DBA Guide to Understanding Sarbanes Oxley Presentation

DBA Guide to Understanding Sarbanes-Oxley Stephen Kost Integrigy Corporation Copyright © 2006 Integrigy Corporation

Transcript of DBA Guide to Understanding Sarbanes Oxley Presentation

Page 1: DBA Guide to Understanding Sarbanes Oxley Presentation

DBA Guide to Understanding Sarbanes-Oxley

Stephen Kost
Integrigy Corporation

Copyright © 2006 Integrigy Corporation

Page 2: DBA Guide to Understanding Sarbanes Oxley Presentation

Agenda

• What is Sarbanes-Oxley?
• Sarbanes-Oxley Compliance
• Oracle Applications SOX Compliance Model
• Security
• Auditing
• Change Management

Page 3: DBA Guide to Understanding Sarbanes Oxley Presentation

Sarbanes-Oxley Act of 2002

• Section 302 requires the Chief Executive Officer and Chief Financial Officer on a periodic basis to have –
  • "designed internal controls" over financial reporting
  • "evaluated the effectiveness" of such internal controls
• Section 404 requires a corporation's annual report to contain an internal control report that states –
  • "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures"
  • management has performed "an assessment of the effectiveness of the internal control structure and procedures for financial reporting"

Page 4: DBA Guide to Understanding Sarbanes Oxley Presentation

SEC Rules and COSO

• The actual SOX rules are implemented by the SEC
• The SEC final rules require corporations to use a recognized internal controls framework
• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal controls framework is specifically mentioned
• COSO provides a framework for defining and evaluating internal controls
  • Only addresses IT controls in a very general manner
  • COSO suggests using an IT controls framework, like COBIT

Page 5: DBA Guide to Understanding Sarbanes Oxley Presentation

PCAOB

• The Public Company Accounting Oversight Board (PCAOB) develops the rules for external auditors and released "Auditing Standard #2"
  • Emphasizes the importance of IT controls
  • Does not provide any details on what IT controls are required – each corporation must develop IT controls that support its internal control program
• Most audit firms have adopted COBIT as the standard IT Controls Framework

Page 6: DBA Guide to Understanding Sarbanes Oxley Presentation

Diagram: how the Sarbanes-Oxley Act of 2002, SEC Rules, PCAOB Standards, the COSO Framework, and COBIT relate.

• Sarbanes-Oxley Act of 2002 leads to SEC Rules and PCAOB Standards
• SEC Rules: SEC defines rules for corporations; suggests COSO
• PCAOB Standards: PCAOB defines standards for auditors; suggests an IT framework
• COSO Framework: suggests an IT framework
• COBIT: the IT framework suggested by both COSO and the PCAOB standards

Page 7: DBA Guide to Understanding Sarbanes Oxley Presentation

COBIT

• COBIT is a controls framework for IT governance for the entire organization and provides high-level control objectives for applications and infrastructure
• The control objectives are not at a level that can be immediately implemented by a DBA or system administrator
• The control objectives provide high-level characteristics for what the implemented internal control should include
• ISACA's "IT Control Objectives for Sarbanes-Oxley" maps COBIT to Sarbanes-Oxley compliance

Page 8: DBA Guide to Understanding Sarbanes Oxley Presentation

Sarbanes-Oxley Compliance

• There is no single point of reference or comprehensive guidelines for SOX compliance
• SOX compliance is defined by the corporation itself, by reference to a set of internal controls frameworks
• Because every business assesses risks differently, the controls each business requires will be different

Page 9: DBA Guide to Understanding Sarbanes Oxley Presentation

Sarbanes-Oxley Compliance

• SOX compliance is about risk
• Internal controls are about controlling and reducing risk
• SOX compliance should be done in the context of an enterprise-wide SOX initiative
• Oracle Applications is often the financial system of record
  • The financial system will most likely garner close scrutiny
  • Often required to meet a higher standard of SOX compliance than the rest of the IT department

Page 10: DBA Guide to Understanding Sarbanes Oxley Presentation

Looking at SOX Compliance

• Corporate officers (CEO, CFO, …)
  • Must attest to the corporation's internal controls
  • Rely on internal audit and SOX compliance teams to determine if internal controls are in place
• External Auditors
  • Assess the effectiveness of such internal controls
  • Must understand the flow of transactions through the corporation and IT systems

Page 11: DBA Guide to Understanding Sarbanes Oxley Presentation

SOX is a WRITE Event

• SOX is primarily focused on write events
• SOX is most concerned with any and all changes to the financial data and the processing of the financial data
• The processing of financial data includes the programs, reports, and configuration settings that may affect how the data is processed or reported
• Unauthorized querying or viewing of data may be an issue in terms of HIPAA, GLBA, US and European privacy laws, and SEC rules

Page 12: DBA Guide to Understanding Sarbanes Oxley Presentation

What are Internal Controls

• Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives
• Preventative or Detective
  • Preventative = discourage errors and irregularities from occurring
  • Detective = find errors and irregularities after they have occurred
• Automated or Manual

Page 13: DBA Guide to Understanding Sarbanes Oxley Presentation

Oracle Applications SOX Compliance Model

Matrix of Oracle Applications technical components (rows) against control areas (columns). The control areas are grouped as Access (1. Security, 2. Auditing), Changes (3. Change Management), and Operations (4. Monitoring and Troubleshooting, 5. Availability).

| Component           | 1. Security                                    | 2. Auditing              | 3. Change Management                                                        | 4. Monitoring and Troubleshooting | 5. Availability      |
|---------------------|------------------------------------------------|--------------------------|-----------------------------------------------------------------------------|-----------------------------------|----------------------|
| Oracle Applications | 1.1 User Management, 1.2 Segregation of Duties | 2.1 Application Auditing | 3.1 Object Migrations, 3.2 Application Configuration, 3.3 Application Patches | 4.1 Application                   | 5.1 Application      |
| Database            | 1.3 Database Security                          | 2.2 Database Auditing    | 3.4 Schema Changes, 3.5 Database Configuration, 3.6 Database Patches        | 4.2 Database                      | 5.2 Database         |
| Operating System    | 1.4 OS Security                                | 2.3 OS Auditing          | 3.7 Change Control, 3.8 OS Patches                                          | 4.3 Operating System              | 5.3 Operating System |

Page 14: DBA Guide to Understanding Sarbanes Oxley Presentation

1. Security

• Security must be addressed at the application, database, and operating system levels
• Individual accounts for accountability
  • Must map generic accounts to individuals (e.g., APPS)
• Periodic review of access privileges
• Password management
  • Must meet the enterprise-wide password policy, not some other standard

Page 15: DBA Guide to Understanding Sarbanes Oxley Presentation

1.1 User Management

• Use of named and unique accounts for all users
• Adherence to the enterprise security policy for passwords for all application accounts (length, complexity, failure lock-out, etc.)
  • May require use of custom password validation
• New accounts should be created with a unique password and require the password to be changed upon first login
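As an added example (not part of the original slides), the following SQL checks the site-level sign-on password profile options in Oracle Applications 11i against an assumed enterprise policy, so the "adherence to the enterprise security policy" bullet becomes a repeatable query rather than a manual review. The profile option internal names are the seeded FND names; the thresholds in the POLICY subquery, and running it as APPS, are assumptions for this illustration.

```sql
-- Added example, not from the original slides: compare Oracle Applications
-- sign-on password settings (site level) with an assumed enterprise policy.
-- Run as APPS. The thresholds in the POLICY subquery are assumptions; the
-- profile option internal names are the seeded FND names.
WITH policy AS (
  SELECT 'SIGNON_PASSWORD_LENGTH'        AS name,
         8                               AS min_num,
         CAST(NULL AS NUMBER)            AS max_num,
         CAST(NULL AS VARCHAR2(1))       AS required_text FROM dual
  UNION ALL
  SELECT 'SIGNON_PASSWORD_FAILURE_LIMIT', NULL, 5,    NULL FROM dual  -- lock after 5 failures
  UNION ALL
  SELECT 'SIGNON_PASSWORD_NO_REUSE',      180,  NULL, NULL FROM dual  -- days before reuse
  UNION ALL
  SELECT 'SIGNON_PASSWORD_HARD_TO_GUESS', NULL, NULL, 'Y'  FROM dual  -- complexity rules on
),
site_values AS (
  SELECT po.profile_option_name   AS name,
         pov.profile_option_value AS current_value
    FROM applsys.fnd_profile_options       po
    JOIN applsys.fnd_profile_option_values pov
      ON pov.profile_option_id = po.profile_option_id
     AND pov.application_id    = po.application_id
   WHERE pov.level_id = 10001                 -- 10001 = Site level
)
SELECT p.name,
       sv.current_value,
       CASE
         WHEN sv.current_value IS NULL                     THEN 'NOT SET'
         WHEN p.required_text IS NOT NULL                  THEN
              CASE WHEN sv.current_value = p.required_text THEN 'OK' ELSE 'WEAK' END
         WHEN p.min_num IS NOT NULL
              AND TO_NUMBER(sv.current_value) < p.min_num  THEN 'WEAK'
         WHEN p.max_num IS NOT NULL
              AND TO_NUMBER(sv.current_value) > p.max_num  THEN 'WEAK'
         ELSE 'OK'
       END AS finding
  FROM policy p
  LEFT JOIN site_values sv ON sv.name = p.name
 ORDER BY p.name;
```

A row reading NOT SET is as much a finding as WEAK: an unset option falls back to the Oracle default rather than the enterprise policy. Keep the query with the other SOX evidence scripts so the same output can be produced for the auditors each period.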

Page 16: DBA Guide to Understanding Sarbanes Oxley Presentation

1.2 Segregation of Duties

• Do not use SYSADMIN
• System administrators and developers should have inquiry-only functional responsibilities
• Developers and other support staff should have no access to production to register programs, change profile option values, etc.
• Custom system administration responsibilities should be created for IT and limited to only necessary functions

Page 17: DBA Guide to Understanding Sarbanes Oxley Presentation

1.3 Database Security

• APPS account only used for maintenance
  • All usage requires a change ticket
  • Access limited to a small group of DBAs
• DBAs and support staff have named, read-only database accounts
• Create an "APPSIF" database account with insert, update, and delete privileges to interface tables
  • All usage requires a change ticket
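As an added example (not part of the original slides), the following SQL implements the 1.3 controls as database objects: a password profile, a read-only role for named support accounts, the APPSIF interface account limited to DML on interface tables, and a detective query for the periodic privilege review. The profile, role and account names (SUPPORT_RO, APPS_READONLY, JSMITH, APPSIF) are assumptions; GL.GL_INTERFACE and AP.AP_INVOICES_INTERFACE are standard E-Business Suite interface tables. Passwords are SQL*Plus substitution variables so that nothing is hard-coded in the script.

```sql
-- Added example, not from the original slides: database objects for the
-- 1.3 controls. Run as a DBA. The profile, role and account names (SUPPORT_RO,
-- APPS_READONLY, JSMITH, APPSIF) are assumptions; GL.GL_INTERFACE and
-- AP.AP_INVOICES_INTERFACE are standard E-Business Suite interface tables.
-- Passwords are SQL*Plus substitution variables so nothing is hard-coded.

-- Password controls for all named accounts (align with enterprise policy).
CREATE PROFILE support_ro LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1       -- days
  PASSWORD_LIFE_TIME    90
  PASSWORD_REUSE_MAX    10
  PASSWORD_REUSE_TIME   365;

-- Named, read-only accounts for DBAs and support staff instead of sharing APPS.
CREATE ROLE apps_readonly;
GRANT SELECT ON gl.gl_interface                   TO apps_readonly;
GRANT SELECT ON applsys.fnd_profile_option_values TO apps_readonly;
-- one GRANT SELECT per table support staff legitimately need to see

CREATE USER jsmith IDENTIFIED BY "&jsmith_pw" PROFILE support_ro PASSWORD EXPIRE;
GRANT CREATE SESSION, apps_readonly TO jsmith;

-- Interface account: DML on interface tables only, no system privileges
-- beyond CREATE SESSION, and never the APPS password.
CREATE USER appsif IDENTIFIED BY "&appsif_pw" PROFILE support_ro;
GRANT CREATE SESSION TO appsif;
GRANT SELECT, INSERT, UPDATE, DELETE ON gl.gl_interface          TO appsif;
GRANT SELECT, INSERT, UPDATE, DELETE ON ap.ap_invoices_interface TO appsif;

-- Detective check for the periodic access review: any row returned is a
-- privilege outside the design above and should match a change ticket.
SELECT grantee, 'SYS PRIV' AS kind, privilege AS detail
  FROM dba_sys_privs
 WHERE grantee IN ('APPSIF', 'APPS_READONLY', 'JSMITH')
   AND privilege <> 'CREATE SESSION'
UNION ALL
SELECT grantee, 'ROLE', granted_role
  FROM dba_role_privs
 WHERE grantee IN ('APPSIF', 'JSMITH')
   AND granted_role <> 'APPS_READONLY'
UNION ALL
SELECT grantee, 'OBJ PRIV', owner || '.' || table_name || ' ' || privilege
  FROM dba_tab_privs
 WHERE (grantee = 'APPS_READONLY' AND privilege <> 'SELECT')
    OR (grantee = 'APPSIF' AND table_name NOT LIKE '%INTERFACE%')
    OR  grantee = 'JSMITH'                    -- direct grants bypass the role
 ORDER BY 1, 2, 3;
```

The review query is the control the auditors will ask for: an empty result set, produced on a schedule and filed with the change tickets, is evidence that the account design still holds. Interface processes that currently log in as APPS are re-pointed at APPSIF one at a time, each under its own ticket.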

Page 18: DBA Guide to Understanding Sarbanes Oxley Presentation

1.4 Operating System Security

• oracle and applmgr should be controlled and the appropriate logs maintained to identify the individual accessing these shared accounts
  • Use sudo or PowerBroker to control and log access
• All access to interface accounts should be controlled and the appropriate logs maintained and monitored to ensure only authorized processes and users are transmitting interface files

Page 19: DBA Guide to Understanding Sarbanes Oxley Presentation

2. Auditing

• The Oracle Database and Oracle Applications are not compliant with SOX out of the box
  • No default auditing enabled
  • Oracle Applications only has the Created By and Last Updated By columns
• Performance is a significant concern with auditing
  • Only audit non-transactional tables
• Enabling auditing is the easy part
  • Need to develop procedures, scripts, and reports to archive, purge, alert, and report on the audit data

Page 20: DBA Guide to Understanding Sarbanes Oxley Presentation

2.1 Application Auditing

• Oracle Applications AuditTrails uses database triggers and shadow tables
• Need to audit and maintain a history of changes to users, responsibility assignments, and security setup (menus, functions, etc.)
• Sign-On:Audit should be set to FORM
  • This can actually be very useful if a segregation of duties issue arises
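As an added example (not part of the original slides) serving both the segregation-of-duties points in 1.2 and the Sign-On:Audit data described in 2.1, the following SQL answers the three questions an auditor actually asks: who holds the powerful seeded responsibilities, whether the generic SYSADMIN account has been used, and, with Sign-On:Audit at FORM, which forms a given user opened under which responsibility. The tables are Application Object Library (FND) objects in 11i/R12; the responsibility keys flagged, the 30-day window, and the substitution variables are assumptions for this illustration.

```sql
-- Added example, not from the original slides: detective queries for the
-- 1.2 segregation-of-duties controls and the 2.1 Sign-On:Audit data.
-- Run as APPS. FND table and column names are as shipped in 11i/R12;
-- the responsibility keys treated as "IT only" and the date windows are
-- assumptions. Query 3 returns rows only when Sign-On:Audit Level = FORM.

-- 1. Who holds System Administrator / Application Developer today?
SELECT u.user_name,
       r.responsibility_key,
       urg.start_date,
       urg.end_date
  FROM apps.fnd_user              u
  JOIN apps.fnd_user_resp_groups  urg ON urg.user_id = u.user_id
  JOIN apps.fnd_responsibility_vl r
    ON r.responsibility_id = urg.responsibility_id
   AND r.application_id    = urg.responsibility_application_id
 WHERE r.responsibility_key IN ('SYSTEM_ADMINISTRATOR',   -- seeded sysadmin
                                'APPLICATION_DEVELOPER')  -- seeded developer
   AND (urg.end_date IS NULL OR urg.end_date > SYSDATE)
   AND (u.end_date   IS NULL OR u.end_date   > SYSDATE)
 ORDER BY r.responsibility_key, u.user_name;

-- 2. Has the generic SYSADMIN account been used? The slide says it should not be.
SELECT l.login_id, l.start_time, l.end_time, l.terminal_id
  FROM apps.fnd_logins l
  JOIN apps.fnd_user   u ON u.user_id = l.user_id
 WHERE u.user_name = 'SYSADMIN'
   AND l.start_time > SYSDATE - 30
 ORDER BY l.start_time DESC;

-- 3. Form-level trace for one user when an SoD question arises:
--    which forms were opened, under which responsibility, and when.
SELECT u.user_name,
       r.responsibility_key,
       f.user_form_name,
       lrf.start_time,
       lrf.end_time
  FROM apps.fnd_logins                 l
  JOIN apps.fnd_user                   u   ON u.user_id = l.user_id
  JOIN apps.fnd_login_responsibilities lr  ON lr.login_id = l.login_id
  JOIN apps.fnd_responsibility_vl      r   ON r.responsibility_id = lr.responsibility_id
                                          AND r.application_id    = lr.resp_appl_id
  JOIN apps.fnd_login_resp_forms       lrf ON lrf.login_id      = lr.login_id
                                          AND lrf.login_resp_id = lr.login_resp_id
  JOIN apps.fnd_form_vl                f   ON f.form_id        = lrf.form_id
                                          AND f.application_id = lrf.form_appl_id
 WHERE u.user_name = '&user_name'
   AND l.start_time BETWEEN TO_DATE('&from_date', 'YYYY-MM-DD')
                        AND TO_DATE('&to_date',   'YYYY-MM-DD')
 ORDER BY lrf.start_time;
```

Query 1 is the periodic access review for the application tier; the expected result is the short list of named IT staff holding the custom, restricted administration responsibilities, not developers. Query 3 is only as good as the retention of the FND_LOGIN% tables, so the Purge Signon Audit Data concurrent program must be scheduled to keep at least the period the auditors will sample.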

Page 21: DBA Guide to Understanding Sarbanes Oxley Presentation

2.2 Database Auditing

• Database session auditing should be enabled
  • Monitor for access to APPLSYSPUB not from app servers
  • Review all access to APPS not from app or DB servers
• Set AUDIT_SYS_OPERATIONS = TRUE to audit SYSDBA and SYSOPER activity
• Need to create custom audit triggers on FND_PROFILE_OPTIONS and FND_PROFILE_OPTION_VALUES
  • Not auditable by Oracle Applications AuditTrails
• Audit USER, PROFILE, and SYSTEM AUDIT
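As an added example (not part of the original slides), the following SQL puts the 2.2 settings in place: standard auditing with AUDIT_SYS_OPERATIONS, session and account-management statement auditing, a custom trigger and shadow table for FND_PROFILE_OPTION_VALUES (a non-transactional table, so the performance caveat from the auditing overview does not apply), and the detective query for APPS and APPLSYSPUB logons from unexpected hosts. It is written for Oracle 10g/11g standard auditing; the XX-prefixed object names, the host list, and the use of FND_GLOBAL.USER_ID to capture the application user are assumptions for this illustration.

```sql
-- Added example, not from the original slides: 2.2 database auditing plus a
-- custom audit trigger for profile option values (not covered by AuditTrails).
-- Oracle 10g/11g standard auditing. Run the ALTER SYSTEM / AUDIT lines as
-- SYSDBA. The XX_ object names and the trusted host list are assumptions.

-- Turn on standard auditing (takes effect after restart) and audit SYSDBA work.
ALTER SYSTEM SET audit_trail          = DB_EXTENDED SCOPE = SPFILE; -- "DB, EXTENDED" on 11g
ALTER SYSTEM SET audit_sys_operations = TRUE        SCOPE = SPFILE;

-- Session auditing plus the account/privilege statements named on the slide.
AUDIT SESSION;
AUDIT USER;
AUDIT PROFILE;
AUDIT SYSTEM AUDIT;
AUDIT ROLE;
AUDIT SYSTEM GRANT;

-- Shadow table for FND_PROFILE_OPTION_VALUES changes (custom objects in APPS).
CREATE TABLE apps.xx_fnd_profile_opt_val_a (
  audit_ts          TIMESTAMP    DEFAULT SYSTIMESTAMP NOT NULL,
  dml_type          VARCHAR2(6)  NOT NULL,
  db_user           VARCHAR2(30),
  os_user           VARCHAR2(64),
  host              VARCHAR2(64),
  apps_user_id      NUMBER,      -- FND_GLOBAL.USER_ID; NULL for direct SQL sessions
  application_id    NUMBER,
  profile_option_id NUMBER,
  level_id          NUMBER,
  level_value       NUMBER,
  old_value         VARCHAR2(240),
  new_value         VARCHAR2(240)
);

CREATE OR REPLACE TRIGGER apps.xx_fnd_profile_opt_val_aud
  AFTER INSERT OR UPDATE OR DELETE ON applsys.fnd_profile_option_values
  FOR EACH ROW
BEGIN
  INSERT INTO apps.xx_fnd_profile_opt_val_a
    (dml_type, db_user, os_user, host, apps_user_id,
     application_id, profile_option_id, level_id, level_value,
     old_value, new_value)
  VALUES
    (CASE WHEN INSERTING THEN 'INSERT'
          WHEN UPDATING  THEN 'UPDATE'
          ELSE                'DELETE' END,
     SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'HOST'),
     -- FND_GLOBAL.USER_ID is -1 when the session was not initialized by
     -- the application (e.g. a DBA in SQL*Plus): store NULL in that case.
     CASE WHEN apps.fnd_global.user_id = -1 THEN NULL ELSE apps.fnd_global.user_id END,
     NVL(:NEW.application_id,    :OLD.application_id),
     NVL(:NEW.profile_option_id, :OLD.profile_option_id),
     NVL(:NEW.level_id,          :OLD.level_id),
     NVL(:NEW.level_value,       :OLD.level_value),
     :OLD.profile_option_value,
     :NEW.profile_option_value);
END;
/

-- Detective query: APPS / APPLSYSPUB logons from hosts other than the
-- application and database tiers (host names are assumptions).
SELECT username, os_username, userhost, timestamp, returncode
  FROM dba_audit_session
 WHERE username IN ('APPS', 'APPLSYSPUB')
   AND UPPER(userhost) NOT IN ('APPSRV01', 'APPSRV02', 'DBSRV01')
   AND timestamp > SYSDATE - 7
 ORDER BY timestamp DESC;
```

A row in the shadow table with a NULL apps_user_id is a profile option changed outside the application, which is exactly the case the change management slide warns is usually missing from the paper trail; every such row should reconcile to a change ticket. Note that once the shadow table exists the auditor will expect the archive and purge procedures from the auditing overview to cover it as well.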

Page 22: DBA Guide to Understanding Sarbanes Oxley Presentation

3. Change Management

• Change management is critical to SOX compliance
  • Auditors may review changed objects and trace the paper trail
• Must include all changes to the application, database, application servers, operating system, and hardware
• Often changes to Profile Options are not included in the change management process
  • Profile options change the configuration of the application and the processing of financial data

Page 23: DBA Guide to Understanding Sarbanes Oxley Presentation

Working with the Auditors

• Auditors' role is to assess the effectiveness of the internal controls and to identify weaknesses or deficiencies
• Audits often performed by audit generalists
  • May have limited or no knowledge of Oracle Applications
• Findings may not be correctable in Oracle Applications
  • Manual controls and acceptance of risk by management are possible solutions to audit findings
  • "Unsupported by Oracle" is a valid management response
  • May need to put in place compensating controls

Page 24: DBA Guide to Understanding Sarbanes Oxley Presentation

Conclusion

• No definitive references, rules, or guidelines exist for SOX compliance
• SOX compliance is based on the corporation's assessment of risk and adopted controls framework
• SOX is primarily a Write event
  • DBAs must think about the controls related to every way financial data and processes may be changed
• Most SOX compliance requirements can be readily implemented
  • Control of the APPS account and other privileged users can be challenging due to the design of Oracle Applications

Page 25: DBA Guide to Understanding Sarbanes Oxley Presentation

Contact Information

Copyright © 2006 Integrigy Corporation. All rights reserved.

Integrigy Corporation
P.O. Box 81545
Chicago, Illinois 60681
888/542-4802

Web site: www.integrigy.com
Sales: sales@integrigy.com
Development: development@integrigy.com
Support: support@integrigy.com
Security Alerts: alerts@integrigy.com