Questions Re SOX requirements for systems 2210



  • Are there any rules or regulations related to SOX that say a company must keep current on software releases and fixes, etc.? For example, I have a client running an ERP solution that is about 8 months behind on hot fixes, service packs, etc. They don’t seem to care…but complain when they find a bug that was fixed with a hot fix or SP release, etc. Is there anything telling them to stay current or within a certain timeframe?



  • Hi - Unfortunately, the short answer to this is most likely ‘NO’, as SOX 404 standards are written at a high level reflecting management’s need to control IT financial systems. For example, SOX compliant companies may run on older operating systems (e.g., Windows 2000 Server rather than Windows 2003 Server, Office 2003 rather than Office 2007, or Windows XP rather than Windows Vista).
    Even within product families, there are no firm requirements for Service Packs as SP3 just came out for Office 2003 and probably a lot of folks are on SP2 or lower. These same principles apply to application systems, where folks are on older releases, a delta version behind, etc.
    The only time I could see a definitive requirement is when security is greatly compromised by not performing a highly critical update that may result in true security or financial integrity issues if it were not applied.
    While SOX might not mandate this specifically as a requirement, I’m in your camp in agreeing that folks need to keep up-to-date and they may even be running at risk by being too far behind. It is both good business and IT policy to stay reasonably up-to-date.
    If the client is having related issues with older software, I’d still continue encouraging and ‘educating’ them on why they need to stay up-to-date, whether it is strictly required by SOX or not.

