What is really going on with this thing you call SOX 489



  • Guest,
    I agree with you. If employees end up seeing SOX as another passing thing to ignore and circumvent because so many people are using it for things that are outside its real scope, we are in trouble. Unfortunately, it is difficult to define exactly what is in SOX and what is in everyone’s own agenda.



  • I am surprised finding departments that charge totally non-applicable expenses to their Section 404 project.



  • trebortoe
    Welcome to the club. There are so many of us asking exactly the same question, ‘how is this a good thing for the shareholders?’ We have exactly the same problem with passwords (I’m a user). My passwords now change every 60 days, at different times to each other, and so I have now had to resort to writing my passwords down. This is meant to increase security?
    As I see it the biggest problem is not the Act, but the way the Big 4 audit firms have interpreted the act. They are basically protecting themselves by insisting on petty controls for every little thing, so that there is no chance of them signing off on controls in a company that subsequently folds and is shown to have weak controls. Oh, and as a totally unconnected side-issue they are showing a 100% increase in revenue.



  • As I see it the biggest problem is not the Act, but the way the Big 4 audit firms have interpreted the act. They are basically protecting themselves by insisting on petty controls for every little thing, so that there is no chance of them signing off on controls in a company that subsequently folds and is shown to have weak controls.
    Who said you have to let the Big 4 auditor force the pace? If you let them set the agenda then you’ll end up with the situation you describe - but they are reporting on management’s assertion, therefore they need to be educated on how you have met that assertion.



  • Good point Dennis, it’s just that the effort required to convince the acctg firm that you’ve done appropriate work rivals the documentation and testing work you just did.
    Seriously, SOX 404 was ok, the PCAOB created a monster to justify their existence, then the big 4 in their eternal effort to cover their butts have taken the PCAOB AS2 to inappropriate lengths.
    A good lesson we can take from this is to make sure the auditor is informed of all significant SOX decisions up front so that, when they balk at accepting your work, you can ‘steer them straight’.



  • Just an aside…
    Was not SOX designed to put the Company in Charge of their financial reporting so that A-moral or I-moral auditor firms or anybody else for that matter could not pull the wool over the eyes and ears of the Company shareholders?
    Isn’t putting the auditor firms in charge of SOX kinda like putting the FOX in charge of the hen house???
    Does not all of this SOX stuff give an unfair advantage to Privately held corporations that do not have to incur the cost of SOXifying their operations?
    Questions Questions…



  • Furthermore…
    I heard recently that some of what has been put into the ISO 17799 standard was actually done by people with a Hacking Background. I was told this at a cocktail party attended by some former Hackers that made this assertion.
    Their justification for this was that everybody with an ounce of common sense knows that instituting a password policy that makes the users use long non-dictionary text strings with numerics as passwords that expire on a frequent basis is fairly insecure, because end users with lots of power in an organization such as CEOs and CFOs tend to use post-it notes in close proximity to their office or home workstations to record their passwords. All a potential hacker or criminal needs to do to get control of a system is obtain a job as a night watchman or janitor to gain access to companies’ most sensitive data.
    I personally believe that if a company is serious about security they should steer clear of these shams and use technology such as SecureID or some other saner approach to security.
    What do you all think?



  • Furthermore…
    I heard recently that some of what has been put into the ISO 17799 standard was actually done by people with a Hacking Background. I was told this at a cocktail party attended by some former Hackers that made this assertion.
    Their justification for this was that everybody with an ounce of common sense knows that instituting a password policy that makes the users use long non-dictionary text strings with numerics as passwords that expire on a frequent basis is fairly insecure, because end users with lots of power in an organization such as CEOs and CFOs tend to use post-it notes in close proximity to their office or home workstations to record their passwords. All a potential hacker or criminal needs to do to get control of a system is obtain a job as a night watchman or janitor to gain access to companies’ most sensitive data.
    I personally believe that if a company is serious about security they should steer clear of these shams and use technology such as SecureID or some other saner approach to security.
    What do you all think?
    Nonsense. ISO17799 does not require you to do this.



  • Isn’t putting the auditor firms in charge of SOX kinda like putting the FOX in charge of the hen house???

    Yes, but the auditor should not be in charge. They are only in that position when management abdicates responsibility.



  • Trebortoe,
    You say:

    I heard recently that some of what has been put into the ISO 17799 standard was actually done by people with a Hacking Background. I was told this at a cocktail party attended by some former Hackers that made this assertion.
    People with a hacking background hate standards but love positions like Chief Hacking Officer(.), Penetration Tester, Risk Analyst etc. Companies do put the fox in charge of the hen house… not always… but it is a really risky way to do business.



  • If you want to keep the foxes out of the hen house, you have to think like a fox yourself. And who does that better than reformed foxes?



  • Are there many reformed foxes?
    How can we recognize them? After so many years trying to do that I still can not be sure.

