External Auditors and Who Sets The Bar?



  • When external auditors come in to a bank to ensure SOX compliance, to what level are they checking? Is the bar set by some internal department in the bank, or are there hard and fast rules as to what should and shouldn’t be done from a process point of view?



  • Auditors will work to understand the bank’s process flows and understand where risks occur. Based on the risks, they will establish a set of key controls for each individual bank, as processes can differ from location to location. That being said, there are general risks that would apply to any bank, therefore many controls from bank to bank would be similar (daily cash counts/reconciliations, etc.). In addition, the banking industry is highly regulated and has standards that must be adhered to. Compliance with those standards will form the basis for many of the bank’s key controls.



  • Thanks for that, very interesting.
    Here briefly is my situation: I’m a contractor employed to give out very high level passwords in a British bank. The bank suddenly has American interests and everyone is worried about whether they are SOX compliant. There has been no external audit yet, but it’s a bomb waiting to go off.
    I get daily requests for new passwords to be issued in emails which give an approved change ticket number. More often than not the ticket doesn’t state the exact server that is going to be worked on but talks more generally about the problem in hand. Ideally the ticket would include the server name and USERID being asked for, but it doesn’t.
    I then email the user the new password by reply, which also states the server name.
    This is a new process; the bank hasn’t as of yet introduced any hard and fast rules on the issuance of these passwords.
    I can see a SOX auditor having kittens when he reviews this process.
    I would have thought the server and USERID for which the password request is being made should be clearly mentioned in the change request. I also would have thought the email being sent to the requestor should be in two parts, so the server and password details are separate, or the email should be sent encrypted.
    So to what extent, if any, would SOX rules and regulations on the issuance of passwords guide this process? Or does the bank create its own process, which a SOX auditor would simply ensure was being complied with?
    Any views on this situation would be appreciated, as I have now been handed the charge of creating a procedure as well as carrying it out, which rings alarm bells in my head straight away.
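The controls the post above proposes (ticket must name the server and USERID, no self-approval, password delivered separately from the server reference, a record an auditor can check) can be enforced at the point of issuance. The following is an added example, not code from the thread or the bank; the request fields, the `CHG######` ticket format and the `approver` field are assumptions.

```python
"""Issuance gate for privileged passwords with a tamper-evident audit trail.
Added example; request schema, ticket format and approver field are assumed."""
import hashlib
import json
import re
from dataclasses import dataclass, field
from typing import Optional

TICKET_RE = re.compile(r"^CHG\d{6}$")            # hypothetical change-ticket format
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*$")  # a specific host, not a description
REQUIRED = ("ticket", "server", "userid", "requester")


@dataclass
class AuditLog:
    """Append-only log; each entry hashes the previous one so edits or deletions show up."""
    entries: list = field(default_factory=list)
    last_hash: str = "0" * 64

    def record(self, event: dict) -> str:
        entry = {"prev": self.last_hash, **event}
        digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append({**entry, "hash": digest})
        self.last_hash = digest
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            expect = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expect:
                return False
            prev = e["hash"]
        return True


def validate_request(req: dict) -> list:
    """Return control failures; an empty list means the request may be fulfilled."""
    problems = [f"missing {k}" for k in REQUIRED if not req.get(k)]
    if req.get("ticket") and not TICKET_RE.match(req["ticket"]):
        problems.append("ticket id not in approved format")
    if req.get("server") and not HOSTNAME_RE.match(req["server"]):
        problems.append("server is not a specific hostname")
    if req.get("requester") and req.get("requester") == req.get("approver"):
        problems.append("requester approved own ticket")   # segregation of duties
    return problems


def issue(req: dict, log: AuditLog) -> Optional[dict]:
    """Log the decision, then return the two-part delivery (secret kept out of the notice)."""
    problems = validate_request(req)
    if problems:
        log.record({"action": "rejected", "ticket": req.get("ticket"), "reasons": problems})
        return None
    log.record({"action": "issued", **{k: req[k] for k in REQUIRED}})
    return {"notice": f"Credential for {req['userid']} on {req['server']} ({req['ticket']})",
            "secret_channel": "password sent separately over an encrypted channel"}
```

The log records who asked for which account on which host under which ticket, which is the evidence an auditor walking the process will ask for.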



  • I’m surprised no one has asked you if your bank is publicly traded on American stock exchanges or not. I would guess not? If not, then you don’t have anything to worry about.

