Sarbanes-Oxley - How is it Affecting You?

Grant Barrett asks: "All I hear from IT directors is Sarbanes-Oxley, Sarbanes-Oxley, Sarbanes-Oxley. SOX, as they're calling it, is taxing manpower, swallowing time, and adding huge administrative headaches--not to mention incurring fees and salaries paid out to staff or third-party firms hired to ensure compliance--and that's just the IT department. How are you dealing? Did you make your compliance deadline even after the extension? Are you joining the the backlash?"

World's smallest violin

[Profane+MuthaFucka]

OK, so the collapse of mega-corporations like Enron and Worldcom in accounting scandals cost the people of the country, particular investors, billions of dollars. Enron also defrauded California of billions of dollars.

MORE billions, in fact, than what the attacks on the World Trade Center cost us.

And now, they are saying that the burden of complying with a law that will help to prevent future abuses is too high? Boo Hoo.

I don't think it's too much to ask companies to prove they aren't ripping us off.

Re:World's smallest violin

[Usquebaugh]

How much does compliance cost? If you are basing your views on cost analysis you cannot omit one of the major data points?

Where is your proof that this new law will prevent future accounting mis-practice? where is your facts that this was the least costly way to go about it.

The truth of the matter is that this legislation was knee jerk reaction to a complex and deep issue. For instance compliance only applies to publicly listed companies. The legislation does not take into account how other countries audit companies. etc etc ad infinitum.

Lastly, whenever paperwork is introduced it never goes away. The correct answer was for _ALL_ companies trading in the US to publish complete annual accounts down to the transaction level. This would be easier for the company, would provide all the detail any investigator needed.

Re:World's smallest violin

[jbolden]

You can see from the above that I'm hugely in favor of this law. The World Trade Center bombing:

1) Killed thousands of highly productive people
2) Shut down a section of a major US city for days
3) Destroyed extremely expensive buildings which then required a very expensive clean up effort
4) Shut down a all foreign trade for days
5) Shut down a good chunk of the US transportation system for days
6) Resulted in large permanent increases in US airline ticket prices
7) Resulted in 2 wars
8) Resulted in an increase of oil prices from $20 barrel to about $40-50
9) May have increased cancer rates and other long term health costs for something on the order of 2 million people.

Depending on how you add this up you are talking $200b-600b in costs. I'd say Bin Ladin has Ebbers and Lay beat by about two orders of magnatide. I'd love to see Ebbers and Lay do 20 years and lose everything they own in fines. Bin Ladin is way beyond merely a criminal.

Re:World's smallest violin

[Profane+MuthaFucka]

Good response, Lots to think about.

How much does compliance cost?

Compliance will ultimately cost nothing. With better accounting and better accountability, we won't have the kinds of ethics problems that we have seen. Companies will also benefit from better accounting, because the CEO will have the right numbers in front of him. If we are to believe Worldcom Bernie, he didn't know nothin' bout accounting problems. This law will fix it, and make companies more efficient, better directed, and therefore stronger.

Where is your proof that this new law will prevent future accounting mis-practice? where is your facts that this was the least costly way to go about it.

Don't have any. But I do have proof that the old way cost us more than the terrorists cost us. This law probably isn't ideal from a lot of perspectives.

The truth of the matter is that this legislation was knee jerk reaction to a complex and deep issue. For instance compliance only applies to publicly listed companies. The legislation does not take into account how other countries audit companies. etc etc ad infinitum.

That's true. Other countries have even stricter rules that match transactions between corporate entities. It's hard to rip off someone and hide the data when all your suppliers provide enough information in their books that fraud in your books can be detected. Makes collecting taxes easier too. So, we're in complete agreement here, the law needs to be FAR more strict on companies, like other countries.

Re:World's smallest violin

[josecanuc]

Where is your proof that this new law will prevent future accounting mis-practice?

Just to note: Laws don't prevent anything from happening, they just provide legal footing for a response/recovery. Murder is illegal, but that doesn't stop people from murdering. It is, in some way, a deterrent to rational people who may contemplate murder.

In the same way, this law provides a framework for prosecution abilities. We will hope that the threat of being held responsible for a hurtful act will act as a deterrent to rational people contemplating such acts...

Re:World's smallest violin

[Profane+MuthaFucka]

It depends on how you measure it. The damage to the buildings and the economy directly was measured some time after the attack at $35 billion dollars, and that's what I had in mind.

If you're going to add all sorts of other things in there, you have to include them into the financial collapse too. How do you value in dollars the loss ordinary people suffer when they have to work extra to compensate for their lost retirement? What is the dollar cost to these people when their lost retirement prevents them from enjoying it as much as they would have otherwise?

Re:World's smallest violin

[jbolden]

I don't have a clue what you mean by complex I don't see anything complex about high ranking executives committing fraud. It a simple scam, no different than shipping empty boxes and having your own trucks hijacked (which was a business technique in the 20s and 30s). These guys got paid for generating profits, they deliberately overstated the profits their company's made.

As for your idea, transaction data is worthless to investors. That's data not information.

The purpose of the act is to create a paper trail so that when senior executives commit fraud it will be easier to prove. We used to have a culture of law enforcement where fraud at high levels was simply impossible because low level people involved in fraud knew that while they wouldn't be rewarded there was a high likelihood they would go to jail. We don't have that anymore and recreating it would require broad societal changes. The hope is that this is successful in reducing fraud, not prevent all of it just some of it. I think Congress would have been very open to all sorts of techniques to reduce criminal executive behavior, during the hearings what they kept finding was that senior had plausible deniability about misrepresenting their financial status. I think it is safe to say this act will make it much harder for these executives to have this sort of deniability. It may force them to engage in more explicit criminal behavior (which is easier to prosecute) or maybe just not commit the crimes at all (which is good for everyone) no way to know in advance. Or maybe it isn't nearly enough and accounting in public companies needs to be nationalized. I don't know we will have to find out.

Finally, generally in a private company the high executives and the owners are the same people. So high executives would just be stealing from themselves in this case and thus its not nearly as much a matter of public interest.

Re:World's smallest violin

[jbolden]

Even if I grant the $35b figure (which btw doesn't include things like the cleanup) I still don't see how Ebbers and Lay came close to doing this much damage. They shifted money around a pocketed some of it. They caused some friction in the economy as a result of people having to do things like change cell companies. I don't see how you get to $35b from that.

Re:World's smallest violin

[jbolden]

Oil prices toped out in mid '00 at about $35 a barrel. They were down 40% right before the 9/11. They have gone up since then to set record highs. 9/11 is literally a vertex in the price graph. I can't think of anything else that would cause the derivitive of the price function to go from $-12/year to $+5/year

Re:World's smallest violin

[aaarrrgggh]

How much does compliance cost?

Well, the audit trail for a $1 transaction can easily cost $0.20. ($0.12 is a best-case number that the credit card companies used to use.) Small component costs can kill your margin quite quickly!

Much of what is required by the act is "good." However, the end-run for many businesses will be to force them to offshore (audit) work in an effort to drive down that extra overhead by 50-60% and make themselves remain competitive.

It's a boon to my business... as long as we aren't publicly traded! It adds work and helps us provide lower cost solutions than our listed competitors.

Re:World's smallest violin

[Usquebaugh]

'Compliance will ultimately cost nothing...' Completely disagree with this drivel. It's costing us time and money now, it will cost us time and money in the future. CEOs/CFOs already have enough information in front of them to make decisions. If they don't they're removed and the next CEO/CFO makes his first task to have this information. Every succesful company knows their figures.

'Don't have any...' So we're spending all this money with no idea if it's going to bring a net return? Ludicrous. What if it's costing more than all the fraud etc. was before? I also seriously doubt you are able to prove that financial fraud costs less or more than terrorism to the US on an annual basis.

Re:World's smallest violin

[Fig,+formerly+A.C.]

What if it's costing more than all the fraud etc. was before?

It is, if you look at the costs spread out over ALL the publicly held companies in the US. SOX is a money sinkhole, a bit of knee-jerk feel-good legislation that is going to hurt far more than it helps. Yay....

Re:World's smallest violin

[Profane+MuthaFucka]

Here's Brookings saying that the first year cost of Worldcom and Enron was $35 billion dollars. And that doesn't include the billions that Enron screwed out of California and other states:

http://www.brookings.edu/comm/policybriefs/pb106.h tm

Forbes reports that Enron owed $67 billion dollars (Worldcom owed TWICE as much), and the creditors were going to get less than 20 cents on the dollar. Turns out that they only had $12 billion to pay them.

http://www.forbes.com/business/2003/07/11/cx_da_07 11topnews.html

Also, you seem to forget that many people lost their entire retirements. All of it. Lots of funds also had money invested in Enron. Wikipedia has a big list of them.

And you also forget that Andersen also went down because of Enron.

