Sarbanes Oxley and IT

Sarbanes Oxley control activities to prevent fraud include authorization, custody, record keeping and reconciliation. The segregation of duties in Sarbanes Oxley can be put to work in IT as well. While division of labor can seem inefficient, apply Sarbanes Oxley concepts to IT can improve IT security, reduce fraud, increase accountability and help find mistakes when they are correctible. In the long run, tighter controls and supervision will reduce problems and losses in an IT system.

Examples of applying Sarbanes Oxley principles in IT include:
* The individual who sets up user accounts should not be the same person who audits accounts for appropriate (or inappropriate) behavior. This mimics the division of financial tasks, with the person writing the checks being excluded from auditing the books.
* The individual who authorizes user role assignments should not be the same person who audits user roles for compliance with IT security. This prevents a manager who is granting access in violation of IT security policy from hiding their actions.
* The individual who maintains the inventory of IT assets should not be the same person who distributes them or assigns ownership. Hiding a stolen computer is easier if the same person assigns it to a false account and then checks off a form that it is still in the correct location.
* The individual who manages software license counts should not be the same person who pays for software licenses.
* The person who issues contracts for IT services should not be the same person who cuts the check to pay for services. This is the same division of roles as Sarbanes Oxley requires of financial groups. However, money is spent by IT, the division of responsibilities may not flow down to the IT financial decision makers.
* The group that purchases IT assets like hardware should not be the same group that manages its inventory.
* Auditors who reconcile the location of assets, license usage, user counts, IT department expenses and contracts should not work in the group they are auditing. For example, the auditor for the financial transactions of IT should not work in IT. Auditing of IT assets should not be done by someone in the inventory department.
* The individual responsible for IT security scans of the network should have a backup who is not their superior or subordinate. This reduces the risk of a security breach being hidden instead of properly reported if found.
* Access control limits to protect data security should be tested both negatively and positively when put in place. Access control limit (ACL) testing should not be limited to verifying that users can view what they should be allowed to view. ACL testing should also include thorough testing that users who should not be able to access data cannot view it.
* Those who define the IT security infrastructure should have others test it and audit it. Like any other product, suppliers and bids for IT services should be reviewed and vetted by someone other than the individual who submitted the purchase request for the IT product or service.