What is really going on with this thing you call SOX 489



  • I am currently working for a publicly traded company. Over the past few weeks I have been inundated with e-mails that are justifying changes to my PC configuration based on what those in the know say are required by SOX. These include things like

    1. crazy password rules that are really very insecure (change the password every few weeks, don’t use real words, must have numbers, =======> must write on a Post-it note next to the computer to remember it)
    2. crazy screen saver timeouts in seconds ===> user winds up disabling it to get any work done.

    There are more examples… It seems to me that many people are using SOX as a way to impose their will on people and justify their own jobs.
    Is this a good thing for my shareholders, building an incredibly expensive SOX compliance bureaucracy, I think not…
    Is there anything an employee or shareholder can do if they think that a particular company policy is suspect? Is there a definitive list of things that actually fall under SOX requirements?
    What things can an employee or shareholder do if they think a particular policy is being misused by somebody claiming it to be a SOX requirement when it is not?



  • Sarbanes-Oxley does not detail how to become compliant. This lack of detail has created some confusion as to what constitutes appropriate controls.
    It is true: Financial data rests on servers. Since IT systems are used to generate, change, house and transport financial data, we must build the controls that ensure information stands up to audit scrutiny.
    For years, IT departments have implored company executives to take security seriously, to little effect. But now that the law can fine companies for their security lapses, corporate leaders are paying better attention.
    It really happens: Some managers find SOx a golden opportunity to do everything they dreamed for years.
    George Lekatis
    lekatis_at_lekatis.com



  • I wholeheartedly agree with you but I also believe that the ambiguity or imprecision is being used by people to push their own agenda and in certain cases to do things not unlike charlatans. I had another rush of e-mails today concerning company policies that are required by SOX, things like setting 5 second screen saver timeouts, having absurd password changing rules, updating my skills matrix on a weekly basis, and reporting to a coach as well as a manager. (I am exaggerating a bit, but not so much).
    Now I agree that some of this stuff is really good but I also know that it has nothing to do with SOX. It is almost starting to trivialize SOX. Employees may end up seeing SOX as another passing thing to ignore and circumvent because so many people are using it for things that are outside its real scope.

    I think we all need to be careful as to what we include in our SOX policies so as not to trivialize it. We need everybody’s support to make it work. We all need to all believe in it or else it is gonna become a big mess.
    I don’t think I am overreacting. You should hear what is being said down here in the trenches.



  • Guest,
    I agree with you. If employees end up seeing SOX as another passing thing to ignore and circumvent because so many people are using it for things that are outside its real scope, we are in trouble. Unfortunately, it is difficult to define exactly what is in SOX and what is in everyone’s own agenda.



  • I am surprised to find departments that charge totally non-applicable expenses to their Section 404 project.



  • trebortoe
    Welcome to the club. There are so many of us asking exactly the same question, ‘how is this a good thing for the shareholders?’ We have exactly the same problem with passwords (I’m a user). My passwords now change every 60 days, at different times to each other, and so I have now had to resort to writing my passwords down. This is meant to increase security?
    As I see it the biggest problem is not the Act, but the way the Big 4 audit firms have interpreted the act. They are basically protecting themselves by insisting on petty controls for every little thing, so that there is no chance of them signing off on controls in a company that subsequently folds and is shown to have weak controls. Oh, and as a totally unconnected side-issue they are showing a 100% increase in revenue.



  • As I see it the biggest problem is not the Act, but the way the Big 4 audit firms have interpreted the act. They are basically protecting themselves by insisting on petty controls for every little thing, so that there is no chance of them signing off on controls in a company that subsequently folds and is shown to have weak controls.
    Who said you have to let the Big 4 auditor force the pace? If you let them set the agenda then you’ll end up with the situation you describe - but they are reporting on management’s assertion, therefore they need to be educated on how you have met that assertion.



  • Good point Dennis, it’s just that the effort required to convince the acctg firm that you’ve done appropriate work rivals the documentation and testing work you just did.
    Seriously, SOX 404 was ok, the PCAOB created a monster to justify their existence, then the big 4 in their eternal effort to cover their butts have taken the PCAOB AS2 to inappropriate lengths.
    A good lesson we can take from this is to make sure the auditor is informed of all significant SOX decisions up front so that, when they balk at accepting your work, you can ‘steer them straight’.



  • Just an aside…
    Was not SOX designed to put the Company in charge of their financial reporting so that amoral or immoral auditor firms or anybody else for that matter could not pull the wool over the eyes and ears of the Company shareholders?
    Isn’t putting the auditor firms in charge of SOX kinda like putting the FOX in charge of the hen house???
    Does not all of this SOX stuff give an unfair advantage to Privately held corporations that do not have to incur the cost of SOXifying their operations?
    Questions Questions…



  • Furthermore…
    I heard recently that some of what has been put into the ISO 17799 standard was actually done by people with a Hacking Background. I was told this at a cocktail party attended by some former Hackers that made this assertion.
    Their justification for this was that everybody with an ounce of common sense knows that instituting a password policy that makes the users use long non-dictionary text strings with numerics as passwords that expire on a frequent basis is fairly insecure, because end users with lots of power in an organization such as CEOs and CFOs tend to use Post-it notes in close proximity to their office or home workstations to record their passwords. All a potential hacker or criminal needs to do to get control of a system is obtain a job as a night watchman or janitor to gain access to a company’s most sensitive data.
    I personally believe that if a company is serious about security they should steer clear of these shams and use technology such as SecurID or some other saner approach to security.
    What do you all think?



  • Furthermore…
    I heard recently that some of what has been put into the ISO 17799 standard was actually done by people with a Hacking Background. I was told this at a cocktail party attended by some former Hackers that made this assertion.
    Their justification for this was that everybody with an ounce of common sense knows that instituting a password policy that makes the users use long non-dictionary text strings with numerics as passwords that expire on a frequent basis is fairly insecure, because end users with lots of power in an organization such as CEOs and CFOs tend to use Post-it notes in close proximity to their office or home workstations to record their passwords. All a potential hacker or criminal needs to do to get control of a system is obtain a job as a night watchman or janitor to gain access to a company’s most sensitive data.
    I personally believe that if a company is serious about security they should steer clear of these shams and use technology such as SecurID or some other saner approach to security.
    What do you all think?

    Nonsense. ISO 17799 does not require you to do this.



  • Isn’t putting the auditor firms in charge of SOX kinda like putting the FOX in charge of the hen house???

    Yes, but the auditor should not be in charge. They are only in that position when management abdicates responsibility.



  • Trebortoe,
    You say:

    I heard recently that some of what has been put into the ISO 17799 standard was actually done by people with a Hacking Background. I was told this at a cocktail party attended by some former Hackers that made this assertion.

    People with a hacking background hate standards but love positions like Chief Hacking Officer, Penetration Tester, Risk Analyst etc. Companies do put the fox in charge of the hen house… not always… but it is a really risky way to do business.



  • If you want to keep the foxes out of the hen house, you have to think like a fox yourself. And who does that better than reformed foxes?



  • Are there many reformed foxes?
    How can we recognize them? After so many years trying to do that I still cannot be sure.

