Sarbanes-Oxley - Procedures for compliance of IT processes in a public company

Thread starter: w_grunfeld

w_grunfeld

Does anyone have experience writing procedures for compliance of IT processes in a public company with the Sarbanes-Oxley act? Should SOX procedures be separate from the ISO 9001 QMS or, given that there are many commonalities with the QMS, should they be integrated?
Which approach is better?
Does anyone have examples, checklists, or any other reference material that might be helpful?
Willy
 
Thanks Mark,
That makes 3 of us asking questions...does anyone have answers/opinions/experience?
 
Going through a very similar situation. We are a public company in the manufacturing sector. We do have an IT department...or so their name tag says. :rolleyes:

This is how we're treating SOX...the same as we have with ISO 9001, ISO 14001, ISRS and OHSAS 18001.....

These requirements, these standards, these methodologies are all part of one thing...our Business Management System. The day you keep them as separate entities is the day that you run the risk of:
  • Parallel systems
  • Resource drains (multiple resources used for similar processes)
  • Redundancy and duplication
  • Higher probability of error (i.e., if information has to jump from system to system, it's kind of like the game "telephone" we used to play as kids...at the end of the line, nothing quite looks the way it began)

If there is no easy fit into existing documentation, then by all means develop a new standard that is suitable but use the same process for developing, maintaining, controlling, etc. that you use for ISO 9001.

If you're worried about audits and the scope of audits, all you need to do is clearly state the scope ahead of time and the parameters of your audit will be well established.
 