Who interpreted this act for IT so poorly?



  • It can’t be that the ext. Auditors tell you how to run your company or division, especially by using SOX as an excuse. All SOX asks them to provide is an opinion about the controls over your financial statements and disclosures. If it turns out that you don’t have sufficient controls in some areas, you need to implement and document them. But in areas where you already have functioning controls, you don’t need new or additional ones only to satisfy your ext. Auditor.
    So, in some cases you need to strongly argue against your ext. Auditor.
    You should be capable of showing a functioning general IT control environment. Every additional SOX effort within the IT environment should be focused on financial systems or systems having a significant/material impact on the financial statements.
    That’s still some workload.
    And from my experience - we were quite often successful in getting the ext. Auditor back in line.



  • Who interpreted this act for IT so poorly? If blame is to enter into the discussion, it would be the myriad of professional services and products being manufactured/developed to bring companies into compliance. Those SOX/IT Experts, like myself, are the ones that have poorly defined it. The landscape of the SOX compliance market is very unique.
    The directly affected market is listed companies and their subsidiaries with USD75 Million in revenue or greater, which effectively reduces that total market to a very small number. Yet the entrepreneurial investment in this market space is unparalleled. There are dozens, if not hundreds, of companies attempting to ‘get a piece’ of a market that is still not judiciously defined. The PCAOB inspection reports are not due yet, and enforcement of the auditing standards has yet to take place.
    So, everyone invested (in some way) in the SOX Compliance market is waiting for the first shoe to drop and then hopes that their product/service is aligned with the results. There are too many followers of a poor interpretation. Compliance is here to stay, and it is the biggest thing since… (fill in the blank).
    It is also a win-win, as someone else eloquently responded: businesses that embrace Sarbanes-Oxley will win in efficiency and in streamlining business overall, and we (Sox Experts) win because we get to flaunt our expertise for years to come.



  • What do you do in a small IT environment when 2 (one and a backup) have full admin access, and the other 2 do not, and the auditors say we can’t confirm who has access to the network?
    We have one ID they share and they change the password to strong passwords, and we document the heck out of who gets authorization for what.
    But the silly accounting firm didn’t get a screen shot before 12/31/04 and now wants to ding us for not having proper controls. Our test plan stated ‘Inquiry and Observation’ and they signed off that it was sufficient.
    Now, one month later, no screen, and therefore after 30 minutes they decide - nope, no general controls due to no screen print, and we are outta here. I’ve not seen them since.
    Now we have to go back and re-establish financial controls based on IT systems in some other way. This is absurd.
    The ERP system has at least 4 other layers outside the general network layer anyway. We DID test it, it passed; they were just too ‘busy’ to come look for themselves - should businesses pay the price for this?



  • What do you do in a small IT environment when 2 (one and a backup) have full admin access, and the other 2 do not, and the auditors say we can’t confirm who has access to the network?
    We have one ID they share and they change the password to strong passwords, and we document the heck out of who gets authorization for what.
    But the silly accounting firm didn’t get a screen shot before 12/31/04 and now wants to ding us for not having proper controls. Our test plan stated ‘Inquiry and Observation’ and they signed off that it was sufficient.
    Now, one month later, no screen, and therefore after 30 minutes they decide - nope, no general controls due to no screen print, and we are outta here. I’ve not seen them since.
    Now we have to go back and re-establish financial controls based on IT systems in some other way. This is absurd.
    The ERP system has at least 4 other layers outside the general network layer anyway. We DID test it, it passed; they were just too ‘busy’ to come look for themselves - should businesses pay the price for this?
    Sounds like your auditors do not have a clue about what they should be looking for.
    What specifically is the issue here - that you have a shared password? Whilst this is not best practice, it can actually be necessary in some systems/environments.
    Or is the issue that you didn’t take a screen dump of the access permissions at the time of testing? This is nuts, as there is no requirement for that level of documentation. Suggest that they should read PCAOB Auditing Standard #2.



