TechWhirl (TECHWR-L) is a resource for technical writing and technical communications professionals of all experience levels and in all industries to share their experiences and acquire information.
For two decades, technical communicators have turned to TechWhirl to ask and answer questions about the always-changing world of technical communications, such as tools, skills, career paths, methodologies, and emerging industries. The TechWhirl Archives and magazine, created for, by and about technical writers, offer a wealth of knowledge to everyone with an interest in any aspect of technical communications.
Since January I've been working on Sarbanes-Oxley 404 documentation projects. Most have been at the business activity level and a bit at the entity level, but now I'm getting more involved on the IT side. The legislation declares that the company must adopt a framework against which to document their controls. Several standards that have been adopted are:
1. COSO, for Business Activity processes (i.e., generation of financial transactions and related processes that affect the financial statements.)
2. COBIT, for IT General Application Controls. The Cobit standard has more than 300 items and is now generally considered too broad for SOX purposes. ISACA (www.isaca.org) has worked with the big four to whittle down the list and they have issued a document detailing a more focused list of controls. The ISACA web site has a whole section on Cobit.
3. External auditor's list of questions for entity level controls (i.e., the overall environment at the company, the "tone at the top.")
One of the big four I'm working with now has adopted its own 80-item standard for IT controls, which closely resembles, but is not identical to, the Cobit list. I think they did this out of self-defense, as the ISACA standard had not been released yet and no one was quite sure what to do. One of the IT auditors I am working with at my company is approaching this from the CMM model of thinking, and deriving suggested best practices from that. I have noticed among clients that it does seem to be the accepted model. The processes must be documented, and then the testing is to ensure that they are followed. I have found that approach to be helpful, too.
I have a couple of questions. First, what other frameworks have others been working with? Has anyone been through a review of their documentation with the external auditors and gotten concrete feedback yet? It may be a bit early for this second one, as 10K audits have not started yet and I believe many firms are waiting until then to start their control assessment.
Just curious to see where others are at. I haven't had the benefit of seeing through a project from beginning to end yet, and not having much feedback from the final arbiter makes it difficult. Clients seem happy, though.