Advice 1463

  • Greetings
    Several months ago my employer presented its staff with a document to sign relating to conditions of the SOA. (I personally did not sign, as I advised my employer that I wanted my lawyer to read it first; I was advised that I did not have to sign). Yesterday, however, the announcement was made that mobile phones, mp3 players, pda’s, data storage devices etc were henceforth banned from the building, pursuant to the SOA. I am wondering whether this ‘policy’ is in the ‘spirit of the act’, so to speak. My research leads me to believe that the act is primarily for accounting transparency and legitimacy (sorry about my definition, I am not an accountant, lawyer etc). I realize there are serious privacy issues and the client has an interest in data protection, but I also see that the fraudulent acts allegedly perpetrated within certain corporations were not committed by low-level employees, but by corporate executives. So the question is, is this a correct demand pursuant to the act or a bludgeon used by someone who thinks we are all criminals, too ignorant to know the difference?
    Just some background. I work in a call center in Canada for an American company that is an outsourcer for another American company, that does not have any interests in Canada.

  • The Sarbanes-Oxley Act of 2002 makes no reference to acceptable/non-acceptable use of personal technology at the workplace. This decision is solely at discretion of the employer.
    In a similar analogy, cell phones are banned from use onboard commercial airplanes while inflight–the objective is to reduce or eliminate risk of interference with the aircraft’s navigation equipment. However, the reality is that studies have shown no correlation between use of cell phones and impact on the plane’s navigation equipment. The ‘bouncing’ effect of cell phones jumping from network to network quickly as a result of the phone being used on a plane inflight disturbs the operational performance of the cell phone network on the ground–no connection to the equipment onboard the plane.
    In short, if SOX is being used by the employer as a club to squelch the use of cell phones, PDA’s, etc., at the office, the justification is unfounded in the letter AND spirit of the Act.
    My USD0.02.

  • Your organization may well instead disable outbound communication to cell phones, PDAs and USB devices by disabling them on your desktops. This could be one way of securing the data. :idea:
    If the mgmt perceives that data can be read out to some outsider through cell phones, the same can be done thru landlines or by noting down on papers. 😛
    I firmly believe that we are in the 21st century and not otherwise 😎 . If technology can help fraudsters, it can be made to work against them as well.

  • Yesterday, however, the announcement was made that mobile phones, mp3 players, pda’s, data storage devices etc were henceforth banned from the building, pursuant to the SOA … I am wondering whether this ‘policy’ is in the ‘spirit of the act’, so to speak.
    Hi Trevor and welcome to the forums 🙂 I can see at least some indirect associations of personal items like this in a call center that could be theoretically used to copy data. I know in our company, we have strict security guidelines on what we can and cannot do with business equipment owned by the company.
    The SOX 404 requirements are written in a general sense and are highly subject to interpretation. These are related to IT best practices in security and workflow controls. The SOX 404 standards can be interpreted in many different ways, ranging from just protecting financial data to ratcheting up security in a much stricter fashion for the entire organization.
    Yes, SOX requirements could even be used as ‘an excuse’ to gain better controls on items that your employer may not want in the work environment. However, it’s still most likely in the interests of better security.
    On banning portable recording/storage devices, here are some ideas:

    1. MP3 players or USB flash drives might contain files coming in from the outside that might be infected with viruses. That might not be true in your case, but it can provide some of the rationale on why management may want to keep them outside the workplace.
    2. Also, these devices are very convenient for copying data as well, so information could be lifted from the organization, if someone were spying on the corporation. Thus, this type of policy is in a lot of companies today.
    3. To me, banning mobile phones might be going a little too far. It may be that your employer wants absolute assurances that call center information isn’t accidentally overheard.

    Still, if your employer requires this, you probably either have a choice of compliance or finding another firm to work for. Unfortunately, whether these are truly SOX-required controls or not, employers can mandate these types of requirements (at least in the USA).

  • I strongly agree with harrywaldron. The main problem, in my point of view, of the SOX 404 implementation is that it’s highly subjective, so if your auditors/employers or whoever thinks that some stupid measure must be implemented for a strong internal control over financial reporting, you cannot assure that they are wrong. Our auditors (a Big Four firm) told us once to control the way in which operational employees were hired. They told us that if they had, for example, personal problems, they were exposed to committing fraud (what a silly way of reasoning). I think this real example is in line with one topic I’ve seen in this forum about the lack of experience in the Big Four firms that all of us have been suffering since SOX’s appearance.

  • Just wanted to kindly share one more thought with Trevor on signing SOA forms …
    Each year, our company does the same thing, related to company and security policies. Personally, I’ve always signed these for the following reasons:
    1. You have to abide by company rules anyway, so refusing to sign the form won’t make a lot of difference as everyone must follow the same guidelines. As an example, on our form it states that an employee who might misuse the Internet would be subject to disciplinary actions by their manager. And thus, if you misuse the Internet you’re going to be disciplined whether you sign or not.
    2. If the company were downsizing in the future and there was a choice between two good performers (one who signed and one who didn’t), I’ve personally always been concerned in that regard.
    Still, I agree 100% that you must read and understand what you’re signing. In fact, I personally respect the decision not to sign anything you don’t feel comfortable with. What happened for us in our 2005 agreements was that some folks shared concerns and changes were made in favor of the employees (that may not always work though).
    The annual signing of the form in our company mainly states that ‘you are aware of the rules’ and in our case, you’re really not signing any rights away. However, signing documents from company to company can differ, so you should carefully read and understand what you’re signing. If you don’t feel comfortable, then sometimes you gotta do what you gotta do in taking a stand 🙂

  • I would just like to thank everyone who replied (or will reply) to my inquiry. Thanks very much, all your advice is most helpful.
    One thing I would like to point out is that I (we) are Canadian, working for an American outsourcer whose client is a large American telecommunications company. I guess what I am asking is, am I bound by an American Act (SOX)? In my research on the act it seems to have some bearing on foreign corporations doing business in the USA, but in this case both companies are American doing business in a foreign country. Personally, I think it is just a convenient vehicle to force employees to abide by a new policy that should have been presented as such in the first place.
    Anyway, thanks again to all

  • Hi,
    I am not an attorney, but believe that the local employment laws in Canada apply to you in terms of abiding by Company rules and regulations. As an expat, there might be other ramifications.
    On the whole, lack of compliance with the SOX Act and actions from the US Regulatory bodies (SEC and PCAOB) do not extend beyond the borders of the USA. The long arm of the law ends at the water…in your case, the woods that separate Canada and the US. At most, enforcement action due to lack of compliance can lead to delisting on the financial exchange, civil and/or criminal penalties to US Employees (Officers) of the Company.
    Again, I am not an attorney, but this is my take on it.

  • Trevor
    I have an understanding that SOX is similar to Bill 198 in Canada. Why don’t you correlate and infer on the legitimacy of your employer’s SOA, coupled with linking the proscription imposed to the extent that security of confidential information is being affected?
    After drawing a protracted inference, you may try to change the system or leave the system.
    All the best.
