User Access to Source Code 2619

  • Hi,
    We often have issues where a support case is logged regarding an error with an application or report that requires a review of the source code.
    Since our Support folk are pretty technically proficient, they can review the source code to determine if the error is a result of coding changes or an unforeseen circumstance. Does giving the Support person read only access of the source code violate SOX?
    We have separate environments and code reviews can only be done in the development environment. No changes can be made to the development environment without change control.

  • Hi Kane and welcome to the forums 🙂
    SOX 404 requires identification of risks and controls pertinent to automated financial systems. It is silent often on how to implement detailed controls, because it allows companies to formulate controls for areas of risk in a flexible manner.
    As a bottom line, I would answer that ‘yes’ it is permissible through proper controls . While allowing users access to source code does represent risk, it can also be controlled.
    In fact, some SAS financial systems utilize ‘end-user’ computing or Excel based solutions (where VBA scripts or macros may be programmed by the users themselves). In all cases where this is permitted, there must be checks-and-balances and autonomy controls in place.
    What you’ve have shared is reasonable and seems to control the exposure. You can also check with your SAS external auditor if needed. End users who access application source code for Financial systesm should ensure:
    – Read only access
    – Automated logging could also be setup if desired or needed to document all access by support team members.
    – Users cannot release any source or compiled code into PROD environment
    – Corporate IT security policies are in place to document the approach

    As COBIT is used by many external SAS auditors to provide guidelines for controlling automated financial systems, this resource may be helpful to research IT needs:
    Free COBIT 4.x PDF copy by registering with ISACA
    Also, COSO provides excellent guidance in the general design of financial and workflow controls as noted here:
    COSO Guidance - Monitoring

  • Thanks.
    We’re always getting the SOX limitations thrown back at us and I get the feeling that IT departments have gone extreme rather than apply common sense and a touch of reasonability.
    Thanks again.

Log in to reply