Sarbanes Oxley
Download IT General Control (ITGC) Audit Program Template

So basically, what is the simplest approach to ITGC? Should we check every change and modification in our applications and infrastructure, or should we focus only on the significant ones? The simplest approach is to use the minimum requirements set by government regulation. Here is some of the scope of ITGC based on Sarbanes Oxley Section 404:
| Domain | Control Objective | Control |
|---|---|---|
| Program Development / Program Change | Acquire or develop application software | The organization's system development life cycle (SDLC) includes the security, availability and processing integrity requirements of the organization. |
| Program Development / Program Change | Acquire or develop application software | An adequate SDLC methodology has been established to serve as a basis for controlling development and maintenance activities, and the SDLC methodology is consistent with business and end-user strategies and objectives. |
| Logical Access | Ensure systems security | An information security policy exists and has been approved by an appropriate level of executive management. |
Cobit for SOX compliance control template
The Cobit for SOX compliance control template is a simple Excel tool that helps you understand the Sarbanes Oxley Section 404 requirements against CobiT (Control Objectives for Information and Related Technology).
Nine questions for effective IT control in SOX compliance
1. Has the organization established an IT-specific internal control framework to guide its section 404 compliance activities with respect to IT?
An IT-specific internal control framework provides vital structure to an organization's effort to develop and maintain effective internal control in its IT environment. Failure to identify such a framework may indicate that the organization has failed to examine IT controls as systematically or as deeply as required to support section 404 compliance. One possible IT-specific control framework to build upon is the CobiT framework, described by the IT Governance Institute in its 2000 publication, "Control Objectives for Information and Related Technology." While the full CobiT framework goes far beyond section 404 compliance requirements, companies seeking guidance regarding IT controls would be well advised to customize the applicable portions of CobiT for their own particular section 404 compliance needs.
How much should we pay for SOX compliance?
SOX compliance is very expensive. I agree, and it becomes even more expensive if you take the wrong approach. Here are some examples of how much people pay for Sarbanes Oxley Act compliance. It reminds me of the early implementations of ERP (Enterprise Resource Planning), when the facts showed that only a small number of implementations succeeded.
According to Warren Buffett, the CEO of Berkshire Hathaway, the company spent $24 million on auditing this year, a figure he says would have been closer to $10 million without SOX. (DealBreaker, a Wall Street tabloid, March 2007)
Investors are taking companies private at a record pace. On Monday, it was Sallie Mae, the mammoth school-loan company, in a $25 billion deal. Do private equity firms know something the rest of us don't? (Investors Business Daily, April 2007)
Sarbanes Oxley (SOX), Japanese SOX and Canadian SOX simple comparison
Confused about the many Sarbanes Oxley (SOX) versions? Here is a simple comparison between Sarbanes Oxley (SOX), Japanese SOX and Canadian SOX.
| Area | SOX | CSOX | JSOX |
|---|---|---|---|
| Release | 2002 | 2003 | 2006 |
| Other names | SOX, SOA, Sarbox (misspellings include Sarbanes Oaxley, Sarbannes) | Bill 198 | Financial Instruments and Exchange Law |
| Driver | Enron and Arthur Andersen scandal | - | Kanebo, Livedoor and Murakami scandals |
| Fundamental difference | Section 404 | Covers not only financial reporting and disclosure; it also includes areas of government such as corporate disclosure, auto insurance and tax. | The Japanese version focuses more on IT controls and less on IT governance than the American version. |
J-SOX, the Japanese version of the Sarbanes Oxley Act: a simple comparison
The Sarbanes Oxley Act was enacted in July 2002, and since then many regional versions have been released that try to comply with this standard. One of these versions is J-SOX, the Japanese version of the Sarbanes Oxley Act; other versions, such as European SOX, should also be mentioned.
The big difference:
The big difference between SOX and J-SOX is the fact that J-SOX is wider than SOX, in these respects:
5 reasons why implementing the Sarbanes Oxley Act is very, very difficult
For the last two years, I have been working with Sarbanes Oxley section 404, especially IT general controls. I have worked both on designing Risk Control Matrices (RCM) and on performing testing of the controls. After hundreds of hours of discussion with auditees and hundreds of days of never-ending meetings and document checks, I have concluded that implementing SOX is very, very difficult and sometimes not effective. Here are the reasons:
1. Statements open to multiple interpretations
IT Auditee: "Your significance level is different from mine."
SOX Auditor: "My interpretation in this matter is more specific than yours."
IT Auditee: "I understand, but here this process could not be performed."
SOX RCM guidance is open to multiple interpretations. If you hire a person from audit firm ABC to help you design the RCM, and then a year later hire someone from audit firm DEF, I am definitely sure the result will be different. Does it mean that the person from ABC is smarter? No, it is a statement open to multiple interpretations.
Just take a look at this: the list of significant applications. The rule is simple: every application that impacts the financial statements. But how can this be explained in more detail? Are firewalls and routers included as significant applications? Is a gateway application that passes data through without any parameters included? Or, a simple one: is a big, integrated module considered an application or not? What if the vendors who developed the module are different from the core vendor?
I am definitely sure that a lot of questions arise when designing a SOX RCM; trust me, statements open to multiple interpretations are a major source of never-ending meetings.