Good evening,

I just want to share with PLUG my experience in SOX 404 testing, since
I am a financial/IT auditor and an information security consultant by
profession. I copied some text from SOX itself, and capitalized some
keywords.

SOX covers all U.S. public company boards, management, and public
accounting firms (including my firm).

For compliance with SOX 404 - Assessment of internal control,
management and the external auditor will report on the adequacy of the
company's INTERNAL CONTROL over FINANCIAL REPORTING. Both management
and the external auditor are responsible for performing their
assessment in the context of a top-down risk assessment, which
requires management to base both the scope of its assessment and
evidence gathered on risk. It basically means that the controls are
already IDENTIFIED beforehand by management, and they will then be tested
by the external auditor for their design and operating effectiveness (in
audit, we call it FULL testing).

If auditing/monitoring of the Samba server is identified as a "KEY
CONTROL", perhaps because the Samba server is holding financial
information that is used in financial reporting, then the said
controls for monitoring should be in place (like an auditing facility
that records access to the server and its data), and the controls
should be working effectively.

If monitoring of the Samba server is not identified by management as a
"KEY CONTROL", it doesn't really matter, though, in the context of that
engagement. The result of the internal controls assessment of the
external auditor and management will be an input to the internal
control report as required by SOX 302, Internal control
certifications.

It is understood that the controls for monitoring are not limited to
features of the Samba server (if supported by the version). You can
acquire other software that can meet the control objective. The
important point is that management identified that there is a monitoring
control for the server, that the control is in place, and that the control
is working effectively.

Note: External auditors are required to issue an opinion on whether
effective internal control over financial reporting was maintained in
all material respects by management. This is in addition to the
financial statement opinion regarding the accuracy of the financial
statements.


Happy new year, everyone!


Cris Masancay


On Dec 28, 2007 4:42 PM, Kenneth P. Oncinian
<[EMAIL PROTECTED]> wrote:
> Ambrosio Berdijo wrote:
> > 2 posts regarding audits this month, it's getting to look
> > like..... Sarbanes-Oxley (SOX) compliance for FOSS !!
> >
> >
>
> Sadly, Yes.
> If Samba can't provide a proper audit tool, it can't be used by any
> company that needs to comply with SOX.
>
>
>
>
> regards,
> Kenneth
>
> >
> >
> > plug bert <[EMAIL PROTECTED]> wrote:
> >
> > Hello All,
> >
> > Just wanna ask: is there any way to track the changes made to a
> > certain file on a Samba share? e.g.
> >
> > Dec. 1 -- file.txt created by user ....
> > Dec. 2 -- file.txt read by user ....
> > :
> > Dec. 10 -- file.txt modified by user ....
> > :
> > Dec. 30 -- file.txt deleted by user ...
> >
> >
> > Is there some sort of parser that can analyze the Samba logs and
> > come up with a report like this?
> >
> > tia
> >
> >
> >
> > _________________________________________________ Philippine Linux
> > Users' Group (PLUG) Mailing List [email protected] (#PLUG @
> > irc.free.net.ph) Read the Guidelines: http://linux.org.ph/lists
> > Searchable Archives: http://archives.free.net.ph



-- 
Christian Masancay
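An added example (not code from this thread or from the Samba project) for the question quoted above about tracking one file's history on a Samba share: Samba's vfs_full_audit module can log each VFS operation to syslog, and a small parser turns those lines into the per-file report the question sketches, which is also the kind of access record a monitoring control like the one Cris describes would produce. The host, users, addresses and paths in the sample log are constructed, and the line layout assumes the module's default "%u|%I" prefix.

```python
# Added example (not from the thread): build a per-file access timeline from
# Samba vfs_full_audit syslog lines. The log lines, host, users and paths are
# constructed; the line shape assumes vfs_full_audit's default prefix "%u|%I"
# (an assumption about the log format, not something the thread states).
import re
from collections import defaultdict

SAMPLE_LOG = """\
Dec  1 09:12:03 fileserver smbd_audit: alice|10.0.0.5|open|ok|w|reports/file.txt
Dec  1 09:12:03 fileserver smbd_audit: alice|10.0.0.5|pwrite|ok|reports/file.txt
Dec  2 14:05:41 fileserver smbd_audit: bob|10.0.0.7|open|ok|r|reports/file.txt
Dec 10 11:30:09 fileserver smbd_audit: alice|10.0.0.5|open|ok|w|reports/file.txt
Dec 10 11:30:10 fileserver smbd_audit: alice|10.0.0.5|pwrite|ok|reports/file.txt
Dec 12 08:00:00 fileserver smbd_audit: carol|10.0.0.9|unlink|fail|reports/file.txt
Dec 30 17:45:22 fileserver smbd_audit: alice|10.0.0.5|unlink|ok|reports/file.txt
Dec 30 17:50:00 fileserver smbd_audit: bob|10.0.0.7|open|ok|r|other.txt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smbd_audit: "
    r"(?P<user>[^|]+)\|(?P<ip>[^|]+)\|(?P<op>[^|]+)\|(?P<result>ok|fail)\|(?P<args>.*)$"
)

# Map the VFS operations we care about to (path, verb); other ops are ignored.
def describe(op, args):
    if op == "open":
        mode, path = args.split("|", 1)
        return path, "opened for writing" if mode == "w" else "read"
    if op == "pwrite":
        return args, "modified"
    if op == "unlink":
        return args, "deleted"
    return None

def file_timeline(log_text):
    """Return {path: [(timestamp, user, ip, verb, result), ...]} in log order."""
    timeline = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an smbd_audit line
        d = describe(m["op"], m["args"])
        if d is not None:
            timeline[d[0]].append((m["ts"], m["user"], m["ip"], d[1], m["result"]))
    return dict(timeline)

def report(log_text, path):
    """One line per event for the given path; denied attempts are flagged."""
    return [f"{ts} -- {path} {verb} by {user} from {ip}" + ("" if ok == "ok" else " (DENIED)")
            for ts, user, ip, verb, ok in file_timeline(log_text).get(path, [])]
```

Failed operations are kept and flagged rather than dropped, since a denied delete attempt is exactly what a reviewer of the monitoring control would want to see.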