(What ARE) Standards vs. Policies and Procedures?



  • Hello. I’m a writer on my third SOX assignment. I have the idea of Policies and Procedures down pretty much cold as far as what needs to be documented, how to gather the information, etc. My current client wants the Standards to be documented as well. Not too sure how to go about this, as I haven’t documented Standards in particular before…any examples as to what a SOX Standard is/how to document them?
    Thanks a ton.



  • I would request a clarification with an example from whomever you are preparing documentation for. I think that you might get 3 different responses from 3 different people by asking this.
    A standard could be best practice or the way a procedure ‘should be’ performed. A policy could provide guidelines that give leeway as to how a process is performed, with the standard falling within the policy guidelines.
    There are no prescribed SOX standards. A similar process or control across multiple companies could be operated in multiple ways and all be considered the standard for each company.
    I apologize for the vague answer, but I don’t know how better to respond.



  • Hi and welcome to the forums 🙂
    You’ve shared an excellent question. Below is my own brief definition of terms:
    Policies = high level major corporate security goals (e.g., usually augmented by standards and procedures)
    Procedures = operational steps for accomplishing corporate security goals (e.g., ‘how to’ steps for folks to follow)
    Standards = detailed methods of control used to meet corporate security goals (e.g., naming conventions, electronic forms to be used, etc)
    Standards and procedures are closely related and often used synonymously. Procedures are step-by-step workflow controls on ‘how to accomplish’ a security policy objective. Standards are the framework of rules and ‘the way’ a technical security objective must be met.
    For example, with passwords, the following are examples of applying each of these conventions to corporate passwords:



  • There are no prescribed SOX standards. A similar process or control across multiple companies could be operated in multiple ways and all be considered at standard for each company.
    I agree with kymike 🙂 While there are no prescribed SOX standards, some of the ideas calvin shares here are certainly on almost any audit checklist … COBIT 4 is used as a framework by many SOX auditors and might be worthwhile to look at for ideas.
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-p=7861#7861



  • Great, thanks a lot. I appreciate the quick response. I’ve never had to pry the Standards out of the Procedure docs, but after reading your replies, I think that this won’t be quite as daunting as I may have imagined.
    Thanks again.



  • Pretty great write-up, Harry. Love the way you highlight important stuff and provide examples.
    One of the things I want to highlight is that Standards can be borrowed from external sources like industry/regulatory guidance and best practices (the framework or rules, as Harry has mentioned), whereas procedures are mostly tailor-made for the company-specific environment. So in most cases you just have to pick the appropriate standard, whereas for procedures you may end up writing most of it.
    Though there are no SOX-specific standards, as Mike has said, in your case this may mean looking at the appropriate external guidance (from PCAOB, ISACA, SEC) and incorporating the applicable ones in a single document.
    For me, I have always kept standards different from procedures and try to define policies and procedures using applicable standards.
    Calvin