Some of the losses were because results were fraudulently overstated, making the stocks look better than they were. Investors lost their money when Worldcom overstated results by 11 billion dollars. These amounts don't show up in bankruptcy, because investors are not the same as creditors.

http://www.forbes.com/management/2005/03/15/cx_da_ 0315ebbersguilty.html

I don't think there's really any serious doubt in anyone's mind that the recent corporate scandals cost more than the world trade center attacks. With the articles above I've shown that Enron and Worldcom alone were over $100 billion dollars lost. People and companies screwed out of their money. When you say "shifting money around" you make it seem like it was just put in the wrong bucket. Not even close.

BTW, the $35 billion I referred to was not about the scandals, it was the damage to the World trade center and economic loss from the terrorist attacks.

Re:World's smallest violin

[Profane+MuthaFucka]

I also seriously doubt you are able to prove that financial fraud costs less or more than terrorism to the US on an annual basis.

I have up to the minute figures on all aspects of the economy, in my brain. Of course I can prove it.

Plus, I read the Wall Street Journal, Forbes, and many other journals. They agree with me.

Re:World's smallest violin

[node+3]

Items 6-9 are only as large as they are in magnitude because of the war in Iraq, which has nothing to do with bin Laden.

Re:World's smallest violin

[sideshow]

If I punch you in the face, you don't have the right or justication to use that as an excuse to go murder the family of your enemy who wasn't involved in the face punching in the first place.

Re:World's smallest violin

[hymie3]

Even if I grant the $35b figure ... I still don't see how Ebbers and Lay came close to doing this much damage.

Two words: rolling blackouts.

Re:World's smallest violin

[Bob_Robertson]

Compliance will ultimately cost nothing.

Hi, Profane. I see we're on opposite sides of an issue again.

Compliance has costs, right now. It's time and money spent NOT satisfying customers, NOT building business relationships, NOT producing product, NOT hiring more workers or NOT improving the conditions/pay/training of the employees.

There is something you don't seem to grasp, called the "Time Preference Of Money". It is why we earn interest on money we don't spend today, or pay interest on money we borrow to spend today. My $1,000 invested today turns into $1,100, or more or less, depending on how smart I am in investing.

My $1,000 paid on the principle of my mortgage today means I am not going to be paying many times that in interest over the life of the loan.

Businesses are no different.

The spending of $1,000 on redundant paperwork and red-tape accounting services today means that I do not have that money to invest where it will earn a return on my investment. You can argue till you're blue in the face that I'll get that money back "someday", but even if I get my $1,000 dollars back I have LOST money because of the lost investment opportunity.

This is the essence of the "broken window fallacy" in economics, as well as Adam Smith's "invisible hand". Freidric Hayak called it "That which is unseen."

This law doesn't fix anything. Enron failed because they had a business model based on buying and selling of GOVERNMENT pollution credits and other fabrications of government which failed to be legislated into existence. When the empty bubble that was Enron failed, it didn't matter that it had been making stuff up in its books, it would have failed anyway. It Had No Product.

The market worked. Their accounting firm was demonstrated to be corrupt and it failed too. This is what happens in a free market, bad companies fail. To call that a "bad thing" it to try to argue that corrupt, inefficient, or just plain badly run businesses should not fail. Such an effort in argument is beyond stupid.

Making the law more strict will simply mean less money left over for training, pay and facilities. Higher prices, too. After all, there is no source of money in a company than their customers. Every tax, every fee, every fine or payment comes from sales.

So you're arguing for less competition, higher prices and lower wages. No thank you.

Bob-

Re:World's smallest violin

[ageoffri]

As I'm heavily involved in SOX complaince at Big Blue I'm posting AC.

I see nothing wrong with asking companies to prove that they aren't ripping off stakeholders. I do see a huge problem when the solution is worse then the problem. We used to have 3 or 4 corporate, customer, Price Waterhouse audits a year. At this point I've been involved in about 10 audits for this year. I have one person dedicated full time to audit a large part of which is SOX related.

I fully expect to start seeing filing with the SEC that state a decrease in profit due to SOX compliance. I know it cost us and our customers millions last year and this year is looking to be more expensive.

Re:World's smallest violin

[gnovos]

You can see from the above that I'm hugely in favor of this law. The World Trade Center bombing:

1) Killed thousands of highly productive people
2) Shut down a section of a major US city for days
3) Destroyed extremely expensive buildings which then required a very expensive clean up effort
4) Shut down a all foreign trade for days
5) Shut down a good chunk of the US transportation system for days
6) Resulted in large permanent increases in US airline ticket prices
7) Resulted in 2 wars
8) Resulted in an increase of oil prices from $20 barrel to about $40-50
9) May have increased cancer rates and other long term health costs for something on the order of 2 million people.

Cars:

1) Kill 40,000 people a year in the USA alone.
2) Reduce the sum GDP by the amount that these peopel contribute to this, over the course of a normal life span...
3) Average person, let's say $30,000 a year.
4) Average working years... 50?
5) $60,000,000,000 ... a year in lost "potential". Caused because car manufacturers don't make cars that are next to impossible to crash or that can't go faster than X miles per hour (where X is some incredibly safe speed).

If we had enacted "super safe car" laws 30 years ago, we'd have, at minimu, 2 trillion dollars more, as a nation, to spend on whatever.

Basically, the point I'm trying to make is that, using numbers like this to compare things, it's very easy to pick the winner before-hand and make sure you end up that way.

Re:World's smallest violin

[Profane+MuthaFucka]

Hi, Profane. I see we're on opposite sides of an issue again.

Not a problem. You've always argued like a gentleman.

So far I've argued the upside of Sarbanes-Oxley, and I think that all those things are true upsides. I think that ultimately it will be effective in allowing corporate corruption to be detected.

I don't think this is the broken windows fallacy in general, because nobody is claiming that auditing in itself will be a benefit. The benefit comes from the lessened corporate corruption. Corruption causes even larger detrimental effects on the economy than the fix does. Unlike breaking windows, which doesn't aim to solve a larger problem, Sarbanes-Oxley aims to solve a larger and more expensive problem than would exist without the law. With some consideration, I think you will see the difference.

You have outlined very well here some of the downsides to Sarbanes-Oxley. These are real things that cannot be ignored. The response, and the reason the law was enacted, is that all the economic pain that you describe is less than the pain which corrupt corporations cause.

A free country definitely relies on people being able to get rich. Nothing wrong with that. On this, I am sure we agree. But I also believe that a free country also relies on people being able to get rich *fairly*. Corruption means that people get rich unfairly, and that in turn means that some people are prevented from getting rich fairly.

Re:World's smallest violin

[God_Retired]

The correct answer was for _ALL_ companies trading in the US to publish complete annual accounts down to the transaction level. This would be easier for the company, would provide all the detail any investigator needed.

Well, I doubt that would fix it. If people are going to lie about paperwork, they'll lie about that paperwork as well. It may make it a little harder.

No siree. The correct answer is to pass a law saying if you knowingly screw people out of their retirements you die. Painfully. And the people you love and anyone 2 or less steps down the corporate heirarchy.

Seriously. Enough pussy footing around it, that would make a difference. Oh yeah, this is the United States of America. People will always end up getting screwed. Never mind.

Re:World's smallest violin

[dubl-u]

Enron failed because they had a business model based on buying and selling of GOVERNMENT pollution credits and other fabrications of government which failed to be legislated into existence.

I can't fairly evaluate the rest of your post, but I hope it's more accurate than this.

Enron failed primarily because of pervasive accounting fraud, although their overspending on things like bandwidth trading and the outright theiving of people like Andrew Fastow sure didn't help. To anybody who knows the first thing about accounting, the shit they got up to was stunningly foolish. Both their execs and their auditors deserve to spend a decade in the pen. For those interested, a very readable account is Power Failure.

The market worked. Their accounting firm was demonstrated to be corrupt and it failed too. This is what happens in a free market, bad companies fail. To call that a "bad thing" it to try to argue that corrupt, inefficient, or just plain badly run businesses should not fail.

The problem here is with a very long feedback loop, which allows the consequences of failure to be very large.

It can take years for a carefully run fraud to be discovered. It's hard enough to evaluate a company that is disclosing things fully; it's beyond the means of most investors to evaluate a company that has room to lie. For public markets to function well, it's essential that the information companies give to their investors be clear and correct. Otherwise people will put their money in less productive but safer places, like mattresses or government bonds.

I don't think anybody wants to keep companies from failing. But I want companies to report risks and failures honestly. That lets me invest with confidence, and it helps keep little problems from snowballing into big ones.

Re:World's smallest violin

[jbolden]

Your a missing the point about the shifting. If I sell $1b worth of bonds based on fraud that $1b hasn't disappeared. The creditors might not get the $1b back but it went to shareholders or employees or somewhere else in the economy. It most likely went somewhere worse than the bond holders could have put it so there is a frictional cost. Say 5% or so.

