Ensuring Application Doesn't Affect SOX Compliance 2886



  • If I ask a question that has already been answered, I apologize. I have read a ton of threads on this site but feel the need to ask in my own words just so I know I understand.
    Where I am newly employed, I recently took over a 10 year old project. The application in question is where employees come to enter expense reports, timesheets, purchase requests, support tickets, quotes, employee information, terminations, mailing lists, document management including contracts, CRM, and much more. Many of these areas are directly fed into our accounting system and CRM packages. Data from those systems is also brought into and displayed within this system as well. Every employee in the company has access to this site and it is available outside the VPN.
    I have been given the task of redesigning this application and giving it a new look and feel as well as increasing performance and stabilization. As part of the groundwork in support of the new project I have been putting together a security policy. I know this company has plans to go public within two years and SOX will be a very important compliance hurdle. I want to make sure that I do everything I need to now while redesigning this project to make sure I don’t affect future compliance.
    There is so much information out there about SOX compliance for IT but I feel that most of it is BS propaganda to help companies sell services. I read through the COBIT 4.1 manual and it’s great and all but it’s a little overwhelming and it seems to me that only 1% of it has to do with SOX compliance and the rest is to do with best practices for running an IT department.
    I am all about proper approval chains, repeatable process and best practices for security, so don’t get me wrong. For this project I am simply looking for what, if anything, I need to make sure programmers are aware of to ensure that we are prepared for SOX compliance in the future.
    I have read in many posts that SOX doesn’t explicitly state anything about IT security but that improper security could still affect compliance. So I’m a little confused and any help would be appreciated.
    Thanks,
    David



  • SOX is primarily about reporting financial results that are complete, accurate and timely. From an IT perspective, you need to ensure that access controls and change controls are properly structured.
    Access controls primarily ensure that those having access to applications (both users and programmers) have access only to those areas where they need access, especially if it is access to make changes to data or program code. This covers password strength, timing of required PW changes and reviews by those knowledgeable of who should have access to what, to ensure that all access is appropriate.
    Change controls help to ensure that program changes are not made without the proper authorization (which should not occur until proper testing has occurred). Separate test and production environments should be maintained as well as backup of all programs and data.
    Both types of controls should be in place for all applications that impact externally-reported financial data.
    All controls will relate to the level of risk that a company is willing to take and the cost/benefit of the controls. Most companies strive to achieve the IT best practice controls as laid out in COBIT.
    Your starting point would be a risk assessment to understand which applications are in scope and the relative risk of errors occurring. You should also work with your external auditor to ensure that he is happy with the controls that you have identified as the auditor will have to provide an assessment of the control environment and the effectiveness of the controls. If your identified control group is smaller than that of your auditor, then you may incur additional audit cost if the auditor cannot rely on your test work and has to test additional controls.
    Good luck in your new position.



  • thx very much

