Slashdot Mirror


Sarbanes-Oxley - How is it Affecting You?

Grant Barrett asks: "All I hear from IT directors is Sarbanes-Oxley, Sarbanes-Oxley, Sarbanes-Oxley. SOX, as they're calling it, is taxing manpower, swallowing time, and adding huge administrative headaches--not to mention incurring fees and salaries paid out to staff or third-party firms hired to ensure compliance--and that's just the IT department. How are you dealing? Did you make your compliance deadline even after the extension? Are you joining the backlash?"

9 of 125 comments

  1. What is Sarbanes-Oxley? by Anonymous Coward · · Score: 3, Informative
    Would it have killed the poster to mention what Sarbanes-Oxley is?

    Oh well, since he can't be arsed, here's a quote from the second link:

    "The Sarbanes-Oxley Act is a sweeping piece of legislation that regulates, among other things, how companies report financial results and disclose executive compensation. What's more, the law holds both company executives and external auditors directly accountable for the accuracy of financial reports and seeks to protect employees who blow the whistle on suspected fraud."
    1. Re:What is Sarbanes-Oxley? by Anonymous Coward · · Score: 1, Informative

      Section 404 of the act essentially requires companies to prove that they have adequate internal controls to ensure that the financial statements are accurate. What this ends up doing is cascading a simple thing (Is the 10-K accurate?) into a giant list of things, including IT procedures, HR and Payroll procedures, etc.

      We got dinged on a few minor things, like no documented policy on hardware service level agreements. K-P-M-G considered this a "Significant Deficiency" in internal controls, which is one step below having K-P-M-G say to the world that your financial reports cannot be trusted. They just had no sense of proportion or scale.

  2. More info... by Chris+Pimlott · · Score: 2, Informative
    I had no idea what this act was either, so I recommend checking out the Wikipedia entry.

    The Sarbanes-Oxley Act (officially titled the Public Company Accounting Reform and Investor Protection Act of 2002), signed into law on 30 July 2002 by President Bush, is considered the most significant change to federal securities laws in the United States since the New Deal. ... The goal of the act was to protect investors by improving the accuracy and reliability of corporate disclosures. The act covers issues such as establishing a public company accounting oversight board, auditor independence, corporate responsibility and enhanced financial disclosure.
  3. fyi by oliana · · Score: 3, Informative

    Sarbanes-Oxley is a law that only applies to SEC firms (firms that are publicly traded in the US and must report financial statements to the SEC.)

    Prevents Accounting firms from doing non-Audit functions for an SEC firm that they also perform SEC Audits for (except tax-work, and only if approved by the SEC, and for work that produces minimal income to the Audit firm. These must be disclosed in the Financial Statements of the firm audited.) This is important because an audit firm in the past could be doing as much or more work for a company in consulting as they were in audit. This leads to an impression that the auditor might not be independent of the firm.

    Increases the required independence of the Audit Committee of SEC Firms (Members of the Board of Directors who hire and oversee Independent Auditors). This is important because the Audit committee should not be biased towards the company if they are hiring the independent auditors and overseeing their work.

    Makes Management of companies more responsible for the assertions they have in their Financial Statements (an assertion may be along the lines of "Current Assets: $1.3 Billion" or "In the following year we expect to open three more locations in ..."). This is important because, if the CEO signs a statement that states that he knows financial statements are reported fairly and without any material misstatements, he cannot say in court that "I had no idea that this was happening."

    Requires Management to assess the controls associated with preventing fraud, defalcation and errors that could lead to materially misstating their Financial Statements, and requires an independent Audit of this assessment. (This would be the part that affects the IT community the most.)

    It also created a required record retention for audits, more thorough peer reviews of audits and rotations of the Audit Partners associated with the audit. (Thank you, Arthur Andersen)

    How this affected me:
    Many more jobs in the Audit field, mine being one. Which allows me to be a techy on the side, which is a lot more fun than it being work.

    --
    In Soviet Russia, asses suck this joke.
  4. Re:SOX Sucks by Anonymous Coward · · Score: 1, Informative

    I have to agree. At my employer, SOX compliance has simply gotten out of hand. It has gone from detailing the procedures used to control financial data to detailing the procedures used to control any corporate asset, including software and code. As a result, we are undertaking all kinds of efforts to ensure what a reasonable configuration management policy should already take care of. And we're doing it in such a way that it takes an inordinate amount of time and signatures to get anything productive done.

    I love that we've passed legislation to protect individual investors and place personal liability on executives for fraud, but the section 404 rules have been too widely interpreted and as a result are overly burdensome.

    My anonymous $0.02.

  5. Re:How I'm affected by pbrammer · · Score: 2, Informative

    A system doesn't have to interact with financial data to fall under SOX. If a system is used to even influence financial data (making a financial decision based off of sales numbers, for instance) it falls under the SOX realm.

  6. Re:SOX Sucks by Anonymous Coward · · Score: 1, Informative

    25 years, and this goes way beyond a changelog. It involves getting and documenting approval from people who don't even understand what I do, and don't want to know, that's why they hired me in the first place. They'll sign whatever I put in front of them, and even if they didn't, I could still make whatever changes I want to make, they would just catch up with me at the next audit and I'd get fired (assuming I didn't go out of my way to hide what I did). It has had no effect on the accuracy of our financial statements, it has only burdened us with needless red tape.

  7. "compliance" by Anonymous Coward · · Score: 1, Informative

    Just a few things I've noticed here..

    Our blank check stock must be kept under lock and key. Great... Well, the key is just in a drawer in the AP department.

    Control issue with AR not being able to receive checks, so in the event a check comes into our office instead of the lockbox it goes to AP. Well, AP can't deposit the check without a customer # or Inv #. So they take the check to AR to get the info, which generally means dropping it off and coming back later to get a stack of checks.

    Database security has been changed so that people have the correct access privs. Before, when a person transferred departments they were not strict about changing them. Well, turns out our genius sysadmin for the DB has an SQL server running that will allow any user to write/read to any DB file despite user privs in the actual database application itself. But since SOX doesn't know about any SQL server it's not an issue.

    Basically everything you need to comply with is there for a good reason but in practice I find it to be for show and nothing more.
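    The gap this post describes, application-level privileges that look right on paper while a direct database path grants far more, is exactly what an access review should catch. Below is an added example of such a check; it is not code from the thread or from any product the posters mention. The role table, the user list, the grant dump and the table names are all constructed sample data; a real review would populate them from the application's own user table and from the database server's privilege catalogue, which is not shown here.

    ```python
    """Access review: flag direct database grants that exceed what the
    application's own role model allows for that user (added example).

    All data below is constructed for illustration; the names are assumptions.
    """
    from dataclasses import dataclass

    # Application-level roles and the tables each may touch ("r" or "rw").
    APP_ROLES = {
        "ap_clerk": {"vendors": "rw", "payments": "rw", "customers": "r"},
        "ar_clerk": {"customers": "rw", "receipts": "rw", "invoices": "r"},
        "readonly": {"customers": "r", "invoices": "r"},
    }

    # What the application believes each account is (constructed).
    APP_USERS = {"alice": "ap_clerk", "bob": "ar_clerk", "carol": "readonly"}

    # Direct database grants as (user, table, privilege); "*" means every table.
    # This is the "any user can read/write any DB file" situation from the post.
    DB_GRANTS = [
        ("alice", "vendors", "rw"),
        ("alice", "payments", "rw"),
        ("alice", "customers", "r"),
        ("bob", "customers", "rw"),
        ("bob", "receipts", "rw"),
        ("bob", "invoices", "r"),
        ("bob", "vendors", "rw"),   # left over from a department transfer
        ("carol", "*", "rw"),       # blanket grant on the direct SQL listener
        ("svc_batch", "*", "rw"),   # account the application knows nothing about
    ]

    ALL_TABLES = {"vendors", "payments", "customers", "receipts", "invoices"}

    # Privilege lattice: no access < read < read/write.
    RANK = {"": 0, "r": 1, "rw": 2}


    @dataclass(frozen=True)
    class Finding:
        user: str
        table: str
        db_priv: str   # what the database actually grants
        app_priv: str  # what the application role permits ("" if nothing)


    def effective_db_access(db_grants, all_tables):
        """Collapse the grant list into {user: {table: strongest privilege}},
        expanding wildcard grants over every known table."""
        effective = {}
        for user, table, priv in db_grants:
            targets = all_tables if table == "*" else {table}
            per_user = effective.setdefault(user, {})
            for t in targets:
                if RANK[priv] > RANK[per_user.get(t, "")]:
                    per_user[t] = priv
        return effective


    def excess_access(app_roles, app_users, db_grants, all_tables):
        """Return one Finding per (user, table) where the database grants more
        than the user's application role allows. Accounts unknown to the
        application get an empty role, so every grant they hold is excess."""
        findings = []
        effective = effective_db_access(db_grants, all_tables)
        for user in sorted(effective):
            allowed = app_roles.get(app_users.get(user), {})
            for table in sorted(effective[user]):
                db_priv = effective[user][table]
                app_priv = allowed.get(table, "")
                if RANK[db_priv] > RANK[app_priv]:
                    findings.append(Finding(user, table, db_priv, app_priv))
        return findings


    def unknown_accounts(app_users, db_grants):
        """Database principals with grants but no application identity."""
        return sorted({user for user, _, _ in db_grants if user not in app_users})


    def users_with_excess(findings):
        """Distinct users that appear in at least one finding."""
        return sorted({f.user for f in findings})


    if __name__ == "__main__":
        for f in excess_access(APP_ROLES, APP_USERS, DB_GRANTS, ALL_TABLES):
            print(f"{f.user:10} {f.table:10} db={f.db_priv:2} app={f.app_priv or '-'}")
        print("accounts with no application role:", unknown_accounts(APP_USERS, DB_GRANTS))
    ```

    Run as-is, the review reports nothing for alice, one stale grant for bob, every table for carol, and every table for the service account that exists only on the database side. The point of keeping the application role table and the database grant dump as separate inputs is that the control being audited is the database's own access list; an application-side privilege screen that is never reconciled against it proves nothing about who can actually read or write the data.
    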

  8. Sarbanes-Oxley slowed OSS corporate involvement by Anonymous Coward · · Score: 1, Informative

    At the 2004 O'Reilly Open Source convention, r0ml Lefkowitz spoke about the impact of Sarbanes-Oxley on corporations and Open Source Software. This is the gist of what he said. Any corporate software products on the books are considered assets and are assessed at an arbitrary value for purposes of acquisition, etc. The accountants depreciate software system assets over a set number of years, often 3. So by the time the corporation has software of no more book value as an asset, that is when programmers think to ask management to open-source it. But the programmers' time (usually salaried exempt) is an expense. Sarbanes-Oxley requires certain reporting of assets and expenses, such that a corporation will not be able to pay a programmer to roll up the source tree or zip it or hardly do anything. Expenses not spent in developing positive value assets are a red flag for auditors.

    Posting anonymous because it has been so long that I've forgotten my password. But then, my karma was never a positive value asset for long.