Slashdot Mirror


Sarbanes-Oxley - How is it Affecting You?

Grant Barrett asks: "All I hear from IT directors is Sarbanes-Oxley, Sarbanes-Oxley, Sarbanes-Oxley. SOX, as they're calling it, is taxing manpower, swallowing time, and adding huge administrative headaches--not to mention incurring fees and salaries paid out to staff or third-party firms hired to ensure compliance--and that's just the IT department. How are you dealing? Did you make your compliance deadline even after the extension? Are you joining the the backlash?"

21 of 125 comments

  1. World's smallest violin by Profane MuthaFucka · · Score: 5, Insightful

    OK, so the collapse of mega-corporations like Enron and Worldcom in accounting scandals cost the people of the country, particularly investors, billions of dollars. Enron also defrauded California of billions of dollars.

    MORE billions, in fact, than what the attacks on the World Trade Center cost us.

    And now, they are saying that the burden of complying with a law that will help to prevent future abuses is too high? Boo Hoo.

    I don't think it's too much to ask companies to prove they aren't ripping us off.

    --
    Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
    1. Re:World's smallest violin by jbolden · · Score: 3, Interesting

      You can see from the above that I'm hugely in favor of this law. The World Trade Center bombing:

      1) Killed thousands of highly productive people
      2) Shut down a section of a major US city for days
      3) Destroyed extremely expensive buildings which then required a very expensive clean up effort
      4) Shut down all foreign trade for days
      5) Shut down a good chunk of the US transportation system for days
      6) Resulted in large permanent increases in US airline ticket prices
      7) Resulted in 2 wars
      8) Resulted in an increase of oil prices from $20 barrel to about $40-50
      9) May have increased cancer rates and other long term health costs for something on the order of 2 million people.

      Depending on how you add this up you are talking $200b-600b in costs. I'd say Bin Ladin has Ebbers and Lay beat by about two orders of magnitude. I'd love to see Ebbers and Lay do 20 years and lose everything they own in fines. Bin Ladin is way beyond merely a criminal.

    2. Re:World's smallest violin by josecanuc · · Score: 2, Insightful
      Where is your proof that this new law will prevent future accounting mis-practice?

      Just to note: Laws don't prevent anything from happening, they just provide legal footing for a response/recovery. Murder is illegal, but that doesn't stop people from murdering. It is, in some way, a deterrent to rational people who may contemplate murder.

      In the same way, this law provides a framework for prosecution abilities. We will hope that the threat of being held responsible for a hurtful act will act as a deterrent to rational people contemplating such acts...

    3. Re:World's smallest violin by jbolden · · Score: 2, Insightful

      I don't have a clue what you mean by complex. I don't see anything complex about high ranking executives committing fraud. It's a simple scam, no different than shipping empty boxes and having your own trucks hijacked (which was a business technique in the 20s and 30s). These guys got paid for generating profits; they deliberately overstated the profits their companies made.

      As for your idea, transaction data is worthless to investors. That's data not information.

      The purpose of the act is to create a paper trail so that when senior executives commit fraud it will be easier to prove. We used to have a culture of law enforcement where fraud at high levels was simply impossible because low level people involved in fraud knew that while they wouldn't be rewarded there was a high likelihood they would go to jail. We don't have that anymore and recreating it would require broad societal changes. The hope is that this is successful in reducing fraud, not preventing all of it, just some of it. I think Congress would have been very open to all sorts of techniques to reduce criminal executive behavior; during the hearings what they kept finding was that senior executives had plausible deniability about misrepresenting their financial status. I think it is safe to say this act will make it much harder for these executives to have this sort of deniability. It may force them to engage in more explicit criminal behavior (which is easier to prosecute) or maybe just not commit the crimes at all (which is good for everyone); no way to know in advance. Or maybe it isn't nearly enough and accounting in public companies needs to be nationalized. I don't know; we will have to find out.

      Finally, generally in a private company the high executives and the owners are the same people. So high executives would just be stealing from themselves in this case and thus it's not nearly as much a matter of public interest.

    4. Re:World's smallest violin by jbolden · · Score: 2, Interesting

      Oil prices topped out in mid '00 at about $35 a barrel. They were down 40% right before 9/11. They have gone up since then to set record highs. 9/11 is literally a vertex in the price graph. I can't think of anything else that would cause the derivative of the price function to go from $-12/year to $+5/year.

    5. Re:World's smallest violin by aaarrrgggh · · Score: 2, Insightful

      How much does compliance cost?

      Well, the audit trail for a $1 transaction can easily cost $0.20. ($0.12 is a best-case number that the credit card companies used to use.) Small component costs can kill your margin quite quickly!

      Much of what is required by the act is "good." However, the end-run for many businesses will be to force them to offshore (audit) work in an effort to drive down that extra overhead by 50-60% and make themselves remain competitive.

      It's a boon to my business... as long as we aren't publicly traded! It adds work and helps us provide lower cost solutions than our listed competitors.

  2. What is Sarbanes-Oxley? by Anonymous Coward · · Score: 3, Informative
    Would it have killed the poster to mention what Sarbanes-Oxley is?

    Oh well, since he can't be arsed, here's a quote from the second link:

    "The Sarbanes-Oxley Act is a sweeping piece of legislation that regulates, among other things, how companies report financial results and disclose executive compensation. What's more, the law holds both company executives and external auditors directly accountable for the accuracy of financial reports and seeks to protect employees who blow the whistle on suspected fraud."
    1. Re:What is Sarbanes-Oxley? by gstoddart · · Score: 2, Insightful
      No kidding. Another thing that would have been useful would have been had he pointed out what the fuck this has to do with IT.

      Easy -- E-Mail communications related to the operation of a business which is subject to SEC oversight (publicly traded) are now considered a vital piece of corporate history which must be preserved.

      From this thread you can get the gist of it.

      Violated Section 17(a) of the Securities Exchange Act of 1934, Rule 17a-4 under the Exchange Act, NYSE Rule 440 and NASD Rule 3110 by failing to preserve for a period of three years, and/or preserve in an accessible place for two years, electronic communications relating to the business of the firm, including interoffice memoranda and communications.

      That includes e-mail correspondence.

      Which means if a publicly traded company gets hauled into court by the SEC and has NOT successfully kept every single e-mail related to corporate governance, the executives can go to jail.

      This means that for large companies, IT is expected to be able to retain, find, and present their e-mail records in a court of law for several years.

      There are huge IT ramifications involved here.

      For more, read this piece which does a pretty good job of describing the impacts (and creepy aspects of SOX). (OK, he's actually talking about a different aspect, but the first few paragraphs cover the topic.)

      Your ignorance of SOX doesn't negate that this is very much an IT issue.

      Cheers

      --
      Lost at C:>. Found at C.
  3. One of the best laws in a long time by jbolden · · Score: 4, Insightful

    There have been few laws passed in the last 3 decades which are designed to help people (investors are often mutual funds and pension funds) at the expense of executive management. Executives for far too long have been able to lie and then claim they didn't know they were lying. Because the SEC doesn't go after white collar crime the way they go after some 16 year old who rips off a 7/11, these guys never go to jail. By creating a paper trail hopefully more executives who commit fraud will go to jail and there will be some decrease in the amount of fraud in US business.

    If that costs money I'm all for seeing the money spent.

    1. Re:One of the best laws in a long time by wolf31o2 · · Score: 2, Insightful

      I really have to agree with you. There should be a paper trail on this sort of thing. If that is "taxing manpower" then I have to ask you, what the hell were you actually doing before?

      I would love to see these white-collar criminals treated like the self-serving scum that they really are. Maybe we need to see a few of them get the business end of a night stick. Maybe we need to see them paraded out of their homes, which are promptly seized by the police, and into the back of squad cars with their crying, spoiled little wives screaming as they are taken away. I really cannot stand to see this sort of corruption go unpunished. These men and women are criminals, just like anyone who steals money via any other means. Why do we insist on treating them like they're VIPs?

    2. Re:One of the best laws in a long time by Fig, formerly A.C. · · Score: 2, Insightful

      The part you're missing is that this isn't hurting the average exec, it's hurting the stockholders. The extra fees are eating into profit, so everyone's 401k plan is going to start sliding... This BS legislation does very little except keep a LOT of auditors employed at the expense of the people the law was meant to protect.

      --
      Murphy was an optimist.
  4. More info... by Chris Pimlott · · Score: 2, Informative
    I had no idea what this act was either, so I recommend checking out the Wikipedia entry.

    The Sarbanes-Oxley Act (officially titled the Public Company Accounting Reform and Investor Protection Act of 2002), signed into law on 30 July 2002 by President Bush, is considered the most significant change to federal securities laws in the United States since the New Deal. ... The goal of the act was to protect investors by improving the accuracy and reliability of corporate disclosures. The act covers issues such as establishing a public company accounting oversight board, auditor independence, corporate responsibility and enhanced financial disclosure.
  5. SOX Sucks by Anonymous Coward · · Score: 5, Interesting

    I'm posting this anonymously as I wouldn't want it traced back to me, but I can tell you not only is it costly and burdensome, but it doesn't work. We are now in "compliance", but the changes we had to make to our systems not only didn't have any effect on my ability to alter financial data, but they made them less secure in the process, because external auditors know nothing about our systems; they only have a checklist of features that have to be enabled. It's nothing more than a costly joke that wastes my time and keeps me from doing work that would actually improve our systems. I've started avoiding small, quick projects that would benefit the users, because I would spend 5 minutes making the changes and then 2 hours spread over several days documenting them and getting the required approvals to implement them.

    1. Re:SOX Sucks by dynamo · · Score: 2, Funny

      I heard that the actual section 404 rules were not found, thus people have been making up all kinds of 'interpretations' to cover up that fact.

  6. Re:Network security measures by tchuladdiass · · Score: 2, Interesting

    Well, the act specifies that records have to be accurate. And if corporate officers are relying on the data on the systems to be accurate, then the systems need to be secure. So anything that is part of "security best practices" is being implemented just to make sure. And yes, 90-day password expiration is generally accepted as a best practice at a minimum.
    Also keep in mind that even if policies can be compromised, the fact that a policy is there can protect a company in the event of a lawsuit, whereas if there was no policy then the company could be more liable for not taking reasonable measures to protect their security.
    It's just like the fact that you perform system backups even though it is possible for the backup tape to break at the same time as a disk crash.

  7. fyi by oliana · · Score: 3, Informative

    Sarbanes-Oxley is a law that only applies to SEC firms (firms that are publicly traded in the US and must report financial statements to the SEC.)

    Prevents Accounting firms from doing non-Audit functions for an SEC firm that they also perform SEC Audits for (except tax work, and only if approved by the SEC, and for work that produces minimal income to the Audit firm. These must be disclosed in the Financial Statements of the firm audited.) This is important because an audit firm in the past could be doing as much or more work for a company in consulting as they were in audit. This leads to an impression that the auditor might not be independent of the firm.

    Increases the required independence of the Audit Committee of SEC Firms (Members of the Board of Directors who hire and oversee Independent Auditors). This is important because the Audit committee should not be biased towards the company if they are hiring the independent auditors and overseeing their work.

    Makes Management of companies more responsible for the assertions they have in their Financial Statements (an assertion may be along the lines of "Current Assets: $1.3 Billion" or "In the following year we expect to open three more locations in ..."). This is important because, if the CEO signs a statement that states that he knows financial statements are reported fairly and without any material misstatements, he cannot say in court that "I had no idea that this was happening."

    Requires Management to assess the controls associated with preventing fraud, defalcation and errors that could lead to materially misstating their Financial Statements, and requires an independent Audit of this assessment. (This would be the part that affects the IT community the most.)

    It also created a required record retention for audits, more thorough peer reviews of audits and rotations of the Audit Partners associated with the audit. (Thank you, Arthur Andersen)

    How this affected me:
    Many more jobs in the Audit field, mine being one. Which allows me to be a techy on the side, which is a lot more fun than it being work.

    --
    In Soviet Russia, asses suck this joke.
  8. Re:I too hear the buzz, but no real effects. by avi33 · · Score: 2, Interesting

    The most obnoxious changes have come from the IT side of things. Changing passwords every month, and having crazy requirements on them (must have two case changes, mix of numbers and letters, can not just merely end in numbers, and we can not repeat any passwords from the past year).

    Funny, when some box gets rooted for having a dictionary password, there's plenty of blame to go around (for users and IT), but when rules are implemented to prevent such things, it's "obnoxious changes" from IT.

    When I was an admin, I would run a script once a month trying to hack everyone's passwords...a list of users that got cracked would be sent companywide as the proverbial "walk of shame." If people showed up on that list a couple times, then the President of the company would stop them in the hall and chat about security...much more effective than a harshly worded email from the kid in the server room.
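    A checker for the password policy avi33's post describes, as an added example that is not from the thread or from any poster; how a "case change" is counted, what "merely ends in numbers" means, and the one-year reuse window are this example's own assumptions.

```python
"""Added example: validate a candidate password against the rules quoted in the
thread (two case changes, letters and numbers mixed, not just a word plus trailing
digits, no reuse within the past year). Rule interpretations are assumptions."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

HISTORY_WINDOW = timedelta(days=365)  # assumed meaning of "from the past year"


def case_changes(password: str) -> int:
    """Count upper/lower transitions between consecutive letters; non-letters are skipped."""
    changes, prev_upper = 0, None
    for ch in password:
        if not ch.isalpha():
            continue
        upper = ch.isupper()
        if prev_upper is not None and upper != prev_upper:
            changes += 1
        prev_upper = upper
    return changes


def merely_ends_in_numbers(password: str) -> bool:
    """True for the 'word followed only by digits' shape, e.g. 'Summer2005' (assumed reading)."""
    stripped = password.rstrip("0123456789")
    return stripped != password and stripped.isalpha()


def hash_password(password: str, salt: bytes) -> bytes:
    # History is kept as salted hashes, never plaintext; a production system
    # would use a dedicated password hash such as bcrypt or argon2.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def record_password(password: str, set_at: datetime) -> tuple:
    """Build a history entry (salt, hash, time set) for a password being adopted."""
    salt = os.urandom(16)
    return (salt, hash_password(password, salt), set_at)


def check_password(password: str, history: list, now: datetime) -> list:
    """Return the violated rules; an empty list means the password passes."""
    problems = []
    if case_changes(password) < 2:
        problems.append("fewer than two case changes")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must mix letters and numbers")
    if merely_ends_in_numbers(password):
        problems.append("must not merely end in numbers")
    for salt, digest, set_at in history:
        if now - set_at <= HISTORY_WINDOW and hmac.compare_digest(hash_password(password, salt), digest):
            problems.append("reused within the past year")
            break
    return problems


def demo() -> dict:
    """Constructed sample: two old passwords, one 200 days old and one 500 days old."""
    now = datetime(2005, 6, 1)
    history = [record_password("xK9m!Qz2", now - timedelta(days=200)),
               record_password("OldPw#1z", now - timedelta(days=500))]
    return {c: check_password(c, history, now) for c in ("Summer2005", "xK9m!Qz2", "OldPw#1z", "r3dBlu3Sky")}


if __name__ == "__main__":
    for candidate, problems in demo().items():
        print(candidate, problems or "ok")
```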

  9. Re:How I'm affected by pbrammer · · Score: 2, Informative

    A system doesn't have to interact with financial data to fall under SOX. If a system is used to even influence financial data (making a financial decision based off of sales numbers, for instance) it falls under the SOX realm.

  10. Re:Feh by a55mnky · · Score: 2, Interesting

    I too am an InfoSec guy and I have seen exactly the opposite.

    I work with fortune 500 clients and they are scared s-less - the threat of jail time makes the security concerns appear more real.

    All of the services and products we have been pushing - identity management, e-mail archiving, log analysis, data correlation are all growing by leaps and bounds.

    My sponsors are loving it as well. The projects they have been trying to jump-start for months if not years now are getting the go ahead due to SOX audit reports.

    It is amazing that all of the concerns I have had for years are now important.

    --
    Where oh where has my Underdog gone?
  11. more laws != better laws by why-is-it · · Score: 2, Insightful
    And now, they are saying that the burden of complying with a law that will help to prevent future abuses is too high? Boo Hoo.

    I don't think it's too much to ask companies to prove they aren't ripping us off.

    I'm pretty sure that it was already against the law for executives to loot a company and steal from the shareholders, even before Sarbox was passed.

    I am center-left on political, social and economic issues, and even I fail to see how another law will prevent future corporate scandals, when there are plenty of laws on the books that already regulate corporate behaviour.

    The problems at Worldcom and Enron (et al.) happened because existing laws were not enforced, and nobody complained as long as the stock prices were increasing. It was only at the very end when the house of cards collapsed that everyone cried foul.

    Unfortunately, there would be no glory in enforcing the existing laws. Can you imagine the howls of outrage if the legal system took down Enron or Worldcom at the height of the bubble? The neo-cons would have had a field day complaining about undue government interference in the economy...

    I'm not sure whether Sarbox would deter a dishonest CEO from stealing the company blind if he/she thought that they stood a reasonable chance of getting away with it. Even if you get caught, the consequences don't seem too bad. It's not like Bernie Ebbers or Ken Lay are living in cardboard boxes underneath the freeway...

    --
    *** Where are we going? And what's with this handbasket?
  12. Re:How I'm affected by bvk · · Score: 2, Interesting

    I agree that standards for security and other aspects of IT are a good thing. However, in my case, we're a group of about 10 people in a company of 400. We maintain networks/servers/vendor apps/custom apps, as well as developing new apps. We were told by our auditors to ensure that our existing standards met extremely vague "Controls", many of which have nothing IT-specific in them. This meant we had to guess at how strict the new standards would need to be to pass an audit, create the standards, and then hope that they will be good enough.

    Many controls that I thought were already "reasonable" were deemed insufficient. For example, we don't let all developers log in to production systems to release updates. Only certain qualified developers can do that for each project. This seems "reasonable" to me.

    We were told that this violated the controls, and *no* developers were allowed to log on to production systems. This is insane, since there is no way anyone other than a developer for the systems is qualified to do a release. It would be a much bigger risk to have a non-developer do it, but that's what was suggested.

    If we had a bigger group, maybe we could afford to have a qualified person around just to do releases. But we certainly can't afford that here. And, as I mentioned, our existing process seems "reasonable".

    This is just one example, I have a bunch more.

    Another major area of overhead is the cost of the paperwork and useless approvals for every change to a system, even when there is no way the person approving the change can possibly understand the ramifications of the change. Peer-reviewing a change is much safer and more effective, but not sufficient (I'm told) because it doesn't separate responsibilities appropriately. So it needs to be signed-off by a Business Owner who in many cases neither understands nor cares about the technical details.

    In general, your assumptions a through e are fine. But they (like SOx) leave a lot of room for interpretation, and the people doing the interpretation are the auditors, who may know very little about most aspects of IT.
    There are specific problems with how SOx seems to be applied, especially to small companies which can't afford the overhead. There are companies which managed OK (pre-SOx) with only a single-digit IT staff, and run secure, reliable operations because they have limited needs. But imposing a layer of paperwork on them will rapidly kill their ability to do so, because their technical time is soaked up by paperwork. And I have no idea how a company with an IT staff smaller than ours could possibly segregate responsibilities in a SOx-compliant way.

    I think the big problem is that in practice, "reasonable" varies a great deal from auditor to auditor, and the same overhead is being demanded of all organizations, without regard to size.