Different types of documentation serve different purposes. As the following list explains, some documentation is internally driven and some is externally driven. To prepare for the interview process for an information security position, you need to understand what types of internal security documentation the organization may have and what external security-related regulations the organization must comply with. Your understanding should include the differences between regulations, policy, procedures, legislation, and guidance, as follows:
Regulations: Regulations are requirements that can come in many forms. They may be industry-specific regulations such as the Health Information Portability and Accountability Act (HIPAA), which addresses health care organizations. Regulations may also be wider in scope, for example the Federal Information Security Management Act (FISMA). Regulations are basically the formal requirements that an organization must follow. Regulations can be either internally or externally generated, monitored, and enforced (more…)
Some of the disadvantages of Sarbanes-Oxley will leave you confused. Here is the list. The original list of 5 reasons why implementing SOX is difficult can be found here.
1. Multi-interpretation statements
SOX RCM guidance is open to multiple interpretations. If you hire a person from ABC audit firm to help you design the RCM, and then after a year hire someone from DEF audit firm, I’m definitely sure that the result will be different. Does it mean that the guy from ABC audit firm is smarter? No, this is a multi-interpretation statement.
I’m definitely sure that a lot of questions come up when designing a SOX RCM; trust me, the multi-interpretation statements are a major source of never-ending meetings. (more…)
What is the purpose of the Sarbanes-Oxley Act? Keeping the audit department busy every day? Adding many tasks for your operations departments? Here are some of the purposes of the Sarbanes-Oxley Act.
- Avoid financial fraud and misleading financial reporting
- Strengthen the company's internal controls
- Promotes standards and approaches for documentation, control design evaluation, and control effectiveness testing
- Establishes and applies a consistent internal control framework for assessing risks and formulating appropriate control objectives and activities (more…)
The Sarbanes-Oxley Act, which people usually shorten to SOX, Sarbox or SOA, is a US law enacted on July 30, 2002. The Act is designed to oversee the financial reporting landscape for finance professionals. However, there are many definitions of this law. Here are some of them:
The Sarbanes-Oxley Act of 2002 (Pub.L. 107-204, 116 Stat. 745, enacted 2002-07-30), also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOx or Sarbox, is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. These scandals, which cost investors billions of dollars when the share prices of the affected companies collapsed, shook public confidence in the nation’s securities markets. Named after sponsors Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH) (more…)
During Sarbanes-Oxley compliance work the auditor should perform a walkthrough of internal controls. So what is a walkthrough? Michael Ramos, in his book about SOX implementation, said that basically a walkthrough is a procedure in which you trace a transaction from its origination through the company’s information processing system, all the way to its reporting in the financial statements. Although inquiries of company personnel are a major component, a walkthrough is more than just inquiry. Think of a walkthrough as:
- Corroborative inquiry, in which the auditor asks questions of client personnel and then obtains corroborating evidence to support their answers
- A test of one, in which the auditor takes a single transaction and performs detailed procedures to test the operating effectiveness of the controls for processing that transaction
The company is not required to perform walkthrough procedures; however, it is in management’s best interests to do so.
Sometimes, the company’s documentation of its information processing stream does not match the reality of what actually happens on a daily basis. Companies that perform tests of controls based only on what has been documented often run into testing exceptions when they discover that documentation of the information stream and related controls was not accurate.
The walkthrough procedure allows the auditor to confirm their understanding of the key elements of the information processing stream and related controls before the auditor begins detailed test work. The walkthrough can help the auditor evaluate the effectiveness of the design of internal control for each major transaction. While performing the walkthrough, the auditor also may obtain evidence about the operating effectiveness of controls.