1

So the small company I work for was just acquired by a major corporation and now I am being slammed with changes to my entire infrastructure in order to become compliant with the Sarbanes Oxley Act.

Currently the biggest hurdle I need help with is all of the Documenting. Does anyone here have experience with SOX Burdens that can recommend a good program for documenting? I realize this is a completely broad question but I’m hoping someone knows of a good program that I can make entries to for my maintenance, server changes, keep tract of user access request forms, etc.

Like I said… Complete shot in the dark but I couldn’t be more curious.

6 Spice ups
2

Jonathan3056

I work for a financial software company and am the compliance manager for our IT auditing. It sounds like you may be confusing two different things. SOX (Sarbanes Oxley) and SOC (Service Organization Controls) Types 1, 2 and 3 are different things entirely. SOX has to do with transparency of financial accounting while SOCs are controls that your company establishes to ensure clients that data is protected in different ways.

SOX info: Sarbanes-Oxley (SOX) Audit Requirements

SOC (formerly SAS 70) (AKA SSAE 16): http://www.ssae-16.com/

If the company you have been acquired by is audited under either of these, you should acquire a copy of the last full report and familiarize your self with it. Both are broken down into sections that address things like Logical Security, Network Security, Physical etc.

Once you are familiar with the requirements, try to get some time with your auditors to see how they want the documentation to of compliance generated.

This can be a confusing field to jump into blind. It can be a full time job. There are tools and programs out there to help (see the link below), but as a start, I would make a spreadsheet to capture the following.

1 Control objective #

  1. Control wording

  2. Documentation required to satisfy the CO.

  3. Where/how to pull the documetaion.

  4. Who is responsible to pull.

  5. Date pulled

  6. Date accepted by internal/external

http://info.knowbe4.com/webcast-knowbe4-compliance-manager-kcm?utm_campaign=KCM+Intro&utm_source=hs_email&utm_medium=email&utm_content=13236743&_hsenc=p2ANqtz-8-wnB5OiyPec_l5Ddt0oUkw_vtF52XlSxzuM4YCnlkrXZqW9sbjBkCFy4y5ruH-apMkPa2cVrXN9p0OH5J2HaVxpQrpHexwpy-8Mk25jpBdwltzME&_hsmi=13236743

5 Spice ups
3

Thank you very much junderwood1! I really appreciate you taking time to type out all of this valuable information. You have provided me with a lot to look into and I’m going to dive right in. Thanks again!

4

Glad to do it. I was thrown into it unexpectedly a few years ago and am glad. It is challenging and stressful at times though. The biggest thing is to automate everything you can with regard to record keeping and compliance. Understanding what your auditors are looking for in terms of documentation is about 60% of your battle, the rest is gathering the documentation and providing it on time.

I tend to feel as if I’m responsible for a clean audit even though other people are responsible for working in a way that assures compliance. Don’t fall into that trap. You can only be responsible for what you do.

2 Spice ups