Thursday, September 23, 2004

Sarbanes-Oxley: Accountants Setting IT Policy?

Will your accountant be setting corporate IT policy sometime soon? My recent articles about using SQL Server Profiler during application development raised a lot of interest in and debate about how to give developers controlled access to Profiler (and the requisite sa password) in production and quality assurance (QA) environments without giving away the keys to the kingdom. And some readers said they're particularly concerned about how the U.S. Public Company Accounting Reform and Investor Protection Act of 2002, aka the Sarbanes-Oxley Act, will affect their IT environments. Although Sarbanes-Oxley doesn't regulate information technology, IT is the foundation for the financial processes that the law regulates.

Do you have any idea what Sarbanes-Oxley legislation means to your IT department? The above comment came from a reader whose organization's IT security policy is being set by a team of auditors who, quite frankly, aren't trained to implement proper security measures. I spoke off the record with a colleague who has a fair amount of experience helping companies design Sarbanes-Oxley compliance plans. He said that some internal and external auditor groups are being overly aggressive in their interpretation of certain sections of Sarbanes-Oxley. These different interpretations can lead to inconsistencies where one group of auditors tells a company, "Yes, Bob can have the sa password," and another set of auditors tells the company, "Heck no, Bob can't have the sa password."

Sarbanes-Oxley: Accountants Setting IT Policy?

Send to a friend:

0 Comments: