Who interpreted this act for IT so poorly?



  • What all of you audit control happy people are missing is the way things were implemented prior to SOX compliance. A lot of these companies did things a certain way that worked for their means before SOX was around, none of which has anything to do with financial reporting. Hence, when a company has a developer who implemented code that people are using in production and they had to troubleshoot in production due to there being no prior means of code testing, then you have to disable the ability for IT resources to do their jobs effectively while destroying production time. A perfect example of this is something I have to deal with now. I am a network admin/manager and I have a problem with users using Media Player to rip music to their computers. Before, I could implement a group policy to disable the use of Media Player on the PC. Now I have to fill out a change request form in order to create this group policy. So a job that used to take me under a minute now takes 1 day to 1 week to implement and creates a completely unnecessary paper trail. Now I ask you: what in the world do implementations like that have to do with truth in financial reporting? The bottom line is, section 404 is written so vaguely that it allows audit companies to go in any direction they feel like. According to the way it is written, technically you would need documentation and approval and a paper trail to tell someone to reboot their computer because it is a repeatable process. Anyone who has anything to do with technology that is in support of the way section 404 is interpreted has obviously never really had to support whole environments by themselves and doesn't really understand the way that technology systems work.



  • Denis and Yoda404 obviously do not have any experience in what it takes to support live systems.
    Right, apart from the systems development projects that I ran :roll:



  • Denis and Yoda404 obviously do not have any experience in what it takes to support live systems.
    No. I would say Denis and Yoda404 work for companies that obviously have an IT budget that allows them to handle their projects in this manner. We obviously work at smaller companies or at smaller divisions of bigger companies and do not have the IT or financial resources to put in place what is being stuffed down our throats.
    I will say this, due to the vagueness of the Act, no matter how much you prepare, no matter who audits you, no matter how ready you think you are, you could get nailed anyway if the SEC wants to nail you…



  • That’s a pretty good observation, Guest.
    As you get into smaller companies you do get real problems with the auditor/IT dynamic. This can be caused by inexperienced auditors not understanding the issues and IT staff who are inexperienced in dealing with auditors.
    I’m more than happy to help those having problems with their auditors. I know how they think :twisted:



  • I can only add to this tale of woe. I am part of a small overseas IT group of 3 people, and we are the Developers and Support/Helpdesk for our region. We now have system functionality we are supposed to support that we can’t even access. I know this is all well intentioned, but I still have access to reset user passwords (because our 150 users regularly forget them), so hijacking a userid isn’t a problem if I wanted to do something fraudulent… and let’s face it, if you are going to enter a bogus transaction, are you going to do it under your own userid anyway? All of this stuff is being interpreted and policy dictated to companies by people who haven’t got a clue how IT works. Separation of Duties is nice if you have a large central IT Dept, but we are now looking to add headcount.
    It just boggles the mind what governments are prepared to do for short term gain. The insanity of it all is that this ‘overkill’ legislation is intended to stop executive crooks from misleading investors, for which entirely adequate legislation already existed. The irony is that the only people that are benefiting from SOX are the same ethically bankrupt Auditing/Accounting/Consulting organisations that, due to their own conflicts of interest, were complicit in the reasons why SOX got drafted in the first place. What was required was to enact tight legislation to protect the public from those cowboys.



  • It can’t be that the ext. Auditors tell you how to run your company or division, especially by using SOX as an excuse. All SOX asks them to provide is an opinion about the controls over your financial statements and disclosures. If it turns out that you don’t have sufficient controls in some areas, you need to implement and document them. But in areas where you already have functioning controls you don’t need new or additional ones only to satisfy your ext. Auditor.
    So, in some cases you need to strongly argue against your ext. Auditor.
    You should be capable of showing a functioning general IT control environment. Every additional SOX effort within the IT environment should be focused on financial systems or systems having a significant/material impact on the financial statements.
    That’s still some workload.
    And from my experience - we were quite often successful in getting the ext. Auditor back into line.



  • Who interpreted this act for IT so poorly? If blame is to enter into the discussion, it would be the myriad of professional services and products being manufactured/developed to bring companies into compliance. Those SOX/IT Experts, like myself, are the ones that have poorly defined it. The landscape of the SOX compliance market is very unique.
    The directly affected market is listed companies and their subsidiaries with greater than USD75 Million in revenue, which effectively reduces that total market to a very small number. Yet the entrepreneurial investment in this market space is unparalleled. There are dozens, if not hundreds, of companies attempting to ‘get a piece’ of a market that is still not judiciously defined. The PCAOB inspection reports are not due yet, and enforcement of the auditing standards has yet to take place.
    So, everyone invested (in some way) in the SOX Compliance market is waiting for the first shoe to drop and then hoping that their product/service is aligned with the results. There are too many followers of a poor interpretation. Compliance is here to stay, and it is the biggest thing since… (fill in the blank).
    It is also a win-win, as someone else eloquently responded: businesses that embrace Sarbanes-Oxley will win in efficiency and in streamlining business overall, and we (Sox Experts) win because we get to flaunt our expertise for years to come.



  • What do you do in a small IT environment when 2 (one and a backup) have full admin access, and the other 2 do not, and the auditors say we can’t confirm who has access to the network?
    We have one ID they share and they change the password to strong passwords and we document the heck out of who gets authorization for what.
    But the silly accounting firm didn’t get a screen shot before 12/31/04 and now wants to ding us for not having proper controls. Our test plan stated ‘Inquiry and Observation’ and they signed off that it was sufficient.
    Now, one month later, no screen and therefore after 30 minutes they decide - nope, no general controls due to no screen print and we are outta here. I’ve not seen them since.
    Now we have to go back, re-establish financial controls based on IT systems in some other way. This is absurd.
    The ERP system has at least 4 other layers outside the general network layer anyway. We DID test it, it passed; they were just too ‘busy’ to come look for themselves - should businesses pay the price for this?



  • What do you do in a small IT environment when 2 (one and a backup) have full admin access, and the other 2 do not, and the auditors say we can’t confirm who has access to the network?
    We have one ID they share and they change the password to strong passwords and we document the heck out of who gets authorization for what.
    But the silly accounting firm didn’t get a screen shot before 12/31/04 and now wants to ding us for not having proper controls. Our test plan stated ‘Inquiry and Observation’ and they signed off that it was sufficient.
    Now, one month later, no screen and therefore after 30 minutes they decide - nope, no general controls due to no screen print and we are outta here. I’ve not seen them since.
    Now we have to go back, re-establish financial controls based on IT systems in some other way. This is absurd.
    The ERP system has at least 4 other layers outside the general network layer anyway. We DID test it, it passed; they were just too ‘busy’ to come look for themselves - should businesses pay the price for this?
    Sounds like your auditors do not have a clue about what they should be looking for.
    What specifically is the issue here - that you have a shared password? Whilst this is not best practice, it can actually be necessary in some systems/environments.
    Or is the issue that you didn’t take a screen dump of the access permissions at the time of testing? This is nuts, as there is no requirement for that level of documentation. Suggest that they should read PCAOB Auditing Standard #2.



  • @Denis: couldn’t have put it better… :lol:



  • I’m glad to see I’m not losing my mind. Yes - they left due to not having a screen shot proving our access level as of 12/31. They have done no other testing and in fact never even spoke to the CIO about this prior to leaving our site.
    My concern on another level is that they stopped testing after this 30 minute time period - what are they not doing now? They didn’t ask for this level of detail before 12/31 - and now time is still fleeting.
    Will they come back on 3/16 and say ‘We needed this before 3/16 and you didn’t furnish it…’ because they left us solo again?
    I think this is the weasel guarding the hen house, if you ask me. The auditors caused the problems - not reporting significant deficiencies at Enron/etc. And now they get to earn big bucks fixing it… makes Y2K look like a walk in the park.



  • What all of you audit control happy people are missing is the way things were implemented prior to SOX compliance. A lot of these companies did things a certain way that worked for their means before SOX was around, none of which has anything to do with financial reporting. Hence, when a company has a developer who implemented code that people are using in production and they had to troubleshoot in production due to there being no prior means of code testing, then you have to disable the ability for IT resources to do their jobs effectively while destroying production time. A perfect example of this is something I have to deal with now. I am a network admin/manager and I have a problem with users using Media Player to rip music to their computers. Before, I could implement a group policy to disable the use of Media Player on the PC. Now I have to fill out a change request form in order to create this group policy. So a job that used to take me under a minute now takes 1 day to 1 week to implement and creates a completely unnecessary paper trail. Now I ask you: what in the world do implementations like that have to do with truth in financial reporting? The bottom line is, section 404 is written so vaguely that it allows audit companies to go in any direction they feel like. According to the way it is written, technically you would need documentation and approval and a paper trail to tell someone to reboot their computer because it is a repeatable process. Anyone who has anything to do with technology that is in support of the way section 404 is interpreted has obviously never really had to support whole environments by themselves and doesn't really understand the way that technology systems work.
    It’s no wonder that auditors refer to SOX as the ‘Auditors full employment Act’.



  • This was posted. ‘I am sure there are numerous statistics around to show that most frauds occur from WITHIN the organisation and not outside. So I am sorry to all you support people, but I would NEVER give you full access to everything all the time.’
    Wow, I know the names of numerous EXECUTIVES that defrauded stockholders, but I don’t know the name of a single IT person. I wonder why that is? Put law breakers in jail, don’t handcuff innocent people.



  • Spider, I like your point of view, but in the real world (outside of our systems) it cannot work. They cannot understand us.
    As a security person I know that over 60% of frauds occur from WITHIN the organisation and not outside. But I also know some ‘bad guys’ inside IT (with admin privileges). Security is not an IT word… it is law that defines what is security, what is allowed and what is not… Unfortunately for both of us.
    To err is human; to really foul things up requires a computer.



  • @spider - think you’re kidding yourself mate.
    I’ve seen several examples of fraud committed by IT, here’s two:

    1. Post-implementation of a major ERP the IT manager realised that invoices of a certain exact value did not need to be authorised (only those above and below the value) and used this to defraud a large sum.
    2. The electronic payments file generated by AP sat on the server for an hour or so before being transmitted to the bank. In the meantime one of the IT staff changed bank account numbers on the file to divert funds to their own account.

    The reality is that IT frauds tend not to make the headlines so often.
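The two fraud patterns in the post above (an authorisation rule with a gap at one exact value, and a payment file edited while it waits for transmission) each map to a simple automated control. The block below is an added example written for this thread, not code posted by any participant or taken from any ERP product; the tier threshold, the approver names, the payment batch and the seal key are all constructed placeholders. The first half shows the flawed two-branch routing next to a corrected rule and a boundary probe that would have exposed the gap in testing; the second half seals the AP batch with an HMAC at generation time and re-verifies it immediately before transmission, so any change to an account number in between is detected rather than silently sent.

```python
"""Two detective/preventive controls for the IT-fraud patterns described in the thread.
Added example with constructed data; nothing here is from a real ERP or payment system."""
import hashlib
import hmac

# --- 1. Invoice authorisation tiers with a boundary gap, and the corrected rule ---

THRESHOLD = 10_000.00  # constructed tier boundary (assumed value, not from the thread)


def approver_for_buggy(amount: float):
    """Flawed routing: strictly below goes to tier 1, strictly above goes to tier 2,
    so an invoice of exactly THRESHOLD matches neither branch and gets no approver."""
    if amount < THRESHOLD:
        return "tier1"
    if amount > THRESHOLD:
        return "tier2"
    return None  # the gap: no authorisation step fires for this amount


def approver_for_fixed(amount: float):
    """Corrected routing: the boundary value belongs to the lower tier, so every
    amount maps to exactly one approver."""
    if amount <= THRESHOLD:
        return "tier1"
    return "tier2"


def find_uncovered_amounts(rule, candidates):
    """Control test: probe each candidate amount and list those no approver covers.
    Probing just below, at and just above each boundary is the cheap way to catch
    off-by-one gaps like the one the IT manager in the post exploited."""
    return [a for a in candidates if rule(a) is None]


BOUNDARY_PROBES = [THRESHOLD - 0.01, THRESHOLD, THRESHOLD + 0.01]

# --- 2. Sealing the AP payment file so edits before transmission are detected ---

# Constructed payment batch; supplier names and account numbers are made up.
PAYMENT_FILE = (
    "PAY,Supplier A,ACCT-000111,1250.00\n"
    "PAY,Supplier B,ACCT-000222,9800.50\n"
).encode()

# Assumption about deployment: the seal key is held by the AP application and the
# bank-transfer process only and is not readable by general server administrators,
# otherwise the same person who edits the file could simply re-seal it.
SEAL_KEY = b"constructed-demo-key-replace-in-production"


def seal_batch(file_bytes: bytes, key: bytes) -> str:
    """AP system computes an HMAC-SHA256 tag when it writes the batch and records the
    tag out of band (e.g. in the AP database), separate from the file on the server."""
    return hmac.new(key, file_bytes, hashlib.sha256).hexdigest()


def verify_before_transmit(file_bytes: bytes, recorded_tag: str, key: bytes) -> bool:
    """Transfer process recomputes the tag over the file it is about to send. Any change
    to the content since sealing (such as a swapped account number) makes this False,
    and the batch should be held and the discrepancy reported rather than sent."""
    return hmac.compare_digest(seal_batch(file_bytes, key), recorded_tag)


def tampered_copy(file_bytes: bytes) -> bytes:
    """Simulates the pattern from the post: one account number is replaced while the
    file sits on the server waiting for transmission."""
    return file_bytes.replace(b"ACCT-000222", b"ACCT-999999")


if __name__ == "__main__":
    print("buggy rule leaves uncovered:", find_uncovered_amounts(approver_for_buggy, BOUNDARY_PROBES))
    print("fixed rule leaves uncovered:", find_uncovered_amounts(approver_for_fixed, BOUNDARY_PROBES))
    tag = seal_batch(PAYMENT_FILE, SEAL_KEY)
    print("original batch verifies:", verify_before_transmit(PAYMENT_FILE, tag, SEAL_KEY))
    print("tampered batch verifies:", verify_before_transmit(tampered_copy(PAYMENT_FILE), tag, SEAL_KEY))
```

The boundary probe is the part worth adding to a control test plan: an auditor asking "what happens at exactly the threshold?" is a one-line check that the post's first fraud would have failed. The HMAC seal only helps if the key sits outside the reach of whoever can edit the file, which is the separation-of-duties point the thread keeps returning to; where that is not possible, a digital signature issued by the AP application with a key it alone controls serves the same purpose.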


  • Although I believe that SOX has allowed the external auditing companies to make a fortune, I also believe that standards have slipped over the years. I started as a Computer Auditor and most of what SOX is looking for is what was the norm in my Computer Audit days, and the IT Management was fully supportive in correcting any control weaknesses. I am now finding some basic control requirements, e.g. separation of duties, incident logging and reporting, are alien to the IT people. There appears to have been a serious decline in any knowledge about controls and their worth by IT managers who are more focussed on cutting costs.



  • I have to agree that standards are and have fallen over the course of the last 15 to 20 years. I believe that this is a direct consequence of the introduction of PCs on people’s desktops. The flexibility offered by these boxes to the individual was never available from the monolithic mainframes or medium sized minis; however, this flexibility is now the norm.
    Although I work now and have worked in extremely large banking organisations with budgets that look like telephone numbers for people on Mars, the problems that end user computing causes from a SOX point of view are horrendous. Couple this with the RAD standards that were used extensively throughout the 90s (due almost directly to the introduction of PCs) to create the core systems used in the organisation, and the problems of attaining SOX compliance are multiplied a thousandfold if not more.
    Unfortunately it would appear that IT gave the key to the asylum to the lunatics and it’s only now that we are having to try and put them back where they belong.
    I would never advocate a return to a centralised computing environment such as the mainframe era; however, in order that we should have efficient, value for money systems that do not pose a threat to the integrity of a business we need a lot more control. I believe that SOX will facilitate this control.
    Pete.



  • A lot of the problems come from people that have no experience in IT at all. A lot of times they don’t know what to do and get their information from a knowledge base of their auditing organisations without understanding any of it. There have always been controls in IT, just because it makes sense and makes the development of systems more organized and method-driven. Now, people seem to be making more controls that don’t make sense. How can accountants and the like effectively audit IT when they try to apply their background to a different field?



  • Hi,
    ‘accountants will be held accountable’ …
    Doesn’t SOX place part of the responsibility for compliance on the auditor who certifies the controls as SOX compliant? Doesn’t that put the auditor under an immense amount of pressure, resulting in him rather erring on the ‘safe’ side, i.e. implementing more strict measures to ensure the quality and reliability of control data at the cost of IT people?
    Aren’t we missing a link between an auditor and the recipients of his measures? That link needs to translate the auditor’s fears (= requirements) into appropriate IT measures based on sound experience in the IT environment. We need an intermediate step that takes on part of that responsibility and mediates between these obviously conflicting parties (check this thread for an example ;)). SOX is intended to stop cheating, not business. Compliance and the documentation thereof is a compromise with IT’s flexibility, much like IT security is often a compromise. Both are necessary; either extreme is irresponsible.
    Cheers



  • A perfect example of this is something I have to deal with now. I am a network admin/manager and I have a problem with users using Media Player to rip music to their computers. Before, I could implement a group policy to disable the use of Media Player on the PC. Now I have to fill out a change request form in order to create this group policy. So a job that used to take me under a minute now takes 1 day to 1 week to implement and creates a completely unnecessary paper trail. Now I ask you: what in the world do implementations like that have to do with truth in financial reporting?
    This is not a specific SOX issue, but your comment raises some issues to consider outside of SOX. Consider the issue you raise. Basically, your users are conducting illegal activities at your workplace. If the authorities come knocking, isn’t it reassuring to know that there is now documentation in place that shows you took the steps to prevent the illegal activity? Documentation can be a pain, but in the right circumstances, you’ll be glad you have it to back you up.

