Terry Simpkins, the IT manager at Measurement Specialties, used the HP 3000 newsgroup to announce a respite from some of the Sarbanes-Oxley strain. An SEC document at www.sec.gov/info/accountants/stafficreporting.htm “says the IS/IT ‘General Controls’ are not automatically part of section 404 testing. It’s buried in Section F of the [document], but the key phrase is, ‘For purposes of the Section 404 assessment, the staff would not expect testing of general IT controls that do not pertain to financial reporting.’ ”
Simpkins, whose March report to us chronicled 60-hour work weeks overwhelmed with SOX audit issues, added that “If you don’t know about section 404 testing, or are not involved in your company’s SOX testing, go home tonight and be very thankful.”
Simpkins has been sharing what he's learning as he pushes his organization, which relies on HP 3000s and MANMAN ERP software, through SOX compliance. Auditors have wanted to know how companies segregate MANMAN programming functions (testing vs. production) to become Sarbanes-Oxley compliant. One- or two-person shops, where the same person necessarily develops, tests and runs production, have been struggling to show auditors that this isn't a risk. Management review of who holds high-level system manager capabilities is the key compensating control, Simpkins says.
"SOX states that you have to be ‘in control’," he said, "and that can be defined lots of ways. What we have done is say that we are aware of the issue, but because of the small size of the staff, having ‘perfect’ segregation of duties just isn’t possible/practical."
"So I created a control that calls for a periodic review by the CFO of exactly who has the ‘sys mgr’ capabilities. I have created a ‘log’ of what users have access to the ‘sys mgr’ logon/capability, and I review this list with [the CFO] quarterly. He signs off on the list each quarter, as a record of the review."
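A quarterly review of that kind is only useful if the reviewer can see what changed since the last sign-off. The script below is an added example, not Simpkins' own control or anything from the newsletter: it takes a flat export of user capability lists (a constructed format, not the real MPE/iX LISTUSER report layout), pulls out every user.account holding the SM (system manager) capability, and diffs that set against the list signed off the previous quarter so that additions and removals stand out. All user, account and capability-list values in the sample are invented.

```python
"""Quarterly review of who holds SM (system manager) capability on an MPE/iX box.

Added example. The export format below is constructed for illustration and
does not reproduce the real LISTUSER report layout.
"""

# Constructed sample export: "USER.ACCOUNT" followed by its capability list.
# Capability codes shown (SM, AM, OP, AL, GL, DI, ND, SF, BA, IA, PH, PM) are
# MPE/iX capability names; the assignments here are invented.
CURRENT_EXPORT = """\
MANAGER.SYS      SM,AM,AL,GL,DI,OP,PM,ND,SF,BA,IA,PH
OPERATOR.SYS     OP,AL,GL,ND,SF,BA,IA,PH
TSIMPKIN.MANMAN  SM,AM,AL,GL,ND,SF,BA,IA,PH
CLERK.MANMAN     ND,SF,BA,IA
CONSULT.TEMP     SM,ND,SF,BA,IA
"""

# The SM holders the CFO signed off on last quarter (constructed).
PRIOR_APPROVED_SM = {"MANAGER.SYS", "TSIMPKIN.MANMAN"}


def parse_export(text):
    """Return {user.account: set(capability codes)} from the flat export."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, caps = line.split(None, 1)
        users[name.upper()] = {
            c.strip().upper() for c in caps.split(",") if c.strip()
        }
    return users


def holders_of(users, capability):
    """Every user.account whose capability list includes `capability`."""
    return {name for name, caps in users.items() if capability in caps}


def review(current_holders, prior_approved):
    """Diff this quarter's holders against the last signed-off list.

    'added' is what the reviewer most needs to see: an SM holder nobody
    approved last time. 'removed' confirms that revocations actually took.
    """
    return {
        "added": sorted(current_holders - prior_approved),
        "removed": sorted(prior_approved - current_holders),
        "unchanged": sorted(current_holders & prior_approved),
    }


def quarterly_sm_review(export_text=CURRENT_EXPORT, prior=PRIOR_APPROVED_SM):
    """Run the whole review for the SM capability and return the diff."""
    users = parse_export(export_text)
    return review(holders_of(users, "SM"), prior)


def signoff_sheet(result, quarter):
    """Plain-text sheet for the reviewer to sign; one line per finding."""
    lines = [f"SM capability review, {quarter}"]
    for kind in ("added", "removed", "unchanged"):
        for name in result[kind]:
            lines.append(f"  {kind.upper():9} {name}")
    lines.append("Reviewed by: ____________________  Date: __________")
    return "\n".join(lines)


if __name__ == "__main__":
    print(signoff_sheet(quarterly_sm_review(), "Q2 2005"))
```

The export is re-pulled each quarter and the "added" list is what the CFO is actually attesting to; once signed, this quarter's holders become the `PRIOR_APPROVED_SM` baseline for the next review. The same `holders_of` call with "AM" or "OP" covers the other capabilities an auditor is likely to ask about.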
SOX compliance has also been slowing HP 3000 shops' migrations. In particular, shops that have long given broad access to a single administrator are struggling to keep their support processes working under SOX audits. One site manager said she has lost her AM (account manager) and OP (system supervisor) capabilities on production accounts, "so trying to get onto a restricted box to look at a problem is...um....er...not so nicely achieved. We've tried to explain what damage this can (and will) do," said Carol Darnell, an IT manager at a very large HP 3000 installation, "but compliance appears to be more critical than being able to support our customers."
Foreign companies and those with market caps of less than $75 million recently got a one-year extension to comply. Instead of meeting the requirements by next month, these "non-accelerated" companies now have until July 15, 2006, less than six months before HP turns off its 3000 and MPE/iX support business. An article at the IT Compliance Institute explains the extension. The site also has a useful summary white paper of the SOX requirements.