
How IT Audits are Different from the 
SOX IT General Controls Project
 
By: Mitchell H. Levine, CISA
Audit Serve, Inc.


   When SOX projects were initiated in 2004, the IT Audit profession was looked upon as having the background required to establish and test the controls.  IT Auditors performing IT General Controls audits traditionally take an "issue oriented" approach: they identify specific issues that relate to potential system vulnerabilities.  For instance, they extract the system security parameters to identify settings whose values increase the risk of unauthorized actions.  Checking the primary domain account policies/password policies and finding that the Minimum Password Length is set to less than 6 would be a typical "gotcha" type of audit issue.

 

   This IT Audit approach is not the approach taken in an IT General Controls SOX project.  Sarbanes-Oxley is an assessment of the controls over financial reporting.  It assumes that controls, when they operate as designed, provide assurance of accurate financial reporting.  SOX does not validate the accuracy of the financial statements themselves; that is the objective of the Financial Statement Audit.

 

   With regard to security parameter settings, SOX control activities need to be designed to provide assurance that the security parameters will always be set correctly.  This is not the one-time validation of the parameter's current value that a traditional IT Audit would perform.

 

The control objective for the example discussed previously would be

 

"Logon Security parameters are defined and are continuously monitored to ensure they are set to prevent an unauthorized takeover of IDs"

 

The control activities would include the following:

 

- OS Configuration checklists are established which specify the key security-related system configuration requirements

- OS Configuration checklists are completed prior to the rollout of new production domains

- Audit trails are enabled and a review process occurs which would detect changes to security parameters

- Annual validation of compliance with the configuration checklists occurs for a sample of servers

 

   When designing the SOX tests for these control activities, none of the tests would consist of checking the current value of the security parameter, which would be the test in a traditional IT General Controls audit.  Even the test of the annual validation against the configuration checklists would only assess whether the validation process occurred; it would not re-perform the review or validate its results.
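The difference between the two approaches is easier to see side by side. The following Python script is an added example, not code from the article or from Audit Serve: point_in_time_check performs the traditional IT audit test (take an extract of the current settings and compare each value with the checklist), while detect_parameter_changes implements the audit-trail review control activity, reading policy-change records and flagging any change that leaves a checklist parameter out of compliance. The checklist limits, parameter names, and audit-trail lines are all constructed for the example and do not reproduce any real operating system's event format.

```python
"""Point-in-time parameter check versus audit-trail change detection.

Added example, not from the Audit Serve article. Every parameter name,
checklist limit and audit-trail record below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed configuration checklist (hypothetical limits). Each entry is
# (rule, limit): "min" requires value >= limit, "max" requires value <= limit.
# The article's own example finding is a Minimum Password Length below 6.
CHECKLIST = {
    "MinimumPasswordLength": ("min", 8),
    "PasswordHistorySize": ("min", 12),
    "MaximumPasswordAge": ("max", 90),
    "LockoutThreshold": ("max", 5),
}


def is_compliant(name, value):
    """Evaluate one parameter value against the checklist."""
    rule, limit = CHECKLIST[name]
    if name == "LockoutThreshold" and value == 0:
        return False  # 0 means accounts never lock out, so "max 5" is moot
    return value >= limit if rule == "min" else value <= limit


def point_in_time_check(observed):
    """Traditional IT audit test: compare an extract of the current settings
    with the checklist and report every deviation. Returns sorted findings."""
    findings = []
    for name, (rule, limit) in CHECKLIST.items():
        if name not in observed:
            findings.append(f"{name}: missing from extract")
        elif not is_compliant(name, observed[name]):
            findings.append(f"{name}={observed[name]} violates {rule} {limit}")
    return sorted(findings)


# Constructed audit-trail records in a simplified key=value layout; they are
# not verbatim Windows or UNIX event formats.
SAMPLE_AUDIT_TRAIL = """\
2006-03-14T08:55:10Z host=DC01 event=Logon actor=CORP\\jsmith result=success
2006-03-14T09:12:05Z host=DC01 event=PolicyChanged actor=CORP\\jsmith param=MinimumPasswordLength old=8 new=4
2006-03-14T09:13:40Z host=DC01 event=PolicyChanged actor=CORP\\jsmith param=LockoutThreshold old=5 new=3
2006-03-14T11:02:00Z host=DC01 event=PolicyChanged actor=CORP\\svc_backup param=AuditLogRetentionDays old=30 new=90
2006-03-15T07:30:00Z host=DC01 event=Logon actor=CORP\\admin result=failure
"""

POLICY_CHANGE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=PolicyChanged actor=(?P<actor>\S+)"
    r" param=(?P<param>\w+) old=(?P<old>-?\d+) new=(?P<new>-?\d+)$"
)


@dataclass
class ParameterChange:
    timestamp: str
    host: str
    actor: str
    param: str
    old: int
    new: int
    compliant_after: bool


def detect_parameter_changes(audit_trail):
    """Audit-trail review control: return every change to a checklist
    parameter, with a flag saying whether the new value still complies.
    Logon records and changes to non-checklist parameters are ignored."""
    changes = []
    for line in audit_trail.splitlines():
        m = POLICY_CHANGE.match(line.strip())
        if not m or m["param"] not in CHECKLIST:
            continue
        new = int(m["new"])
        changes.append(ParameterChange(m["ts"], m["host"], m["actor"],
                                       m["param"], int(m["old"]), new,
                                       is_compliant(m["param"], new)))
    return changes


def changes_needing_follow_up(changes):
    """The subset of detected changes the reviewer must escalate: those that
    left a parameter out of compliance."""
    return [c for c in changes if not c.compliant_after]


if __name__ == "__main__":
    # Constructed extract of the domain's current logon parameters.
    extract = {"MinimumPasswordLength": 4, "PasswordHistorySize": 24,
               "MaximumPasswordAge": 90, "LockoutThreshold": 0}
    print("IT audit (point-in-time) findings:")
    for f in point_in_time_check(extract):
        print("  ", f)
    print("SOX monitoring control (audit-trail review):")
    for c in detect_parameter_changes(SAMPLE_AUDIT_TRAIL):
        status = "OK" if c.compliant_after else "NON-COMPLIANT"
        print(f"   {c.timestamp} {c.actor} changed {c.param} "
              f"{c.old}->{c.new} [{status}]")
```

Note the different evidence each approach produces. The point-in-time check yields a finding only if the setting happens to be wrong on the day of the audit; the audit-trail review records who changed the parameter, when, and whether the change needs follow-up, which is the kind of evidence a SOX test of the monitoring control looks for. The change to AuditLogRetentionDays is ignored only because that parameter is not on the constructed checklist; a real checklist would decide which parameters are in scope.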

   In conclusion, SOX controls and testing focus on establishing control activities that ensure a desired value, whereas IT Audits check the value itself.  SOX requires IT Auditors to reorient their approach when establishing and testing SOX controls.


For a free proposal to perform an audit of your organization or provide SOX support & testing services, contact Mitchell Levine of Audit Serve at (203) 972-3567 or via e-mail at Levinemh@auditserve.com.

Copyright  2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.

This article appeared in a past issue of the Audit Vision E-Mail Newsletter.
