One of the effects of SOX, since the whole point of this is to make (a very specific) SOMEBODY accountable for the practices of the business. So, the best CYA strategy is to adhere to so-called "best practice" principles...
Now, the unfortunate effect of the way SOX was written is that defining "best practice" is a little fuzzy, and open to interpretation. The auditor is the arbiter of "best practice", and unfortunately, there is a wide range of opinions on how they should interact with business. Some I've seen try to impose THEIR vision of best practice, without question or mercy... Others engage with business to find the best "best practice" they can...
Typically I'd say, the objective is mostly about auditability (logging what happened) and accountability (who allowed it to happen). This broadens into risk management, disaster planning and recoverability studies, volumes of documents describing workflow, policy, and procedure. All in all, it becomes a little monster, depending on how well the business operated prior to being SOXified...
Still, there's much of value to the objectives behind SOX, and as a whole, I think companies can benefit from the experience. Some corporate cultures are more nimble and can embrace change when needed, others not so much...
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Stone, Joel
Sent: Monday, February 25, 2013 9:44 AM
To: Midrange Systems Technical Discussion
Subject: SOX compliance
Does anyone have a summary of how SOX compliance should or could affect a typical iSeries shop?
From an IT auditing standpoint?
For example, outside auditors recommend all sorts of steps and often reference SOX compliance. How detailed does SOX get regarding this such as:
- IT issues in general
- Separation of PROD and TEST environments (or even hardware)
- User ids; using IBM user-ids, control of job schedulers, etc
I thought SOX was more of a financial and top management responsibility and accountability act. How far down the IT control structure of a typical company does SOX reach?