Re: IT Audit?

[PaulMmn <PaulMmn@xxxxxxxxxxxxx>]

> Is that something similar to ISO 9000 stuff?

Only worse.  As I understand an ISO audit, it's to make sure you 
follow the procedures you created.

A SOX audit is to find out why you don't have procedures to control 
access, changes, manipulations, etc. to -anything- that might affect 
the financial results of the company.

They wanted to know if we sent out notices to the entire company that 
we're applying PTFs to the operating system.  We said, no, it doesn't 
affect financial results; it's not something we wrote, and they said 
OK...

If you do have procedures in place, you have to prove that you follow 
them, and that there's no way to cheat.

If you hold a meeting you need to be able to prove it was held and 
that you attended (ie everyone signs the attendance sheet).

They also look at procedural issues where one person wears enough 
hats to be able to enter orders, approve the shipment, mark the 
invoice paid, and sell the merchandise at the flea market.

It's somewhat of a pain in the neck, but in our case some of the 
procedures were a bit lax, and this prompted us to tighten them up.


Oh--  a SOX audit is not a one-time event--  they'll be back when you 
least expect them!   (:


Big Brother is coming!

--Paul E Musselman
PaulMmn@xxxxxxxxxxxxxxxxxxxx