Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: Sorbanes Oxley for dummies? -- more questions

RE: Sorbanes Oxley for dummies? -- more questions

From: Powell, Mark D <mark.powell_at_eds.com>
Date: Fri, 14 Jan 2005 10:48:45 -0500
Message-ID: <5A14AF34CFF8AD44A44891F7C9FF410511E728@usahm236.amer.corp.eds.com> 





It is my reading of SOX that what is and is not acceptable is totally up to
the auditors. The provision (section 440?) of SOX that is causing all the
work is actually only one paragraph long and is not very specific.  As such
it is up to the courts to determine what it means.  That has yet to happen.
As such if the auditors say your books are OK and the CFO and CEO are
willing to put their names on the bottom line you could in fact do nothing
new.



But after what happened to Andersen most auditors are in cover their behind
mode.  Some of the requirements being placed on companies are just not
practical or useful.  There is a court case saying that the government went
to far in their actions against Andersen.  Depending on how it comes out
there could be a major shift in where auditors put their emphasis.
Unfortunately for most of us auditors make money on the current process so
you can expect the worse.



What the act definitely requires is that a firm take steps to protect the
integrity of its data.  You must have written procedures for updating
production data and proof that you follow them (paper trail).  Right now
what constitutes valid procedures is whatever the auditor says.



IMHO -- Mark D Powell --




-----Original Message-----


From: oracle-l-bounce_at_freelists.org


[mailto:oracle-l-bounce_at_freelists.org]On Behalf Of Hemant K Chitale

Sent: Friday, January 14, 2005 9:49 AM


To: bdbafh_at_gmail.com; Michael.Kline_at_suntrust.com; oracle-l_at_freelists.org
Subject: Re: Sorbanes Oxley for dummies? -- more questions 





Not having read the book , but I, too, have a number of questions.  My
current


employer, being NASDAQ listed, is also undergoing preparation for a SOX 
Audit in 2005.



    
  
  1.   How do you handle Password Controls for "root" and "oracle" accounts ?
If you have 200 servers and 80 databases, how do you ensure that you do NOT
write down the passwords somewhere [other than the on the sheet of paper
in the IT Security department's safe] and yet remember the passwords ?
Some [un-named] persons I know use the *same* password on all the 20 or 50 
odd servers.
Would that be acceptable ?

  
  2.   How do you Audit actions by DBAs ? Create seperate DBA accounts in the
Database ?  If you have 3 alternate DBAs supporting multiple databases,
should
each DBA have a named account in each database ?

  
  3.   Should all your SOX controls implemented as part of IT General Controls 

    
[COBIT Framework]
    
apply to *all* your Servers and Databases, even those that are not Critical 
or Key systems

    
[ie those with no financial impact]   {assuming that a SOX Compliance Team 
    
identifies
only a certain set of 8 or 10 systems as Key Systems} ?
Can you selectively apply controls to non-Key Systems ?






--
http://www.freelists.org/webpage/oracle-l


Received on Fri Jan 14 2005 - 09:45:46 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US