Got the 404 on That?

SOX and other laws require greater care and protection for computer systems.

(June 1, 2005)

By Robert W. Scott


(Page 1 of 6)

In many ways, there is nothing new about the requirements that Sarbanes-Oxley imposes on technology audits. There is a need for internal controls, including segregation of duties. "The biggest issue I see is that IT people are not very good at IT controls," says Jan Koster, a principal with the 80-person Technology Assurance Advisory Services Group of UHY Advisors, a unit that is responsible for technology risk management services.

Koster's group performs general controls and application reviews, along with penetration studies, both on their own and as part of regulatory reviews under laws that include Sarbanes-Oxley and Gramm-Leach-Bliley.

One of the problems with IT departments in mid-market companies is that many simply do not have enough personnel to handle many of the requirements of the recent legislation.

"The last thing they want to do is document their processes or put the monitoring procedures into place. They don't have the manpower to do it," says Koster.

For organizations lacking sufficient staff, UHY recommends more monitoring and controls, instead of real-time, hands-on work. "We are looking for reports on a monthly or bi-weekly basis."

IT Security Controls: A Shopping List

The requirements of Sarbanes-Oxley span a wide range of financial systems, information security, and physical system controls.

Here is a list of the areas to be reviewed in the area of IT controls as outlined by Secnap Network Security, a Boca Raton, Fla.-based company that provides managed network services.

* Critical IT infrastructure controls, system change management, database security, operating system integrity, and network security.

* Technical policies and procedures for access control.

* "Need to know" and super-user access to financial systems.

* Procedures for monitoring log-in attempts and reporting discrepancies.

* Current password management policies.

* Policies and procedures that address security incidents.

* Data back-up and disaster recovery plans to restore loss of data.

* Current system monitoring to prevent, detect, contain, and correct security breaches.

* Policies for identifying and tracking user identity, authentication alternatives, and authorization controls.

* Emergency access procedures.

* Policies and procedures for automatic log off.

* Assess technical security measures guarding against unauthorized access to electronically transmitted information.

* Encryption policies for transactions.

* Real-time disclosure event reporting on material changes in financial conditions or operations.

If SOX has been a blessing for many accounting firms, with the Big Four shedding work that smaller firms are picking up, the new era of regulation is also benefiting IT groups, including those at accounting firms and at software reselling and consulting firms.

A number of control issues revolve around how accounting software functions. And it's often the case that the very simple things are not taken care of.
