Hey all, I’m looking into what it would take to make my company SOX compliance. Has anyone been down that road before and has tips or tricks? Thanks.

5 Spice ups

Not easy, trivial or cheap. First question is: are you required to be SOX compliant? If not, just move along.

It’s been a while since I’ve gone through it, but it involves data retention policies and full operational documentation, including software behavior, as in expected error messages for validated fields and such. It also requires that any document used for financial forecasting be documented, audited and subject to change management; that includes spreadsheets that may be used to make decisions.

1 Spice up

Avoid it if you can.

Data retention policies state something like: keep yearly backups for up to 20 years, monthly backups for up to 3 years, weekly backups for something like 3 months and daily incrementals for something like 4 weeks. And that’s just for backups/data retention.

Anything that has to do with financial data, ERP systems, etc., has to be thoroughly documented, and changes to access have to have a process in place to be tracked. Accountability for certain failures, for example: if a backup fails, I have to document why (it doesn’t matter that it fails, but it has to be documented). Employee terminations/new hires have to be documented via a process indicating which access they need, etc.

Physical access to server rooms must be restricted and documented, badge access documented, including removal/activation and deactivation of personnel needing access to your building, etc.

There’s a lot that goes into it. My company is required to be SOX compliant but I only deal with a small portion of it (namely what I’m responsible for mentioned above).

Generally SOX compliance is only required for publicly traded companies, so I’m not sure why you’d want to go down this road if you don’t need to.

2 Spice ups
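The retention schedule quoted in the post above (yearly for 20 years, monthly for 3 years, weekly for about 3 months, daily incrementals for 4 weeks) is a classic grandfather-father-son scheme. The script below is an added example, not code from the thread or from any product mentioned in it: it classifies a backup catalogue against those windows and lists what falls outside every rule. The sample catalogue, the reference date and the rule that the newest backup in each period is the one kept are assumptions.

```python
from datetime import date, timedelta

# Retention windows quoted in the post: (bucket, how far back it reaches,
# the period that identifies "one backup per ..."). Daily incrementals are
# kept for 4 weeks, weeklies ~3 months, monthlies 3 years, yearlies 20 years.
RULES = [
    ("yearly", timedelta(days=365 * 20), lambda d: (d.year,)),
    ("monthly", timedelta(days=365 * 3), lambda d: (d.year, d.month)),
    ("weekly", timedelta(days=91), lambda d: (d.isocalendar()[0], d.isocalendar()[1])),
    ("daily", timedelta(days=28), lambda d: (d,)),
]

def classify(backups, today):
    """Map each backup date to the set of rules that retain it (empty = prune).

    backups: list of (date, kind), kind being "full" or "incremental".
    Assumed policy: incrementals only count toward the daily rule; within
    each period the newest eligible backup is the one kept.
    """
    keep = {d: set() for d, _ in backups}
    for bucket, window, period in RULES:
        newest = {}
        for d, kind in backups:
            if kind == "incremental" and bucket != "daily":
                continue
            if d > today or today - d > window:
                continue  # outside this rule's window
            k = period(d)
            if k not in newest or d > newest[k]:
                newest[k] = d
        for d in newest.values():
            keep[d].add(bucket)
    return keep

def prune_list(backups, today):
    """Dates no rule retains, oldest first; these are the deletion candidates."""
    return sorted(d for d, rules in classify(backups, today).items() if not rules)

def sample_backups(today):
    """Constructed catalogue: a full every Sunday for 4 years plus daily
    incrementals (Mon-Sat) for the last ~2 months. `today` must be a Sunday."""
    fulls = [(today - timedelta(days=7 * i), "full") for i in range(208)]
    incs = [(today - timedelta(days=j), "incremental")
            for j in range(1, 60) if j % 7 != 0]
    return fulls + incs

if __name__ == "__main__":
    today = date(2024, 6, 30)  # a Sunday (constructed reference date)
    cat = sample_backups(today)
    for d, rules in sorted(classify(cat, today).items(), reverse=True)[:10]:
        print(d, sorted(rules) or "PRUNE")
    print(len(prune_list(cat, today)), "backups eligible for deletion")
```

For an auditor the useful output is the classification itself, since it records why each backup was kept or removed, which is the kind of evidence the post says has to exist for every failed or deleted backup.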

For various reasons, SOX is going to become mandatory.

Thanks for the info so far.

Never heard of this one before, so I did a bit of a search and whilst some of it seems sensible, some of it (as with most compliance acts) seems to be composed by people with absolutely no knowledge of IT systems.

Anyway, here’s the best explanation I found for the impact it will have for UK companies: “SOX: what does it mean for UK companies?”

And I do think that the irony has been missed (or maybe it was intentional) for the section that states you must be able to (find) provide documentation and attest to operational effectiveness, Section 404!

If you need to be SOX compliant, you can check Netwrix Auditor solutions.

@Netwrix

We got two clients through implementation and certification. Not easy, but once you commit, it’s just money.

1 Spice up

You may also be interested in using the LepideAuditor suite, which would be an appropriate solution for your purpose.