SOX & ISO 27001: Protect Your Data and Be Ready To Be Audited!!!
IT Controls
Certification timeline
Risk Assessment
SOX Compliance
[Diagram: Financial Data is fed from System A and System B; the question posed is "Is the data reliable?"]
IT Controls
[Diagram: IT Controls surround an Application and the Report it produces; Application Controls sit at the application level]
• Program Development
• Computer Operations
IT Control: Access to Programs & Data
Key Inputs:
– Password settings
– List of users/administrators with full/admin access
– List of new hires/terminated/transferred users
Testing technique used: Sampling
Outputs: Control is effective, or Not effective
Impact on Financials?
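As an added example that is not part of the original deck, this Python sketch tests the three key inputs above the way the slide describes: a seeded sample of the HR leavers list is reconciled against per-system admin/full-access lists, the configured password settings are compared with the policy they must meet, and the slide's two outputs are produced. All users, systems and values are constructed for the example.

```python
import random

# Constructed inputs mirroring the slide's key inputs (not real systems or people).
TERMINATED_USERS = ["jdoe", "asmith", "bchen", "rkhan", "tnguyen"]  # HR leavers list
ADMIN_ACCESS = {                                                      # per-system admin/full access
    "ERP-PROD": {"mlopez", "jdoe", "svc_batch"},
    "GL-DB": {"mlopez", "rkhan"},
}
# Password settings pulled from the system, beside the policy values they must meet.
PASSWORD_SETTINGS = {"min_length": 8, "max_age_days": 90, "lockout_threshold": 10}
PASSWORD_POLICY = {"min_length": 12, "max_age_days": 90, "lockout_threshold": 5}
# For each setting, how a configured value is judged against the policy value.
MEETS_POLICY = {
    "min_length": lambda actual, required: actual >= required,
    "max_age_days": lambda actual, required: actual <= required,
    "lockout_threshold": lambda actual, required: actual <= required,
}

def sample_users(users, size, seed):
    """Draw a reproducible sample; the seed is recorded in the audit workpapers."""
    return sorted(random.Random(seed).sample(users, min(size, len(users))))

def access_exceptions(users, admin_access):
    """Map each (terminated) user who still holds admin/full access to the systems granting it."""
    found = {}
    for user in users:
        systems = sorted(s for s, members in admin_access.items() if user in members)
        if systems:
            found[user] = systems
    return found

def password_exceptions(settings, policy):
    """Settings that are missing or weaker than policy -> {setting: (configured, required)}."""
    return {k: (settings.get(k), req) for k, req in policy.items()
            if k not in settings or not MEETS_POLICY[k](settings[k], req)}

def control_verdict(*exception_sets):
    """The slide's two outputs: any exception in the sample means the control is not effective."""
    return "Control is effective" if not any(exception_sets) else "Not effective"

if __name__ == "__main__":
    sample = sample_users(TERMINATED_USERS, 3, seed=2024)
    acc = access_exceptions(sample, ADMIN_ACCESS)
    pw = password_exceptions(PASSWORD_SETTINGS, PASSWORD_POLICY)
    print("sample:", sample)
    print("access exceptions:", acc)
    print("password exceptions:", pw)
    print(control_verdict(acc, pw))
```

Each exception is then traced to its financial impact: an ex-employee with admin rights on the ERP, for instance, could alter records feeding the financial statements.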
IT Control: Program Changes
Controls tested: changes are
1. Tested
2. Approved
Steps:
1. Test of Design
2. Test of Effectiveness
Key Inputs:
– Change Management Process
– List of system generated Database changes
Impact on Financials?
Failure of SOX Controls (IT & Non-IT)
• Deficiency: A control breakdown prevents management or employees from preventing or detecting financial misstatements within a reasonable time frame.
• Significant deficiency: An important control is not working and the organization's ability to initiate, record, process, or report financial data to the public is compromised. In addition, a significant deficiency may prevent compliance with generally accepted accounting principles (GAAP). A significant deficiency must be reported to the audit committee of the board of directors.
• Material weakness: One or more control failures at this level will result in a 404 failure. A material weakness represents, according to the AICPA, "more than a remote likelihood that a material misstatement of the financials will not be prevented or detected." The control failure must be reported to the audit committee of the board of directors as well as the investing public (via the 10K). Material weaknesses usually, but not always, arise from business practices rather than IT control failures.
IT is expected to pass with few deficiencies, no significant deficiencies, and certainly no material weaknesses.
Source: http://www.ittoday.info
Key Points to remember… for a successful SOX audit
Database Administrators
– You are responsible for security of the databases!
Next Topic
ISO 27001
2-3 minutes break before we proceed
Agenda
What is SOX Compliance?
IT Controls
Certification timeline
Risk Assessment
ISO 27001
Why be ISO 27001 compliant?
Some reasons may include:
• Be prepared to deal with changing threats with respect to new cloud-based services
Certification Timeline
Security Domains + more