RE: Sarbanes Oxley for dummies? -- more questions

  • From: "Powell, Mark D" <mark.powell@xxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Fri, 14 Jan 2005 10:48:45 -0500

It is my reading of SOX that what is and is not acceptable is totally up to
the auditors. The provision (section 440?) of SOX that is causing all the
work is actually only one paragraph long and is not very specific.  As such
it is up to the courts to determine what it means.  That has yet to happen.
As such if the auditors say your books are OK and the CFO and CEO are
willing to put their names on the bottom line you could in fact do nothing
new.

But after what happened to Andersen most auditors are in cover-their-behind
mode.  Some of the requirements being placed on companies are just not
practical or useful.  There is a court case saying that the government went
too far in their actions against Andersen.  Depending on how it comes out
there could be a major shift in where auditors put their emphasis.
Unfortunately for most of us, auditors make money on the current process so
you can expect the worst.

What the act definitely requires is that a firm take steps to protect the
integrity of its data.  You must have written procedures for updating
production data and proof that you follow them (paper trail).  Right now
what constitutes valid procedures is whatever the auditor says.

IMHO -- Mark D Powell --


-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx]On Behalf Of Hemant K Chitale
Sent: Friday, January 14, 2005 9:49 AM
To: bdbafh@xxxxxxxxx; Michael.Kline@xxxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: Re: Sarbanes Oxley for dummies? -- more questions



Not having read the book, but I, too, have a number of questions.  My
current employer, being NASDAQ listed, is also undergoing preparation for a
SOX Audit in 2005.

1.  How do you handle Password Controls for "root" and "oracle" accounts?
If you have 200 servers and 80 databases, how do you ensure that you do NOT
write down the passwords somewhere [other than on the sheet of paper
in the IT Security department's safe] and yet remember the passwords?
Some [un-named] persons I know use the *same* password on all the 20 or 50
odd servers.
Would that be acceptable?

2.  How do you Audit actions by DBAs?  Create separate DBA accounts in the
Database?  If you have 3 alternate DBAs supporting multiple databases,
should each DBA have a named account in each database?

3.  Should all your SOX controls implemented as part of IT General Controls
[COBIT Framework] apply to *all* your Servers and Databases, even those that
are not Critical or Key systems [i.e. those with no financial impact]
{assuming that a SOX Compliance Team identifies only a certain set of 8 or
10 systems as Key Systems}?
Can you selectively apply controls to non-Key Systems?


--
//www.freelists.org/webpage/oracle-l