1. Failure to segregate duties within applications, and failure to set up new accounts and terminate old ones in a timely manner. This was the biggie. Most companies didn’t have processes in place to make sure that when people switched divisions, their access to applications changed to reflect their new responsibilities. The CIOs interviewed for this article all reported establishing manual controls to address this problem for the first audit. Even Microsoft.
2. Lack of proper oversight for making application changes. In most organizations, a system administrator was responsible for all the changes to an application. But in order to pass the IT audit, CIOs had to appoint a person to make a change and another to perform quality assurance on it. And it had to be demonstrated that this procedure was being followed.
3. Inadequate review of audit logs. Most CIOs assigned someone to review application audit logs to make sure that systems were running smoothly. But with Sarbanes-Oxley, just performing the check no longer cuts it; you have to prove that it was done. In other words, you have to create an audit log of your audit log.
4. Failure to identify abnormal transactions in a timely manner. This is a classic IT problem that can often be fixed by making changes to the application so that it notifies you when there is a transaction that doesn’t conform to preestablished rules.
5. Lack of understanding of key system configurations. It turned out that many IT departments weren’t as smart as they thought they were. The solution to this weakness is simple: better training.