  • @Denis: couldn’t have put it better… :lol:



  • I’m glad to see I’m not losing my mind. Yes - they left due to not having a screen shot proving our access level as of 12/31. They have done no other testing and in fact never even spoke to the CIO about this prior to leaving our site.
    My concern on another level is that they stopped testing after this 30 minute time period - what are they not doing now? They didn’t ask for this level of detail before 12/31 - and now time is still fleeting.
    Will they come back on 3/16 and say ‘We needed this before 3/16 and you didn’t furnish it…’ because they left us solo again?
    I think this is the weasel guarding the hen house, if you ask me. The auditors caused the problems - not reporting significant deficiencies at Enron/etc. And now they get to earn big bucks fixing it… makes Y2K look like a walk in the park.



  • What all of you audit control happy people are missing is the way things were implemented prior to SOX compliance. A lot of these companies did things a certain way that worked for their means before SOX was around, none of which has anything to do with financial reporting. Hence, when a company has a developer who implemented code that people are using in production, and they had to troubleshoot in production due to there being no prior means of code testing, then you have to disable the ability for IT resources to do their jobs effectively while destroying production time. A perfect example of this is something I have to deal with now. I am a network admin/manager and I have a problem with users using Media Player to rip music to their computers. Before, I could implement a group policy to disable the use of Media Player on the PC. Now I have to fill out a change request form in order to create this group policy. So a job that used to take me under a minute now takes 1 day to 1 week to implement and creates a completely unnecessary paper trail. Now I ask you: What in the world do implementations like that have anything to do with truth in financial reporting? The bottom line is, section 404 is written so vaguely that it allows audit companies to go in any direction they feel like. According to the way it is written, technically you would need documentation and approval and a paper trail to tell someone to reboot their computer because it is a repeatable process. Anyone who has anything to do with technology that is in support of the way section 404 is interpreted has obviously never really had to support whole environments by themselves and doesn’t really understand the way that technology systems work.
    It’s no wonder that auditors refer to SOX as the ‘Auditors’ Full Employment Act’.



  • This was posted: ‘I am sure there are numerous statistics around to show that most frauds occur from WITHIN the organisation and not outside. So i am sorry to all you support people but i would NEVER give you full access to everything all the time.’
    Wow, I know the names of numerous EXECUTIVES that defrauded stockholders, but I don’t know the name of a single IT person. I wonder why that is? Put law breakers in jail, don’t handcuff innocent people.



  • Spider, I like your point of view, but in the real world (outside of our systems) it cannot work. They cannot understand us.
    As a security person I know that over 60% of frauds occur from WITHIN the organisation and not outside. But I also know some ‘bad guys’ inside IT (with admin privileges). Security is not an IT word… it is law that defines what security is, what is allowed and what is not… Unfortunately for both of us.
    To err is human; to really foul things up requires a computer.



  • @spider - think you’re kidding yourself, mate.
    I’ve seen several examples of fraud committed by IT; here are two:

    1. Post-implementation of a major ERP, the IT manager realised that invoices of a certain exact value did not need to be authorised (only those above and below the value) and used this to defraud a large sum.
    2. The electronic payments file generated by AP sat on the server for an hour or so before being transmitted to the bank. In the meantime one of the IT staff changed bank account numbers on the file to divert funds to their own account.

    The reality is that IT frauds tend not to make the headlines so often.


  • Although I believe that SOX has allowed the external auditing companies to make a fortune, I also believe that standards have slipped over the years. I started as a Computer Auditor, and most of what SOX is looking for is what was the norm in my Computer Audit days, and IT Management was fully supportive in correcting any control weaknesses. I am now finding some basic control requirements, e.g. separation of duties, incident logging and reporting, are alien to the IT people. There appears to have been a serious decline in any knowledge about controls and their worth by IT managers, who are more focussed on cutting costs.



  • I have to agree that standards are and have fallen over the course of the last 15 to 20 years. I believe that this is a direct consequence of the introduction of PCs on people’s desktops. The flexibility offered by these boxes to the individual was never available from the monolithic mainframes or medium sized minis; however, this flexibility is now the norm.
    Although I work now and have worked in extremely large banking organisations with budgets that look like telephone numbers for people on Mars, the problems that end user computing causes from a SOX point of view are horrendous. Couple this with the RAD standards that were used extensively throughout the 90’s (due almost directly to the introduction of PCs) to create the core systems used in the organisation, and the problems of attaining SOX compliance are multiplied a thousandfold, if not more.
    Unfortunately it would appear that IT gave the key to the asylum to the lunatics, and it’s only now that we are having to try and put them back where they belong.
    I would never advocate a return to a centralised computing environment such as the mainframe era; however, in order that we should have efficient, value for money systems that do not pose a threat to the integrity of a business, we need a lot more control. I believe that SOX will facilitate this control.
    Pete.



