Re: Sarbanes Oxley for dummies? -- more questions

  • From: Kip.Bryant@xxxxxxxxxx
  • To: jkstill@xxxxxxxxx
  • Date: Mon, 17 Jan 2005 11:21:32 -0800

Minor comment inline below...

|Comment inline

|On Sat, 15 Jan 2005 16:39:28 +0800, Hemant K Chitale
|<hkchital@xxxxxxxxxxxxxx> wrote:
|> >Auditors require personal accountability, which requires personal accounts.
|> >
|> That would then include Auditing every action by these accounts.

|Not necessarily.  Pleasing auditors so they will sign off on your
|financial accountability and doing the right thing are not the same
|thing.  Think Venn diagram.

|> >  Ours identified critical systems, and those are the systems that are
|> > audited.
|> Yes, I would expect that too.  However, somewhere along the line we have
|> got the impression that implementation of controls has to be the same across
|> all systems.

|Not for SarbOx compliance.

Except possibly where actions in development systems may have consequences in
production systems.  I've been told that I may be blocked from development
tools.  This will make it rather difficult to help applications staff.  Plus, 
as other people have said, a lot of this seems to be up to the individual
auditor's interpretation of SOX.  We've run into differences between auditors
at corporate vs. auditors at divisions (auditors working for the same company).

And by the way -- Jared made reference the other day to written change control
documentation.  We have workgroups in different locations around the world and
our process is wired together with email here and there (mostly just "you have
been assigned this" or "change xyz has reached status something").  In the past,
auditors were satisfied with a demonstration that emails would happen.  Now
they are asking for all such mail in a 20 day period 8 months ago.  And I had
the same question for emailed system alerts.  I'm not saying "don't use email"
but...I get a lot of mail.  Saving mail (which ones?) for a 1 year period would
be a real headache.

Kip Bryant

|Jared Still
|Certifiable Oracle DBA and Part Time Perl Evangelist