Some people lost money others gained. If I blow up a building the wealth is just gone.

Re:World's smallest violin

[jbolden]

And this wasn't happening in 2001 when oil was at $20.

Re:World's smallest violin

[jbolden]

Now subtract off the cost of making several hundred million uncrashable cars.

Re:World's smallest violin

[Profane+MuthaFucka]

I understand the point about the shifting, but I think you're underestimating the cost of corruption.

As I pointed out in another post in this thread, corruption allows people to get rich unfairly. This also means that some other people are prevented from getting rich fairly. It's a direct undermining of the integrity of the capitalist system. There are countles countries around the world where widespread corruption is a significant part of their problems (think Central and South America).

Obviously, money doesn't disappear. But when "shuffling" money around means that people lose their entire retirement, that's much more than a 5% frictional cost. If "shuffling" money means that the government has to bail someone out, that's more than 5%.

Re:World's smallest violin

[gnovos]

How much is nerf per metric ton these days?

Re:World's smallest violin

[The-Bus]

By the way, #8 is not directly related to the event.

Re:World's smallest violin

[I_M_Noman]

Items 6-9 are only as large as they are in magnitude because of the war in Iraq, which has nothing to do with bin Laden.

I agree re: items 7 & 8; however, items 6 & 9 (6: Resulted in large permanent increases in US airline ticket prices, 9: May have increased cancer rates and other long term health costs for something on the order of 2 million people) are directly related to the attacks and, therefore, bin Laden.

Re:World's smallest violin

[Bob_Robertson]

I thank you for your kind words.

Actually, I do have a big problem with one thing you're saying, even though I am not certain you mean what it seems you mean. To wit:

a free country also relies on people being able to get rich *fairly*

There's nothing fair about life. Trying to impose "fairness" is a justification used by tyrants to lull individuals into a false sense of security while they're being stabbed in the back. But what I think you meant was not fair but ethical.

One of the unseen effects of all these regulations, especially limited liability incorporation, is that officers and stock holders are insulated from the repercussions of their choices.

Remove all the legal impediments, and what will happen? Ethical accounting practices will be demanded by stockholders. Accountability (please pardon the pun, English is a limited language) of officers for the results of their decisions will be imposed not because the governments say so but because stock holders are attentive and fickle. It is, after all, their money, not the company officer's, and people tend to be careful with their own money.

I do implore you to click on over to http://www.mises.org/ and check out not just the daily articles but also their "blog" where they post several times as many comments and links on business, regulation, ethics, anything that relates to economics. Sarbanes-Oxley has been discussed in detail, to an extent anything I say pales in comparison.

Bob-

Re:World's smallest violin

[jbolden]

You are still talking within the system. People "losing their retirement" is a choice we make within the system. We can simple the wealth back and it didn't happen. A bail out is within the system. Nothing is being destroyed one way or the other. Yes corruption and misallocation of wealth introduce a frictional cost which in the end can be destructive. 5% seems reasonable to me, lots of people would argue its closer to 1% or so. That's actually a very high number, I'm not underestimating the cost of corruption at all. I'm just not willing to say that a $1b being stolen is equally bad for the economy to $1b being destroyed.

Re:World's smallest violin

[duffbeer703]

Then think less and read more :)

The are a several main factors, none of which have much to do with the supply of crude oil.

- The dollar has devalued nearly 25% since 2000 versus the Euro (imports are more expensive)
- The Feds have allowed oil company mergers to go through again. There used to be 15 gasoline refineries in NY, post-consolidation there are 6. (ExxonMobil represents the core of the old Standard Oil monopoly.)
- Oil company lobbyists have encouraged state governments to pass differning gasoline formulations to battle smog. The result is that refineries work at 90% of capacity and keep inventories low, resulting in high prices.

Re:World's smallest violin

[jbolden]

How exactly does that chart not show a pretty strong connection. You have oil hitting a vertex right at 9/11 and proceeding to go up since then.

Re:World's smallest violin

[Major+Lame+Brain]

Ethical accounting practices will be demanded by stockholders.

An increase in value of their holdings is all that is demanded by stock holders IMHO. And unethical behavior all too often increases value long enough to make it worthwhile.

I'm a former UUNET (bought by WorldCom) employee and your assertion is invalidated by much of corporate history. Most CEOs, board members, senior officers are heavily invested in the companies they run. The main motive ascribed to Ebbers' fiddling with the books was that if the stock price fell too far he might loose his home since its purchase was leveraged with his massive stock holdings. The board paid off his loan but that didn't end the shinanagans (sp?).

If greed wasn't a more powerful motivator than ethics for far too many corporations then there wouldn't be a need for any regulations whatsoever.

You're not really advocating that are you?

To the topic:
I spent months doing SOX work for Three-Five Systems in Phoenix and while it did require enormous resource expenditure in IT, I approve of the concept of demanding that CEOs legally state their responsibility for the "cleanliness" of the company's books.

Re:World's smallest violin

[jbolden]

The last two effect the price gas not the price of oil. The devaulation of the dollar would explain a rise from $20 to say $27 not to $50.

Re:World's smallest violin

[Artemis]

You did an awesome job posting as an AC there.

Re:World's smallest violin

[duffbeer703]

That is true... demand is growing all over the world for crude.

I have a good friend who's own a small chain of gas stations, so most of what I hear about the industry centers around gasoline.

Re:World's smallest violin

[avi33]

The number one factor affecting oil prices is demand, shortly followed by production capacity and/or reserves.

It is convenient for our current government to blame terrorism for a failure in planning and policy, but 9/11 did not cause current oil prices.

If so, why did it take 3 years for the price to climb? Demand and Production capacity! When the price used to jump, OPEC adjusted production to stabilize it. Why can't they do the same now? Production is running pretty high already, and they can't just "turn up the spigot" like they used to.

Demand is generally attributed to 2 major factors at the moment: Chinese Industrial development and US demand. If the US had implemented a sound energy policy, we could dial down our thirst for oil, use and resell our reserves (built up at a time when oil was cheap) and we wouldn't have any worries in regards to a domestic shortage. We could leave it to the Chinese to figure out how to sustain industrial growth without overconsumption.

The fact is, the US corporate oil interests want it high. It's easier for them to make profits at higher prices, to expand exploration, to deliver it at high cost across great distances, and to scare the public into going along with things (like ANWR) that would otherwise be met with resistance.

9/11 is a convenient excuse for a lot of things. An avoidable war, an airline industry that wants both a government handout and a premium from consumers, a permanent expansion of government powers that will have no positive impact on security...

Re:World's smallest violin

[jbolden]

You are ignoring the vertex point. As for the jump in demand and OPEC's inability to respond; there has been an Al-Quida counter attack in Saudi Arabia. They've driven huge number of the westerners (who are needed for bring new wells onlne) out the country. The result is that Saudi is not the swing producer it used to be. Further they've managed to prevent us from being Iraq oil online.

Yes world demand is high. But the shortage is being caused by enemy forces succesfully attacking our oil production.

Re:World's smallest violin

[Profane+MuthaFucka]

Aha, very interesting. I understand the word "ethical" to mean operating in a manner consistent with the rules. Some people take "moral" to be the same thing, but I think that "moral" is a judgement of the rules system. An ethical system can be moral (good) or immoral (bad), but it's just a set of rules. You are ethical when you obey the rules, and unethical when you don't obey the rules.

Now, I happen to think that people are free to make up ethical systems which can either promote fairness, or not promote fairness. Life is not fair, as you point out. But an ethical system is an artificial construct, and life is a natural one. We humans are best at saying "this environment sucks", and then changing the environment to suit our desires. In my opinion there's nothing wrong with an ethical system trying to create fairness, if that's something that is valued in the society that makes the ethical system.

Here is a simple case for fairness in ethical systems:

A major criticism of Communism and Socialism is that when economic products are distributed without regard to the merit of the recipient, then the will to succeed breaks down. Everyone performs at the same mediocre level, because there is no personal benefit to performing better. This criticism is accurate and true, in my opinion. Equal distribution is not the same as fair distribution, because those who work harder/better/smarter are screwed.

In a capitalist system, the same thing can happen because of corruption (unethical behavior). The undeserving get rich, and the harder/better/smarter people get screwed. When fairness is not included into a capitalistic ethics system, capitalism suffers from the same kind of breakdown that communism does. Before a person is going to go that extra mile, they need to have confidence that their extra efforts are not going to be squandered in a system that isn't set up to reward them for better effort.

Now, within the sense of the fair ethical framework that we have set up for our capitalist system, there is a flaw in the application of Sarbanes-Oxley which troubles me, and if it were presented in an argument I would be hard-pressed to justify. I'm not going to be the first to bring it up though. :-)

Re:World's smallest violin

[Bob_Robertson]

If greed wasn't a more powerful motivator than ethics for far too many corporations then there wouldn't be a need for any regulations whatsoever.

