Computerworld - In an incredible delivery point this year, my team came through. Recently, at an office get-together, we had the opportunity to catch up on the year and some of the Sarbanes-Oxley Act initiatives that we will never forget.
We laughed about the late nights in the data center auditing the systems administrators, flying across the country to place boot-time passwords on critical systems and just making the best of a government mandate when there seemed to be so little information out there for interpreting this topic.
It became evident that the lessons learned from 2004's Sarbanes-Oxley initiatives could be broken down into three areas: clarity, planning and a repeatable process.
Clarity
It was critical early on that we needed to be clear on which systems were to be included in the Sarbanes-Oxley audit. While we used a Big Four accounting firm as a trusted adviser, the scope (the systems to be included in the compliance audit) was best defined by the internal data protection manager and a third-party organization that helped us prepare for our Sarbanes-Oxley testing. It was a powerful advantage that the definition of systems as being in scope and identified for testing was a combined effort of our IT audit company, the internal operations teams and the accounting team.
Having a definition of what was in scope and then communicating it through all levels of the organization was another milestone for our team. We were faced with how to best communicate and coordinate to the stakeholders and the employees what schedules and expectations were going to move forward with this initiative.
We assigned different tasks to the team members. For example, we assigned internal audit to an IT representative, our information and data protection manager. This was key in translating the "geekspeak" into business and internal audit control requirements. This combination proved to be invaluable, since the manager's background is in technology and auditing. He also improved the usefulness of e-mail messages by including status reports and Microsoft Project and Excel documents that needed to be updated.
Our team held meetings every Monday at 9 a.m. to set goals for the week. We'd also have a recap on Friday afternoons to review how we did with our goals from the Monday meeting. This proved to be productive because we would roll up our weekly goals into summary documents, which helped the internal audit and IT departments gauge where we needed additional assistance.
I was assigned to research and development. My task was to find the best tools
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
