Sarbanes-Oxley Act: Steps toward coming into compliance

By Anne Saita, News Writer
05 Oct 2004 | SearchSecurity.com

There's plenty of available advice on how to bring an organization into Sarbanes-Oxley compliance, including the prickly Section 404 that deals with information security. Though that portion of the omnibus law is short in wording, it's big on impact -- both for the company and the IT department -- since it demands a level of documentation that typically hasn't been in place before. IT security processes will come under sharper scrutiny by auditors who don't want to be caught letting a violation slip by, either.

Marc Masnik, senior IT manager for business software maker TIBCO, has some kernels of wisdom to impart on those public companies filing SEC reports after the Nov. 15 deadline. He speaks not just as a consultant for TIBCO clients facing SOX compliance, but as someone whose own company must meet the same stringent requirements just days after the deadline.

1. Start early. TIBCO began the process a full year ago, and still underestimated the amount of time, money and manpower it would take to ensure data controls were in place. Those behind on coming into compliance should anticipate dropping other projects in the short term. "If it's already too late, then anticipate more intrusive impact on ongoing projects than you thought," Masnik advises. "Expect people who didn't anticipate being involved on the IT team to be involved, particularly those people in operations and networking."

2. Anticipate bringing in well-qualified outside resources to mirror what an auditor will do during the audit process. "Do not assume that you can be your own check and balance," he said. Hire someone familiar with the audit process to double-check your work. Auditors for SEC filings cannot do that since they're forbidden from scrutinizing their own work product.

3. Make sure the executive team and senior IT management team promote SOX mandates as a positive movement towards better processes for the organization. "If not positioned properly within the IT organization, it will be fought hand, tooth and nail," warns Masnik. Instead, emphasize that, yes, this is going to require a lot of hard work, but in the long run it will make the company and IT department better.

4. Understand there's room for compromise with an audit partner. Don't assume that just because the auditor says you have to document every single thing in the organization that you can't push back occasionally. "They are going to treat this in the most conservative vein; you need to treat this in the most realistic vein."
