Who interpreted this act for IT so poorly?


  • Arkham,
    that is a common theme for small to medium-sized companies where the ends justify the means.
    SOX is nothing new in the IT audit arena; I have been doing it for 10 years. One annoying thing for SOX is the amount of documentation required; however, other than that, all your comments posted should have been in place in the first place, and then you would not have to worry about SOX.
    On a serious note, if you view SOX as a burden to your operations then you will not get much out of it. However, if you view it as a way to improve your business processes and justify more IT budget then you will see the light.
    SOX = more $$$ and more IT spending, which is great for us.



  • yoda404 is missing the point… her statements are true in a scolding-mother sense, but arkham is talking about the same things all SUPPORT staff are going through… we are having our rights to access data cut … and we are desktop/application SUPPORT. How can you ask your doctor to perform surgery without looking at the body?
    I’m reminded of the fanatics in old England that went on a ‘thou shalt not worship idols’ binge… so these idiots went into Canterbury Cathedral and ripped out the figurines of the 12 apostles, which were decorative above the church nave (chamber) and had NOTHING to do with worshipping Jehovah. So, in turn, are the SOX-driven fanatics and auditors losing common sense and limiting access to what has to be used?
    It’s clear from your statement, yoda, that you don’t do trench-level support, but you should be commended for being organized and having your dokey together…
    DOES ANYONE KNOW ABOUT HELPDESK AND SOX IN TERMS OF DENYING OR GRANTING ACCESS RIGHTS TO NETWORK DATA DRIVES?



  • It obviously doesn’t help the Helpdesk not to have access to the systems they need to support. On the other hand, SOX does require full control over the financial data ending up in the paperwork disclosed.
    That does not necessarily mean that the access has to be cut totally. It only means that you need to know and have control over who is accessing the data and what they’re doing with it.
    In terms of the Helpdesk you need an effective and documented four-eye principle and an effective and documented user management. You also need a guideline / policy in place defining very closely what the Helpdesk is allowed to perform and who is responsible for that.
    And of course all the documentation, support tickets etc. need to be archived for at least 7 years.
    You certainly can get around that by restricting the helpdesk so that they can’t access anything at all… 😉



  • My experience is that since SOX 404 and the PCAOB guidance are so generic, it is the audit firms that are defining the specifics of the requirements. Since the auditor must assess and comment on the controls, companies are being forced to implement what their auditor wants.
    This is leading to additional confusion as each audit firm has its own opinions as to what is acceptable. Unfortunately, the key issue for SOX 404 compliance appears to be how happy your auditor is and not actually compliance with the act.



  • My company is implementing SOX changes unilaterally across all divisions. Our IT department currently has responsibility for the management of desktops (we have admin rights, as do most of the users) and file/print servers for all users across all locations. We run a multi-OS environment with a Novell-based file sharing structure, but are slowly changing to an Active Directory based structure (user by user as funding is allowed).
    It appears that (once again) insanity has run rampant at levels that do not understand the actual day-to-day business of desktop support and have jumped off the great abyss without a full understanding of where they will land. Our admin rights to the desktop are in the process of being stripped (although our server rights/file access are intact?).
    I guess, after the rant, the question is this… how far do SOX regulations extend?
    It appears that the scope was financial controls, but then the dominoes start to fall… Finance - reporting - User - IT - local document control - shared document control - applications -
    Also, 7 years’ worth of backup media? $cha-ching$



  • SOx does not add anything new in relation to IT control. It merely reinforces principles that have been around for a long time via COSO, CobIT, BS7799, etc. Auditors have been using these for years.
    In very simple terms SOx (via COSO) says that where you have business processes that rely on automated controls then you have to address the underlying controls over the relevant systems i.e. General Computer Controls.
    The default framework for GCC at the moment appears to be CobIT which sets out various domains:

    • Plan and Organise (IT Environment)
    • Acquire and Implement (Program Development and Program Changes)
    • Deliver and Support (Computer Operations and Access to Programs and Data)
    • Monitor and Evaluate (IT Environment)
    Within each of these there are a number of Control Objectives and activities.
    Now going back to the original question of ‘Where did someone turn that into ‘Developers cannot access production, production cannot access development,’
    That developers cannot access production is a FUNDAMENTAL segregation of duties. The risk/issue is that developers make changes in production without testing/authorisation/a fallback plan and you have an uncontrolled system that you cannot rely on.
    The preferred controlled solution would be that developers do their work in a development environment and then transfer to test. Only after users have carried out UAT and the change is approved should it be transferred to production - by someone other than the developer.
    and QA can’t access anything outside of QA’?
    Why would they need to?
    How are we as developers expected to effectively do our jobs when we can’t even troubleshoot a problem should it occur?’
    In a well controlled system troubleshooting a problem doesn’t mean making changes on the fly in the production system. There may be an exception to this for EMERGENCY changes - but even in these cases you need to have a procedure for retrospectively ensuring that the testing, documentation, authorisation, etc. are done.
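The controlled change path described in the post (develop, test, UAT sign-off, approval, promotion by someone other than the developer, and retrospective evidence for emergency changes) expressed as checks a change-management tool could run. This is an added illustration, not code from the thread or from any framework it names; the role matrix, field names and check functions are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed role-to-environment matrix: each role touches only its own tier.
ROLE_ENVS = {"developer": {"development"}, "qa": {"test"}, "operations": {"production"}}

def can_access(role: str, env: str) -> bool:
    """Least-privilege rule from the post: no role reaches outside its own environment."""
    return env in ROLE_ENVS.get(role, set())

@dataclass
class ChangeRequest:
    change_id: str
    developer: str
    tested: bool = False                     # exercised in the test environment
    uat_signed_off_by: Optional[str] = None  # business user who accepted the change
    approved_by: Optional[str] = None        # authoriser of the production move
    emergency: bool = False                  # deployed ahead of the normal steps
    retrospective_done: bool = False         # post-hoc testing/docs/authorisation evidenced

def promotion_violations(cr: ChangeRequest, deployer: str) -> List[str]:
    """Controls that must hold before `deployer` moves a change into production.

    An empty list means the promotion is allowed. Emergency changes may skip the
    pre-deployment steps, but segregation of duties (deployer != developer) still holds.
    """
    v = []
    if deployer == cr.developer:
        v.append("segregation of duties: developer must not deploy own change")
    if cr.emergency:
        return v
    if not cr.tested:
        v.append("change not exercised in the test environment")
    if cr.uat_signed_off_by in (None, cr.developer):
        v.append("UAT not signed off by a business user other than the developer")
    if cr.approved_by in (None, cr.developer):
        v.append("change not approved by someone other than the developer")
    return v

def emergency_closeout_violations(cr: ChangeRequest) -> List[str]:
    """After an emergency deploy, the skipped controls must be evidenced retrospectively."""
    if not cr.emergency:
        return []
    ok = cr.retrospective_done and cr.tested and cr.approved_by not in (None, cr.developer)
    return [] if ok else ["emergency change lacks retrospective test/authorisation evidence"]
```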


  • yoda404 is missing the point… her statements are true in a scolding-mother sense, but arkham is talking about the same things all SUPPORT staff are going through… we are having our rights to access data cut … and we are desktop/application SUPPORT. How can you ask your doctor to perform surgery without looking at the body?
    DOES ANYONE KNOW ABOUT HELPDESK AND SOX IN TERMS OF DENYING OR GRANTING ACCESS RIGHTS TO NETWORK DATA DRIVES?
    There are some basic principles that need to be applied. How each company does that will differ, but ultimately how you are going to manage your IT resources needs to be documented and enforced.
    SOx does not say what access rights should sit with the help desk and neither does CobIT. The sort of questions that are prompted by your questions are:

    • Is the scope of your help desk defined? Who is responsible for 1st line/2nd line support, etc. Presumably if a help desk call needed a program change then this should not be done on the fly but rather should go through a controlled process. Similarly changes to access rights should go through a formalised process.
    • If you don’t have access to network data drives do you need it? who does have these rights, is there a process to make sure that changes happen?
    • Who should have admin rights? Obviously someone needs to have admin rights or you can’t administer your system. However, admins can do a lot of things so a company needs to make sure that these rights are restricted to only those who really need them.
    • Who is the owner of data and applications? This should be the business and not IT. It is the business that needs to define who can do what, when and how.
    If you have a specific scenario that you are concerned about perhaps I can help?


  • You GO Denis 🙂
    First of all, the GUEST assumes I’m female… last time I checked I was a man 🙂
    Now getting back to the ‘GUEST’ complaints about over-controls…
    Just briefly, there is nothing in the SOX ACT to say that support can’t have access to everything. Now using one of the poster’s analogies of how a doctor can perform surgery without tools: well, my response is, does the doctor ALWAYS have the tools in his control all the time? The obvious answer is NO, so I must stick to my recommendation to most of my clients, which is that they do not need to have 2000000 Administrators and they DO NOT need to have access to EVERYTHING 24 hours per day.
    There is nothing wrong with providing temporary access for support purposes; however, the access should be removed.
    I am sure there are numerous statistics around to show that most frauds occur from WITHIN the organisation and not outside. So I am sorry to all you support people, but I would NEVER give you full access to everything all the time.
    Yoda404.
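The two points made above about help-desk access, that changes to access rights should go through a formalised process and that temporary support access is fine as long as it is actually removed, as a small record-keeping model. This is an added example, not code from the thread; the grant fields, the four-hour default window and the sample grants are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class AccessGrant:
    user: str                          # support person receiving the access
    resource: str                      # e.g. a network data drive or a server
    ticket: str                        # support ticket that justifies the access
    approved_by: str                   # approver, never the requester
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None

def grant_temporary_access(user: str, resource: str, ticket: str,
                           approved_by: str, now: datetime, hours: int = 4) -> AccessGrant:
    """Every grant is tied to a ticket, an independent approver and an expiry."""
    if approved_by == user:
        raise ValueError("requester cannot approve their own access")
    return AccessGrant(user, resource, ticket, approved_by, now, now + timedelta(hours=hours))

def is_active(g: AccessGrant, now: datetime) -> bool:
    """Access is usable only inside its window and until it is revoked."""
    return g.revoked_at is None and g.granted_at <= now < g.expires_at

def overdue_revocations(grants: List[AccessGrant], now: datetime) -> List[AccessGrant]:
    """Expired grants still in place: what the periodic access review must remove."""
    return [g for g in grants if g.revoked_at is None and now >= g.expires_at]

# Constructed sample: two support grants, one closed out and one forgotten.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    grant_temporary_access("helpdesk1", r"\\fileserver\finance", "TCK-100", "finance-mgr", T0),
    grant_temporary_access("helpdesk2", "erp-app-server", "TCK-101", "it-mgr", T0, hours=8),
]
SAMPLE[1].revoked_at = T0 + timedelta(hours=3)   # removed when the ticket was resolved
```

The grant records themselves are the evidence an auditor asks for, so they are kept rather than deleted on revocation.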



  • Thanks 😄
    Although to be fair to our irate IT friends I think there is probably a huge amount of BS coming their way from auditors and management alike. This seems to be amplified by there being a real shortage of people who understand how the business process and IT work fit together - unfortunately this is not just confined to SOx, I’ve been fighting that battle for at least a decade.



  • Denis and Yoda404 obviously do not have any experience in what it takes to support live systems.



  • Just briefly, there is nothing in the SOX ACT to say that support can’t have access to everything. Now using one of the poster’s analogies of how a doctor can perform surgery without tools: well, my response is, does the doctor ALWAYS have the tools in his control all the time? The obvious answer is NO, so I must stick to my recommendation to most of my clients, which is that they do not need to have 2000000 Administrators and they DO NOT need to have access to EVERYTHING 24 hours per day.
    But wouldn’t it be nice if the doctor didn’t have to apply for a new access code to get into the operating theatre for each operation he has to do?
    Having administrator access to the network for the helpdesk (workstations, servers, filesystem, etc to be able to perform support on systems) is not automatically access to all the numbers in the databases. There are ways to protect sensitive information.
    Regarding the company I work for, I think it actually would be a SOx requirement that we have enough administrators to be able to keep everything running 24/7 with offices, supply ships and barges in all the corners of the world.



  • Thank you to the poster who indicated that it’s the auditing firms running the show here. I am a consultant that has worked with three companies and three different Top Four auditing firms on SOX projects. All of them are doing it differently. In many cases I am finding the auditors themselves are not familiar with ISACA, COBIT, PCAOB, COSO and other referenced guidelines for SOX compliance.
    They are winging it, based on what each auditor feels is important. This is a very dangerous and plain wrong issue for companies to deal with. Now what ticks me off… Each of the firms CLAIMS to be using COSO, COBIT, ISACA, etc. for its baseline auditing; however, as I mentioned, most of the independent auditors I have met don’t know squat about COSO, ISACA, PCAOB IT Controls as they relate to SOX. They are trying to enforce ALL IT controls outlined by COSO, COBIT, etc., whether they are in scope of SOX or not. This is causing companies to spend much more time and resources than needed to comply with SOX.
    The other issue I have is that IT organizations are having a hard time finding direction on what they need to do to comply. They only get general guidance that is almost useless. The external auditors won’t give guidance on what they want to see or what they are auditing for. The places that claim to have the info (COSO, ISACA, etc.) want to charge you for it. So the auditing organizations are making the rules. The auditing firms won’t tell you what you have to do and are the main partners that run the auditing organizations, AND you have to pay the auditing organizations for guidance.
    Doesn’t anyone find this to be somewhat immoral, unethical? In my opinion criminal. Bottom line is that the SOX law itself had good intentions, but I think the auditing firms and auditing organizations have collaborated to make sure they make the most money possible out of this by ripping off companies.
    My two cents worth.

