SarbanesOxleyFocus.com

June 13, 2010

ITIL Maturity Assessment Report Templates

Filed under: framework, implementation, sarbanes oxley — admin @ 5:17 pm

Download free ITIL (Information Technology Infrastructure Library) Maturity Assessment Report Templates. This template can be used as part of your SOX/Sarbanes-Oxley assessment of IT readiness.

This ITIL Assessment Report focuses on ITIL areas such as Service Desk, Incident Management, Problem Management, Change Management, and Service Level Management. The results of the report, which contain the observations and findings, are explained below: (more…)


January 18, 2009

SOX vs JSOX vs Bill 198 vs Clerp 9: Global SOX version around the world

Filed under: control, framework, implementation — admin @ 9:56 pm

Everyone talks about Sarbanes-Oxley (SOX), but it’s certainly not the only law shaping governance today. Numerous countries have enacted legislation to improve governance. As with the United States, many of these countries have passed legislation in response to the outcry over corporate scandals. Although they differ by name, the laws passed by various countries have similarities, namely with regard to establishing internal controls and effecting improved financial reporting:

Japan: J-SOX:

On June 7, 2006, Japanese legislators passed the Financial Instruments and Exchange Law, part of which includes the so-called J-SOX requirements. The two main components of the J-SOX legislation are the “Evaluation of and Reporting on Internal Control for Financial Reports,” which forces management to assume responsibility for developing and operating internal controls, and the “Audit of Internal Control for Financial Reports,” in which a company’s external auditor, aside from its regular auditing duties, must conduct an audit of management’s evaluation of the effectiveness of internal control for financial reports. The J-SOX requirements took effect starting in April 2008.

Canada: Bill 198:

Bill 198, also known as CSOX, became effective on October 1, 2003. Its formal name is “Keeping the Promise for a strong Economy Act (Budget Measures), 2002.” This bill requires companies to “[create and] maintain a system (more…)


July 8, 2008

Download sample SOX Segregation of Duties Matrix

Filed under: download, framework, template — admin @ 10:58 pm

A fundamental element of internal control is the segregation of certain key duties. The basic idea underlying segregation of duties is that no employee or group should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. In general, the principal incompatible duties to be segregated include:

- Custody of assets
- Authorization or approval of related transactions affecting those assets
- Recording or reporting of related transactions
- Execution of the transaction or transaction activity

Below is a sample SOX segregation of duties matrix; download the xls.
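As an added example (not the post's template), the four incompatible duty classes above can be turned into an automated conflict check over role assignments; the role names, assets and users below are constructed placeholders, not taken from the downloadable matrix.

```python
"""Segregation-of-duties (SoD) conflict checker.

Encodes the four duty classes from the post (custody, authorization,
recording, execution) and flags any user whose combined roles hold two
or more of them for the same asset.
"""
from collections import defaultdict
from itertools import combinations

# Duty classes from the post; any pair is incompatible for the same asset.
DUTIES = ("custody", "authorization", "recording", "execution")

# Constructed sample data: role -> set of (asset, duty) the role grants.
# Role and asset names are hypothetical.
ROLE_DUTIES = {
    "ap_clerk": {("payables", "recording")},
    "ap_manager": {("payables", "authorization")},
    "treasury": {("cash", "custody"), ("cash", "execution")},
    "cash_recorder": {("cash", "recording")},
    "sysadmin": {("payables", "execution")},
}


def duties_for(user_roles):
    """Map asset -> set of duties a user holds through all assigned roles."""
    held = defaultdict(set)
    for role in user_roles:
        for asset, duty in ROLE_DUTIES[role]:
            if duty not in DUTIES:
                raise ValueError(f"unknown duty {duty!r}")
            held[asset].add(duty)
    return held


def sod_conflicts(user_roles):
    """Return sorted (asset, duty_a, duty_b) triples that violate SoD."""
    conflicts = []
    for asset, duties in duties_for(user_roles).items():
        for a, b in combinations(sorted(duties), 2):
            conflicts.append((asset, a, b))
    return sorted(conflicts)


def audit(assignments):
    """assignments: user -> list of roles. Returns only users with conflicts."""
    return {u: c for u, r in assignments.items() if (c := sod_conflicts(r))}


if __name__ == "__main__":
    sample = {"alice": ["ap_clerk", "ap_manager"], "bob": ["cash_recorder"],
              "carol": ["treasury"]}
    for user, found in audit(sample).items():
        print(user, found)
```

A role that itself bundles two duty classes (like the constructed "treasury" role) is reported the same way as a user who accumulates them through several roles.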


April 11, 2008

How to choose the right SOX framework and methodology?

Filed under: FAQ, article, framework, methodology — admin @ 5:27 am

Since there are many frameworks and methodologies available, a company should choose the framework and methodology that suit it. One guide that can be used in these cases is that the framework must:

1. Be directed at the right target (more value from IT)
Since the target is SOX compliance, using COBIT for SOX is sometimes more useful than using ISO 27001, for example. Management should measure effectiveness using an approach based on the right target.

2. Help to set the appropriate priorities
The priority for SOX compliance is significant transactions. The chosen framework should be able to give more attention to significant transactions or activities. Selecting the appropriate priorities can also be confusing, since there are many competing interests between different departments.

3. Be easy to use without requiring people to manipulate the system
The framework must be easy to understand for people from different departments. The framework should also serve to fulfill people's aspirations for IT. (more…)


April 4, 2008

Who has access to system log?

Filed under: article, framework, security, software — admin @ 10:40 am

Every company that must comply with Sarbanes-Oxley needs to carefully design controls for system log management. From COBIT for SOX, published by ISACA, we know that we can apply this control statement to the case: “System event data are sufficiently retained to provide chronological information and logs to enable the review, examination and reconstruction of system and data processing.” However, the next question that arises is: how deep is sufficient?

For system logs, access should be limited to read-only, and only for the system administrator. Other users do not need read access, and certainly not write access. Applications that come with default users who have access to the system log should have those users removed. For example, Oracle Database or Sun Solaris default users with read/write access to the system log should be removed. Basically, removing all default user accounts is easier in this case. Access to the system log should be very restricted. Some companies use write-once disks to maintain the integrity of the system log. This is considered very important, because if someone could change the system log, we could no longer rely on the system log as evidence.

Compensating control

In some cases, removing access to the system log is too difficult, or the system administrator account is shared because the company is very large and needs more than one system administrator. The next step would then be implementing compensating controls, which in this case are log activation review, log review, and administrator account log review. These compensating controls are also useful when enabling the system log causes performance-related issues.

So do you have any other experience regarding system log management? In the future, application developers will use better features for system log management, so I hope there will be no need to worry about this.
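As an added example (not from the post), the "read-only, administrator-only" rule above can be checked mechanically against a log file's POSIX mode bits and ownership; the admin uid/gid defaults and the paths in the demo are constructed placeholders, so adjust them to the system being audited.

```python
"""Audit who can read or write system log files.

Evaluates a file's mode, owner and group against the post's rule:
readable only by the administrator, writable by no interactive user.
"""
import os
import stat


def check_log_access(mode, uid, gid, admin_uids=(0,), admin_gids=(0,)):
    """Return a list of findings for one file; an empty list means it meets policy.

    mode is the permission bits only (stat.S_IMODE), uid/gid the owner/group.
    admin_uids/admin_gids are the accounts allowed to read the log (constructed
    defaults: root only).
    """
    findings = []
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        findings.append("world-accessible: remove all 'other' permissions")
    if mode & stat.S_IWGRP:
        findings.append("group-writable: a log must not be writable by a group")
    if mode & stat.S_IRGRP and gid not in admin_gids:
        findings.append(f"readable by non-admin group gid={gid}")
    if uid not in admin_uids:
        findings.append(f"owned by non-admin uid={uid}")
    return findings


def audit_paths(paths, **policy):
    """Stat each path and map it to its findings; missing files are reported too."""
    report = {}
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            report[p] = ["missing: check that rotation or retention did not remove it"]
            continue
        report[p] = check_log_access(stat.S_IMODE(st.st_mode),
                                     st.st_uid, st.st_gid, **policy)
    return report


if __name__ == "__main__":
    # Constructed path list; replace with the logs in scope for the review.
    for path, found in audit_paths(["/var/log/auth.log", "/var/log/secure"]).items():
        print(path, found or ["ok"])
```

Any non-empty finding is the cue either to tighten the permissions or, where that is not feasible, to document the compensating log review described above.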

