
IT SOX Compliance...

NathanBWF

Golden Member
So I get hired as an IT Manager for this publicly traded company about a month ago, and now have the lovely task of making sure we're SOX compliant (which I believe we need to meet by the end of this year?).

Anyway, the 'SOX Person' that we have here has no idea what she's doing. I myself am also new to SOX and don't really know what exactly we need to do as far as my department is concerned to make sure we 'comply'.

I've been trying to find online information, as well as a list of requirements as far as IT goes that need to be met. Unfortunately, nothing I've found is really straightforward.

Have any other of you IT Managers gone through SOX recently? Recommendations? Basically, I'm looking to create an action plan to attack this but don't really know where to start...
 
we have to comply here where I work, but my boss does all the dirty work...so sorry, can't help...here's a free bump though 🙂
 
I don't envy you one bit. I believe there are auditing consultants that you could use to help you setup controls within your company to make yourself SOX compliant.
 
Originally posted by: KLin
I don't envy you one bit. I believe there are auditing consultants that you could use to help you setup controls within your company to make yourself SOX compliant.

Yeah we have one here, she works part time. Unfortunately, she's 100% useless and every time I ask her for help or recommendations, the best I get is a blank stare. 🙁
 
Originally posted by: NathanBWF
Originally posted by: KLin
I don't envy you one bit. I believe there are auditing consultants that you could use to help you setup controls within your company to make yourself SOX compliant.

Yeah we have one here, she works part time. Unfortunately, she's 100% useless and every time I ask her for help or recommendations, the best I get is a blank stare. 🙁

Then you're going to have to go to your boss about it. If you don't get it done, it's going to be your ass on the chopping block. You need to get a competent consultant in there.
 
Originally posted by: BigJ
Originally posted by: NathanBWF
Originally posted by: KLin
I don't envy you one bit. I believe there are auditing consultants that you could use to help you setup controls within your company to make yourself SOX compliant.

Yeah we have one here, she works part time. Unfortunately, she's 100% useless and every time I ask her for help or recommendations, the best I get is a blank stare. 🙁

Then you're going to have to go to your boss about it. If you don't get it done, it's going to be your ass on the chopping block. You need to get a competent consultant in there.


Agree. Don't play around with it, SOX can be a nasty beast.
 
Originally posted by: JulesMaximus
You think it's bad for IT...I work in Accounting. I hate SOX.

Apparently, Europe is going to get its own version of SOX and it is supposedly worse than ours.

 
Originally posted by: BigJ
Then you're going to have to go to your boss about it. If you don't get it done, it's going to be your ass on the chopping block. You need to get a competent consultant in there.

Agreed.

You have to get a competent person/auditor to do it for you. It isn't something you can just "pick up".

 
ummm hire an IT SOX consulting firm to set it up for you...what kind of incompetent people do they hire at this public company?
 
One point I wanted to make about consulting companies. Be careful how much you depend on them, because they are good at making inroads into your company and they are hard to employ for short periods of time unless that is specifically outlined in your contract. They are very good, but also hella expensive.
 
Why would a publicly traded company hire someone for something as serious as SOX compliance who has no experience with SOX? 😕
 
Is your company a foreign filer? Otherwise you are way too late for SOx... 😛
As an Auditor and Consultant (also for SOx) I would suggest starting with This one or the revised edition (still under review) here.
IMHO gives a good overview with IT impact...
 
Also, as supporting docs I recommend:
- COSO enterprise risk management framework
- PCAOB auditing standard No. 2
- Protiviti guide to SOx here
- Other Protiviti stuff published on their website under publications
 
I work for a financial institution (bank for the laymen), and my boss takes care of all of our compliance paperwork. I do know that we have VERY restrictive policies to ensure our compliance with state and federal regulations. Have fun with that.

Edit: I work IT for a bank.
 
Call a few of the big vendors and get them to do some sales consulting.

http://www.zantaz.com/
http://www.symantec.com/Products/enterprise?c=prodinfo&refId=322
http://www.quest.com/compliance/
http://www-306.ibm.com/software/data/commonstore/

My point: While the above products may not be needed, the vendors above (and others) certainly want to sell you stuff to help in this effort, so, give them a ring and have them come out and give you some advice as to what they can do.

You also need to have your legal group available to answer policy based questions that will come up.



 
Don't you have an audit department or auditor to tell you what exactly you need for SOX compliance? In the end, it is those auditors who are gonna have the final word on whether you are SOX compliant or not, so it's probably a good idea to work with them instead of going off on your own.

In our company, each department has its own requirements. For our department, which is application development, we developed migration procedures to make sure nobody can touch production data or applications without authorization, and all application changes are documented.
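The migration control described in that post, as an added example that is not code from the thread or any poster: a production migration is allowed only with a documented approval from someone other than the implementer, and every decision is written to a hash-chained evidence ledger so an auditor can detect later edits. The change records, user names and field names are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample change requests (hypothetical; not from the thread).
CHANGE_REQUESTS = [
    {"id": "CR-1001", "implementer": "alice", "approver": "bob", "approved": True},
    {"id": "CR-1002", "implementer": "carol", "approver": "carol", "approved": True},
    {"id": "CR-1003", "implementer": "dave", "approver": "erin", "approved": False},
]

def authorize_migration(change):
    """Return (allowed, reason). A production migration needs a documented
    approval, and the approver must not be the person making the change."""
    if not change.get("approved"):
        return False, "no documented approval"
    if change["approver"] == change["implementer"]:
        return False, "approver must differ from implementer (segregation of duties)"
    return True, "approved by " + change["approver"]

def append_evidence(ledger, change, allowed, reason, when=None):
    """Append an entry whose hash covers the previous entry's hash, so that
    altering or dropping an earlier record breaks the chain."""
    prev = ledger[-1]["hash"] if ledger else "0" * 64
    entry = {
        "change_id": change["id"],
        "implementer": change["implementer"],
        "approver": change["approver"],
        "allowed": allowed,
        "reason": reason,
        "at": (when or datetime.now(timezone.utc)).isoformat(),
        "prev": prev,
    }
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    ledger.append(entry)
    return entry

def verify_ledger(ledger):
    """Recompute every hash and check each link to the previous entry."""
    prev = "0" * 64
    for e in ledger:
        body = {k: v for k, v in e.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev"] != prev or digest != e["hash"]:
            return False
        prev = e["hash"]
    return True

def run_migrations(changes, when=None):
    """Evaluate each change request and record the outcome as evidence."""
    ledger = []
    for c in changes:
        allowed, reason = authorize_migration(c)
        append_evidence(ledger, c, allowed, reason, when)
    return ledger
```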
 
hahaha. That is funny. Sounds like someone isn't fully qualified for their position and now is mad because no one is there to cover for them. CYOA.....FTW!
 
SOX audits are not fun. Nor are they an easy change. What they will accept and what they won't is almost splitting hairs. Where I work what they used to do with the backups is, backup person makes sure the backups run and send the IT manager an email saying they are done or letting him know about any problems.

That wasn't enough. They wanted each and every backup job to be signed off on by the person doing the backup and given in writing to the IT manager. Then the manager has to keep all those for several years. It's to the degree of paranoia.

You may not have to do that, auditors are different, but the key is to get an internal sox auditor to help you prepare.
 
Originally posted by: brandonbull
hahaha. That is funny. Sounds like someone isn't fully qualified for their position and now is mad because no one is there to cover for them. CYOA.....FTW!

Please, have you tried to do this? Reading through the regulations is very cryptic and not entirely clear on everything. A lot of it is also unsettled law and has to be modified and will be modified soon to make things more clear.

On top of that, we are IT people, not effing lawyers or compliance specialists.
Network down, I am on it, fixed. Read NASD rule 3010 and tell us how we have to comply with it from an IT standpoint. Um ok.....
 
Originally posted by: Genx87
Originally posted by: brandonbull
hahaha. That is funny. Sounds like someone isn't fully qualified for their position and now is mad because no one is there to cover for them. CYOA.....FTW!

Please, have you tried to do this? Reading through the regulations is very cryptic and not entirely clear on everything. A lot of it is also unsettled law and has to be modified and will be modified soon to make things more clear.

On top of that, we are IT people, not effing lawyers or compliance specialists.
Network down, I am on it, fixed. Read NASD rule 3010 and tell us how we have to comply with it from an IT standpoint. Um ok.....

The point is the OP is throwing one of his part-time coworkers/reports under the "bus" for not knowing SOx but his job is to manage IT and to know SOx.

 