Dressing up your project compliance requirements – don’t forget your SOX.

While I was working as an IT Plant Manager, when SOX (the Sarbanes-Oxley Act of 2002) was implemented, my plant was selected for an initial mock audit to gauge how the corporation would perform during the official audits planned for later in the year.

Thanks to the hard work of my team, we passed the audit with no findings. This was a great accomplishment for the team and a new experience for me: I was asked to travel to White Plains, NY, and take part in the corporate SOX training to become one of the Corporate IT auditors who were sent out to other plants to perform further mock audits and help the IT leads develop the standards and controls they needed to be SOX compliant.

Our training and audits focused on Sarbanes-Oxley GCC (General Computer Controls) and on Application Controls that address the CAVR objectives (Completeness, Accuracy, Validity, and Restricted access). This post is not intended as full GCC or Application Control training; it is meant to provide background for those developing plans and governance roles for Programs and Projects within Life Sciences or other regulated disciplines.

People tend to treat SOX requirements as a single concern limited to financial applications and their controls. However, there are critical aspects of both GCC and Application Controls that I feel are appropriate for any application being considered for implementation, among them:

  • Program change controls, including system software acquisition and maintenance.

  • Information security controls.

  • Computer operations controls that ensure the continued, ongoing, and proper operation of systems.

  • Requirements dealing with systems development and implementation.

The points below expand on each of these from the perspective of implementing SaaS-based systems:

  • Program Change Controls – System Maintenance:

    • How are program changes requested, and how is it ensured that they are appropriate and authorized?

    • What segregation of duties is in place so that those who make the changes and those who authorize the move to production are not the same people?

    • Has testing at all required levels occurred to ensure the changes are accurate?

  • Information Security:

    • What are the password controls?

    • What are the security controls, and are they compliant with internal corporate policies?

    • What security monitoring is in place for their data centers, and if a third-party data center is used, has the SaaS vendor audited it and documented the findings?

  • Computer Ops:

    • What are the business continuity and disaster recovery plans?

    • How are their systems monitored?

    • What are their backup procedures, and are restores tested?

  • Systems Development and Implementation:

    • As noted in Program Change Controls, have all levels of testing occurred?

      • Unit

      • System

      • User

      • Validation (if required)

    • Was there adequate training?

    • Are data integrity controls in place?

This is only the tip of the iceberg when dealing with SOX, the General Computer Controls, and the relationship between GCC and the Application Controls for a business process. However, it provides some essential criteria to consider when completing your compliance outfit, alongside Title 21 (21 CFR), ISO, GAMP 5, and so on. Remember, you are not fully suited up until you add your SOX.

If you want to discuss your SOX and other compliance needs during implementation, let's connect.
