Compliance Toolkit

Sarbanes-Oxley: What IT managers need to know

Staff Tech Republic

Published: 18 Jan 2005 11:30 GMT

Where IT fits into the process
While some of the terms used in this article may seem alien, keep in mind that this is how the auditing world talks in real life. Under SOX, the audit process extends into areas that have a pervasive effect on the ability of the company to perform accounting and financial reporting. Since most business processes are supported by IT directly or indirectly, your project team will make the decision whether or not to create documentation integrated with the business processes or separate documentation for IT. Either way, IT processes that support the applications will also need to be documented.

Put another way, your job will be to document IT processes for computer operations, application development and maintenance, change control, as well as access to programs and data.

Controls, controls, controls
Once the team finishes documenting the company's processes, it's time to start the identifying control activities and assessing control design, control effectiveness, and anti-fraud controls. To help wrap your brain around the meaning of those controls, here's a brief overview of assessment and testing.

The assessment and testing process is a two-step course of action. Test plans can only be created after control activities have been identified. At the outset, a company needs to identify its objectives, risks, and control activities for each process.

After the company's objectives are identified, IT can create test plans to assess the effectiveness of these control activities.

Identifying control activities
At the heart of SOX compliance is putting in place well-designed controls. But how do you know if you have them? A well-designed control activity should satisfy the objective and address the risk that the objective won't be met. For example, if an objective is to allow only authorised users to gain access to corporate data, your control activity must address what would happen if an unauthorised user somehow "gets through" your network defences. Will the breach be detected in a timely fashion? Is there an audit log generated to assist in investigation of the breach?

So, when you sit down to write your test plans, you should think about what control activities or measures you have in place to manage your risks and prevent or detect errors, intrusions, and other breaches of your controls.

1 2 3 4

Did you find this article useful?
230 out of 464 people found this useful

More In Compliance

Loading Video Player ....

Featured Talkback

There will be further activation issues to watch out for as Microsoft plans to offer a similar service to independent software vendors whereby they can "control" licensing through activation and other measures similar to the Software Protection Platform.