Application and SDLC



  • Hi guys,
    Our company’s using an application which is not actually related to financial data. But do we need to follow the whole SDLC procedure because the application is considered a key system by the auditor?
    What’s SOX compliance for SDLC when it is small changes to the application, which is a day-to-day procedure? Are there any fixed rules or deliverables for the application change management procedure, or do we just assume the deliverables we need to produce?



  • Hi
    When did auditors start deciding which system was a key system?
    As far as SOX is concerned, only systems that can affect the financials of the system are considered key systems. SDLC, on the other hand, is kind of a best practice for system development and not a norm to be strictly adhered to. You can very well contest your auditor’s views w.r.t. the above.
    The very key to your second question lies in your question itself. If you have a standard change management process, then even small and routine changes are going to get covered under the same. So it’s more your change management process that needs to be followed, and this process differs from organisation to organisation.
    cheers



  • Don’t blindly accept what the auditors are saying. They’re not the ones running your business, you are. They are working for you, not the opposite.
    In the end, it can save you both time and money.



  • Hi xeraso - I’d recommend the following:

    • Use the SDLC and good change management approaches in ALL SYSTEMS, where you can. It will create less confusion among IT professionals, users, and technical folks in the work flow process.
    • For special SOX requirements, add on the required SOX components (e.g., testing, sampling, special documentation, etc.) to the standard SDLC process itself, rather than having two separate ones.
    • Look for INDIRECT relationships in systems when it comes to SOX requirements. For example, if you have a front-end system that’s related to customer service and any $$$ goes into it, there may or may not be SOX requirements.
    • You’re doing the right thing in working with your auditors and I’d encourage this. However, as some of our members noted, unless they have a lot of SOX expertise, they may also need more training and education in this area. Continue your own research and then get back with them to resolve issues.
      Good luck on this 🙂


  • I agree with Harry.
    We have to determine and challenge the Independent auditors about their decision in considering a particular application related to financial reporting. They may provide their logic for considering a particular application to be of SOX relevance. Even ensuring security by using an IAM (Integrated Access Monitoring) application that reads data from the HCMS ERP Application and triggering the access to Financial ERP Application and Operations ERP Application based on the doctrine of least privilege.
    It is a good idea and a learning curve to make independent auditors justify the application being of SOX Relevance.

