NT Servers & SOX





  • Why do you think that having an NT server would stop you complying with SOX?
    With IT the issue is (very simplistically) do your in-scope systems have sufficient General Computer Controls as defined by COSO/CobIT. There is no fundamental reason why an NT server cannot satisfy these requirements if set up and run properly.
    By in-scope systems I mean ones where you have identified automated key controls within a business process that rely on that system.



  • Dennis is correct to a certain point…
    If your NT server directly supports an application that is in scope, or is relied upon as part of a key control for a business cycle, it will need to be well maintained and reasonably secured.
    Most IT hardware/software activities are in scope as part of general computer controls.
    Therefore, it would be wise to review the security settings of the NT server and ensure any changes/maintenance/support of the NT server complies with your operational procedures.
    Then you will be fine.
    Cheers
    tristanatbui.com



  • Yoda404 - you are right, but the original poster was under the impression that the NT servers would have to be eliminated because of SOX because they CANNOT be SOX compliant. This is clearly not the case and this sounds like BS from someone who wants to sell them new kit.



  • So in order to be SOX compliant your systems must be compliant with COSO/CobIT? Where is that information at? The actual Sarbanes-Oxley Act document.
    Can anyone find the words COSO or CobIT in this document? Better yet, see how many times the word ‘technology’ appears in the document and what it refers to.
    Please. Someone shut me up and display some evidence from the Sarbanes-Oxley Act that says your IT systems must meet the compliance terms of X.



  • You need to look at the SEC’s ‘Final Rule: Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports’ which references the COSO framework extensively. Although it stops short of saying ‘you must use COSO’ - in theory, you could use another framework - it is strongly suggested.
    With respect to CobIT this is not referenced in the legislation at all. However, the widespread use of CobIT comes because COSO doesn’t handle the IT side of things very well and CobIT is seen as the de facto standard. In order to make this ‘compliant’ the IT Governance Institute prepared a mapping of CobIT to COSO objectives (available on ISACA website) to make use of CobIT easier.
    Is this enough to shut you up or do you need more 😉



  • Nope. Not enough. This document references COSO for the definition of ‘internal control’ as well as referencing it for ‘internal control over financial reporting’ but makes no mention of how this should apply to IT. The only mention of IT anything in this document is this: ‘adequate safeguards over access to and use of assets and records, such as secured facilities and authorization for access to computer programs and data files.’ Obviously this talks about securing the systems which hold confidential data. I don’t see how making changes to network infrastructure has anything to do with any of this unless it is affecting a financial system of some sort. Getting back to the subject, then by definition, since Microsoft will no longer be supporting Windows NT, Windows NT in and of itself cannot be SOX compliant unless you disconnect it from your network.



  • Actually Denis is right, but you have to go into COSO to see specifically how the IT component works.
    COSO covers how control risks should be identified within processes and the controls to cover them. It refers to manual controls and automated controls and how the latter need to be supported by appropriate General Computer Controls.
    Best practice suggests that General Computer Controls are best covered by COBIT.
    You need to go SOX Act to SEC Final Rule to COSO to COBIT.
    For a couple of short paragraphs Section 404 requires plenty of reading :evil:



  • Thanks. Maybe I should have been more explicit.
    The Sarbanes-Oxley Act 2002 plus the SEC Final Rules together tell you inter alia that management must establish and maintain adequate internal control over financial reporting for the company and that by adequate internal control they mean COSO.
    To get more explicit about what that means in practice you need to read COSO and its friend CobIT.



  • And if you’re still not happy try this:
    isect.com/html/ca_faq.html



  • Found a couple of things that tie this together better than I did:
    Excerpts from the SEC Final Rule
    ‘We believe that each company should be afforded the flexibility to design its system of internal control over financial reporting to fit its particular circumstances.’
    In this same final rule, the SEC says:
    ‘The methods of conducting evaluations of internal control over financial reporting will, and should, vary from company to company. Therefore, the final rules do not specify the method or procedures to be performed in an evaluation.’
    They go on to discuss the COSO framework:
    ‘…we have modified the final requirements to specify that management must base its evaluation of the effectiveness of the company’s internal control over financial reporting on a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.
    The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management’s annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors.’
    http://www.sox-online.com/coso_cobit_sec_on_frameworks.html
    In most companies of any size, data moves between multiple business groups and IT systems on its way from initial transactions to the reports that the CEO and CFO must attest to.
    Attesting to the accuracy of the data requires confidence in accounting procedures and controls. These are addressed within the COSO framework.
    The SOX 404 attestation also requires confidence in the IT systems that house, move, and transform data. This requires confidence in the processes and controls for those IT systems and databases. The CobIT framework was designed to address IT concerns.
    Finally, an excerpt from IT Control Objectives for Sarbanes-Oxley, the document that maps CobIT objectives to COSO:
    ‘The PCAOB standard includes specific requirements for auditors to understand the flow of transactions, including how transactions are initiated, authorized, recorded, processed and reported. Such transactions’ flows commonly involve the use of application systems for automating processes and supporting high volume and complex transaction processing. The reliability of these application systems is in turn reliant upon various IT support systems, including networks, databases, operating systems and more. Collectively, they define the IT systems that are involved in the financial reporting process and, as a result, should be considered in the design and evaluation of internal control.
    The PCAOB suggests that these IT controls have a pervasive effect on the achievement of many control objectives. They also provide guidance on the controls that should be considered in evaluating an organization’s internal control, including program development, program changes, computer operations, and access to programs and data. While general in nature, these PCAOB principles provide direction on where SEC registrants likely should focus their efforts to determine whether specific IT controls over transactions are properly designed and operating effectively.
    This document discusses the IT control objectives that might be considered for assessing internal controls, as required by the Act. The appendices of this document provide control examples that link PCAOB principles, including their relationship to internal control over financial reporting. To support implementation and assessment activities, illustrative control activities and tests of controls are provided in the appendices.’

