make me admin to this local server to do my daily duties because of SOX laws. So, i have to email him to add users, edit users, install software on the server here, etc.
    Is he correct in saying that you cannot have a local admin? If so, can you point me where it spells this out.
    Thanks much.

  • You can find the text of the Sarbanes-Oxlay Act of 2002 on the website under Laws and Regulations.
    The Act’s intent is to improve the accuracy and reliability of (mostly financial) reporting to the investors (trough quarterly reports and other forms filed with the Securities and Exchange Commission). Section 404 (to which the IT Director probably refers) only concerns that the management of issuers needs to assess the effectiveness of the issuer’s internal control over financial reporting and that that a registered public accounting firm needs to audit the effectiveness of the issuer’s internal control over financial reporting. The assessment and audit need to be based on a generally accepted framework for internal control. In practice in the U.S. (and even in Europe) uses the COSO framework (Internal Control - Intregrated Framework on The Sarbanes-Oxley Act and the COSO framework do not contain specifics about IT controls.
    I would tell him the law and the auditing standard for the CPA contain no specifics about IT. What is more important is the system where you have administrator rights in any way related to the accounting and financial reporting system? As I mentioned, SOX only cares about the accuracy and reliability of financial reporting. So is there a risk that you could change accounting entries of a material dollar magnitude in relation to the total consolidated financial statements or fake documents that somebody else would rely on to make an entry with a material impact? Probably not. If the IT directors does not swallow the argument, I recommend to refer the issue to your controller or CFO.

  • The SARBOX act’s requirement are very high level and require an organizations’ management to attest on the Internal controls over financial reporting.
    The case presented by yourself relates to IT general controls(ITGC), where the IT management vouches for the existence and effectiveness of controls over the IT environment which supports the financial reporting( to be very brief)
    My personal opinion would be that you can be added as an administrator and privileges restricted to user managment and not to grant a Domain Admin( default domain admin privileges) account to you. Present this case and c what happens…

  • Thanks for the reply’s.
    I presented this and they simply said ‘No, not at this time.’
    So, what really happened is that i proved that they just want to keep their arms around the server, and don’t want any help from me. They are using SOX as a crutch. Pretty sad.
    I can take hours of work off of the IT Director and free him up for more important things.

  • Hi - As gmerkl and NC shared, SOX 404 controls won’t specifically state what type of controls are needed for automated IT financial systems. As COBIT 4.x standards are a framework many external auditors like to use, the following links might help research this further.
    While there are no absolute restrictions in remote administration of servers, a company can certainly do anything they desire ‘in the name of SOX’. Also IT security does play an important role in SOX 404 controls as auditors always want to know who is administering the servers on every audit (whether it’s SOX, ITGC, SAS-70, etc).
    Below are a few ideas:

    1. As direct local server authority is usually discouraged in a Windows environment, I wonder if being added a Domain Administrator (with logging and remote control capabilities to their site might be an answer).
    2. Maybe as a compromise, you can access the companies server remotely (e.g., Dame Ware, Terminal Services) and perform the most common functions with ‘Help Desk’ levels of security (e.g., password resets, etc).
    3. If you run into resistance, setup an email or change management system that works as efficiently as possible given the circumstances. You’ll need to build these delays into your own servicing of user needs. If prompt turnaround becomes a factor, the issue might be naturually escalated by the business over time where by you might be granted some limited authorities.
      Good luck and please feel free to ask additional questions 🙂

Log in to reply