Just the mention of a Sarbanes-Oxley audit provokes horror stories of inordinate time spent providing evidence; complying with written policies, procedures and guidelines; and attending countless meetings. Sorry to say, but life is not going to get easier until you make SOX a part of your daily routine and take an active role in the entire audit process.
In more than 70 IT security audits and three full-scale SOX engagements at Fortune 100, 500 and 1000 companies since 2002, I have witnessed both the best and worst practices and approaches to compliance. Why is it that so many educated, driven individuals seem unable to use the numerous, readily available sources of data to stand up and challenge the interpretations of SOX to which they are subjected? Instead, they blindly accept the mandates set forth by the very people who have a vested financial interest in how the SOX audit is run.
Some knowledgeable external auditors have eliminated many controls that had to be satisfied last year. They made these changes after realizing their understanding of SOX should change to be more closely in line with the intent of the law. Other auditors are unwilling to modify the audit controls they consider critical. Often there is a direct correlation between this inflexibility and lack of real-world, hands-on experience.
Unless you and your company's audit group have a full understanding of SOX, you won't be able to question the external auditors' template of what they expect. The Web sites of the Information Systems Audit and Control Association (www.isaca.org), Institute of Internal Auditors (www.iia.com) and Public Company Accounting Oversight Board (www.pcaob.com) offer a wealth of information about SOX.
There are six major SOX pitfalls you're likely to encounter:
- Too many controls selected to meet compliance. You can reduce these by having an educated understanding of what the actual law asks for.
- Lack of documented policies, procedures and guidelines; poorly drafted control activities and poorly documented test procedures.
- Lack of an organized internal audit-team structure. Your company needs financial and IT auditors, or you will find yourself seeking out consultants on the fly without verifying their capabilities.
- Failures discovered during the initial audit but not remedied. The additional time required to fix these problems increases audit costs.
Comments (1)
RE: Tips toward surviving a SOX audit
By shakil ahmad on July 30, 2007, 10:11 am
Thanks for your kind information.