


Greg,

The Auditing standards of which you speak, are not the law and do not
require a computer generated audit trail.

In a given computer system, the only way you could possibly provide such an
audit trail, would be through journaling of the database. 

In MAPICS, IFM provides this capability as standard.  You have complete
audit of before and after every data change.

But, no audit firm in the world is going to read through your journal
reports.

However, this is not required by either the Auditing Standards or the SOX
404 requirements.

I've worked with 2 of the "big three" accounting firms and have successfully
received their signature to our processes.

What the law does require is that if you have an "approval" process as part
of your internal procedures (such as a paper approval for changes) that the
process itself is audited for compliance.  That means that you have the
requirement to perform an audit of the changes approved to ensure that the
approval process is in compliance.

This is not a MAPICS issue:  my SAP and Oracle clients have the same issues.

Here is one scenario for you to discuss with your audit team.  Suppose you
are an international company with offices in the EU.  According to EU
privacy regulations, financial data, especially labor related, must be kept
in a physically (not logical) separate database.  Now this company has the
requirement of consolidating the financial data for 10k reporting (etc.).
The detailed data, including the audit trails, must never be physically
consolidated with the summary financial data.  How then to provide the audit
trail for the consolidated financials when the privacy laws of the EU
conflict?

The requirements placed on auditors by PCAOB Auditing Standard No. 2 do not
require computer generated audit controls.  The requirements as explained in
Paragraphs 75, 79, 81-82, 126 among many, are very clear in their meaning
and application.

Also, please see Example B-1, B2 and B3 released with the standard.

From these guidelines it is clear that what is required is evidence of
changes being approved and applied.

In your original question regarding changes to security files, your
requirement is to show control over the changes, and evidence that you have
tested that the controls are effective.  

Usually, this "testing" is where many fail to understand what is being
required.

According to standards, the testing is to be performed by internal audit
functions as well as external audit functions. The testing may use simple
"inquiry" analysis (i.e. show me what the current settings are.) as well as
evaluating the internal audit controls.  (i.e. on May 31, 2004 the security
for "cash applications" changed by adding employee to the approved security
list. Has this been updated?)

I've participated in many round table discussions of the requirements,
standards, etc.; and as I have stated an "automated" audit control is not
required.

But, auditable internal procedures, internal audits confirmed by external
audits are required.

I hope this helps clear up some of the confusion.

Kevin Fox
kdfox@xxxxxxxxxxxxx

-----Original Message-----
From: Greg Wenzloff [mailto:GWenzloff@xxxxxxxxxxx] 
Sent: Monday, October 25, 2004 12:37 PM
To: 'MAPICS ERP System Discussion'
Subject: RE: PROGRAMMER ACCESS TO PRODUCTION ENVIRONMENT

SOX 404 requires auditors to assess the effectiveness of internal controls
over financial reporting.   It is the PCAOB Auditing Standard No 2 published
in March that gives the auditors guidelines for their evaluations.   This is
where the problems begin.

Since this was only published recently auditing bodies are not up to speed
on what they should be doing with SOX.  I think you got off easy.

How can you evaluate the controls on financials if the data does not have an
audit trail?   

Since no one else seems to have input on the subject <it is not going to go
away> let's just agree to disagree.

Have a nice day.

Greg






-----Original Message-----
From: kdfox@xxxxxxxxxxxxx [mailto:kdfox@xxxxxxxxxxxxx] 
Sent: Monday, October 25, 2004 2:48 PM
To: 'MAPICS ERP System Discussion'
Subject: RE: PROGRAMMER ACCESS TO PRODUCTION ENVIRONMENT

Greg,

Nothing in the SOX 404 requirements requires that IT provide a computer
generated "audit trail".

A manual procedure along with concomitant internal audit controls, are all
that is required.  Remember, SOX was written with the knowledge that some
companies do not have computer systems.

If your "real" auditor is telling you different, they are ripping you off.

Kevin Fox
kdfox@xxxxxxxxxxxxx

P.S.  I've been involved with 3 different MAPICS/SOX audits and have passed
all three.  And no, I will not be doing anymore.

-----Original Message-----
From: Greg Wenzloff [mailto:GWenzloff@xxxxxxxxxxx] 
Sent: Monday, October 25, 2004 7:14 AM
To: 'MAPICS ERP System Discussion'
Subject: RE: PROGRAMMER ACCESS TO PRODUCTION ENVIRONMENT

It's good that you have a process to approve the changes.  But how do you
meet the Sarbanes - Oxley requirement to keep a record of the changes that
occur to the security file(s)?   Your approval papers do nothing for that.
Do you have a trigger program recording changes or journaling?

These paper trails might work for a newbie auditor but a real auditor will
fail you.   You have not complied with the law.

Greg



-----Original Message-----
From: Don [mailto:dr2@xxxxxxxxxxxx] 
Sent: Monday, October 25, 2004 10:01 AM
To: MAPICS ERP System Discussion
Subject: Re: PROGRAMMER ACCESS TO PRODUCTION ENVIRONMENT



Tim,

I'm glad you're comfy with this arrangement.  I used to really hate it
when IT was nothing more than a big adding machine to balance accounting's
G/L...

I use a form that mimics the security assignment screens by application
and the application owner has to signoff on that...

Don in DC

-----------

On Mon, 25 Oct 2004 Tim.Bertnick@xxxxxxxxxxxxxxxx wrote:

> Good morning - re: setting up MAPICS security, our head of accounting must
> sign off on all MAPICS security changes - our auditors seem OK with this.
> _______________________________________________
> This is the MAPICS ERP System Discussion (MAPICS-L) mailing list
> To post a message email: MAPICS-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/mapics-l
> or email: MAPICS-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/mapics-l.
>


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