  • A lot of the problems come from people that have no experience in IT at all. A lot of times they don’t know what to do and get their information from a knowledge base of their auditing organisations without understanding any of it. There have always been controls in IT, just because it makes sense and makes the development of systems more organized and method-driven. Now, people seem to be making more controls that don’t make sense. How can accountants and the like effectively audit IT when they try to apply their background to a different field?



  • Hi,
    ‘accountants will be held accountable’ …
    Doesn’t SOX place part of the responsibility for compliance on the auditor who certifies the controls as SOX compliant? Doesn’t that put the auditor under an immense amount of pressure, resulting in him rather erring on the ‘safe’ side, i.e. implementing more strict measures to ensure the quality and reliability of control data at the cost of IT people?
    Aren’t we missing a link between an auditor and the recipients of his measures? That link needs to translate the auditor’s fears (= requirements) into appropriate IT measures based on sound experience in the IT environment. We need an intermediate step that takes on part of that responsibility and mediates between these obviously conflicting parties (check this thread for an example ;)). SOX is intended to stop cheating, not business. Compliance and the documentation thereof is a compromise with IT’s flexibility, much like IT-Security is often a compromise. Both are necessary; either extreme is irresponsible.
    Cheers



  • A perfect example of this is something I have to deal with now. I am a network admin/manager and I have a problem with users using Media Player to rip music to their computers. Before, I could implement a group policy to disable the use of Media Player on the PC. Now I have to fill out a change request form in order to create this group policy. So a job that used to take me under a minute now takes 1 day to 1 week to implement and creates a completely unnecessary paper trail. Now I ask you: What in the world do implementations like that have anything to do with truth in financial reporting?
    This is not a specific SOX issue, but your comment raises some issues to consider outside of SOX. Consider the issue you raise. Basically, your users are conducting illegal activities at your workplace. If the authorities come knocking, isn’t it reassuring to know that there is now documentation in place that shows you took the steps to prevent the illegal activity? Documentation can be a pain, but in the right circumstances, you’ll be glad you have it to back you up.



  • I will have to agree with the poster who said that some of the controls that we are talking about now have been there for ages. As another poster said, we lost a lot of good practices from the mainframe world. Having been on both the IT and Audit side, some of the new IT people have no clue about what they are doing. I have seen places where the IT people write the code and pass it on to QA without unit testing their code. I am not saying all IT developers are like that. No use in IT blaming the auditors. Both will have to work together: IT people will have to learn to implement controls, and Audit will have to understand the complexity involved in IT departments. I would rather see IT internal audit as an extension of IT departments rather than a separate one.



  • :lol:
    Looks like SOX has brought about the culture of Soxumentation. All of us talk about SDLC; a well structured SDLC should anyway contain strong documentation. As far as authority and responsibilities go, no developer is a fool to do anything that he’s not supposed to do, so a structured matrix would have been insisted upon in the ORG.
    One serious question is, given the above, the company would be a CMM level 5 company, and auditors, by audit guidelines, can rely on the work of other auditors. Will the statutory auditors place reliance on the work done by the CMM auditors and vouch for the financial accuracy???
    Any thoughts on this, Soxers? 😉 :?:



  • One serious question is, given the above, the company would be a CMM level 5 company, and auditors, by audit guidelines, can rely on the work of other auditors. Will the statutory auditors place reliance on the work done by the CMM auditors and vouch for the financial accuracy???

