Slashdot Mirror


User: salempiper

salempiper's activity in the archive.


Comments · 1

  1. Re:How I'm affected on Sarbanes-Oxley - How is it Affecting You? · Score: 1

    I wish I had found this earlier, and I hope you're still listening. :)

    Just as you said, the developer is the most qualified person and has the easiest time falsifying data. Just because the developer didn't roll out the update doesn't mean they didn't falsify data in some way.

    At the beginning of this thread, the AC said he had to document every line of code that he changed. Everyone posted and said that the company he works for doesn't know what they're doing. The people that posted that have no clue what Sarbox is and what it entails. The people that say it's reasonable for this law to be in place don't know what they are talking about and haven't worked with it. What the AC posted about what they are doing is totally understandable, believable, and we are doing it too!

    The easiest way to explain Sarbox controls is this:

    "Prove to me that you did this", and that's where the problem lies.

    How do I prove to you as the auditor that I didn't falsify data in non-obvious ways? -- You create a paper trail 10 miles long, that's how.

    Under IT, you have things that sound totally reasonable: you must have backups, you must have offsite backups, you must have temperature and humidity monitoring, performance monitoring, the data center must be locked and secure, etc. Not only that, they don't define any guidelines. What are the guidelines that I must follow? -- There are none, which makes it even worse. So it comes down to this:

    Prove to me that you're checking your backup logs.
    Prove to me that you have off site backups.
    Prove to me that you're monitoring temperature and humidity.
    Prove to me that you're monitoring system performance.
    Prove to me that your data center is locked and secure.
    Prove to me that you haven't falsified any data in non-obvious ways.
    Prove to me that you have anti-virus installed.
    Prove to me that you're keeping your anti-virus defs up to date.
    Prove to me that you're changing your password every 90 days.

    So you're guilty until proven innocent. That's problem number 1. To prove that you're doing all that, you create a paper trail, and then sign off on the paper trail.

    So let's pretend that I'm the auditor.

    Prove to me that you didn't falsify any data in non-obvious ways.

    If you don't prove to me that you did that, you just failed Sarbox compliance.

    Thank you, nice doing business with you.

    So you put in place 50 checks and balances with every code change, printed on paper, signed off by 50 people. You heard me right, PRINTED ON PAPER. Why? Because it has to be signed. -- Prove to me again. It's proven if it's signed. Gay, huh?

    So say you need to make a quick change that takes you 10 seconds, and then after you've done that, you spend the next five hours getting people to sign off on that change. That's why simple projects won't get done; it's just too costly and time consuming. Think of the red tape on that. That's why the costs of Sarbox will never end, and will only cost the shareholders money. For the billions that were lost on Enron and Worldcom, many more billions will be spent on compliance.

    In the article it says that companies are spending on average $4.36 million EACH on Section 404 of Sarbox. Do the math: count how many publicly held companies there are, multiply that by $4.36 million, and I'm sure it will be a number higher than what was lost in Enron and Worldcom put together.

    In the end, you can still cook the books if you want.