Manager authority over underlings



  • New to this forum. A while back, doing research, I found an area of SOX where it wrote that managers need to have authoritative rights over their underlings. I am not sure if it still exists.
    The situation stems from a company allowing a techie to have admin rights but telling the manager they cannot. Does SOX address this type of situation?



  • Hi and welcome to the forums 🙂
    The short answer is ‘no’ … The actual wording of SOX 404 doesn’t specify this type of granular approach. As SOX affects a wide variety of companies, it instead specifies that management must use sufficient controls on their financial IT systems and provide appropriate security. This is typically measured and tested by SOX auditors, and many external auditors use COBIT 4.0 as a key guideline for compliance.
    Having an IT security background, I might agree with the recommendation, as long as there are existing checks and balances for the technicians. It is probably appropriate that a non-technical manager or officer not have ADMIN rights to servers and other resources, unless they are specifically trained in using these powerful accounts properly. However, if the manager or supervisor is skilled as a ‘working manager’ and understands these privileges – then it would be appropriate to grant ADMIN rights.
    At a minimum, the technician should be kept in check by fellow techs who have the same rights. Also, security control reports need to be produced where highly privileged security rights are granted or invoked (e.g., logging should be in place). There are other checks and balances.



  • I swear I saw an area describing that a manager should have the authority to remove access or rights to an underling, or grant themselves the same level.
    Here is a condition:
    You cannot hire a person and put them in an authoritative role where they don’t have experience. Example: a cousin, sister, nephew, or friend cannot be hired as an IT Manager without any experience in that field.
    Therefore an IT Manager would have to be experienced in that field.
    The reply seems to say there are no checks and balances for this.
    Now, if the manager does not have authority over employees, what is to stop a different manager from getting to the underlings to do things that the IT manager is not aware of?
    The crux of the matter: a crime can be committed if the manager is not aware and does not have the authority to view configurations that the employee is capable of changing.
    The checks and balances of this in the reply: ‘the technician should be kept in check by fellow techs who have the same rights.’
    I don’t know, I remember reading something about the authoritative rights a couple of years ago. The manager is supposed to be responsible and held accountable.



  • Hi - Some brief responses below:
    a manager should have the authority to remove access or rights to an underling, or grant themselves the same level.
    Agreed - Although, my earlier response was in light of where some Tech managers I’ve seen have been more ‘people’ oriented than experts knowledgeable of network or Operating Security itself. If there were a need to examine or change security for someone with ADMIN authority, they could certainly have the IT security department or another network technician physically perform the changes.
    Therefore an IT Manager would have to be experienced in that field. The reply seems to say there are no checks and balances for this … Now if the manager does not have authority over employees, what is to stop a different manager from getting to the underlings to do things that the IT manager is not aware of.
    If the IT manager is experienced in network/OS security they can certainly check up on their team members. However, in large companies you might have several computing platforms, (e.g., IBM Mainframes, AS/400, UNIX, Windows Servers, etc.) and even a Technical Support manager can’t be an expert in all these.
    SOX doesn’t make this an absolute requirement, as there are managers who might know in general concepts what their employees are doing, but not the detailed technical day-to-day inner workings.
    In cases where more people oriented managers (rather than technical) exist (which is often), compensating controls can be established outside the direct manager-employee relationship.
    This includes: IT security departmental monitoring, audit logging on sensitive servers or events, etc. In fact, this type of monitoring approach would be more comprehensive than just the manager trying to keep up with their own work demands plus check up on everyone.
    Violations detected would certainly be brought to the attention of the manager for more detailed analysis and possible disciplinary actions if warranted. The manager still has their role in the process, whether they personally found the security issues or not.
    I don’t know, I remember reading something about the authoritative rights a couple years ago. The manager is supposed to be responsible and held accountable.
    Yes, SOX 404 controls are a senior management responsibility for the company to set up comprehensive controls for automated IT systems, based on material risks. However, they are written in a generic high-level fashion as companies vary widely in their practices. They basically impose a real monitoring process for companies to ensure protection without getting into the ‘nitty gritty’ sometimes (and thus SOX 404 is critiqued for being too confusing or for companies going beyond what’s required due to misinterpretations).
    Not all the security requirements a company may want to adopt to protect their IT resources are covered by SOX alone. There are general IT controls and many other requirements that might be mandated based on the industry a company is in. For financial systems, the required SOX should be seen as minimum baseline standards for Financial Systems primarily, and companies can always go much further.
    Finally, I agree that managers are an important and critical control point over their areas and team members. However, the ‘how to’ approaches and specifications for these controls will vary from company to company.