The regulations don't punish anything that isn't already punishable, and impose great gobs of costs in their compliance.

It's like making detailed laws against murder. Death by bludgeoning is a separate crime from death by stabbing, separate from death by shooting, etc etc etc. Motorvehicular homicide? Still homicide. All are murder, all prosecutable, but it takes volumes of law books to track and years of practice to understand.

Did the accountants lie? Yes. Prosecute it. One sentence, rather than 17,000 pages of regulations.

You're not really advocating that are you?

Technically speaking, yes. What I am not doing is advocating anyone get away with lying to their stockholders about the condition of the company.

Which means that you and I are in complete agreement with the approval in your last sentence, while being in complete disagreement about how to get there.

Bob-

Re:World's smallest violin

[Bob_Robertson]

You are ethical when you obey the rules, and unethical when you don't obey the rules.

Which is why I would only invest in a company (if this were a completely voluntary system) which ascribed to a set of accounting practices. I'm not saying that the level of detail that SOX requires is in-of-itself bad, I'm saying that I would prefer it be something done because it inspires investor and customer confidence.

The reason that a free market doesn't succumb to the same dead-end corruption as a command economy does is because there isn't anyone in "command" to be corrupt. Abusive companies lose their reputations, badly run organizations fail, consumers are free to buy from whomever they wish while new sellers can enter any venture where they can offer value.

I see great value in good accounting practices. I don't expect it will prevent abuse any more than laws against murder prevent murder. What quality accounting practices do is raise confidence of both customers and investors. In a truly free market, such confidence is exceptionally important.

The importance of quality in accounting practices is evident in the fact that a "representative" style government believes it has the mandate required for it to take action in the matter. Government involvement is not a first step, it is a reaction to what investors, customers and other individuals already want to see.

Being "unfair" in the eyes of the consumer is also a great way to go out of business. Thus is the "social standard" imposed upon business practices without any government needed.

Bob-

Re:World's smallest violin

[node+3]

6: Resulted in large permanent increases in US airline ticket prices

The major increase in ticket prices are due to the increasing cost of oil, but even limiting ourselves to the 9/11 related price increases, there's a lot of overkill there, as well as the airlines using it as an excuse to raise the prices for an already ailing market. I'll grant calling the ticket price increase 'huge' is a matter of opinion, but when taken as a portion of the hundreds of billions the parent poster claimed, I'd be hard-pressed to call it a significant factor.

9: May have increased cancer rates and other long term health costs

I took that to mean the use of depleted uranium in Iraq, as well as the conventional toll of the war (on both sides). If the poster just meant debris from the WTC, then I agree that OBL/AQ is responsible for the initial exposure, and the costs of the resulting clean up and rebuilding, but the Federal Government said the air was safe. If if wasn't, then they hold some blame for not warning people.

are directly related to the attacks and, therefore, bin Laden.

Which is why I made the distinction that, "Items 6-9 are only as large as they are in magnitude." In other words, those items would still be issues, but a significant portion of those effects are not direct results of OBL or 9/11.

Re:World's smallest violin

[incabulos]

Interesting. I would suggest that George W Bush is responsible for half the points you have attributed solely to Bin Laden. Or is OBL secretly running the US government and authorising all the foreign and domestic policy since that fateful day?

I'm quite sure Osama does not need to take credit for the actions of any other mass murderer or war criminal, he has done more than enough as it is.

Re:World's smallest violin

[fbg111]

Nice website. I just love opening pr0n at work.

Re:World's smallest violin

[Profane+MuthaFucka]

Thanks. I made it just for you.

What is Sarbanes-Oxley?

Would it have killed the poster to mention what Sarbanes-Oxley is?

Oh well, since he can't be arsed, here's a quote from the second link:

"The Sarbanes-Oxley Act is a sweeping piece of legislation that regulates, among other things, how companies report financial results and disclose executive compensation. What's more, the law holds both company executives and external auditors directly accountable for the accuracy of financial reports and seeks to protect employees who blow the whistle on suspected fraud."

Re:What is Sarbanes-Oxley?

[Mr.+Slippery]

"The Sarbanes-Oxley Act is a sweeping piece of legislation that regulates, among other things, how companies report financial results and disclose executive compensation....

Ok. So WTF does it have to do with software, hardware, or any anything else we generally talk about /.? Sounds like a potential pain for the CFOs and their legions of bean counters, not the CIOs and their geek armies, so what's up?

Re:What is Sarbanes-Oxley?

[node+3]

Would it have killed the poster to mention what Sarbanes-Oxley is?

No kidding. Another thing that would have been useful would have been had he pointed out what the fuck this has to do with IT.

I mean, seriously, "All I hear from IT directors is Sarbanes-Oxley, Sarbanes-Oxley, Sarbanes-Oxley."? If *I* was a conservative (or corporate, if you prefer) lobbyist, and *I* wanted an issue on Slashdot that has nothing much to do with IT, *I'd* submit an article that mentions IT without any logical context, and repeat my propaganda 3x in a row, then close out with, "and that's just the IT department. How are you dealing? Did you make your compliance deadline even after the extension? Are you joining the the backlash?" (especially note the last part--are you joining the 'backlash'? No? What's wrong with you, citizen!)

Two more things that come to mind are:

1. "SOX, as they're calling it, is taxing manpower, swallowing time, and adding huge administrative headaches"

You mean the IT departments are growing (well, that's unclear as what it has to do with IT is unclear, but assuming the submitter's context makes a damn lick of sense...), and that's bad?

2. "not to mention incurring fees and salaries paid out to staff or third-party firms hired to ensure compliance"

Salaries paid out to staff--oh the humanity!

As others have pointed out already, this is good legislation that forces corporations into a more honest and open state. Exactly who would see this as a bad thing?

Re:What is Sarbanes-Oxley?

Section 404 of the act essentially requires companies to prove that they have adequate internal controls to ensure that the financial statements are accurate. What this ends up doing is cascading a simple thing (Is the 10-K accurate?) into a giant list of things, including IT procedures, HR and Payroll proceedures, etc.

We got dinged on a few minor things, like no documented policy on hardware service level agreements. K-P-M-G considered this a "Significant Deficiency" in internal controls, which is one step below having K-P-M-G say to the world that your financial reports cannot be trusted. They just had no sense of proportion or scale.

Re:What is Sarbanes-Oxley?

[gstoddart]

No kidding. Another thing that would have been useful would have been had he pointed out what the fuck this has to do with IT.

Easy -- E-Mail communications related to the operation of a business which is subject to SEC oversight (publically traded) is now considered a vital piece of corporate history which must be preserved.

From this thread you can get the gist of it.

Violated Section 17(a) of the Securities Exchange Act of 1934, Rule 17a-4 under the Exchange Act, NYSE Rule 440 and NASD Rule 3110 by failing to preserve for a period of three years, and/or preserve in an accessible place for two years, electronic communications relating to the business of the firm, including interoffice memoranda and communications.

That includes e-mail correspondence.

Which means if a publically traded company gets hauled into court by the SEC and have NOT successfully kept every single e-mail related to corporate-governnance, the executives can go to jail.

This means that for large companies, IT is expected to be able to retain, find, and present their e-mail records in a court of law for several years.

There are huge IT ramifications involved here.

For more, read this piece which does a pretty job of describing the impacts (and creepy aspects of SOX). (OK, he's actually talking about a different aspect, but the first few paragraphs cover the topic.)

Your ignorance of SOX doesn't negate that this is very much an IT issue.

Cheers

Re:What is Sarbanes-Oxley?

[node+3]

the executives can go to jail

Which has little to do with IT. If IT fails to preserve email, IT won't go to jail. The executives will only go to jail if they are seen as negligent or otherwise accountable for IT's failure--which is the way it should be!

There are huge IT ramifications involved here.

You mean they have to click a check-box/add a config line to an rc file?

OH MY GOD!!! SARBANES-OXLEY, SARBANES-OXLEY, SARBANES-OXLEY!!!!

Your ignorance of SOX doesn't negate that this is very much an IT issue.

My ignorance of SOX doesn't make it "very much" an IT issue either.

Everything I've seen of Sarbanes-Oxley points to it being designed to keep CEO's and other executives from putting into place policies designed to remove responsibility.

And this isn't some major impact on IT. You're gonna have to come up with something more than, "IT has to store data". I mean, isn't that exactly one of the things IT is already doing?

I know you're going to say, "but you didn't ask, 'what *huge* impact will this have on IT?' you asked 'what does this have to do with IT?'" I'll grant you that, if you want to talk semantics, but my point hasn't changed (and the context of my post should make my point fairly easy to grasp), which is that the article's submitter appears to be ideologically opposed to SOX! SOX! SOX!, and is trying to use a non-issue to get others onto his bandwagon.

