


Dear Ken and Tom,                                                +> vendor response

The Sarbanes-Oxley Act was interpreted by the Public Company
Accounting Oversight Board (PCAOB ... sometimes pronounced 
'peek-a-boo') and the result was a 211 page document called:
'Auditing Standard No. 2.'

PCAOB was created by the SOX legislation for the purpose of
creating these standards and they came up with 216 requirements.
Here is a 65,000-foot level review of PCAOB which has sub-links
which drill down into as much detail as you care to dig into:
        http://www.unbeatenpathintl.com/pcaob/source/1.html

The key finding:
    IT involvement will be very heavy because PCAOB opens every
    business process to detailed external audit review. Since business
    processes typically run through the iSeries, IT will end up in the
    middle of many facets of the SOX audit.

The largest non-compliance cost for an enterprise is likely to be a decline
in the price of publicly traded shares if the external auditor authors
an unfavorable opinion for publication in your annual report. Here's a
document on that topic entitled: "IT Security: What Shareholders Should
Know About the Exploding Responsibility for Data Integrity."
       http://www.unbeatenpathintl.com/debriscloud/source/1.html


IT can prepare for a SOX audit by taking at least these initiatives:

a. Be prepared to give your auditors an exceptionally thorough report about
    OS/400 security generated by an objective source. Make sure you can
    precisely replicate the report generation process so that each time
    something important changes about your system or someone important
    leaves the company, you can run the report again so as to analyze any
    "net change" in your system security profile.

b. Establish a well-thought-out business process for developing new
    applications or repairing/modifying existing software. This business
    process can be administered manually, but that is a nightmare if you
    have more than just a couple developers. Consider a software change
    management product to administer it for you.

c. Find a way to answer this kind of auditor challenge: "prove to me that
    no one got into the vendor master file just before checks ran last
    week, changed the name/address of a vendor, and then restored the
    original data soon after the checks ran."

d. Some ERP systems (older BPCS versions are flagrant examples) 
    have enormous security problems that require substantial effort to fix. 
    Also, if an auditor says, "tell me which users have access to BPCS 
    program INV00x" it can be a tedious, >1 day process to derive the 
    answer for each program they inquire about. 

Here are some solutions that address points a, b, c, and d:
      http://www.unbeatenpathintl.com/upisox/source/1.html

Warm regards,

Milt Habeck
Unbeaten Path
(888) 874-8008
(262) 681-3151
mhabeck@xxxxxxxxxx
www.unpath.com
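Point (c) above asks IT to prove that nobody changed a vendor master record just before a cheque run and put it back afterwards. That is an audit-trail question: with a field-level change journal for the file you can show every change around the run and, in particular, look for the change-then-revert pattern the auditor describes. The script below is an added example and is not code from Unbeaten Path or from anyone in this thread. The pipe-delimited journal format, the sample rows, the user names and the cheque-run window are all constructed for the example; on the iSeries the real data would come from journal entries on the vendor master physical file (DSPJRN), which this example does not read.

```python
"""Detect a change-then-revert on a vendor master field around a cheque run.

Added example, not from the original post. The journal format
(timestamp|user|vendor_id|field|old|new), sample rows and run window
are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class JournalEntry:
    ts: datetime
    user: str
    vendor_id: str
    field: str
    old: str
    new: str


# Constructed sample journal: one pipe-delimited line per field change.
SAMPLE_JOURNAL = """\
2004-11-01T08:00:00|APCLERK|V3003|NAME|Acme Inc|Acme Inc.
2004-11-03T14:02:00|OPERATOR1|V1001|ADDRESS|12 Main St|PO Box 991
2004-11-04T09:00:00|APCLERK|V2002|PHONE|555-1000|555-1001
2004-11-05T16:45:00|OPERATOR1|V1001|ADDRESS|PO Box 991|12 Main St
"""

# Constructed cheque-run window (start and end of the payment job).
RUN_START = datetime(2004, 11, 4, 10, 0)
RUN_END = datetime(2004, 11, 4, 11, 0)


def parse_journal(text: str) -> List[JournalEntry]:
    """Parse journal lines into entries sorted by timestamp."""
    entries = []
    for line in text.strip().splitlines():
        ts, user, vendor_id, field, old, new = (p.strip() for p in line.split("|"))
        entries.append(JournalEntry(datetime.fromisoformat(ts), user, vendor_id, field, old, new))
    return sorted(entries, key=lambda e: e.ts)


def changes_in_window(entries: List[JournalEntry], run_start: datetime, run_end: datetime,
                      window: timedelta = timedelta(days=3)) -> List[JournalEntry]:
    """Every vendor-master change within `window` either side of the run.

    This is the raw list an auditor would expect to see, reverted or not.
    """
    return [e for e in entries if run_start - window <= e.ts <= run_end + window]


def find_revert_pairs(entries: List[JournalEntry], run_start: datetime, run_end: datetime,
                      window: timedelta = timedelta(days=3)) -> List[Tuple[JournalEntry, JournalEntry]]:
    """Pairs (before, after) where one vendor field was changed shortly before
    the run and set back to its original value shortly after the run.

    A change that is never reverted is not a pair (it still appears in
    changes_in_window); a revert that happens before the run ends is ignored
    because the run never saw the altered value.
    """
    by_key: Dict[Tuple[str, str], List[JournalEntry]] = {}
    for e in entries:  # entries are already in time order
        by_key.setdefault((e.vendor_id, e.field), []).append(e)

    pairs = []
    for changes in by_key.values():
        for i, before in enumerate(changes):
            if not (run_start - window <= before.ts < run_start):
                continue
            for after in changes[i + 1:]:
                if after.ts <= run_end:
                    continue  # altered again before/during the run, not a post-run restore
                if after.ts > run_end + window:
                    break  # too late to be part of the pattern
                if after.old == before.new and after.new == before.old:
                    pairs.append((before, after))
                    break
    return pairs


if __name__ == "__main__":
    journal = parse_journal(SAMPLE_JOURNAL)
    for e in changes_in_window(journal, RUN_START, RUN_END):
        print(f"{e.ts} {e.user:10} {e.vendor_id} {e.field}: {e.old!r} -> {e.new!r}")
    for before, after in find_revert_pairs(journal, RUN_START, RUN_END):
        print(f"REVERT PATTERN: {before.vendor_id}.{before.field} changed by {before.user} "
              f"at {before.ts}, restored by {after.user} at {after.ts}")
```

On the constructed data, V1001's address is changed the day before the run and restored the day after, so it is reported as a revert pair; V2002's phone change falls in the window but is never reverted, so it is listed only as an ordinary change; V3003's edit is outside the three-day window and is not reported. The window and the run timestamps are parameters because the auditor's question is always about a specific run.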



++++++   +++++++   +++++++   +++++++   +++++++   +++++++
From: Shields, Ken
To: Midrange Mailing List
Sent: Thursday, November 11, 2004 10:49 AM
Subject:  SOX impact on IT

Hello everyone..

I'm curious to know if anyone has deciphered the Law as it applies to
IT, and does anyone have an itemized list (probably by application level)
as to exactly what is required?

The law is so broad in its implication that it's not difficult for some
software companies to read into this, and convince their clients that
'their' solution is what is needed.$$$$$$

I expect I can leave it to the lawyers to figure out what the
non-compliance costs might be...

Ken Shields 




++++++   +++++++   +++++++   +++++++   +++++++   +++++++
----- Original Message ----- 
From: Tom Jedrzejewicz 
To: Midrange Systems Technical Discussion 
Sent: Friday, November 12, 2004 11:36 AM
Subject: Restrict ability to alter variables in debugger on production


As near as I can tell, SOX has many similarities to ISO-9000.  There
is virtually no telling you WHAT must be done.  Rather, the regulation
states that the organization must have policies, those policies must
pass the muster of external audit, and the organization must be able
to demonstrate compliance with those policies.
<snip>


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