    Indeed auditors can rely on the work of others, but within certain constraints:
    1) As per paragraph 108 of Auditing Standard #2: ‘In all audits of internal control over financial reporting, the auditor must perform enough of the testing himself or herself so that the auditor’s own work provides the principal evidence for the auditor’s opinion.’ What this means is that an auditor can leverage the work of others to a certain extent. In other words, they have to do enough of their own work. How much is enough? If all controls were weighted equally (which they are not) it would be 50%. Given the subjective nature of what constitutes principal evidence, the auditor is going to perform enough work to give them comfort, knowing they will have to answer to the PCAOB (and if you think being examined by an IT auditor is tough, try dealing with the PCAOB). I quote AS2: ‘Because the amount of work related to obtaining sufficient evidence to support an opinion about the effectiveness of controls is not susceptible to precise measurement, the auditor’s judgment about whether he or she has obtained the principal evidence for the opinion will be qualitative as well as quantitative. For example, the auditor might give more weight to work he or she performed on pervasive controls and in areas such as the control environment than on other controls, such as controls over low-risk, routine transactions.’
    2) The auditor has to ascertain the competency and objectivity of the individuals performing the work. While the folks performing a CMM assessment are most likely competent, they may not be considered objective if they were hired by IT management and reported to IT management. Auditors would expect them to report to Internal Audit or the equivalent. Therefore, it would behoove a company to demonstrate the objectivity and competence of contract resources if they would like the external auditor to leverage the work.
    3) As per paragraph 123, external auditors will need to test the work of others to make sure they can rely on it. Typically this involves a walkthrough (test of design) with subsequent reliance on the work of others for the test of effectiveness.
    4) Auditors have to exercise a lot of judgement, and auditing is more of an art than a science. Therefore, auditors will modify their work based on the attitude of management (i.e. tone at the top). For example, if the auditor senses that IT management believes SOX is a load of garbage and allows the attitude to permeate the organization, he/she will adjust their approach. On the other hand, if IT management engages in an open dialogue with auditors and stresses the importance of compliance within their organization (they check their personal feelings at the door), things will go much smoother.
    5) Bottom line: IT management needs to work with their auditors and avoid a confrontational mentality (and AS2 and the May 2005 PCAOB guidance stress this). Take SOD issues, for example. While a company should make every effort to resolve SOD issues, in some cases they cannot be avoided. There are compensating controls (IT and/or financial) that can be evaluated in light of SOD issues, and this evaluation is facilitated through open dialogue between IT management and the auditor. Without this dialogue, the auditor has no choice but to adopt a conservative approach and write up these issues as deficiencies and report them to the audit committee.
    Hope that helps,
    Ed



  • This is not a specific SOX issue, but your comment raises some issues to consider outside of SOX. Consider the issue you raise. Basically, your users are conducting illegal activities at your workplace. If the authorities come knocking, isn’t it reassuring to know that there is now documentation in place that shows you took the steps to prevent the illegal activity? Documentation can be a pain, but in the right circumstances, you’ll be glad you have it to back you up.
    Excellent points 🙂 … SOX is not the end-all and cure-all for controlling all inappropriate IT behaviors within an organization, as it focuses mostly on financial controls.
    If anyone is downloading mp3s from a P2P facility, there’s a greater exposure to worms, viruses, spyware, etc. 😞 Even from a financial standpoint, there are RIAA/DMCA exposures associated with copying intellectual property, as companies have ‘deeper pockets’ than a home user.
    Having standards and even technical filters in the firewall that disallow mp3s from being downloaded is a good thing. Also, there’s a Sony DRM rootkit that could be installed from certain music CDs being ripped as well.
    I’d recommend that security standards be kept up-to-date on things outside of SOX compliance, and esp. for this specific issue. After finalizing this, a short ‘all employees’ email might be useful in ensuring everyone is aware and that violations are subject to managerial discretion.



  • I have to agree that standards are and have fallen over the course of the last 15 to 20 years. I believe that this is a direct consequence of the introduction of PCs on people’s desktops. The flexibility offered by these boxes to the individual was never available from the monolithic mainframes or medium sized minis; however, this flexibility is now the norm. I have sure seen that happening.
    When the PC was first being used as a real business tool, the PC department were real mavericks compared to us mainframe programmers. They used tools that were totally inappropriate, because that is what they were familiar with. Those were the days when we usually had to wait a couple of hours, or maybe overnight, to get just one execution of a program on the mainframe. Having access to production data was nearly impossible and therefore rarely necessary.

