Solved

Sample SOX and audit reports?

Posted on 2004-09-16
3
1,079 Views
Last Modified: 2012-05-05
Does anybody know where I could grab some sample SOX and audit reports? If not, could you point me to a link that better explains how my application or work adheres to SOX?
0
Comment
Question by:drakkarnoir
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 1

Accepted Solution

by:
dommurray earned 500 total points
ID: 12085019
When you say sample audit reports, do you mean what an auditor checks for during an audit or a saple of what they might find?
Either way I don't think you'll have much luck there. The best way to approach what you may need for SOX from an IT (especially security) point of view is:

Does a control which I am in charge of work correctly to achieve what it is supposed to:

Take a simplae example:

SOX (amongst other things) is about accountability & control, especially over financial information. You will have to understand where that crossover is for your specific company.

If you have an NT enviroment for example, NT login may be the way that a person get's access to an accounting application or spreadsheet, either through user or group security settings. An auditor will want to see which users have access to that group & should they have access, what controls are in place to ensure that if a user role changes or a user leaves the company, is there a process in place to make the changes? The auditor will want to see proof that it has been done according to your procedure also.
An auditor for example may ask for proof that a person that has left your company has had any accounts disabled or deleted (depending on what your policy is).

Basically if you say "we do this" you'll have to prove it, especially where it involves access to your company's financial information (payroll, accounts, customer info etc) SOX does dot specify however what the "this" is, it's not like ISO or BS where it's a little more clear.
For me the best guidelines are:
"what do I need to control where the finances of my company are concerned(from an IT Security perspective of course)"
"how do I control it"
Document the control and how it is done (policy & procedure, both are important)
"have I implemented it correctly"
"can I prove that I have implemented and am executing the control"

I know this is all still a little vague but then again so is SOX. It's new to everyone still and from my experience so far even the auditors find some areas of IT control a litle "grey" on what they need to ans should be checking. Also remember that SOX is still new, it's been around for 2 years byt the actual process of companys being audited has only started recently.

However if you want some categories, the following may be a start:

virus protection
password policy
e-mail use
internet use
instant messaging!! use
remote access
application administration (a specific application may have financial info in it and have it's own independant secutiy controls)
3rd party access
data classification (if you don't let people know something is confidential, how do they know they shouldn't pass it on to anyone who shouldn't have it!)
security administration (NT, AD etc etc)
Exceptions policy (example: if you have a password policy that can't be applied to a specific application, you need to state that it is an exception and you need a rule on how to govern this, exception can be used in a situation where there may be different laws in different countries where your comapny has offices, that may affect e-mail use and internet surfing (especially privacy laws))


This is not an absolute list and some of it may not be appropriate for you company but these will show that you are maintaining controls.

But sorry, I don't know any places where there are specific types of SOX documents, but I hope the rest helps.
There is the official SOX site, but if you read the part that refers to IT controls it won't help you much, there's not much too it.

Anyway best of luck, I know of some of the pain you are about to go through.

DJM
0
 
LVL 1

Expert Comment

by:dommurray
ID: 12085038
Sorry about some of my spelling & grammar but I was in a hurry!
0
 

Author Comment

by:drakkarnoir
ID: 12089160
Excellent, thanks.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Email attacks are the most common methods for initiating ransomware and phishing scams. Attackers want you to open an infected attachment or click a malicious link, and unwittingly download malware to your machine. Here are 7 ways you can stay safe.
The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others.  This conference is aimed mainly at government agencies.  So it addresses the various compli…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Suggested Courses

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question