To prepare an organization for compliance with Section 404 of the Sarbanes-Oxley Act (SOX), using COBIT (Control Objectives for Information and Related Technologies) as the IT control framework, I recommend that we produce two documents, as follows:
1. General IT Controls
The COSO “control environment” component, which sets the “tone at the top,” is evaluated to determine whether entity-level IT-related controls are likely to be effective. Evidence may include documented policies and guidance for IT controls such as security administration, application change control management, data backup and recovery, and the systems development life cycle (SDLC).
Guidance for the development team:
Have the ability to initiate an application change.
Communicate the change through agreed-upon documentation to the IT organization.
Evaluate and document the impact of all proposed changes on the internal control environment.
Test the changes before they are moved into production. Testing should include procedures that validate the working of critical programmed controls, to ensure the change has no unintended impact on the control environment. Testing also applies to emergency changes to applications, i.e., application and data owners should be notified in advance of emergency changes so they can evaluate them appropriately.
For each of the above, there should be adequate documentation to demonstrate that the process is operating as intended and that the interaction between the application and data owners and the IT organization is effective.
2. Application and Data-Owner Controls
Manual controls, user access levels and security administration should be reviewed for any risk exposures. Access to conflicting duties, such as setting up accounts and making payments, should be segregated. The ERP system supporting the procurement and payables subprocesses should be automated, since automated processing is less susceptible to human error. That setup should also include a three-way match (purchase order, goods receipt and invoice) with manual human intervention on exceptions, as a finer-grained control. There must be periodic reviews of the methods by which critical transactions are accessed, and of how often and by whom, colloquially known as “touch points.” In the case of outsourced software, the service agreements or an SSAE 16 report should be made available to auditors so they can evaluate the effectiveness of security administration, change management, data management and ownership rights.
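As an added illustration that is not part of the memo, the two controls just named, segregation of conflicting duties and a three-way match with exceptions routed to a human reviewer, expressed as checks in Python. The role names, the second conflicting pair, the tolerance and the sample data are assumptions constructed for the example.

```python
from decimal import Decimal

# Duties the memo says must be segregated (account setup vs. making payments);
# the invoice-entry pair is an assumption added for illustration.
CONFLICTING_DUTIES = {
    frozenset({"vendor_account_setup", "payment_release"}),
    frozenset({"invoice_entry", "payment_release"}),
}


def sod_violations(role_assignments):
    """Map each user to the conflicting duty pairs they hold in full."""
    violations = {}
    for user, roles in role_assignments.items():
        held = set(roles)
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTING_DUTIES if pair <= held)
        if hits:
            violations[user] = hits
    return violations


def three_way_match(po, receipt, invoice, tolerance=Decimal("0.01")):
    """Compare purchase order, goods receipt and invoice.

    Returns a list of exceptions; an empty list means the invoice can be
    approved automatically, anything else is routed to a human reviewer.
    """
    exceptions = []
    if not (po["vendor"] == receipt["vendor"] == invoice["vendor"]):
        exceptions.append("vendor mismatch across documents")
    if receipt["qty"] > po["qty"]:
        exceptions.append("received quantity exceeds ordered quantity")
    if invoice["qty"] > receipt["qty"]:
        exceptions.append("invoiced quantity exceeds received quantity")
    expected = po["unit_price"] * invoice["qty"]
    if abs(invoice["amount"] - expected) > tolerance:
        exceptions.append(f"invoice amount {invoice['amount']} differs from expected {expected}")
    return exceptions


# Constructed sample data, not taken from any real system.
SAMPLE_ROLES = {
    "alice": ["vendor_account_setup", "invoice_entry"],
    "bob": ["vendor_account_setup", "payment_release"],
    "carol": ["payment_release"],
}
SAMPLE_PO = {"vendor": "V100", "qty": 10, "unit_price": Decimal("25.00")}
SAMPLE_RECEIPT = {"vendor": "V100", "qty": 10}
SAMPLE_INVOICE = {"vendor": "V100", "qty": 10, "amount": Decimal("262.50")}

if __name__ == "__main__":
    print(sod_violations(SAMPLE_ROLES))
    print(three_way_match(SAMPLE_PO, SAMPLE_RECEIPT, SAMPLE_INVOICE))
```

In practice the role assignments would be exported from the ERP's security administration module and the check run on the periodic review schedule the memo calls for.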
I hope that the information above is useful for you to proceed with the next steps of integrating compliance with your business logic.