git clone https://github.com/vibeforge1111/vibeship-spawner-skills
legal/sox-compliance/skill.yaml

id: sox-compliance
name: SOX Compliance
category: legal
description: Use when implementing Sarbanes-Oxley compliance, internal controls, audit trails, segregation of duties, or continuous monitoring - covers the COSO framework and IT general controls (ITGCs)

patterns:
  golden_rules:
    - rule: "Tone at the top"
      reason: "The control environment starts with leadership"
    - rule: "Segregation of duties"
      reason: "No single person controls an entire process end to end"
    - rule: "Evidence everything"
      reason: "If it's not documented, it didn't happen; auditors sample evidence, not intentions"
    - rule: "Continuous monitoring"
      reason: "Point-in-time testing misses failures that occur between tests"
    - rule: "Risk-based approach"
      reason: "Focus controls on the accounts and processes that could produce a material misstatement"

coso_framework:
  control_environment:
    - "Integrity and ethical values"
    - "Board independence and oversight"
    - "Organizational structure"
    - "Commitment to competence"
    - "Accountability"
  risk_assessment:
    - "Specify objectives"
    - "Identify and analyze risks"
    - "Assess fraud risk"
    - "Identify significant changes"
  control_activities:
    - "Select and develop controls"
    - "Select and develop technology controls"
    - "Deploy through policies and procedures"
  information_communication:
    - "Use relevant, quality information"
    - "Communicate internally"
    - "Communicate externally"
  monitoring:
    - "Conduct ongoing evaluations"
    - "Evaluate and communicate deficiencies"

itgc_controls:
  access_controls:
    - "User provisioning and deprovisioning tied to the HR joiner/leaver feed"
    - "Privileged access management"
    - "Password and authentication policies"
    - "Access reviews (typically quarterly) by the control owner"
  change_management:
    - "Change request documentation"
    - "Testing and approval before deployment"
    - "Segregation of duties (requester, approver and deployer are different people)"
    - "Emergency change procedures with retrospective approval"
  backup_recovery:
    - "Backup procedures and schedules"
    - "Restoration testing"
    - "Offsite storage"
    - "Business continuity plans"
  operations:
    - "Job scheduling"
    - "Incident management"
    - "Problem resolution"
    - "Batch processing controls"

# Severity definitions follow PCAOB AS 2201; the older "more than remote
# likelihood" test came from the superseded AS 2.
deficiency_levels:
  deficiency:
    definition: "A control is missing, poorly designed, or does not operate as designed, so it cannot prevent or detect a misstatement on a timely basis"
    impact: "Document and remediate"
  significant_deficiency:
    definition: "Less severe than a material weakness, but important enough to merit the attention of those responsible for oversight of financial reporting"
    impact: "Communicate in writing to the audit committee"
  material_weakness:
    definition: "Reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis"
    impact: "ICFR cannot be concluded effective; disclosed in management's annual report on ICFR"
anti_patterns:
  - pattern: "Shared credentials"
    problem: "No individual accountability; the audit trail cannot attribute an action to a person"
    solution: "Unique user IDs, no shared accounts; vault any unavoidable service credentials and log check-out"
  - pattern: "Admin access for developers"
    problem: "No segregation of duties between building and deploying a change; untested code can reach production"
    solution: "Separate dev, test and prod access; production access only through an approved, time-bound and logged break-glass process"
  - pattern: "Manual spreadsheet controls"
    problem: "Error prone, no audit trail of who changed what"
    solution: "Automate controls in systems that log every change"
  - pattern: "Point-in-time testing"
    problem: "Misses control failures between tests"
    solution: "Continuous monitoring with alerts on control exceptions"
  - pattern: "Undocumented exceptions"
    problem: "No audit trail for deviations from the control"
    solution: "Formal exception process with documented approval and expiry"
implementation_checklist:
  risk_assessment:
    - "Identify significant accounts"
    - "Map business processes to accounts"
    - "Assess inherent risk"
    - "Identify key controls"
  control_documentation:
    - "Document control objectives"
    - "Define control activities"
    - "Assign control owners"
    - "Create testing procedures"
  itgc_implementation:
    - "Access control matrix"
    - "Change management process"
    - "Backup and recovery procedures"
    - "Operations monitoring"
  testing:
    - "Develop test plans"
    - "Execute control testing"
    - "Document results"
    - "Remediate deficiencies"
  reporting:
    - "Aggregate control results"
    - "Classify deficiencies"
    - "Report to audit committee"
    - "Support external audit"
handoffs:
  - skill: gdpr-privacy
    trigger: "privacy controls"
  - skill: contract-analysis
    trigger: "audit provisions in contracts"
ecosystem:
  grc_platforms:
    - "ServiceNow GRC"
    - "SAP GRC"
    - "Workiva"
    - "AuditBoard"
  monitoring:
    - "Splunk"
    - "Sumo Logic"
    - "ELK Stack"
  access:
    - "Okta"
    - "SailPoint"
    - "CyberArk"
sources:
  regulations:
    - "Sarbanes-Oxley Act Section 404"
    - "PCAOB AS 2201 (An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements)"
    - "COSO Internal Control - Integrated Framework (2013)"
  guidance:
    - "ISACA COBIT"
    - "SEC interpretive guidance on management's report on ICFR (Release 33-8810, 2007)"
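The access_controls and change_management ITGCs above, and the "Shared credentials", "Admin access for developers" and "Point-in-time testing" anti-patterns, all come down to checks that can run continuously instead of once a quarter. The following is an added example, not code from the vibeship-spawner-skills repository: it evaluates segregation-of-duties conflicts over an access matrix, finds accounts that survived off-boarding, and flags change records without independent approval or test evidence. The entitlement names, toxic-combination rules, users and change records are constructed sample data; in practice they would come from the IAM system, the HR feed and the change tool.

```python
"""Continuous checks for three ITGCs: segregation of duties in the access
matrix, orphaned accounts after off-boarding, and approval/test evidence on
change records.

Added example, not code from the vibeship-spawner-skills repository. All
names, rules and records below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical toxic combinations: holding both entitlements lets one person
# control a financial process end to end (the SoD golden rule).
SOD_RULES: Dict[Tuple[str, str], str] = {
    ("vendor.create", "payment.approve"): "create a vendor and approve payments to it",
    ("journal.post", "journal.approve"): "post and approve own journal entries",
    ("code.commit", "prod.deploy"): "develop a change and deploy it to production",
    ("user.provision", "access.review"): "grant access and certify it",
}


@dataclass(frozen=True)
class Finding:
    user: str
    entitlements: Tuple[str, str]
    reason: str


def sod_conflicts(access_matrix: Dict[str, Set[str]]) -> List[Finding]:
    """One Finding per (user, toxic pair) that the user actually holds."""
    findings = []
    for user, held in sorted(access_matrix.items()):
        for pair, reason in SOD_RULES.items():
            if set(pair) <= held:
                findings.append(Finding(user, pair, reason))
    return findings


def orphaned_accounts(access_matrix: Dict[str, Set[str]], active_staff: Set[str]) -> List[str]:
    """Accounts still holding entitlements for people absent from the HR
    active list: a deprovisioning control failure."""
    return sorted(u for u in access_matrix if u not in active_staff)


@dataclass
class Change:
    id: str
    requester: str
    approver: Optional[str]
    tested: bool
    emergency: bool = False
    post_review: bool = False  # retrospective approval for emergency changes


def change_exceptions(changes: List[Change]) -> List[Tuple[str, str]]:
    """Change records lacking the evidence an auditor will sample for."""
    issues = []
    for c in changes:
        if c.approver is None:
            issues.append((c.id, "no approval recorded"))
        elif c.approver == c.requester:
            issues.append((c.id, "self-approved"))
        if not c.tested and not c.emergency:
            issues.append((c.id, "no test evidence"))
        if c.emergency and not c.post_review:
            issues.append((c.id, "emergency change without post-implementation review"))
    return issues


# --- constructed sample data --------------------------------------------
ACCESS_MATRIX: Dict[str, Set[str]] = {
    "alice": {"vendor.create", "payment.approve"},  # SoD conflict
    "bob": {"journal.post"},
    "carol": {"code.commit", "prod.deploy"},        # developer who can deploy to prod
    "dave": {"journal.approve", "access.review"},
    "erin": {"journal.post", "user.provision"},     # left the company last month
}
ACTIVE_STAFF = {"alice", "bob", "carol", "dave"}
CHANGES = [
    Change("CHG-1001", requester="carol", approver="dave", tested=True),
    Change("CHG-1002", requester="bob", approver="bob", tested=True),
    Change("CHG-1003", requester="alice", approver=None, tested=False),
    Change("CHG-1004", requester="carol", approver="dave", tested=False, emergency=True),
]


def run_checks() -> Dict[str, list]:
    """Aggregate results the way a scheduled job would feed a GRC platform."""
    return {
        "sod": sod_conflicts(ACCESS_MATRIX),
        "orphaned": orphaned_accounts(ACCESS_MATRIX, ACTIVE_STAFF),
        "changes": change_exceptions(CHANGES),
    }


if __name__ == "__main__":
    for check, results in run_checks().items():
        print(check, *results, sep="\n  ")
```

Each finding is a record with a stable identifier (user or change ID) and a reason, so the output can be written to the GRC platform as evidence of the control operating and, when a finding is accepted rather than fixed, routed into the formal exception process instead of being waived by email.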