399
Appendix:
Understanding the Sarbanes-Oxley Act
Similarly, you will need to document employee terminations. Of particular concern
to the auditors is account termination for people who had access to financial systems,
and evidence that their access to those systems was revoked at the same time their
employment ended, not merely that a request to remove it was filed.
System Maintenance
Regular system maintenance of the in-scope systems should be defined and documented.
The actual maintenance activities that are performed should be spelled out in a procedural
document. For example, a Windows-based server might have the following maintenance
activities defined:
Examine event logs and note any serious problems.
Save the event log.
Apply any pending Microsoft patches through Windows Update.
Examine disk space to ensure that adequate free space is available.
Examine the backup system logs to ensure that backups are being performed
properly and that there are no unresolved errors.
Restart the system and ensure proper functioning after it restarts.
Each time these tasks are performed, the fact should be recorded, together with the date,
the system, the person who did the work and any problems found. Depending on the
preferences of the company's auditors, this record can be electronic or kept on a paper
form developed for this purpose.
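The following PowerShell script is an added illustration of the Windows maintenance checklist above; it is not from the book and not a vendor tool. It carries out the examine, save, patch-check, disk and backup steps, and writes a dated, per-host, per-operator evidence record of the kind an auditor asks for. The evidence directory, the 15 percent free-space threshold, the seven-day lookback and the use of Windows Server Backup (the Microsoft-Windows-Backup log) are assumptions to adjust for your environment; the restart is performed only when explicitly requested so that the record is written first.

```powershell
<#
  Hypothetical maintenance-evidence script (added example, not from the original text).
  Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run with administrative rights.
#>
[CmdletBinding()]
param(
    [string]$EvidenceDir  = 'C:\Evidence\Maintenance',   # assumed location of the evidence store
    [int]   $LookbackDays = 7,                            # assumed review window
    [int]   $LowDiskPct   = 15,                           # assumed free-space alarm threshold
    [switch]$Restart                                      # restart only when asked for
)

$ErrorActionPreference = 'Stop'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$since = (Get-Date).AddDays(-$LookbackDays)
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# The evidence record: who ran the maintenance, on which host, and when.
$record = [ordered]@{
    Host     = $env:COMPUTERNAME
    Operator = "$env:USERDOMAIN\$env:USERNAME"
    RunAt    = (Get-Date).ToString('o')
}

# 1. Examine event logs: Critical (1) and Error (2) entries in System and Application.
$serious = Get-WinEvent -FilterHashtable @{ LogName = 'System','Application'; Level = 1,2; StartTime = $since } `
           -ErrorAction SilentlyContinue
$record.SeriousEventCount = @($serious).Count
$record.SeriousEvents = @($serious | Select-Object -First 20 TimeCreated, LogName, Id, ProviderName,
                           @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } })

# 2. Save the event logs: export to .evtx before anything is cleared or overwritten.
foreach ($log in 'System', 'Application', 'Security') {
    wevtutil epl $log (Join-Path $EvidenceDir "$log-$stamp.evtx")
}

# 3. Pending Microsoft patches, via the Windows Update Agent COM API.
#    Installation itself belongs in the approved patch window; here we record what is outstanding.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
$record.PendingUpdates = @($pending | ForEach-Object { $_.Title })

# 4. Disk space: flag fixed drives below the free-space threshold.
$record.Disks = @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
    $pct = if ($_.Size) { [math]::Round(100 * $_.FreeSpace / $_.Size, 1) } else { 0 }
    [pscustomobject]@{
        Drive       = $_.DeviceID
        FreeGB      = [math]::Round($_.FreeSpace / 1GB, 1)
        PercentFree = $pct
        Low         = ($pct -lt $LowDiskPct)
    }
})

# 5. Backup logs: errors from the Windows Server Backup operational log (assumed backup product).
$backupErrors = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Backup'; Level = 1,2; StartTime = $since } `
                -ErrorAction SilentlyContinue
$record.BackupErrorCount = @($backupErrors).Count
$lastBackup = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Backup'; StartTime = $since } `
              -MaxEvents 1 -ErrorAction SilentlyContinue
$record.LastBackupEvent = if ($lastBackup) { $lastBackup.TimeCreated.ToString('o') } else { 'none in window' }

# Write the evidence record as JSON next to the exported logs.
$record | ConvertTo-Json -Depth 4 |
    Set-Content -Path (Join-Path $EvidenceDir "maintenance-$($env:COMPUTERNAME)-$stamp.json")

# 6. Restart only when explicitly requested, after the record has been written.
if ($Restart) { Restart-Computer -Force }
```

The post-restart check called for in the last step cannot be made by the same process that issues the restart; verify services and the application after the host comes back and append that result to the evidence file, so that the record covers every item in the procedure.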
Change Control
A critical procedure to develop is one that governs how changes to any in-scope
systems are managed. This includes both changes to the in-scope software, such as
applying an update or upgrade to the application or modifying a program used by the
system, as well as changes to the operating system and hardware in a server that hosts
in-scope systems.
All changes to in-scope systems need to be documented, and where approvals are
required, they also need to be documented.
A typical routine change might begin with a request from a person in the accounting
department to modify a financial report to make it more useful, or to develop a new
report that will help the employees do their job better. In such a case, the requestor
completes a form describing the desired change and submits it to the IT department.
The IT department assesses the change to determine how it can be accomplished and
what resources (time and money) are required. It should also propose a way to test
the change to confirm that it works as designed. The IT department then forwards the
request, along with this assessment, to either the company's controller or CFO, who
must approve the change before any work begins. After the approval is granted, the IT
department makes the change, performs the testing, and usually has the original
requestor also accept the result.