There's nothing to backlash against, unless you're an ideologue who thinks the powerful shouldn't be held responsible for their actions, an executive who counts on being able to game the system, or an incompetent IT staffer who doesn't know how to store data.

One the best laws in a long time

[jbolden]

There have been few laws passed in the last 3 decades which are designed to help people (investors are often mutual funds and pension funds) at the expense of executive management. Executives for far too long have been able to lie and then claim they didn't know they were lying. Because the SEC doesn't go after white collar crime they way they go after some 16 year old who rips off a 7/11 these guys never go to jail. By creating a paper trail hopefully more executives who commit fraud will go to jail and there will be some decrease in the amount of fraud in US business.

If that's costs money I'm all for seeing the money spent.

Re:One the best laws in a long time

[wolf31o2]

I really have to agree with you. There should be a paper trail on this sort of thing. If that is "taxing manpower" then I have to ask you, what the hell were you actually doing before?

I would love to see these white-collar criminals treating like the self-serving scum that they really are. Maybe we need to see a few of them get the business end of a night stick. Maybe we need to see them paraded out of their homes, which are promptly seized by the police, and into the back of squad cars with their crying, spoiled little wives screaming as they are taken away. I really cannot stand to see this sort of corruption go unpunished. These men and women are criminals, just like anyone who steals money via any other means. Why do we insist on treating them like they're VIP's?

Re:One the best laws in a long time

[Fig,+formerly+A.C.]

The part you're missing is that this isn't hurting the average exec, it's hurting the stockholders. The extra fees are eating into profit, so everyone's 401k plan is going to start sliding... This BS legislation doesn very little except keep a LOT of auditors employed at the expense of the people the law was meant to protect.

Re:One the best laws in a long time

[dave1g]

Sounds like a smart person would move his investments to auditing companies.

Youg gotta know how to roll with the punches.

Re:One the best laws in a long time

[Brandybuck]

I would love to see these white-collar criminals treating like the self-serving scum that they really are.

Ditto! Instead of punishing the honest corporation for the sins of Enron and WorldCom, why not punish the actual lawbreakers?

Re:One the best laws in a long time

[krist0]

reminds me of a episode of chappells show where he wished the roles were reversed on how the police treat people...so on one hand you have a business exec and the other a crack dealer.....its great fun seeing the swat team bust into the business guys house, shot his dog, interrogate him and send him to jail....

if only.

More info...

[Chris+Pimlott]

I had no I idea what this act was either, so I recommend checking out the Wikipedia entry.

The Sarbanes-Oxley Act (officially titled the Public Company Accounting Reform and Investor Protection Act of 2002), signed into law on 30 July 2002 by President Bush, is considered the most significant change to federal securities laws in the United States since the New Deal. ... The goal of the act was to protect investors by improving the accuracy and reliability of corporate disclosures. The act covers issues such as establishing a public company accounting oversight board, auditor independence, corporate responsibility and enhanced financial disclosure.

Re:More info...

[Marillion]

The thing that gets me is that I can't find anything in the legistation that actually mentions technology. I think it was an excuse for the the "Big Accounting Firms" to impose new criteria for of what a firm must do before they'll certify a companies financial statements.

In the Cincinnati financial district, there are accounting firms that can't remodel floors fast enough to hold all the people in their 'Sarbanes-Oxley wing.'

Network security measures

[crow]

They made a bunch of security changes here, some of which they blamed on SOX. The worst one was 90-day password expiration. Is that really part of SOX, or just the local interpretation?

They also closed off access to most ports besides 80, but I think that was just a local decision.

Re:Network security measures

[tchuladdiass]

Well, the act specifies that records have to be accurate. And if corporate officers are relying on the data on the systems to be acurate, then the systems need to be secure. So anything that is part of "security best practices" is being implimented just to make sure. And yes, 90-day password expiration is generally accepted a best practice at a minimum.
Also keep in mind that even if policies can be compromised, the fact that a policy is there can protect a company in the event of a lawsuit, whereas if there was no policy then the company could be more liable for not taking reasonable measures to protect their security.
It's just like the fact that you perform system backups even though it is possible for the backup tape to break at the same time as a disk crash.

SOX Sucks

I'm posting this anonymously as I wouldn't want it traced back to me, but I can tell you not only is it costly and burdensome, but it doesn't work. We are now in "compliance", but the changes we had to make to our systems not only didn't have any affect on my ability to alter financial data, but they made them less secure in the process, because external auditors know nothing about our systems, they only have a checklist of features that have to be enabled. It's nothing more than a costly joke that wastes my time and keeps me from doing work that would actually improve our systems. I've started avoiding small, quick projects that would benefit the users, because I would spend 5 minutes making the changes and then 2 hours spread over several days documenting them and getting the required approvals to implement them.

Re:SOX Sucks

I have to agree. At my employer, SOX compliance has simply gotten out of hand. It has gone from detailing the procedures used to control financial data to deailing the procedures used to control any corporate asset, including software and code. As a result, we are undertaking all kinds of efforts to ensure what a reasonable configuration management policy should already take care of. And we're doing it in such a way that it takes an inordinate amount of time and signatures to get anything productive done.

I love that we've passed legislation to protect individual investors and place personal liability on executives for fraud, but the section 404 rules have been too widely interpreted and as a result are overly burdensom.

My anonymous $0.02.

Re:SOX Sucks

[stevenbdjr]

Wait, you're bitching because you have to spend time documenting system changes? How long have you worked in IT? Do you have any idea how important and valuable system and network documentation is?

Next to reliable backups, I can't think of anything more important than a changelog.

Re:SOX Sucks

25 years, and this goes way beyond a changelog. It involves getting and documenting approval from people who don't even understand what I do, and don't want to know, that's why they hired me in the first place. They'll sign whatever I put in front of them, and even if they didn't, I could still make whatever changes I want to make, they would just catch up with me at the next audit and I'd get fired (assuming I didn't go out of my way to hide what I did). It has had no effect on the accuracy of our financial statements, it has only burdened us with needless red tape.

Re:SOX Sucks

[dynamo]

I heard that the actual section 404 rules were not found, thus people have been making up all kinds of 'interpretations' to cover up that fact.

Re:SOX Sucks

[Quixote]

I smell BS.

PS: see my journal entry about the perceived "anonymity" at /.

I'm Lovin' It

[wishus]

My wife is a an auditor for a big-4 firm doing SOX work. Cha-ching!

fyi

[oliana]

Sarbanes-Oxley is a law that only applies to SEC firms (firms that are publicly traded in the US and must report financial statements to the SEC.)

Prevents Accounting firms from doing non-Audit functions for SEC firm that they also perform SEC Audits for (except tax-work, and only if approved by the SEC, and for work that produces minimal income to the Audit firm. These must be disclosed in the Financial Statements of the firm audited.) This is important becase an audit firm in the past could be doing as much or more work for a company in consulting as they were for in audit. The leads to an impression that the auditor might not be independant of the firm.

Increases the required independence of the Audit Committee of SEC Firms (Members of the Board of Directors who hire and oversee Independant Auditors). This is important because the Audit committee should not be biased towards the company if they are hiring the independant auditors and overseeing their work.

Makes Management of companies more responsible for the assertions they have in their Financial Statements (and assertion may be along the lines of "Currents Assets: $1.3 Billion" or "In the following year we expect to open three more locations in ..."). This is important because, if the CEO signs a statement that states that he knows financial statements are reported fairly and without any material misstatements, he cannot say in court that "I had no idea that this was happening."

Requires Management to asses the controls associated with preventing fraud, defalcation and errors that could lead to materially misstating their Financial Statements, and requires an independant Audit of this assesment. (This would be the part that affects the IT community the most.)

It also created a required record retention for audits, more thourough peer reviews of audits and rotations of the Audit Partners associated with the audit. (Thank you, Arthur Andersen)

How this affected me:
Many more jobs in the Audit field, mine being one. Which allows me to be a techy on the side, which is a lot more fun that it being work.

How I'm affected

I work as a geek/developer at a well known fortune 500 oil company. I can say that although I personally thought SOX was a positive step in the right direction, the knee-jerk reaction of individual companies is stifling any benefit that may have been brought about as a result of SOX.

Now, having seen the changes around the company and the assinine requirements that NON-financial related projects have to meet, I'd say it's worthless and will only cause the US economy to further stagnate.

Just a quick example:
I develop/maintain a menu of sorts used by about 800-1000 people on a daily basis to complete their daily sales paperwork. It's just an interface to the underlying software, and does not interact with financial data in any way. Since we've started SOX compliance, I've been required to document every line of code that changes and maintain a hard copy of said change for 3 years. It doesn't even do anything with financial data, it's just a user tool so they don't have to remember the commands of an archaic accounting package. Yet, because of what the company views as SOX compliance, about 50% of the time I used to put towards developing this tool and providing support/documentation to the end user, now get's spent doing diff's and printing reports.

