Sarbanes-Oxley

Latest post 08-27-2009 12:18 PM by thepciguy. 6 replies.

Sarbanes-Oxley

05-11-2009 10:47 AM

How do I go about learning if my organization falls under Sarbanes-Oxley (or any other IT regulatory requirements)? I have researched it online and it appears Sarbanes only impacts financial orgs, not government/non-profits.


Re: Sarbanes-Oxley

05-11-2009 12:55 PM

Hi Mary(?)

The three main sets of regulations most commonly known and applied are: Sarbanes-Oxley, or SarBox, or even shorter "SOX", which applies only to public companies. If you are a health-care providing agency you may fall under HIPAA, or the Health Insurance Portability and Accountability Act, designed to ensure that data is stored based on a certain standard. If you perform credit card transactions you are also subject to PCI DSS, or the Payment Card Industry Data Security Standard. Although SarBox doesn't apply to us, an IT manager for a larger nonprofit at our security session at NTC noted that, resources permitting, he'd like to aspire to reach SOX compliance in terms of auditability and storage, should these regulations be extended to the sector in the future. There may be other regulations you are subject to depending on the type of work you do. If you elaborate more on your org, maybe other users have had similar experiences?

best

-Kevin

Re: Sarbanes-Oxley

05-11-2009 2:39 PM

Your auditor should also be a good resource on the parts of SOX that you need to be concerned about. We are implementing some changes based on the auditor's recommendations but do not have to comply with the full requirements. There are several things that have come under scrutiny in the NPO world, but not to the same degree as in the commercial world. Most of our changes were on the accounting side, not directly related to IT.

Dave

Re: Sarbanes-Oxley

08-11-2009 1:18 PM

dwelp,

Unfortunately, I've found that in working with 3 auditors at 2 separate organizations, neither would provide analysis on SOX or PCI compliance. The auditors I am speaking about are reputable NPO auditors in the Chicago area. They would not provide any information nor opine in terms of a formal statement in the management letter. Obviously, this does not appear to be an issue with your auditors, but I was wondering if this was commonplace with other NPOs and their respective auditing firms?

Re: Sarbanes-Oxley

08-11-2009 1:34 PM

dcomber:
Unfortunately, I've found that in working with 3 auditors at 2 separate organizations, neither would provide analysis on SOX or PCI compliance

Was the denial from the upper management of the auditing firm or from the "junior" auditor assigned to the site doing their field work? (Most field auditors are recent graduates just starting out in their field and simply doing their assigned and trained tasks.)

I can understand a field auditor giving this answer, but I would think anyone in management of the audit firm would see this as more revenue and would be pleased to undertake such a project.

Dave

Re: Sarbanes-Oxley

08-26-2009 12:47 AM

SOX directly impacts publicly traded companies.

In some ways there are no hard and fast rules, and if you are working for a non-profit that is wholly funded by publicly traded companies you may well fall under SOX.

In some ways this is the wrong forum for such help.

  • Ask the auditor and/or the company's legal adviser.
  • Get the answer in writing.
  • Document that you have complied with the answer.

From a technology standpoint that is all there is to it.

Of course, if you are concerned about your organization's mission, and are worried about the quality of advice, you have a project ahead of you, but that is in the realm of office politics.


Re: Sarbanes-Oxley

08-27-2009 12:18 PM

You're getting good advice on this thread, Mary, and I hope it's helpful.

With SOX, you have to be a publicly traded company. If you're private, you're not subject to SOX (although it's not a bad idea to go ahead and put together the documentation).

I know you didn't ask about PCI, but since there's some discussion around that here, it's pretty cut and dried. If you're in the business of collecting, storing or transmitting credit card data that contains customer-identifiable information, you're subject to PCI. If you accept payments over the web, you're subject to PCI. However, if you use a third party's web app that accepts and processes the payments, then just sends you the funds, you can get out of it. PCI is very hot right now, with identity theft being one of the top white-collar crimes today.

There are a ton of remediation firms and PCI-certified auditors who will help you on both ends of the audit, but they will not do your documentation. This is where I put in a shameless plug for our company ... we do PCI and SOX documentation. :-)