SOX documentation of IT functionality



  • As the owner of a business process, I rely on some IT controls (both automatically-enabled IT controls and manually-enabled IT controls) to function like the user guide says they do. My question is where should these IT controls be documented? Should they be documented in the IT toolkits? Should I document the control in my process toolkit because I rely on it to function as it should? How is this treated in other companies? Thanks…



  • I’ll try to answer your question to see if this is what you were looking for:
    For the IT side, the control matrix is usually referred to as the GCC (General Computer Control). This matrix should show all of the different IT controls for the different domains out there, depending on who your external auditors are and what their guidelines are. (PWC is ours, and we have defined our IT domains into 4 sections with them: IT Operations, Access, Program Change, and Program Development or SDLC.)
    If you have any questions about IT controls, contact the IT SOX person and ask to see the GCC. He/She should know what this is. If not, you may have other problems. 🙂
    Hope that answers your question.
    SG



  • In addition to the info provided earlier, the following might also be helpful:
    Webcast Tackles SOX IT Controls
    http://www.theiia.org/ITAudit/index.cfm?act=itaudit.archive-and-fid=5493
    SOX: Technical Enforcement of IT Controls
    http://www.computerworld.com/printthis/2004/0,4814,94535,00.html
    Guide to the Sarbanes-Oxley Act - IT Risks and Controls, FAQs
    http://www.protiviti.com/downloads/ProtivitiSOA_ITRiskControls.pdf
    Demystifying IT Controls
    http://www.enterprisefc.com/PDF/IT Controls Article.pdf
    Regards,
    Milan



  • @Ms-Matched_SOX: It would be better if you can give an example here. The IT-based controls either fall under ITGC or application-level controls. An example will lend more clarity.
    thanks,
    Calvin



  • SANS InfoSec Reading Room contains a good example of SOX Process Documentation and distinguishes General Controls from Application Controls.
    The Reading Room:
    sans.org/rr/whitepapers/auditing/
    The document:
    Sarbanes-Oxley Information Technology Compliance Audit
    Dan Seider
    May 17, 2005
    (download paper - PDF) - sans.org/rr/whitepapers/auditing/1624.php
    The answer to your question is clearly explained with example SOX Process Documentation in Sections 3.5 and 3.6. From your question, it appears that you would like clarification about where to document Application Controls that are addressed in the Software User Guide.
    General Controls are broader and would not be specific to an IT application, but are overall IT controls, hence the term ‘general’. Again, clear example process documentation may be found by following the link noted above.
    Hope this helps,
    milan