For companies looking to strengthen internal controls or stay compliant with applicable statutes, the best approach would be ensure that all new software that is being purchased by your company’s IT deparment is already ‘Statute (SOX, HIPAA,etc) compliant’. Products don’t have to come with a certificate that says ‘Our product is SOX compliant’. Even if none of these laws are applicable (lucky you!) it is in your best interests to ensure that basic principles such as Confidentiality, Integrity and Availability are the key cornerstones of every product that you seek to install in your IT or business environment.
Any product that
• truly enforces segregation of duties thereby avoiding conflicting responsibilities,
• has proper authorizations/workflow management in place
• Adequate management reporting capabilities
• Audit log capabilities
can be considered a compliant product.
Obviously, there are other internal control considerations. In addition, the many principles set down in COBIT or any other industry standard can be studied and applied to these products in greater detail. Besides this, the company’s control environment and risk appetite will also determine how many compliance features the product should ideally be ‘loaded’ with.
Any product that
• truly enforces segregation of duties thereby avoiding conflicting responsibilities,
• has proper authorizations/workflow management in place
• Adequate management reporting capabilities
• Audit log capabilities
can be considered a compliant product.
Obviously, there are other internal control considerations. In addition, the many principles set down in COBIT or any other industry standard can be studied and applied to these products in greater detail. Besides this, the company’s control environment and risk appetite will also determine how many compliance features the product should ideally be ‘loaded’ with.
Look for my next post on compliance and “must-have” internal control features for product companies.
