Who interpreted this act for IT so poorly?



  • Spider, I like your point of view, but in the real world (out of our systems) it cannot work. They cannot understand us.
    As a security person I know that over 60% of frauds occur from WITHIN the organisation and not outside. But I also know some ‘bad guys’ inside the IT (with admin privileges). Security is not an IT word…it is law that defines what is security, what is allowed and what is not…Unfortunately for both of us.
    To err is human; to really foul things up requires a computer.



  • @spider - think you’re kidding yourself mate.
    I’ve seen several examples of fraud committed by IT, here’s two:

    1. Post-implementation of a major ERP the IT manager realised that invoices of a certain exact value did not need to be authorised (only those above and below the value) and used this to defraud a large sum.
    2. The electronic payments file generated by AP sat on the server for an hour or so before being transmitted to the bank. In the meantime one of the IT staff changed bank account numbers on the file to divert funds to their own account.

    The reality is that IT frauds tend not to make the headlines so often.


  • Although I believe that SOX has allowed the external auditing companies to make a fortune, I also believe that standards have slipped over the years. I started as a Computer Auditor and most of what SOX is looking for is what was the norm in my Computer Audit days, and the IT Management was fully supportive in correcting any control weaknesses. I am now finding some basic control requirements, e.g. separation of duties, incident logging and reporting, are alien to the IT people. There appears to have been a serious decline in any knowledge about controls and their worth by IT managers, who are more focussed on cutting costs.



  • I have to agree that standards are falling and have fallen over the course of the last 15 to 20 years. I believe that this is a direct consequence of the introduction of PCs on people’s desktops. The flexibility offered by these boxes to the individual was never available from the monolithic mainframes or medium-sized minis; however, this flexibility is now the norm.
    Although I work now and have worked in extremely large banking organisations with budgets that look like telephone numbers for people on Mars, the problems that end user computing causes from a SOX point of view are horrendous. Couple this with the RAD standards that were used extensively throughout the 90s (due almost directly to the introduction of PCs) to create the core systems used in the organisation, and the problems of attaining SOX compliance are multiplied 1000-fold if not more.
    Unfortunately it would appear that IT gave the key to the asylum to the lunatics, and it’s only now that we are having to try and put them back where they belong.
    I would never advocate a return to a centralised computing environment such as the mainframe era; however, in order that we should have efficient, value-for-money systems that do not pose a threat to the integrity of a business, we need a lot more control. I believe that SOX will facilitate this control.
    Pete.



  • A lot of the problems come from people that have no experience in IT at all. A lot of times they don’t know what to do and get their information from a knowledge base of their auditing organisations without understanding any of it. There have always been controls in IT, just because it makes sense and makes the development of systems more organized and method-driven. Now, people seem to be making more controls that don’t make sense. How can accountants and the like effectively audit IT when they try to apply their background to a different field?



  • Hi,
    ‘accountants will be held accountable’ …
    Doesn’t SOX place part of the responsibility for compliance on the auditor who certifies the controls as SOX compliant? Doesn’t that put the auditor under an immense amount of pressure, resulting in him rather erring on the ‘safe’ side, i.e. implementing more strict measures to ensure the quality and reliability of control data at the cost of IT people?
    Aren’t we missing a link between an auditor and the recipients of his measures? That link needs to translate the auditor’s fears (= requirements) into appropriate IT measures based on sound experience in the IT environment. We need an intermediate step that takes on part of that responsibility and mediates between these obviously conflicting parties (check this thread for an example ;)). SOX is intended to stop cheating, not business. Compliance and the documentation thereof is a compromise with IT’s flexibility, much like IT security is often a compromise. Both are necessary; either extreme is irresponsible.
    Cheers



  • A perfect example of this is something I have to deal with now. I am a network admin/manager and I have a problem with users using Media Player to rip music to their computers. Before, I could implement a group policy to disable the use of Media Player on the PC. Now I have to fill out a change request form in order to create this group policy. So a job that used to take me under a minute now takes 1 day to 1 week to implement and creates a completely unnecessary paper trail. Now I ask you: What in the world do implementations like that have anything to do with truth in financial reporting?



  • This is not a specific SOX issue, but your comment raises some issues to consider outside of SOX. Consider the issue you raise. Basically, your users are conducting illegal activities at your workplace. If the authorities come knocking, isn’t it reassuring to know that there is now documentation in place that shows you took the steps to prevent the illegal activity? Documentation can be a pain, but in the right circumstances, you’ll be glad you have it to back you up.



  • I will have to agree with the poster who said that some of the controls that we are talking about now have been there for ages. As another poster said, we lost a lot of good practices from the mainframe world. Having been on both the IT and Audit side, some of the new IT people have no clue about what they are doing. I have seen places where the IT people write the code and pass it on to QA without unit testing their code. I am not saying all IT developers are like that. No use in IT blaming the audits. Both will have to work together: IT people will have to learn to implement controls, and Audit will have to understand the complexity involved in IT departments. I would rather see IT internal audit as an extension of IT departments rather than a separate one.



