IT SOX Compliance...

NathanBWF

Golden Member
May 29, 2003
1,810
0
0
So I get hired as an IT Manager for this publicly traded company about a month ago, and now have the lovely task of making sure we're SOX compliant (which I believe we need to meet by the end of this year?).

Anyway, the 'SOX Person' that we have here has no idea what she's doing. I myself am also new to SOX and don't really know what exactly we need to do as far as my department is concerned to make sure we 'comply'.

I've been trying to find online information, as well as a list of requirements as far as IT goes that need to be met. Unfortunately, nothing I've found is really straightforward.

Have any other of you IT Managers gone through SOX recently? Recommendations? Basically, I'm looking to create an action plan to attack this but don't really know where to start...
 

xospec1alk

Diamond Member
Mar 4, 2002
4,329
0
0
We have to comply here where I work, but my boss does all the dirty work...so sorry, can't help...here's a free bump though :)
 

KLin

Lifer
Feb 29, 2000
30,354
674
126
I don't envy you one bit. I believe there are auditing consultants that you could use to help you set up controls within your company to make yourself SOX compliant.
 

NathanBWF

Golden Member
May 29, 2003
1,810
0
0
Originally posted by: KLin
I don't envy you one bit. I believe there are auditing consultants that you could use to help you set up controls within your company to make yourself SOX compliant.

Yeah we have one here, she works part time. Unfortunately, she's 100% useless and every time I ask her for help or recommendations, the best I get is a blank stare. :(
 

BigJ

Lifer
Nov 18, 2001
21,330
1
81
Originally posted by: NathanBWF
Originally posted by: KLin
I don't envy you one bit. I believe there are auditing consultants that you could use to help you set up controls within your company to make yourself SOX compliant.

Yeah we have one here, she works part time. Unfortunately, she's 100% useless and every time I ask her for help or recommendations, the best I get is a blank stare. :(

Then you're going to have to go to your boss about it. If you don't get it done, it's going to be your ass on the chopping block. You need to get a competent consultant in there.
 

wyvrn

Lifer
Feb 15, 2000
10,074
0
0
Originally posted by: BigJ
Originally posted by: NathanBWF
Originally posted by: KLin
I don't envy you one bit. I believe there are auditing consultants that you could use to help you set up controls within your company to make yourself SOX compliant.

Yeah we have one here, she works part time. Unfortunately, she's 100% useless and every time I ask her for help or recommendations, the best I get is a blank stare. :(

Then you're going to have to go to your boss about it. If you don't get it done, it's going to be your ass on the chopping block. You need to get a competent consultant in there.

Agree. Don't play around with it, SOX can be a nasty beast.
 

wyvrn

Lifer
Feb 15, 2000
10,074
0
0
Originally posted by: JulesMaximus
You think it's bad for IT...I work in Accounting. I hate SOX.

Apparently, Europe is going to get its own version of SOX and it is supposedly worse than ours.

 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: BigJ
Then you're going to have to go to your boss about it. If you don't get it done, it's going to be your ass on the chopping block. You need to get a competent consultant in there.

Agreed.

You have to get a competent person/auditor to do it for you. It isn't something you can just "pick up".

 

JS80

Lifer
Oct 24, 2005
26,271
7
81
Ummm, hire an IT SOX consulting firm to set it up for you...what kind of incompetent people do they hire at this public company?
 

wyvrn

Lifer
Feb 15, 2000
10,074
0
0
One point I wanted to make about consulting companies. Be careful how much you depend on them, because they are good at making inroads into your company and they are hard to employ for short periods of time unless that is specifically outlined in your contract. They are very good, but also hella expensive.
 

tfinch2

Lifer
Feb 3, 2004
22,114
1
0
Why would a publicly traded company hire someone for something as serious as SOX compliance who has no experience with SOX? :confused:
 

Doctorweir

Golden Member
Sep 20, 2000
1,689
0
0
Is your company a foreign filer? Otherwise you are way too late for SOx... :p
As an Auditor and Consultant (also for SOx) I would suggest starting with This one or the revised edition (still under review) here.
IMHO it gives a good overview with IT impact...
 

Doctorweir

Golden Member
Sep 20, 2000
1,689
0
0
Also, as supporting docs I recommend:
- COSO enterprise risk management framework
- PCAOB auditing standard No. 2
- Protiviti guide to SOx here
- Other Protiviti stuff published on their website under publications
 

SViper

Senior member
Feb 17, 2005
828
0
76
I work for a financial institution (bank for the laymen), and my boss takes care of all of our compliance paperwork. I do know that we have VERY restrictive policies to ensure our compliance with state and federal regulations. Have fun with that.

Edit: I work IT for a bank.
 

dman

Diamond Member
Nov 2, 1999
9,110
0
76
Call a few of the big vendors and get them to do some sales consulting.

http://www.zantaz.com/
http://www.symantec.com/Products/enterprise?c=prodinfo&refId=322
http://www.quest.com/compliance/
http://www-306.ibm.com/software/data/commonstore/

My point: While the above products may not be needed, the vendors above (and others) certainly want to sell you stuff to help in this effort, so, give them a ring and have them come out and give you some advice as to what they can do.

You also need to have your legal group available to answer policy based questions that will come up.
 

rchiu

Diamond Member
Jun 8, 2002
3,846
0
0
Don't you have an audit department or auditor to tell you what exactly you need for SOX compliance? In the end, it is those auditors who are gonna have the final word on whether you are SOX compliant or not, so it's probably a good idea to work with them instead of going off on your own.

In our company, each department has its own requirements. For our department, which is application development, we developed migration procedures to make sure nobody can touch production data or applications without authorization, and all application changes are documented.
 
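The kind of change-control check rchiu's migration procedure implies, as an added example that is not code from the thread or from any poster: every production deployment must cite an approved change ticket, the deployer must not be the approver, and the deployment must land inside the approval window. Ticket ids, user names, system names, timestamps and the 48-hour window are all assumptions constructed for the example.

```python
# Added example, not code from the thread: a change-control evidence check of the kind
# rchiu describes. Each production deployment must cite an approved change ticket, the
# deployer must not be the approver (segregation of duties), and it must land inside
# the approved window. Names, ticket ids and timestamps below are constructed.
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)  # assumption: an approval is valid for 48 hours

def check_change(dep, tickets):
    """Return the control exceptions for one deployment record (empty list = clean).
    dep:     {"ticket": id, "deployer": user, "system": name, "at": datetime}
    tickets: {id: {"approver": user, "status": str, "approved_at": datetime}}
    """
    t = tickets.get(dep["ticket"])
    if t is None:
        return [f'{dep["system"]}: no change ticket {dep["ticket"]} on file']
    issues = []
    if t["status"] != "approved":
        issues.append(f'{dep["system"]}: ticket {dep["ticket"]} is {t["status"]}, not approved')
    if t["approver"] == dep["deployer"]:
        issues.append(f'{dep["system"]}: {dep["deployer"]} approved and deployed their own change')
    if not (t["approved_at"] <= dep["at"] <= t["approved_at"] + WINDOW):
        issues.append(f'{dep["system"]}: deployed outside the approved window of {dep["ticket"]}')
    return issues

def audit(deployments, tickets):
    """Map (ticket, system) to its exceptions; clean deployments are omitted."""
    report = {}
    for d in deployments:
        issues = check_change(d, tickets)
        if issues:
            report[(d["ticket"], d["system"])] = issues
    return report

# Constructed sample evidence: three tickets and five deployments.
TICKETS = {
    "CHG-101": {"approver": "alice", "status": "approved", "approved_at": datetime(2006, 3, 1, 9)},
    "CHG-102": {"approver": "bob", "status": "approved", "approved_at": datetime(2006, 3, 2, 9)},
    "CHG-103": {"approver": "alice", "status": "pending", "approved_at": datetime(2006, 3, 3, 9)},
}
DEPLOYMENTS = [
    {"ticket": "CHG-101", "deployer": "bob", "system": "gl-app", "at": datetime(2006, 3, 1, 22)},    # clean
    {"ticket": "CHG-102", "deployer": "bob", "system": "ap-db", "at": datetime(2006, 3, 2, 10)},     # self-approved
    {"ticket": "CHG-103", "deployer": "carol", "system": "payroll", "at": datetime(2006, 3, 3, 10)}, # not approved
    {"ticket": "CHG-999", "deployer": "dave", "system": "gl-app", "at": datetime(2006, 3, 4, 10)},   # no ticket
    {"ticket": "CHG-101", "deployer": "carol", "system": "ap-db", "at": datetime(2006, 3, 5, 10)},   # stale approval
]
```

Running `audit(DEPLOYMENTS, TICKETS)` returns the four exception records an auditor would ask about; the clean deployment is absent, which is the evidence you want to be able to hand over.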

brandonbull

Diamond Member
May 3, 2005
6,365
1,223
126
hahaha. That is funny. Sounds like someone isn't fully qualified for their position and now is mad because no one is there to cover for them. CYOA.....FTW!
 

Pacemaker

Golden Member
Jul 13, 2001
1,184
2
0
SOX audits are not fun. Nor are they an easy change. What they will accept and what they won't is almost splitting hairs. Where I work, what they used to do with the backups is, the backup person makes sure the backups run and sends the IT manager an email saying they are done or letting him know about any problems.

That wasn't enough. They wanted each and every backup job to be signed off on by the person doing the backup and given in writing to the IT manager. Then the manager has to keep all those for several years. It's to the degree of paranoia.

You may not have to do that, auditors are different, but the key is to get an internal SOX auditor to help you prepare.
 

Genx87

Lifer
Apr 8, 2002
41,091
513
126
Originally posted by: brandonbull
hahaha. That is funny. Sounds like someone isn't fully qualified for their position and now is mad because no one is there to cover for them. CYOA.....FTW!

Please, have you tried to do this? Reading through the regulations is very cryptic and not entirely clear on everything. A lot of it is also unsettled law and has to be modified and will be modified soon to make things more clear.

On top of that, we are IT people, not effing lawyers or compliance specialists.
Network down, I am on it, fixed. Read NASD rule 3010 and tell us how we have to comply with it from an IT standpoint. Um ok.....
 

brandonbull

Diamond Member
May 3, 2005
6,365
1,223
126
Originally posted by: Genx87
Originally posted by: brandonbull
hahaha. That is funny. Sounds like someone isn't fully qualified for their position and now is mad because no one is there to cover for them. CYOA.....FTW!

Please, have you tried to do this? Reading through the regulations is very cryptic and not entirely clear on everything. A lot of it is also unsettled law and has to be modified and will be modified soon to make things more clear.

On top of that, we are IT people, not effing lawyers or compliance specialists.
Network down, I am on it, fixed. Read NASD rule 3010 and tell us how we have to comply with it from an IT standpoint. Um ok.....

The point is the OP is throwing one of his part-time coworkers/reports under the "bus" for not knowing SOx but his job is to manage IT and to know SOx.