Finance servers out of IT control?

  • The question I have is this: Is there truly a rule stating the CFO must have the data and the server located in their department?
    I have read the SOX law, the OMB Circular A-123, and the COBIT 4.0 standards. I cannot seem to find anywhere stating that if financial data is residing on a server, it must be under the CFO's control. Am I missing something? Everything I have read states there must be very clearly defined controls in place and separation of responsibilities so that one person could not have access to every aspect of the system.
    The basis for my question is that I have been told that under SOX compliance, IT cannot have access to the server that houses financial data because in our structure our IT department does not report to the CFO.

  • The question I have is this: Is there truly a rule stating the CFO must have the data and the server located in their department?
    No - At least not that I’m aware of, from a SOX 404 perspective. I can’t see all SOX companies needing this control. Besides, we’d have a lot of CFOs complaining about the noise from drills and hammers building their server rooms otherwise 😉
    Also, when departments ‘do their own thing’ and deviate from a centralized IT environment, it can be a step back, as they may not have the proper resources or knowledge to implement good security controls, standards, documentation, change control, and other disciplines needed for IT based financial controls.
    However, all financial systems must have proper physical, network, and other IT security controls. From an IT standpoint, there may be additional exposures or risks associated with banks or other financial institutions that might warrant special physical and even housing controls (e.g., special server rooms, check printing facilities, etc.).
    If this concern has been expressed, it should be reviewed with audit to ensure there are satisfactory controls for the CFO’s data and physical environment.

  • Harry is correct.
    I will add that while it is not an issue to outsource your IT resources, your company is still on the hook to ensure that proper controls are in place.

  • The question I have is this: Is there truly a rule stating the CFO must have the data and the server located in their department?
    Absolutely not. In fact, I would go so far as to say that there SHOULD be a rule that the data and server must not be located in their department - not least because you need to ensure physical security.

  • Server security is one of the reasons that some companies opt to host their SOX software application off-site (often with the SOX solution provider). Although in-house hosting ensures some measure of content security, it could expose the company to physical security problems.
    Most servers today leave very little footprint in the IT dept, so I cannot understand why someone would choose to locate it anywhere else in the company. I'm sure Harry could address this further since he has significant first-hand IT experience. But as a corollary, I do not believe there are any regulations around that require the server to be located in a separate department from finance.

  • Servers don't need to be physically at the CFO's office or related. You just need to ensure a secure physical and logical environment with restricted and controlled access of the IT department to the data.