So I ask you, /., how is this going to prevent the CEO of a company from having the books cooked? How is what I'm doing a benefit to the company? (We already use CVS, so you can't say the hard copy has any purpose other than to satisfy some bean counters wicket)

Re:How I'm affected

[jbolden]

How exactly is it a fault it SOX that your company is creating stupid rules that have nothing to do with SOX? I can't even begin to follow the chain or reasoning here. Your company has bad management that can't implement requirements properly. That's a problem with your company not with the law.

Re:How I'm affected

[pbrammer]

A system doesn't have to interact with financial data to fall under SOX. If a system is used to even influence financial data (making a financial decision based off of sales numbers, for instance) it falls under the SOX realm.

Re:How I'm affected

[bvk]

The problem here is that SOX is very very vague in how it impacts IT. So the advice you get from an auditor is that you should use "Best Practices" for IT (like those defined by COBIT [do a google search for it]). These cover a great many things that have nothing specifically to do with SOx, but which add an enormous amount of documentation, approval, and other overhead.
This is a huge time-sink. And evaluating existing systems and creating the processes to audit them is an even bigger sink.
If the auditor insists you need it, you better have it or you fail, even if you don't think it applies. And each auditor has different standards....

Re:How I'm affected

[jbolden]

SOX is very clear. A company is responsible for putting in place standards so that they know their data is correct and secure. A company can come up with any reasonable standard they like. If they don't have good reason to come up with their own standard then they can use a good off the shelf standard. The off the shelf standards are generally quite complex and som summaries are provided which don't include the exceptions and thcases. Many people hired as "experts" have never read the standards and at best have read the summaries.

The situation you are describing is:
a) A company that doesn't have its own standards
b) Had hired an outside consultant to have them implement these standards rather than developing in house expertise on IT standards and practices
c) Either the consultant does not have suffecient hours or suffecient knowledge to provide to implement the standards properly.
d) The company does not listen to its employees that indicate that these standards are not helpful.

a,b,c and d I all see as failures of the company not of SOX. Its not unreasonable for the government to assume that:

a) Companies should already have in place good standards for their data security when it involves financial data
b) Companies should be anxious to devleop the in house expertise to develop such standards if they don't already have them
c) These standards should be developed in full coordination with the SMEs in the business
d) The people they choose to implement such standards should be knowledgeable and qualified
e) The standards should be well considered for the type of systems in place and applied reasonably

I don't think those are unreasonable expectations.

Re:How I'm affected

[bvk]

I agree that standards for security and other aspects of IT are a good thing. However, in my case, we're a group of about 10 people in a company of 400. We maintain networks/servers/vendor apps/custom apps, as well as developing new apps. We were told by our auditors to ensure that our existing standards met extremely vague "Controls", many of which have nothing IT-specific in them. This meant we had to guess at how strict the new standards would need to be to pass an audit, create the standards, and then hope that they will be good enough.

Many controls that I thought were already "reasonable" were deemed insufficient. For example, we don't let all developers log in to production systems to release updates. Only certain qualified developers can do that for each project. This seems "reasonable" to me.

We were told that this violated the controls, and *no* developers were allowed to log on to production systems. This is insane, since there is no way anyone other than a developer for the systems is qualified to do a release. It would be a much bigger risk to have a non-developer do it, but that's what was suggested.

If we had a bigger group, maybe we could afford to have a qualified person around just to do releases. But we certainly can't afford that here. And, as I mentioned, our existing process seems "reasonable".

This is just one example, I have a bunch more.

Another major area of overhead is the cost of the paperwork and useless approvals for every change to a system, even when there is no way the person approving the change can possibly understand the ramifications of the change. Peer-reviewing a change is much safer and more effective, but not sufficient (I'm told) because it doesn't separate responsibilities appropriately. So it needs to be signed-off by a Business Owner who in many cases neither understands nor cares about the technical details.

In general, your assumptions a through e are fine. But they (like SOx) leave a lot of room for interpretation, and the people doing the interpretation are the auditors, who may know very little about most aspects of IT.
There are specific problems with how SOx seems to be applied, especially to small companies which can't afford the overhead. There are companies which managed OK (pre-SOx) with only a single-digit IT staff, and run secure, reliable operations because they have limited needs. But imposing a layer of paperwork on them will rapidly kill their ability to do so, because their technical time is soaked up by paperwork. And I have no idea how a company with an IT staff smaller than ours could possibly segregate responsibilites in a SOx-compliant way.

I think the big problem is that in practice, "reasonable" varies a great deal from auditor to auditor, and the same overhead is being demanded of all organizations, without regard to size.

Re:How I'm affected

[jbolden]

This actually makes sense to me. Let me play devil's advocate for a second and defend the auditor.

You are defining risk in terms of who is more likely to technically be knowledgeable enough to successfully roll an application into production. The auditor is defining risk as assume that some of the people in the company want to deliberately falsify data, how do you put in place a process such that they are unlikely to be successful. Developers because they are the most qualified are the people who would have the easiest time falsifying data particularly in non-obvious ways. So any application rolled into production directly from developers cannot be trusted at all to protect the organization from a conspiracy involving a small number of carefully chosen people to falsify data (which is what SOX is meant to prevent).

The point of having business owners have to sign off on changes and developers not having direct access to the system is not because these people can necessarily successfully audit the developers without having to go to a great deal of trouble (like perhaps bring in outside expertise) but rather that developers won't be able to roll in changes without lots of people knowing and asking questions. Changes "out of the blue" become suspect.

Mind you it sounds like the best way for you to handle things is for most of your apps to simple untrusted, and to have controls at the interface points between the trusted and the untrusted apps. SOX does not require that all or even most of the IS systems be trusted only those that handle company financial data.

BTW you may be right that at 5 or 10 IS staff with a wide range of responsibilities you simple cannot segregate responsibility in a SOX compliant way and thus you have no choice but to use other means of self auditing (for example redundant systems some of which are maintained by outside vendors).

If you want to give some of the other examples I'd be interested in continuing this thread.

Re:How I'm affected

[salempiper]

I wish I would have found this earlier, and how I hope you're still listening. :)

Just as you said, the developer is the most qualified person and has the easiest time falsifying data. Just because the developer didn't rollout the update, doesn't mean they didn't falsify data in some way.

At the beginning of this thread, the AC said he had to document every line of code that he changed. Everyone posted and said that the company he works doesn't know what they're doing. The people that posted that have no clue what Sarbox is and what it entails. The people that say it's reasonable for this law to be in place don't know what they are talking about and haven't worked with it. What the AC posted what they are doing is totally understandable, believable, and we are doing it too!

The easiest way to explain Sarbox controls is this:

"Prove to me that you did this", and that's where the problems lies.

How do I prove to you as the auditor that I didn't falsify data in non-obvious ways? -- You create a paper trail 10 miles long, that's how.

Under IT, you have things that sound totally reasonable, you must have backups, you must have offsite backups, you must have temperature and humidity monitoring, performance monitoring, data center must be locked and secure, etc. Not only that, they don't define any guide lines, what are the guidelines that I must follow? -- There are none, which makes it even worse. So it comes down to this:

Prove to me that you're checking your backup logs.
Prove to me that you have off site backups.
Prove to me that you're monitoring temperature and humidity.
Prove to me that you're monitoring system performance.
Prove to me that your data center is locked and secure.
Prove to me that you haven't falsified any data in non-obvious ways.
Prove to me that you have Anti-Virus Installed.
Prove to me that you're keeping your Anti-Virus defs up to date.
Prove to me that you're changing your password every 90 days.

So you're guilty until proven innocent. That's problem number 1. To prove that you're all doing that; you create a paper trail, and then sign off on the paper trail.

So lets pretend that I'm the auditor.

Prove to me that you didn't falsify any data in non-obvious ways.

If you don't prove to me that you did that, you just failed Sarbox compliance.

Thank you, nice doing business with you.

So you put in place 50 checks and balances with every code change, printed on paper, signed off by 50 people. You heard me right, PRINTED ON PAPER. Why? Because it has to be signed. -- Prove to me again. It's proven if it's signed. Gay, huh?

So say you need to a quick change, that takes you 10 seconds, and then after you've done that, you spend the next five hours getting people to sign off on that change. That's why simple projects wont get done, it's just too costly and time consuming. Think of the red tape on that. That's why the costs of Sarbox will never end, and will only cost the share holders money. For the billions that were lost on Enron and Worldcom, many more billions will be spent on compliance.

In the article it says that companies are spending on average $4.36 million EACH on Section 404 of Sarbox. Do the math, how many publicly held companies are there and multiply that by 4.36 million and I'm sure it will be a number higher than what was lost in Enron and Worldcom put together.

