I've seen a lot of banter about SOX and since we just had an audit this
week, I thought I would add my two cents.
 
I'm not a huge fan of government mandated controls and I think it's very
ironic that the improprieties of one audit firm now means huge business
for the remaining Big 5.
No doubt, the controls can be maddening at times.  However, remember
that the auditors are not defining the controls, you are (or your
management).  They're just verifying that the controls you say you have
in place are there and that they meet certain criteria.  They will most
likely suggest some things be put in place, but if you feel like you
have a compensating control, it's in your best interest to bring it up
and argue it.  
 
I've been trying to look at the SOX controls as opportunities to make
improvements.  Here are a few examples:
 
-  We currently have inadequate fire suppression in our data center.
We'd had a hard time convincing management that we needed it when we
moved into a new building two years ago.  Well, now because of SOX,
we'll be putting one in shortly.
-  We had a pretty good disaster recovery plan in place before SOX, but
we now have a much more robust plan in place.
-  Prior to SOX, development project requests typically came in the form
of users calling or emailing, asking us to do this or that.  Testing was
typically by trial and error.  We now have a formal, documented
procedure for project requests that requires the users' managers'
authorization, user testing and IT management approval before
moving into production.  Just having the procedure in place has forced
the users and their managers to think about what they are asking for.
This has resulted in projects being more thought out and improved user
acceptance.
-  Did you know that iSeries Client Access for Windows will allow a four
character, all numeric password, even if your system value QPWDMINLEN is
set to 5 characters?   We were somewhat embarrassed when our auditor
discovered this while observing users signing on to the system.
However, in researching it we discovered that this is something that IBM
has allowed since V3R2.  If a user creates an all numeric password, a Q
will automatically be placed in front of the password and 1234 would get
passed as Q1234.  So for us, it was an opportunity to learn something
new.
 
So, our audit has turned up a few minor issues that will be relatively
easy to fix, and we learned some things during the process.   I guess I'm
a "glass is half full" kind of guy...
 
Marty