  • :lol:
    Looks like SOX has brought about the culture of Soxumentation. All of us talk about SDLC; a well-structured SDLC should anyway contain strong documentation. As far as authority and responsibilities go, no developer is a fool to do anything that he’s not ought to do, so a structured matrix would have been insisted upon in the ORG.
    One serious question is, given the above, the company would be a CMM level 5 company, and auditors, by audit guidelines, can rely on the work of other auditors. Will the statutory auditors place reliance on the work done by the CMM auditors and vouch for the financial accuracy???
    Any thoughts on this, Soxers 😉 :?:



  • One serious question is, given the above, the company would be a CMM level 5 company, and auditors, by audit guidelines, can rely on the work of other auditors. Will the statutory auditors place reliance on the work done by the CMM auditors and vouch for the financial accuracy???

    Indeed auditors can rely on the work of others, but within certain constraints:
    1) As per paragraph 108 of Auditing Standard #2: ‘In all audits of internal control over financial reporting, the auditor must perform enough of the testing himself or herself so that the auditor’s own work provides the principal evidence for the auditor’s opinion.’ What this means is that an auditor can leverage the work of others to a certain extent. In other words, they have to do enough of their own work. How much is enough? If all controls were weighted equally (which they are not) it would be 50%. Given the subjective nature of what constitutes principal evidence, the auditor is going to perform enough work to give them comfort knowing they will have to answer to the PCAOB (and if you think being examined by an IT auditor is tough, try dealing with the PCAOB). I quote AS2: ‘Because the amount of work related to obtaining sufficient evidence to support an opinion about the effectiveness of controls is not susceptible to precise measurement, the auditor’s judgment about whether he or she has obtained the principal evidence for the opinion will be qualitative as well as quantitative. For example, the auditor might give more weight to work he or she performed on pervasive controls and in areas such as the control environment than on other controls, such as controls over low-risk, routine transactions.’
    2) The auditor has to ascertain the competency and objectivity of the individuals performing the work. While the folks performing a CMM assessment are most likely competent, they may not be considered objective if they were hired by IT management and reported to IT management. Auditors would expect them to report to Internal Audit or the equivalent. Therefore, it would behoove a company to demonstrate the objectivity and competence of contract resources if they would like the external auditor to leverage the work.
    3) As per paragraph 123, external auditors will need to test the work of others to make sure they can rely on it. Typically this involves a walkthrough (test of design) with subsequent reliance on the work of others for test of effectiveness.
    4) Auditors have to exercise a lot of judgement, and auditing is more of an art than a science. Therefore, auditors will modify their work based on the attitude of management (i.e. tone at the top). For example, if the auditor senses that IT management believes SOX is a load of garbage and allows the attitude to permeate the organization, he/she will adjust their approach. On the other hand, if IT management engages in an open dialogue with auditors and stresses the importance of compliance within their organization (they check their personal feelings at the door), things will go much smoother.
    5) Bottom line: IT management needs to work with their auditors and avoid a confrontational mentality (and AS2 and the May 2005 PCAOB guidance stress this). Take SOD issues for example. While a company should make every effort to resolve SOD issues, in some cases they cannot be avoided. There are compensating controls (IT and/or financial) that can be evaluated in light of SOD issues, and this evaluation is facilitated through open dialogue between IT management and the auditor. Without this dialogue, the auditor has no choice but to adopt a conservative approach and write up these issues as deficiencies and report them to the audit committee.
    Hope that helps,
    Ed



  • This is not a specific SOX issue, but your comment raises some issues to consider outside of SOX. Consider the issue you raise. Basically, your users are conducting illegal activities at your workplace. If the authorities come knocking, isn’t it reassuring to know that there is now documentation in place that shows you took the steps to prevent the illegal activity? Documentation can be a pain, but in the right circumstances, you’ll be glad you have it to back you up.

    Excellent points 🙂 … SOX is not the end-all and cure-all on controlling all inappropriate IT behaviors within an organization, as it focuses mostly on financial controls.
    If anyone is downloading mp3s from a P2P facility, there’s a greater exposure to worms, viruses, spyware, etc. 😞 Even from a financial standpoint, there are RIAA/DMCA exposures associated with copying intellectual property, as companies will have ‘deeper pockets’ than a home user.
    Having standards and even technical filters in the firewall that disallow mp3s to be downloaded is a good thing. Also, there’s a Sony DRM rootkit that could be installed from certain music CDs being ripped as well.
    I’d recommend security standards are up-to-date on things outside of SOX compliancy and esp. for this specific issue. After finalizing this, a short ‘all employees’ email might be useful in ensuring everyone is aware and that violations are subject to managerial discretion.



  • I have to agree that standards are falling and have fallen over the course of the last 15 to 20 years. I believe that this is a direct consequence of the introduction of PCs on people’s desktops. The flexibility offered by these boxes to the individual was never available from the monolithic mainframes or medium-sized minis; however, this flexibility is now the norm.

    I have sure seen that happening.
    When the PC was first being used as a real business tool, the PC department were real mavericks compared to us mainframe programmers. They used tools that were totally inappropriate, because that is what they were familiar with. Those were the days when we usually had to wait a couple of hours or maybe overnight to get just one execution of a program on the mainframe. Having access to production data was nearly impossible and therefore rarely necessary.