In the end, you can still cook the books if you want.

Re:How I'm affected

[jbolden]

Yes I get the slashdot emails so I'm still listening.

Again, SOX does not require that all or most of your systems be trusted. So it doesn't even apply to most applications. This is a regulation people are creating for themselves. It doesn't require you have good backups or that you are monitoring your systems against failure, failure doesn't create falsified data.

It sounds to me like your organization is implementing change control across the board. Change control can be a real productivity killer from a developer standpoint. From a system administration and an operations standpoint it can be a major productivity enhancer. If you don't have operators in your company its a money loser and it sounds like your company is making a bad choice. But making a bad choice has nothing to do with SOX. SOX does not require change control, at worst it requires change control for trusted systems which can be a very small fraction of all systems. So this is where the complaints come from, every line of code in every application doesn't have to be documented. Rather what you need to do is develop a security scheme so that applications have levels of trust and there are trusted interfaces between these tiers.

For example I implemented lots of applications which automatically generated millions of dollars in checks a month each. You better believe the company for its own sake wanted these applications to be trusted. Any $12/hour print operator could modify the name or address on a piece of junk mail pretty easily, it took some sign off at higher levels to modify the name or address on a $100k check. If an operator wants to send a piece advertising to his friend, or maybe even a promotional item (like a free baby car seat) to his friend who cares? If he wants to send a 50 checks totaling $2m to a friend that's could be a big deal and we needed controls. The check application exits on tier 1. The applications that manipulate check data exist on tier 1. The data for the baby seats exist on tier 3 even though they are running on a tier one application (since the same application handles check data). I can go into more detail on this if you want. Its standard in large corporate IT shops which handle financial data (banks, insurance companies, etc..). It may be the case for a smaller business that they should simply outsource their tier 1 financial functions (which will be a very small fraction of all applications) to a 3rd party who is used to operating like this.

I suspect the problem you have in your shop is there are no tiers at all. I mean in my experience no PC is tier 1 ever, and general PCs aren't tier 2. They are far to easy to physically compromise (PCs don't support untrusted hardware, so I need a great deal of physical security). Thus things Anti-Virus don't matter in terms of financial data in the SOX sense at all.

BTW printing changes on paper and having them physically signed is a poor security measure. How do I know what's printed has anything to do with the changes that occurred in the application that is actually running? If I were your an auditor I'd fail that right off the bat. I'd want a approvals workflow system tied into your change control system tied into your source management system. That way I know that people are approving the code changes that actually were implemented, the code changes that were approved are the ones being compiled in to the new application and the new compiled application is in fact the one that is running. Build teams can corrupt an application in ways similar to a developer.

In answer to your other questions, there are about 7500 public companies in the United States. Many of them don't even have IT organizations. If we assume Russell 1000 which are your large and mid sized business then we are talking $4.36b which is still less than Enron and Worldcom. If we assume it is all of the Russell 3000 (which includes all the companies that are tracked by analysts) then $13b which IMHO is more than what Enron or Worldc

Re:I too hear the buzz, but no real effects.

[avi33]

The most obnoxious changes have come from the IT side of things. Changing passwords every month, and having crazy requirements on them (must have two case changes, mix of numbers and letters, can not just merely end in numbers, and we can not repeat any passwords from the past year).

Funny, when some box gets rooted for having a dictionary password, there's plenty of blame to go around (for users and IT), but when rules are implemented to prevent such things, it's "obnoxious changes" from IT.

When I was an admin, I would run a script once a month trying to hack everyone's passwords...a list of users that got cracked would be sent companywide as the proverbial "walk of shame." If people showed up on that list a couple times, then the President of the company would stop them in the hall and chat about security...much more effective than a harshly worded email from the kid in the server room.

I *heart* Sarbanes-Oxley

[foobarbaz]

I have a great job making Linux devices that companies use for SOX compliance.

Thanks Sarbanes-Oxley!

Far reaching scope of SOX

[3r33tguy]

The SOX demand on audit compliance covers the entire spectrum of business. Under the general computing section, there are strict guidelines for server logging, authentication audits, remote access, database access, incident response, change management, data integrity, data retention, monitoring, etc. This goes far beyond ethical standards involved with doing business as seen from an executive position. Executives will never understand everything involved with meeting the requirements this law has established.

No impact on me.

[Richard+Steiner]

I'm just a programmer/analyst working on developing and supporting one of our products -- I don't deal with the finance end of things. :-)

Is it having an impact on IT resources that I can see? No, not really. I'd never heard of it until this story, in fact.

Re:No impact on me.

[gstoddart]

Is it having an impact on IT resources that I can see? No, not really. I'd never heard of it until this story, in fact.

For others who may also think this has purely accounting applications instead of any tech implications should know that either as part of SOX or related to, corporate e-mail has now become court-admissable.

Companies are expected to be able to retain (and possibly audit) their e-mail in case they are required for court purposes.

Cheers

Re:No impact on me.

[Richard+Steiner]

> For others who may also think this has purely accounting applications instead
> of any tech implications...

I didn't say it had no tech implications -- I said that I currently don't *see* any, at least in the area of the company where I currently work.

> Companies are expected to be able to retain (and possibly audit) their e-mail
> in case they are required for court purposes

Interesting. When I worked at Northwest Airlines, we used to keep mail around for years (since we did a certain amount of informal software design via e-mail with analysts in other buildings), but in 1999 or 2000 corporate legal told us that the new policy was to retain 90 days maximum, and that anything older than that should be printed out and removed from the server. They even set up an auto-purge to enforce this limit.

I wonder if that policy will be changing in light of this legislation?

SarBox

[PhoenixIce]

This should give you an idea of what we think about it: The Sarbanes Grinch. It made sense since the worst of it in our company was around the holidays, and it pretty much stole our Christmas away. We did make our deadlines, and are preparing for the next round this year.

Oh - and I prefer to call it SarBox - makes it sound more like the disease it really is.

Why reward the guilty?

The consultants that these businesses hire are responsible for the problem as much as the businesses themselves. The accountants and independent auditors are in the business of selling hours just like any other consultant.

The new laws were crafted to solve a real problem, but only end up costing the businesses more money. Why should the same consultants that caused the problem be rewarded by a law that requires more paperwork and more billable hours for those who caused the problem in the first place?

Congress should have passed a law that rewards companies for having simplified accounting systems. Simpler accounting rules would be much easier for shareholders to understand. Similarly, those companies would be much easier and cheaper to audit. That type of law would reward well behaved companies and punish the accounting consulting firms by making their services less profitable.

IT & SOX

[turboflux]

SOX doesn't effect IT nearly as much as it does accounting. It really only dictated to us how our backups should be run, retention policies. A few of the other minor things involved how secure the servers containing financial information were (physical access), and tracking who should/shouldn't have access to financial software/files.

In all of the above cases, we were already more than compliant. The only major change was the inclusion of a "special" character in passwords to make them more difficult to crack. Our workflows did make some minor tweaks to things, but for the most part I'm not even noticing it.

Ahh Sarbanes-Oxly...

[jmoo]

I recently left a company where they were working on Sarbanes-Oxly (SOX). At that company, at least, it was a huge waste of time and by the time I left a black hole that sucked up out IT budget and most of our time.

Don't get me wrong, the idea behind the law is a good one, but the problem as I saw it is that its too vague in definition of what is a controlled system. Basically as I understood it any system that touched the financial records needed to be audited and controlled. For a smaller company with an IT staff of only 12 that can be a crushing overhead.

We had consultants brought in to help us figure out how to get complaint and as with normal consultant they were completely useless. When ever they didn't know an answer they said that the auditors would explain the correct procedure, that we were not expected to pass the audit the first time around. It didn't help that our manager saw this as an opportunity to force new rules on other departments that would give IT more power in "process improvements" for the company.

I left the company for a smaller private run company that doesn't have to bother with SOX audits. That was 5 months ago and my former company is still wrestling with getting compliant. The audit has been pushed back several times and apparently the consulting company that was brought in is going to be the one to audit us...

Take a moment to think about and see if that doesn't make you go cross-eyed....

Re:I too hear the buzz, but no real effects.

[Brandybuck]

All picayne password requirements do is force the users to write their passwords on little pieces of paper stuck to the bottom of their keyboards.

Have to change your password every month? Simply append a monthly-incrementing number at the end of your normal password. Congratulations, you just lost the benefit of rotating passwords! Have to use symbols and numbers? Write in 133t5p3&k and all you do is prevent the 1&m35t of dictionary crackers. Prevent that and the users will WRITE their passwords down!

One password on a system at my work had a dictionary that was cracked in less than 72 hours. Corporate IT chewed my ass off and spit it out in little pieces over that one. But the sad part was that the system was a lab system that two hundred people needed access to. The result of IT's analism was that we had to write the password on the lab chalkboard so people could use the system.

