Greg,

The Auditing standards of which you speak are not the law and do not require a computer generated audit trail. In a given computer system, the only way you could possibly provide such an audit trail would be through journaling of the database. In MAPICS, IFM provides this capability as standard. You have complete audit of before and after every data change. But, no audit firm in the world is going to read through your journal reports. However, this is not required by either the Auditing Standards or the SOX 404 requirements. I've worked with 2 of the "big three" accounting firms and have successfully received their signature to our processes.

What the law does require is that if you have an "approval" process as part of your internal procedures (such as a paper approval for changes) that the process itself is audited for compliance. That means that you have the requirement to perform an audit of the changes approved to ensure that the approval process is in compliance. This is not a MAPICS issue: my SAP and Oracle clients have the same issues.

Here is one scenario for you to discuss with your audit team. Suppose you are an international company with offices in the EU. According to EU privacy regulations, financial data, especially labor related, must be kept in a physically (not logical) separate database. Now this company has the requirement of consolidating the financial data for 10k reporting (etc.). The detailed data, including the audit trails, must never be physically consolidated with the summary financial data. How then to provide the audit trail for the consolidated financials when the privacy laws of the EU conflict?

The requirements placed on auditors by PCAOB Auditing Standard No. 2 do not require computer generated audit controls. The requirements as explained in Paragraphs 75, 79, 81-82, 126 among many, are very clear in their meaning and application. Also, please see Example B-1, B2 and B3 released with the standard.
From these guidelines it is clear that what is required is evidence of changes being approved and applied. In your original question regarding changes to security files, your requirement is to show control over the changes, and evidence that you have tested that the controls are effective.

Usually, this "testing" is where many fail to understand what is being required. According to standards, the testing is to be performed by internal audit functions as well as external audit functions. The testing may use simple "inquiry" analysis (i.e. show me what the current settings are.) as well as evaluating the internal audit controls. (i.e. on May 31, 2004 the security for "cash applications" changed by adding employee to the approved security list. Has this been updated?)

I've participated in many round table discussions of the requirements, standards, etc.; and as I have stated an "automated" audit control is not required. But, auditable internal procedures, internal audits confirmed by external audits are required.

I hope this helps clear up some of the confusion.

Kevin Fox
kdfox@xxxxxxxxxxxxx

-----Original Message-----
From: Greg Wenzloff [mailto:GWenzloff@xxxxxxxxxxx]
Sent: Monday, October 25, 2004 12:37 PM
To: 'MAPICS ERP System Discussion'
Subject: RE: PROGRAMMER ACCESS TO PRODUCTION ENVIRONMENT

SOX 404 requires auditors to assess the effectiveness of internal controls over financial reporting. It is the PCAOB Auditing Standard No 2 published in March that gives the auditors guidelines for their evaluations. This is where the problems begin. Since this was only published recently, auditing bodies are not up to speed on what they should be doing with SOX. I think you got off easy. How can you evaluate the controls on financials if the data does not have an audit trail?

Since no one else seems to have input on the subject <it is not going to go away> let's just agree to disagree.

Have a nice day.
Greg

-----Original Message-----
From: kdfox@xxxxxxxxxxxxx [mailto:kdfox@xxxxxxxxxxxxx]
Sent: Monday, October 25, 2004 2:48 PM
To: 'MAPICS ERP System Discussion'
Subject: RE: PROGRAMMER ACCESS TO PRODUCTION ENVIRONMENT

Greg,

Nothing in the SOX 404 requirements requires that IT provide a computer generated "audit trail". A manual procedure along with concomitant internal audit controls is all that is required. Remember, SOX was written with the knowledge that some companies do not have computer systems. If your "real" auditor is telling you different, they are ripping you off.

Kevin Fox
kdfox@xxxxxxxxxxxxx

P.S. I've been involved with 3 different MAPICS/SOX audits and have passed all three. And no, I will not be doing any more.

-----Original Message-----
From: Greg Wenzloff [mailto:GWenzloff@xxxxxxxxxxx]
Sent: Monday, October 25, 2004 7:14 AM
To: 'MAPICS ERP System Discussion'
Subject: RE: PROGRAMMER ACCESS TO PRODUCTION ENVIRONMENT

It's good that you have a process to approve the changes. But how do you meet the Sarbanes-Oxley requirement to keep a record of the changes that occur to the security file(s)? Your approval papers do nothing for that. Do you have a trigger program recording changes or journaling? These paper trails might work for a newbie auditor but a real auditor will fail you. You have not complied with the law.

Greg

-----Original Message-----
From: Don [mailto:dr2@xxxxxxxxxxxx]
Sent: Monday, October 25, 2004 10:01 AM
To: MAPICS ERP System Discussion
Subject: Re: PROGRAMMER ACCESS TO PRODUCTION ENVIRONMENT

Tim,

I'm glad you're comfy with this arrangement. I used to really hate it when IT was nothing more than a big adding machine to balance accounting's G/L... I use a form that mimics the security assignment screens by application and the application owner has to sign off on that...
Don in DC

-----------
On Mon, 25 Oct 2004 Tim.Bertnick@xxxxxxxxxxxxxxxx wrote:

> Good morning - re: setting up MAPICS security, our head of accounting must
> sign off on all MAPICS security changes - our auditors seem OK with this.
> _______________________________________________
> This is the MAPICS ERP System Discussion (MAPICS-L) mailing list
> To post a message email: MAPICS-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/mapics-l
> or email: MAPICS-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/mapics-l.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.