Information Technology : IT and Corporate Audits Cape Town South Africa.
Information Technology : IT and Corporate AuditsInformation Technology : IT and Corporate Audits Cape Town South Africa.
Fourspiral Technologies • Tel: +27 (0)21 - 4242957 • Fax: +27 (0)21 - 4242956 • E-mail:
secure your website NOW!
To Purchase Thawte certificates click above
Corporate Goverance is a fact of life, all corporate entities will legally have to comply sooner or later
Sarbanes-Oxley (SOx) 404 act & how it relates to IT within a company:
The following Price-Waterhouse-Coopers extract summaries well what an IT organization’s primary role is in complying to Sox 404 (quote taken from July 2004 Practical Guide for management, distributed to it’s clients and Friends):
‘The information technology organization will have two primary roles in the project:
  1. To document and self-assess its own significant processes (referred to as general computer controls) for(a) the information technology control environment, (b) the development and implementation of information technology (program development), (c) a change to existing information technology (program changes), (d)information security (access to programs and data), and (e) computer operations. These are pervasive
    controls since the effectiveness of all automated controls across the organization depends on them.
  2. To support personnel who are responsible for specific processes by helping those individuals document and assess their control activities. Because those individuals are accountable for the controls pertaining to the processes they oversee, they should be responsible for documenting and testing both manual and automated controls, even though automated controls often rely on or reside in information technology systems. It is important for personnel who are responsible for processes in their business units to understand all the controls for their processes, not simply the manual controls. To facilitate this understanding, the company should assign information technology liaisons to the control assessment teams.’
Control Process Analysis, documentation & recommendation
Fourspiral can apply its methodologies and experience to graphically demonstrate how process controls function, how they relate to one another and what the system and human dependencies (in these process workflows) are in a given a control chain.
In addition, where the control processes come up short, or show risks due to conflict of duty overlap these can be remodeled. This would be done after discussion with key stakeholders in your company in preparation prior to audit compliance.
Sox 404 and BC&DR compliance
There has been much discussion on whether Sox 404 contains a requirement to include BCP and DRP within the scope.
An Interesting discussion thread on this subject that is worth reading can be found at the following location: hyperlink
With on major proviso the general concensus is that BCP and DRP are excluded from the scope of SOx. The proviso is that a business can produce (in real time) up to date reports and records pertaining to financial positions and transactions. If you do not have a data recovery environment in place you will not be able to satisfy the requirement: if you lose your site and need to recover key transactions may not be available since last backup went to tape/disk media. Having hot secondary copies of key data/databases at a contingent location will allow you to meet the requirement. It’ll also allow your business to recover in a much, much accelerated timeframe.
Also it seems that the different major accounting firms can have different interpretations on whether DR is included or not.
The question a business must ask itself is: I am happy to comply at this level or do I consider DRP and BCP a core element of IT Control function
Involvement with SAS 70 and WEB Trust Audits certification:
Senior Manager at Thawte consulting (hyperlink) responsible for working closely with KPMG for the implementing all system and controls for the attainment of SAS70 (hyperlink) and Web Trust (hyperlink) audits contributing heavily towards Thawte consulting complying to strict requirements to trade as a (Digital) Certificate Authority.
This responsibility included oversee compliance to all logical and physical access controls, logical system and log file controls, software build segregation and strict change management implementation, staff adherence to control policies, Disaster Recovery and Business continuity.
What is the SAS 70 audit:
‘Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA)’
An excellent summary of understanding and preparing for a SAS 70 Audit is given below:
White Paper on SAS 70 Readiness
Author :Charles Denyer
Tidwell DeWitt
[Reproduced courtesy of Tidelldewitt company]
Tips for getting your organization ready for a SAS 70 audit. by Charles J. Denyer, Audit Assurance Manager, Tidwell Dewitt, LLC As organizations struggle to comply with ever-growing regulatory mandates imposed from the passage of various acts, such as Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA), another challenge looms just as large and complex: preparing for a SAS 70 audit.
Many organizations fail to understand the necessary steps that must be in place before an auditor can successfully begin field work for a SAS 70 engagement. Consequently, cost overruns and subsequent delays in issuing a “service auditor’s report” are far too common. By making yourself and your organization aware of the tasks involved with preparing and ultimately engaging in this type of audit, precious dollars and employee man hours will be saved. Communicate with your auditor. Many organizations are under the assumption that their SAS 70 auditors will simply arrive and begin field work on a predefined date, with little or no guidance needed from the organization. After all, they are the experts and know exactly what they are doing…right? Wrong. Effectively communicating with your auditor will allow you to have made inquiries into their processes, ultimately resulting in a better understanding of key deliverables, such as expected field work timeframe and issuance date for a “service auditor’s report”.
Necessary elements
A number of internal documents are used by auditors to assist in commencing with field work and in issuing a SAS 70 report. Being aware of what these specific documents and procedures are will save your organization time and money by having them in place when the auditors arrive. They include the following:
• Network Topography of your organization’s I.T. infrastructure
• Internal I.T. policy manual regarding computer operations, computer security and other related issues
· Documentation pertaining to the Systems Development Life Cycle (SDLC) regarding the platform (i.e., module, application) being examined for SAS 70 compliance
• Employee Handbook and related issues
• Business Continuity/Disaster Recovery policy and related issues
SAS 70 Readiness
While many organizations can answer “yes” to having the above procedures documented and in working order, a large number of institutions find themselves unable to furnish this vital material to their auditors, thus they cannot successfully begin a SAS 70 audit. Though this is a common occurrence, your organization can take a number of proactive steps in producing the documents and having in place the fundamental business processes and controls, ultimately ensuring that the engagement is carried out in an efficient, detailed, and cost effective manner.
Organizational Chart:
Review and update your company’s organizational chart, including current titles, reporting responsibilities and tenure at current position.
Information Technology Infrastructure:
Review and update your company’s I.T. policy manual, including rules and regulations governing all I.T. operations and I.T. security issues.
Systems/[Software] Development Life Cycle (SDLC):
After having identified the module or application being observed within a SAS 70 audit, steps should be taken to document the stages or cycles during the entire SDLC process.
Employee Issues:
Review and update all employee issues, such as hiring and termination policies, non-disclosure agreement documents, employee valuation guidelines, and any other information deemed vital.
Disaster Recovery:
Review and update all policies and procedures for disaster recovery, such as “hot site” and “cold site” locations, re-entering original premises, identification of disaster recovery internal team, and all other related issues.
If your organization does not have these documents or procedures in place, it’s time to engage in a pre-SAS 70 audit with a SAS 70 “Readiness” assessment. In doing so, you are ultimately saving time, money, and valuable resources within your company.

The Next Step
Communicate with your auditor immediately and notify them that there are deficiencies within your current business model. Identify these weaknesses and ask your auditor how they can assist in developing and putting in place structured processes and procedures. Demand an upfront fee for SAS 70 “Readiness” and inquire of the timeframe for completion.
Shown here on Fourspiral’s Web site courtesy of Tidwelldewitt,
Fourspiral can assist you in Africa for Preparation for undertaking SAS 70 Audit. Good preparatory work will significantly reduce the time it takes to successfully pass an audit of this nature.

'Plan, Plan, Plan – Train hard, expect the worst and you’ll be surprised at how you grow and what one's team can achieve.’
B. Mc Mahon
Official Thawte Referrer