Business User SELECT Access



  • Is there a rule about a business user, especially a technical one, prohibiting them from having SELECT only to a SOx compliant database?



  • Hi and welcome to the forums 🙂
    Within the framework of the SOX 404 language itself, there are no specific rules of that nature. However, companies may implement special controls or procedures as they desire to address material financial risks.
    These controls are often designed by the compliance team and may also be added by SOX external auditors. COBIT is also often used as a framework for implementing SOX-related controls (and a free PDF copy can be obtained as noted in the thread below):
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1920
    This could include access restrictions to production financial systems for IT developers, power users, etc. (e.g., using tools like Access, Toad, or other query tools). However, I’ve also seen companies where ‘power users’ are permitted read-only access to database tables with complementary controls in place (e.g., logging, restrictions to certain tables or views, etc.).



  • That being said, are there any specific restrictions on write (insert, update) access for ‘power users’? I am not talking about permanent object creation like creating tables and stored procedures, but specifically insert, update, delete on table data itself?



  • Are there any specific restrictions on write (insert, update) access for ‘power users’? I am not talking about permanent object creation like creating tables and stored procedures, but specifically insert, update, delete on table data itself?
    While SOX 404 may not spell this out in detail, it does recommend that management establish a plan based on material risks to control all IT financial system exposures. Thus, I would answer this with a ‘YES’, as there should be:
    – Logging of any updates or changes to financial data
    – Limitations on any direct changes to relational tables themselves outside the application (e.g., direct updates must not be applied except in cases where there is no other way to make an emergency change). It should not be viewed as a normal process for users to make direct updates without accountability.
    – Classical audit controls on the process itself (e.g., autonomy levels, checks-and-balances, etc.)
    The link below might be helpful in further evaluating these exposures:
    COBIT 4 - Used often by SOX external auditors
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1920
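The two replies above describe the same pair of controls: read-only access for power users limited to specific tables or views, and a log of any direct change made to financial data outside the application. The following is an added example of how those controls look in a database, written for this page and not taken from the thread or from COBIT. It uses PostgreSQL 11+ syntax; the schema name fin, the table fin.journal_entry, the role names and the column names are all assumptions made for the illustration.

```sql
-- Added example (PostgreSQL 11+), not from the original thread.
-- Assumed objects: schema fin, base table fin.journal_entry, roles fin_readonly and fin_app.

-- 1. Read-only access for power users, through a view rather than the base table.
--    No privilege is granted on fin.journal_entry itself, so SELECT on the view
--    is the only path a member of fin_readonly has to the data.
CREATE ROLE fin_readonly NOLOGIN;
REVOKE ALL ON SCHEMA fin FROM PUBLIC;
GRANT USAGE ON SCHEMA fin TO fin_readonly;

CREATE VIEW fin.v_journal_entry AS
    SELECT entry_id, posted_on, account, amount, description
    FROM fin.journal_entry;          -- expose only the columns the reviewer needs

GRANT SELECT ON fin.v_journal_entry TO fin_readonly;

-- 2. Audit trail for every direct INSERT/UPDATE/DELETE on the base table.
--    The trigger records who changed what, including changes made with a
--    query tool outside the application.
CREATE TABLE fin.journal_entry_audit (
    audit_id   bigserial   PRIMARY KEY,
    changed_at timestamptz NOT NULL DEFAULT now(),
    changed_by text        NOT NULL DEFAULT session_user,   -- login user, not a SET ROLE alias
    client     inet                DEFAULT inet_client_addr(),
    operation  text        NOT NULL,
    old_row    jsonb,
    new_row    jsonb
);

-- SECURITY DEFINER lets the trigger write the audit table even though the
-- user making the change has no privilege on it (so they cannot tamper with it).
CREATE OR REPLACE FUNCTION fin.audit_journal_entry() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    INSERT INTO fin.journal_entry_audit (operation, old_row, new_row)
    VALUES (TG_OP,
            CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
            CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END);
    RETURN COALESCE(NEW, OLD);
END;
$$;

CREATE TRIGGER trg_audit_journal_entry
    AFTER INSERT OR UPDATE OR DELETE ON fin.journal_entry
    FOR EACH ROW EXECUTE FUNCTION fin.audit_journal_entry();

REVOKE ALL ON fin.journal_entry_audit FROM PUBLIC;    -- nobody but the owner edits the log

-- 3. Checks an auditor or DBA can run.

-- (a) Confirm no role other than the application account holds write privileges
--     on the base table (any other row here is a finding).
SELECT grantee, privilege_type
FROM information_schema.role_table_grants
WHERE table_schema = 'fin'
  AND table_name   = 'journal_entry'
  AND privilege_type IN ('INSERT', 'UPDATE', 'DELETE')
  AND grantee <> 'fin_app';

-- (b) List direct changes that did not come from the application account;
--     each one should map to an approved emergency-change ticket.
SELECT changed_at, changed_by, client, operation, old_row, new_row
FROM fin.journal_entry_audit
WHERE changed_by <> 'fin_app'
ORDER BY changed_at DESC;
```

Two points worth noting when adapting this. The audit function is SECURITY DEFINER so that it must be owned by a role that is not handed out to the people being audited, otherwise they could redefine it; and the view-only grant does nothing for a user who also holds a superuser or table-owner role, so the grant review in check (a) should be run against role memberships as well as direct table privileges.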

