SarbanesOxleyFocus.com

May 19, 2008

Significant Deficiency, simple scenario at SOX audit

Filed under: article — admin @ 4:38 pm

The company processes a significant number of routine intercompany transactions on a monthly basis. Individual intercompany transactions are not material and primarily relate to balance sheet activity, for example, cash transfers between business units to finance normal operations.

A formal management policy requires monthly reconciliation of intercompany accounts and confirmation of balances between business units. However, there is no process in place to ensure that these procedures are actually performed. As a result, detailed reconciliations of intercompany accounts are not performed on a timely basis.

Management does perform monthly procedures to investigate selected large-dollar intercompany account differences. In addition, management prepares a detailed monthly variance analysis of operating expenses to assess their reasonableness. (more…)


May 12, 2008

Six steps for effective Risk Management

Filed under: article — admin @ 4:32 pm

Risk management follows a defined process that includes the following steps:
1. Develop a risk management team
2. Identify assets
3. Identify threats
4. Perform risk analysis
5. Perform risk mitigation
6. Monitor

The first step begins by developing a risk-management team, which is responsible for the risk assessment process. The risk-management team needs support and funding from senior management and should be led by someone with strong project-management skills. Once established, the team can begin work on the second step, the task of identifying assets. Companies must identify assets before moving on to the next step of the risk-management process. As an example, Coca-Cola surely has some value in the original formula for Coke and must protect it. (more…)


May 11, 2008

How to create well-written policy statements

Filed under: article, implementation — admin @ 1:06 pm

The cornerstones of an effective information security program are well-written policy statements. They are the wellspring of all other directives, standards, procedures, guidelines, and supporting documents. As with any assessment process, it is important to ensure that the policies establish the direction management wants to take with regard to security.

Thomas R. Peltier, in his book Managing a Network Vulnerability Assessment, notes that when reviewing policies it is necessary to remember that there are three general types of policies:

General or global policies.
These are high-level policy statements that define the intent of a specific topic and its scope within the (more…)


May 6, 2008

17 basic questions for a SOX vulnerability assessment

Filed under: article — admin @ 10:38 am

1. Do you have any security-related policies and standards?
2. If so, do you want us to review them?
3. Do you want us to perform a review of the physical security of your servers and network infrastructure?
4. How many Internet domains do you have?
5. How many Internet hosts do you have?
6. Do you want us to map your Internet presence? Otherwise, can you provide us with a detailed diagram of your Internet presence, including addresses, host OS types, and software in use on the hosts? We will also need the addresses in use on both sides of the hosts if they connect to both the Internet and the internal network. (more…)


May 1, 2008

Nine questions for your system log management vendor

Filed under: article, system log — admin @ 4:52 pm

1. Can your tool collect and aggregate 100 percent of the log data from all in-scope log sources on the network?
2. Are your logs transported and stored securely, so that the confidentiality, integrity, and availability (CIA) of the log data are preserved?
3. Are there packaged reports that suit the needs of your Sarbanes-Oxley project stakeholders, such as IT, auditors, and possibly Finance or Human Resources? Can you quickly create the additional reports needed to organize the collected log data?
4. Can you set alerts on anything in the logs in order to satisfy the monitoring requirements? (more…)

