
Under SOX, the auditors are not allowed to be both auditors and consultants at the same company. This is because of collusion between the two roles in the Arthur Andersen scandal that eventually took that big-8 company out of existence.

Lest you forget what that was all about.
http://www.wallstreetfollies.com/
(scroll to bottom & click on the diagram, then scroll down again)

That notion of Separation of Duties for the auditing firms may need to get some further tuning, because many of them are not doing a good job with computer security on their clients' data on laptops, for which auditor security is sometimes an oxymoron (I suspect Ernst & Young is at risk of going the way of Arthur Andersen).

In case you do not know what I am talking about:
http://www.privacyrights.org/ar/ChronDataBreaches.htm

Here is input to a database of the incidents, so y'all can slice & dice to see which other organizations are constantly in the breach news and what types of vulnerabilities seem most popular:
http://attrition.org/dataloss/dataloss.csv

Looks like some "auditors" may be on automatic from how they used to behave before SOX, just adding to the marketing collection, not rethinking the process.

Part of the audit should include what the size of the company is, in terms of the practicality of implementing their suggestions. Some companies are large enough to have separation of duties by person. Some are not. But even those that have only one "technical" specialist for an OS can implement change management, where non-technical people approve the changes and the fact that the tests were satisfactory.

Computers are not the only place where this separation of duties question comes up.
We have one person doing all the accounting ... money coming in, money going out.

At a former employer, I found what I thought was clear evidence of embezzlement, to the tune of millions of dollars, where there was a conspiracy of several division managers and several departments ... later it turned out that there were 2 dozen people involved. They all got to keep their jobs ... it was me who got in big trouble for saying the "E" word in a private briefing to higher management. I don't think the auditors were even told about that. I also reported to higher management, and did not get in trouble that time, where I witnessed a senior accountant bamboozle the auditors with a report that was constructed like we would put a green bar report out of word processing. Lots of indigestion from those and other kinds of "games" ultimately contributed to me leaving that employer.
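The change-management control described above (one technical specialist, with non-technical people approving the change and attesting that tests passed) can be checked mechanically against a change log. The following is an added example, not code from the list post or from any shop mentioned in it; the ticket fields, the names and the sample records are constructed for illustration. The rule it enforces is the one the post states: the person who implements a change may not also be the one who approves it or the one who signs off on its tests, and both sign-offs must exist. It also counts how many distinct people a clean ticket involved, which is the "collusion required" figure Dave Odom alludes to in the quoted message.

```python
"""Separation-of-duties check over a change-management log.

Added example for the MIDRANGE-L thread on separation of duties; the record
layout and sample data below are constructed, not taken from any real shop.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Change:
    ticket: str
    implementer: str                # the one "technical" specialist who made the change
    approver: Optional[str]         # whoever approved the change (may be non-technical)
    tester: Optional[str]           # whoever attested that the tests were satisfactory
    test_result: Optional[str]      # "pass", "fail" or None if never recorded


def sod_violations(change: Change) -> List[str]:
    """Return every control failure on one change; an empty list means it is clean."""
    problems: List[str] = []
    if not change.approver:
        problems.append("no approver recorded")
    elif change.approver == change.implementer:
        problems.append("implementer approved their own change")
    if not change.tester:
        problems.append("no test sign-off recorded")
    elif change.tester == change.implementer:
        problems.append("implementer signed off their own tests")
    if change.test_result != "pass":
        problems.append(f"test result is {change.test_result!r}, not 'pass'")
    return problems


def distinct_parties(change: Change) -> int:
    """How many different people touched the ticket: the number that would
    have to collude to push a bad change through with every sign-off present."""
    return len({p for p in (change.implementer, change.approver, change.tester) if p})


def audit(changes: List[Change]) -> Dict[str, List[str]]:
    """Map each non-compliant ticket to its list of violations."""
    return {c.ticket: sod_violations(c) for c in changes if sod_violations(c)}


# Constructed sample log: one specialist (alice / dave) per platform, with a
# non-technical manager ("mgr") available to approve and attest.
SAMPLE_CHANGES = [
    Change("CHG-1001", "alice", "bob", "carol", "pass"),   # clean, three people involved
    Change("CHG-1002", "alice", "alice", "bob", "pass"),   # alice approved her own change
    Change("CHG-1003", "dave", "erin", None, None),        # approved but never tested
    Change("CHG-1004", "dave", "erin", "dave", "pass"),    # dave attested to his own tests
    Change("CHG-1005", "alice", "mgr", "mgr", "pass"),     # manager approves and attests: acceptable
]


if __name__ == "__main__":
    for ticket, problems in audit(SAMPLE_CHANGES).items():
        print(f"{ticket}: " + "; ".join(problems))
    for c in SAMPLE_CHANGES:
        if not sod_violations(c):
            print(f"{c.ticket}: clean, {distinct_parties(c)} distinct people involved")
```

Note that CHG-1005 passes even though the same manager both approved and attested: the control the post describes only requires that those roles be held by someone other than the implementer, which is exactly what makes it workable in a one-specialist shop. A stricter shop could additionally require `approver != tester`.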

How can a one person shop "afford it" when that one person is not given the
budget? Many of my clients have several Windows server support people. Who
do they have for their System i support? Me, and I'm not even on site.

Always remember that the auditors are also consulting services vendors. They
like to make recommendations that will get their consultants in the door.

Paul Nelson
Cell 708-670-6978
Office 512-392-2577
nelsonp@xxxxxxxxxxxxx


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Dave Odom
Sent: Thursday, November 01, 2007 4:21 PM
To: midrange-l@xxxxxxxxxxxx
Subject: Separation of Duties...

Kenneth,

It is reasonable and prudent to have a separation of people/duties for all
major privileged (System Programmer, Security Officer, DBA, Programmer,
etc.) personnel. It is an accepted practice in any well run and mature IT
shop AND any well managed business where protection of company assets is
taken seriously.

Most i5/AS/400 shops don't qualify as they are much like Windows-only shops
when it comes to having one or a few people that are "chief cooks and bottle
washers" and being expedient and cheap is more important then proper
business controls. I notice that at least one shop, a bank and I think an
i5 shop, understood what good business practices mean and had many controls
in place to protect assets and force serious collusion to "steal" or harm
assets without anyone knowing.

It is a shame that most i5-centric folks on here sneer at such things and
think their system and "business practices" superior.

If you do what the auditor suggests, if you can afford it, you'll be in
better stead over time and pass your audits when it comes to good business
and IT practices.

Sincerely,

David Odom
Arizona
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].