Terry Simpkins, the IT manager at
Measurement Specialties, used the HP 3000 newsgroup to announce a
respite from some of the Sarbanes-Oxley strain. An SEC document at www.sec.gov/info/accountants/stafficreporting.htm
"says the IS/IT 'General Controls' are
not automatically part of section 404 testing. It's buried in Section
F of the [document], but the key phrase is, 'For purposes of the
Section 404 assessment, the staff would not expect testing of general
IT controls that do not pertain to financial reporting.' "
Simpkins, whose March report to us
chronicled 60-hour work weeks overwhelmed with SOX audit issues,
added that "If you don't know about section 404 testing, or are
not involved in your company's SOX testing, go home tonight and be
very thankful."
Simpkins has been sharing what he's learning as he pushes his
organizations, which rely on HP 3000s and MANMAN ERP software,
through SOX compliance. Auditors have wanted to know how companies
handle the segregation of MANMAN programming functions (testing vs.
production) to become Sarbanes-Oxley compliant. One- or
two-person shops have been struggling to show auditors how this isn't
a risk. Management review of high-level system manager capabilities
is key, Simpkins says.
"SOX states that you have to be 'in control'," he said,
"and that can be defined lots of ways. What we have done is say
that we are aware of the issue, but because of the small size of the
staff, having 'perfect' segregation of duties just isn't
possible/practical."
"So I created a control that calls for a periodic review by
the CFO of exactly who has the 'sys mgr' capabilities. I have created
a 'log' of what users have access to the 'sys mgr' logon/capability,
and I review this list with [the CFO] quarterly. He signs off on the
list each quarter, as a record of the review."
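A constructed illustration of the quarterly review control Simpkins describes, added here and not code from his site or from MPE/iX: it parses a snapshot of users and their capabilities, lists who holds the system-manager capability, diffs that list against the previous quarter's snapshot so the reviewer sees who was added or removed, and emits a record for the CFO to sign. The snapshot format, the sample users and the "SM" abbreviation for the 'sys mgr' capability are assumptions.

```python
"""Quarterly privileged-capability review (constructed example).

Snapshot format is an assumption: one line per user, "USER.ACCOUNT:CAP,CAP,...".
"SM" is assumed to be the label for the 'sys mgr' capability.
"""

# Constructed snapshots standing in for whatever the site exports each quarter.
PREVIOUS_QUARTER = """\
MANAGER.SYS:SM,AM,OP,PM
TERRY.MFG:SM,AM
OPERATOR.SYS:OP
CLERK.MFG:IA
"""

CURRENT_QUARTER = """\
MANAGER.SYS:SM,AM,OP,PM
OPERATOR.SYS:OP
CLERK.MFG:IA
TEMPDBA.MFG:SM
"""


def parse_snapshot(text):
    """Return {'USER.ACCOUNT': {'CAP', ...}}; blank or malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        logon, caps = line.split(":", 1)
        users[logon.strip().upper()] = {c.strip().upper() for c in caps.split(",") if c.strip()}
    return users


def holders(snapshot, capability="SM"):
    """Sorted list of logons that hold the given capability."""
    return sorted(u for u, caps in parse_snapshot(snapshot).items() if capability in caps)


def review_record(previous, current, period, capability="SM"):
    """Build the record the reviewer signs: current holders plus changes since last review."""
    before, after = set(holders(previous, capability)), set(holders(current, capability))
    return {
        "period": period,
        "capability": capability,
        "holders": sorted(after),
        "added": sorted(after - before),      # new privileged logons: must be justified
        "removed": sorted(before - after),    # revoked logons: confirm intentional
        "needs_attention": bool(after ^ before),
        "signoff": f"Reviewed by: ________  Date: ________  ({period})",
    }


if __name__ == "__main__":
    for key, value in review_record(PREVIOUS_QUARTER, CURRENT_QUARTER, "2005-Q3").items():
        print(f"{key}: {value}")
```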
SOX compliance has been slowing HP 3000 shops from migrating. In
particular, shops that need to give broad access to a single
administrator are struggling to maintain their processes in the face
of SOX audits. One site manager said she's lost her AM and OP
capabilities from production accounts, "so trying to get onto a
restricted box to look at a problem is...um....er...not so nicely
achieved. We've tried to explain what damage this can (and will)
do," said Carol Darnell, an IT manager at a very large HP 3000
installation, "but compliance appears to be more critical than
being able to support our customers."
Foreign companies and those with market caps of less than $75
million recently got an extension of one year to comply. Instead of
meeting the requirements by next month, these
"non-accelerated" companies now can work until July 15,
2006 - less than six months before HP turns off its 3000 and MPE/iX
support business. An article at the
IT Compliance Institute explains the extension. The site also has
a useful summary white paper of the SOX requirements.