CHAPTER 26

Those Pesky Sarbanes-Oxley (SOX) Audits

If you work for any publicly traded company registered with the United States Securities and Exchange Commission (SEC), you have either already had an IT audit, or you are preparing for an upcoming IT audit. You can thank the Sarbanes-Oxley (SOX) Act of 2002 for this extra headache. The SOX Act was a result of the corporate financial scandals of Enron and the like. The purpose of SOX is to require the chief executive officer (CEO) and the chief financial officer (CFO) of all publicly traded companies to personally validate the accuracy of their company's financial records, and to ensure there are internal controls in place to protect all financial data. That last part is where all the IT staff entered the picture. You have probably noticed that the system change-request process has become burdensome with all the detailed plans for any system change and the back-out plans if something goes wrong. This is a good thing to do, but some organizations have gone overboard with the amount of detail required. As Systems Administrators, it falls on us to try to make sense of the new rules and to comply with the auditors. I am not going to cover the law, but rather tactics for UNIX Administrators to be prepared for an audit. Just remember that we are not the only department that will have to pass the audits. The Mainframe Team, the DBA Team, the Win-Tel Team, and the Network Team also have to pass the audits. So, be prepared to work with all these teams ...

Get Mastering UNIX® Shell Scripting: Bash, Bourne, and Korn Shell Scripting for Programmers, System Administrators, and UNIX Gurus, Second Edition now with the O’Reilly learning platform.