My point isn't that passwords are stupid it's that rules for the mere sake of having rules is stupid.

Re:Feh

[a55mnky]

I too am an InfoSec guy and I have seen exactly the opposite.

I work with fortune 500 clients and they are scared s-less - the threat of jail time makes the security concerns appear more real.

All of the services and products we have been pushing - identity management, e-mail archiving, log analysis, data correlation are all growing by leaps and bounds.

my sponsors are loving it as well. The projects they have been trying to jump-start for months if not years now are getting the go ahead due to SOX audit reports.

it is amazing that all of the concerns i have had for years are now important

Rolling.

[Telastyn]

As a staffer of a 4th party company which sells products to 3rd parties to impliment and ensure compliance, I am figuratively rolling in the legislatively guaranteed income.

"compliance"

Just a few things I've noticed here..

Our blank check stock must be kept under lock and key. Great.. Well the key is just in a draw in the AP department.

Control issue with AR not being able to recieve checks so in the event a check comes into our office instead of the lockbox it goes to AP. Well AP can't deposit the check without a customer # or Inv #. So they take the check to AR to get the info which generally means dropping it off and coming back later to get a stack of checks.

Database security has been changed so that people have the correct access privs. Before when a person who transfer departments they were not strict at changing them. Well turns out are genius sys admin for the DB has an SQL server running that will allow any user to write/read to any DB file despite user privs in actual database application itself. But since SOX doesn't know about any SQL server it's not an issue.

Basically everything you need to comply with is there for a good reason but in practice I find it to be for show and nothing more.

Sarbanes-Oxley slowed OSS corporate involvement

At the 2004 O'Reilly Open Source convention, r0ml Lefkowitz spoke about the impact of Sarbanes-Oxley on corporations and Open Source Software. This is the gist of what he said. Any corporate software products on the books are considered assets and are assessed at an arbitrary value for purposes of acquisition, etc. The accountants depreciate software system assets over a set number of years, often 3. So by the time the corporation has software of no more book value as an asset, that is when programmers think to ask management to open-source it. But the programmers time (usually salaried exempt) is an expense. Sarbanes-Oxley requires certain reporting of assets and expenses, such that a corporation will not be able to pay a programmer to roll up the source tree or zip it or hardly do anything. Expenses not spent in developing positive value assets are a red flag for auditors.

Posting anonymous because it has been so long that I've forgotten my password. But then, my karma was never a positive value asset for long.

more laws != better laws

[why-is-it]

And now, they are saying that the burden of complying with a law that will help to prevent future abuses is too high? Boo Hoo.

I don't think it's too much to ask companies to prove they aren't ripping us off.

I'm pretty sure that it was already against the law for executives to loot a company and steal from the shareholders, even before Sarbox was passed.

I am center-left on political, social and economic issues, and even I fail to see how another law will prevent future corporate scandals, when there are plenty of laws on the books that already regulate corporate behaviour.

The problems at Worldcom and Enron (et.al.) happened because existing laws were not enforced, and nobody complained as long as the stock prices were increasing. It was only at the very end when the house-of-cards collapsed that everyone cried foul.

Unfortunately, there would be no glory in enforcing the existing laws. Can you imagine the howls of outrage if the legal system took down Enron or Worldcom at the height of the bubble? The neo-cons would have had a field day complaining about undue government interference in the economy...

I'm not sure whether Sarbox would deter a dishonest CEO from stealing the company blind if he/she thought that they stood a reasonable chance of getting away with it. Even if you get caught, the consequences don't seem to bad. It's not like Bernie Ebbers or Ken Lay are living in cardboard boxes underneath the freeway...

Re:more laws != better laws

[Profane+MuthaFucka]

I'm pretty sure that it was already against the law for executives to loot a company and steal from the shareholders, even before Sarbox was passed.

True, but that's not what the law is about. The law is meant to make accounting more accurate, resistant to "fudging", and more transparent to investors.

The problems at Worldcom and Enron (et.al.) happened because existing laws were not enforced

Enforcement isn't possible without a certain level of transparency. The law forces that, and limits opportunities for creative accounting. I also disagree that the existing laws are not being enforced. They are, which is why we are seeing prosecutions in both Enron and Worldcom cases.

You are arguing that existing laws need to be enforced. Sarbanes-Oxley makes it more likely that the laws can be enforced before the fraud happens, rather than after.

i'm not sure

[XO]

I'm not sure what SOX does, exactly, not into that magnitude of stuff.. but.. my retail company has been making all sorts of uncharacteristic declarations, stating "we need to do this now, because of sarbanes oxley" with no other explanation. *shrug* things have been improving drastically around here, i think.

Re:I'm just curious...

[symbolic]

What does ANY of this have to do with disclosure of corporate finances and executive compensation?

Problem: What does compliance actually mean?

[sudog]

In every scenario I've seen so far, none of our customers know precisely what they need when they ask us whether our software is "Sarbanes-Oxley" compliant. When pressed for details, they all plead ignorance.

In terms of concrete specifics, I think there's a great deal of confusion out there as to whether a software company is even *capable* of being compliant.

So, you Americans have my sympathy! Perhaps someday your congresscritters will have some measurable grasp on something other than their own two buttcheeks.

Re:Problem: What does compliance actually mean?

[josepha48]

I just tell them, yeah our software sox(sounds like sucks)... ROTFLOL...

We have the same problem. Are you blah, blah, blah. Our real answer is, "our product has enough bells and wistles to meet that need". No joke, it really does. Its all about security and what kind of stuff your product it can do.

Re:I too hear the buzz, but no real effects.

[man_ls]

I am in an environment where I have to change my password every 90 days...and every time I change it, the complexity requirements get more and more bizzare.

I was originally assigned an 8-character, all-lower-case + 2 letters alphanumeric password. It was computer generated. I kept this password until the first expirey, then changed to another password of the same length, lowercase + digits.

Then the third expirey came around. Suddenly my previous passwords were off limits -- and I needed to use more distinct letters and numbers.

The fourth expirey came around, and I had to now use capital letters as well as lower case letters, in addition to numbers.

My password on this system has ballooned from a phrase that I could easily type in a second, and was still difficult to guess, to variations on the pattern "QWERTY" or similar on my keyboard. Anyone who watches me type my password, knows what it is without any effort at all.

The anal security policy means my password will be virtually bulletproof from the outside -- and paper-thin to someone standing over my shoulder.

I love Sarbanes-Oxley

[smileyy]

It lets me make all sorts of unreasonable requests of my co-workers, and then tell them it's required for Sarbanes-Oxley compliance.

Re:I too hear the buzz, but no real effects.

[Brandybuck]

I remember once having to create a passphrase. I chose a short obscure quotation, misquoted it, and translated it into Quenya. Unacceptable! The passphrase needed upper case, lower case, numbers and symbols! Huh?!?!

I guarantee you that EVERYONE, including the shitwit who came up with the rules, has their passphrase written down.

As a student...

[ragingtory]

I got a thesis topic out of it. I'm convinced that the reglation wouldn't have come into play without WorldCom happening. I'm also going into the accounting / audit field = more work for us... it's funny how this was supposed to "punish" the audit / accounting industry and the industry will end up making far more money as a result of this.

Sarbanes-Oxley damages

[Bob_Robertson]

Profane,

Here's a quick article over on mises.org that addresses the continuing problems with this latest massive interference with "the market":

http://blog.mises.org/blog/archives/003418.asp

I would appreciate any comments you have on it.

Bob-

Re:Sarbanes-Oxley damages

[Profane+MuthaFucka]

I think that backs up your case pretty well, but they still didn't get to the problem with the law that I alluded to before. I'll go ahead and spill the beans:

I don't have a problem with heavy burdens on companies that display fraudulent behavior. Seems like good punishment to me. But when I said before that there was a problem with Sarbanes-Oxley that I would be hard pressed to justify, it's that the law presents a very heavy burden to companies that are NOT displaying fraudulent behavior.

Re:Sarbanes-Oxley damages

[Bob_Robertson]

Ah! Many thanks for the clarification. I agree, that is a problem. I agree, they don't get into compliance costs on honest companies directly, but it has been addressed many times before.

It is exactly the same problem with all government regulation. That the costs of compliance with the regulation and its consequential requirement for yet more regulations to try to fix the problems the first regulation caused, on and on ad nauseum, constitute far greater damage to everyone, especially the innocent, than would have been represented by the "problem" that the first regulation was touted as solving.

Alcohol prohibition, gun control, and the War On Some Drugs are extreme examples with commensurate extreme costs overwhelmingly out of proportion with the "problem" supposedly addressed.

Here's a great short article on that subject:

http://www.mises.org/story/1773

The article highlights material from Ludwig von Mises' book "A Critique Of Interventionism", which is online in its entirety if you're interested.

Bob-