So, you are now or will soon be SOX-compliant: what’s next? Congratulations, you are on your way to, or you have just completed, your 404! Internal auditors, the Business, IT: everyone is breathing better, and everyone should definitely be proud of it.
So, what’s next?
You probably hate this, but it’s now time to think about next quarter’s 302… Indeed, SOX is here to stay and it is time to include SOX in the ‘normal’ functioning mode of your company and IT Department. Until now, you have put projects on hold to reallocate resources (Business and IT) to the various domains of SOX testing and remediation. Or you have hired high-dollar contractors to help you get the job done. In any case, this is not a sustainable model. And you are still facing quarterly repeats…
Going forward, what will be the impact and the cost, and how can you make SOX a part of your organization?
By now you know that the software-based answers to SOX will hardly help you: this software will not improve your Business processes, your next-level management reviews and sign-offs, the accuracy of your transactions among systems, or your Release Management processes. Nor will it help to ensure that your Development and Support groups do not have update/delete access to your beta test and production systems, etc.
What were the main factors influencing the volume and pain of your SOX action?
Very likely, two key factors were:
(1) the number of applications
(2) the lack of standardized processes around these applications
You are so ready for applications consolidation!
One ERP-style, consolidated application ultimately means:
From a SOX standpoint, you may not be interested in a ‘journalisation’ type of security tracking (= who changed which data, when and how?) such as the Oracle Fine Grained Auditing support. However, chances are that you need a system that helps you to easily track data such as:
– who can do what?
– who has responsibilities representing segregation of duties conflicts?
– who are your gatekeepers?
– send them early reminders for regular reviews
– audit their actions in adding/removing accesses to the system
– generate workflow-based emails to get next-level approvals
– generate an audit trail of these regular or ad-hoc reviews for your SOX auditors’ review
– etc…
Deploying such tools also very positively impacts your SOX Testing activities as they relate to these domains:
– only tested and signed off code goes to production
– keep an audit trail of the required sign-offs
– ensure that developers are not testers and code promoters (segregation of duties)
– are your servers all in a safe data center?
– etc.
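The two lists above ask the same question in two forms: which users hold role combinations that violate segregation of duties (approver of what they create, or developer who is also tester or code promoter), and who the gatekeepers are that need regular review reminders. The script below is an added example, not the author's tooling or any vendor's product; the role names, conflict pairs and user assignments are constructed placeholders standing in for an export from an ERP's user/responsibility tables.

```python
"""Segregation-of-duties (SoD) conflict report over a constructed
user-to-role assignment table.  Added example, not the author's tooling."""
from itertools import combinations

# Constructed sample: conflicting role pairs a SOX reviewer might define.
# Role names are hypothetical placeholders, not from any real ERP.
CONFLICT_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}),   # finance SoD
    frozenset({"post_journal", "approve_journal"}),    # finance SoD
    frozenset({"developer", "code_promoter"}),         # release management SoD
    frozenset({"developer", "tester"}),                # release management SoD
}

# Constructed sample of user-role assignments (what an ERP export would contain).
ASSIGNMENTS = [
    ("alice", "create_vendor"),
    ("alice", "approve_payment"),
    ("bob", "post_journal"),
    ("carol", "developer"),
    ("carol", "code_promoter"),
    ("dave", "tester"),
    ("dave", "approve_journal"),
]


def roles_by_user(assignments):
    """Group (user, role) rows into {user: set(roles)}."""
    out = {}
    for user, role in assignments:
        out.setdefault(user, set()).add(role)
    return out


def find_sod_conflicts(assignments, conflict_pairs=CONFLICT_PAIRS):
    """Return a sorted list of (user, role_a, role_b) for every conflicting
    role pair a single user holds.  Roles within a tuple are in sorted order."""
    conflicts = []
    for user, roles in roles_by_user(assignments).items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in conflict_pairs:
                conflicts.append((user, a, b))
    return sorted(conflicts)


def gatekeepers(assignments,
                gate_roles=("approve_payment", "approve_journal", "code_promoter")):
    """Users holding an approval or promotion role: the people who get the
    early reminders for regular access reviews.  gate_roles is a constructed list."""
    wanted = set(gate_roles)
    return sorted(user for user, roles in roles_by_user(assignments).items()
                  if roles & wanted)


def format_report(assignments):
    """Human-readable report suitable for attaching to an access-review audit trail."""
    lines = [f"SOD CONFLICT: {user} holds both '{a}' and '{b}'"
             for user, a, b in find_sod_conflicts(assignments)]
    if not lines:
        lines.append("no SoD conflicts found")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(ASSIGNMENTS))
    print("gatekeepers to remind:", ", ".join(gatekeepers(ASSIGNMENTS)))
```

Run against a real export, the conflict pair set becomes the artefact your auditors review, and the report output (dated and retained) becomes the evidence that the review happened; `dave` shows that holding one role from each of two different pairs is not itself a conflict, only holding both halves of one pair is.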
– How many architecture diagrams did you have to produce?
– How many vulnerability matrices?
– How many tables for roles, responsibilities and application functions?
– How much time between producing a version of this document and its being outdated?
Bottom line
Bruno Loubiere is a seasoned IT Professional. Currently responsible for
the Sarbanes-Oxley Compliance of the ERP application for a large
computer manufacturer, his main area of expertise is project management
of large, complex projects, ERP deployment, upgrades and consolidation,
locally or globally. He can be contacted at b.loubiere@comcast.net