Hardcopy daily initials required instead of email?



  • At my work they are insisting it’s a SOX requirement that each shift initial each item in a list (below). This method, in my opinion, doesn’t hold a candle to electronic communication (email). There is no day/time/person stamp on these chicken-scratch lists. There is no way of confirming who made the initials, when they were made, etc. There is nothing keeping us from pre-filling these forms or keeping them in our cubbies until ready to add to binder, or covering for one another if missed.
    Is this hardcopy, bathroom-janitor style checklist really stipulated in SOX? If email was used to establish accountability in Tyco / Enron etc, why is it deemed not as good as hardcopy chicken scratches?
    Does anyone know the SOX section that requires this on hardcopy?
    …Task… Initials…
    Refresh monitors
    Check troubleticket queue
    Verify Symposium Phone system
    Check for VMs on all phones
    Post metrics
    Conduct shift passdown



  • Is this hardcopy, bathroom-janitor style checklist really stipulated in SOX?
    Not at all, but your Internal Controls might. SOX only says you have to have them, it does not specify which ones you need.
    The fact that you might think these are unnecessary or not working properly is something different.



  • Hi and welcome to the forums 🙂 I agree with your observations, as well as IrquiM’s good comments.
    If this is a required SOX control, the way it was implemented may need to be improved. The use of a change management or another software approach (e.g., even email) might provide efficiencies and a better audit trail that would be less subject to falsification (e.g., time stamps can’t be easily manipulated).



  • Thank You Both for your insight. I still find it odd that nobody really knows if it’s a SOX control at all. I was hoping someone would just say: ‘Oh yes, that satisfies section umpty-ump of subsection blah of the Sarbanes-Oxley Act.’
    I want to read it for myself. I am wondering if it’s a SOX control at all, or rather some ‘best recommended’ practice a bunch of auditors made up.



  • Hi – The need to capture or document ‘shift turnover’ information might be an indirect SOX related control?
    SOX as a whole is more focused on financial workflows and system controls, but the SOX 404 IT based controls play a major part in this as well. For example, as part of the IT security or workflow improvements, there are needs to capture better change management documentation. Thus, I can see an indirect relationship.
    SOX is subject to interpretation as it must be somewhat vague in its wording to cover a wide range of industries, IT platforms, software, and other requirements. It’s also for the most part a self-regulatory approach with checks by external audit certifications and potentially SEC based audits or investigations.
    As a bottom line, what you’re doing in this process is exactly named as a SOX requirement, esp. the ‘chicken scratch’ part 😉 However, there might be a need to capture ‘turnover to production’ info, and thus this daily signed document is being used as a control.
    Manual documents will work but as I shared earlier, doing this electronically with timestamps seems to be a better method of implementation (e.g., so folks can’t sign after the fact, etc.).



  • That’s right.
    SOx is very much dependent on people’s interpretation.
    For instance: Actually, we have people from 3 of the Big 4 working around us, and each one interpreted parts of the Act in a different way; however, in the end all agreed that a risk control methodology and framework is needed, but we had some differences in the way it must be implemented.



  • As a bottom line, what you’re doing in this process is exactly named as a SOX requirement, esp. the ‘chicken scratch’ part 😉 However, there might be a need to capture ‘turnover to production’ info, and thus this daily signed document is being used as a control. Manual documents will work but as I shared earlier, doing this electronically with timestamps seems to be a better method of implementation (e.g., so folks can’t sign after the fact, etc)
    So to summarize: ‘Yes, handwritten initials are required by SOX’ AND ‘This is a poor implementation of SOX controls.’
    Hmmm interesting…
    It sounds like though electronic form would be 10 times more robust, reliable, and tamper-proof…Tough-luck. We use old-fashioned, easy-to-blowoff method instead…
    Twice the work and 3 times more susceptible to circumvention. This, I’m sure is exactly what Uncle Pauly and Uncle Mikey had in mind when they signed their Sarbanes and Oxley to it…



  • So to summarize: ‘Yes, handwritten initials are required by SOX’ AND ‘This is a poor implementation of SOX controls.’
    NO.
    It is required by your own company’s internal controls.
    But the company is required to have internal controls by SOX, how they define their controls is not defined by SOX.



  • It sounds like though electronic form would be 10 times more robust, reliable, and tamper-proof…Tough-luck. We use old-fashioned, easy-to-blowoff method instead … Twice the work and 3 times more susceptible to circumvention.
    I’ve worked for two different organizations since the advent of SOX … The 1st company was very paper intensive and we definitively felt the impact of these controls. Thankfully my current employer uses the more electronic approach.
    SOX offers the flexibility and choice. There’s no reason later based on constructive feedback why you guys can’t move to a more efficient and effective paperless control system.
    While SOX controls can even help a firm, as we debated – it still adds to the business costs and overhead. When you implement any controls inefficiently, it’s a drag on your workflow and costs you real and unnecessary dollars.
    Improper implementations or over-zealous controls are reasons why some folks are claiming those 20-30% SOX overheads, rather than the more minimal 0-10% range (e.g., in a company with very well defined financial controls, some folks are claiming almost nil impact).
    This, I’m sure is exactly what Uncle Pauly and Uncle Mikey had in mind when they signed their Sarbanes and Oxley to it…
    Thanks for good morning laugh 😉 🙂

