SOX Compliance

Page 154

The Cost of Compliance • Chapter 5

Walk the Talk

Table 5.1 is an example of the type of policy NuStuff Electronics might use in its activities to comply with the Sarbanes-Oxley Act, and although NuStuff Electronics is fictional, the procedure and the areas it defines are not. At first glance, the policy appears to be a standard procedure that any IT organization would have used prior to Sarbanes-Oxley, so what is the big deal? If the Sarbanes-Oxley Act had never been drafted, your IT organization would be audited based on traditional audit practices and guidelines. The auditors would give this policy a cursory review, at best, more to ensure that you have a documented procedure than anything else. Now, here is the big deal: aside from being an actual policy used to obtain Sarbanes-Oxley compliance, it contains two very important sections that were added to make the procedure acceptable for Sarbanes-Oxley compliance—5.0 Review and 6.0 Enforcement. Although it is important that you adhere to what you state in your policy, be particularly cautious about what you stipulate in Review; if you can’t or won’t adhere to it, don’t state it. Whether during initial testing after the remediation phase or during a subsequent compliance audit, the auditor will want to see evidence of the effectiveness of the control. As stated previously in this book, COBIT is merely a detailed set of “Best Known Methods” for IT. Therefore, there is no need to discuss this particular policy’s password parameters (password length, password age, etc.); those would need to be tailored to fit your environment. However, we would like to note some particular areas in the policy to which you must pay special attention:

■ Scope: If your company has other locations, whether domestic or international, it is critical that you define which locations your policy affects and which it does not.

■ Review: There are two concerns that you must define well regarding the Review section:

    ■ The frequency of review: If the interval between reviews is too long, the auditor will perceive the control as ineffective.

    ■ Connecting the review of evidence to the CFO: Although the IT manager may perform a review monthly, the CFO will review the effectiveness of the control and the evidence on a quarterly basis.

■ Enforcement: You may not have to define consequences in all policies, but if you do, you want to ensure that Human Resources reviews them before you formalize and publish your modified or new policy. Generally speaking, it is a good idea to have this information readily available to all employees, using whatever mechanism works best in your environment. Moreover, the employment packet for a new hire should contain a document (which the new employee signs) stating that he or she has read and understands the corporate policies.

133

