

Sarbanes-Oxley: How is it affecting your IT department?

By jasonhiner (Moderator)
There seems to be a wide range of experiences with Sarbanes-Oxley. I've heard some IT pros say that they've always got at least one person from their IT department assigned to help auditors access data for compliance with Sarbanes-Oxley and other regulations. However, other IT pros seem like they've scarcely heard of SarbOx and didn't realize that it has implications for their company and their IT department.

Where does your IT department stand with SarbOx compliance?


All Comments


Sarbox has taken over my life

by maecuff In reply to Sarbanes-Oxley: How is it ...

We found out 3 months ago that our revenue cycle is subject to a sarbox audit, which means IT is also subject to an in-depth audit. Our fiscal year end is June 30, so we had a relatively short period of time to prepare.

My shop is somewhat small, and somewhat loose. It's been a nightmare. I spend at least 50% of my time on sarbox issues.

Some of the more ridiculous 'gaps' the auditors have found:

Insufficient distance between our two local facilities. (It would be difficult to dig up one warehouse and move it down the road).

We don't have a 24/7 shop. From Friday evening to Sunday evening, the IT department is empty. We have a guard who does cursory inspections during off shifts. Our 'gap' is, no one is here monitoring the environmental security of our computer room. I did tell the auditor that if the guard sees smoke, he will call the fire department.

We don't perform a full system backup before moving any changes into production. Again, this is a small shop. We move things into production every day. We need a dedicated system to do a full system backup. And it takes hours. This would impact productivity somewhat.

We don't keep a log each time the computer room door is opened. Again, this is a small shop. We have our refrigerator, coffee maker and microwave in the computer room. The door is protected by a keypad lock, but quite frankly, the door isn't all that secure. I'm sure if I kicked it, I could break it in.

We've gone from working towards a paperless system, to generating more reports, authorizations, etc. than ever before.

In making the decision to switch maintenance providers, our corporate office alerted the auditors that we were making the decision to switch. I had to have a conversation with an auditor (who didn't have a CLUE as to what she was talking about) to convince her that it was a good move. Why in the world would that even be their business???

All in all, I'd like to punch Ken Lay in the nose, just one time..



by Cactus Pete In reply to Sarbox has taken over my ...

"You're an auditor. Audit."


One of the auditors

by maecuff In reply to ugh...

had the nerve to tell me how difficult sarbox was for him. That it was too time-consuming. I told him that auditing is his JOB. I already HAVE a job to do and have to deal with this sh*t on top of the work I already have. He doesn't get my sympathy.


Buried in Paperwork

by Montgomery Gator In reply to Sarbanes-Oxley: How is it ...

If I lived in one of the states that Mr. Sarbanes or Mr. Oxley represent, I would vote against them in the next election. Sarbanes-Oxley is a classic case of a solution in search of a problem. We already had regulations and laws on the books to handle corporate financial reporting, and do not need SarbOx. We are compliant, but that does not mean we have to like it!


It's all meaningless anyway..

by maecuff In reply to Buried in Paperwork

If someone wants to steal from the company, they will find a way. I don't care how many checks and balances you have in place, there is always going to be a hole somewhere.


Not True!

by praetorpal In reply to It's all meaningless anyw ...

They now mean that the bosses can no longer ransack the company treasury at will!!! That has to mean something.

SOX compliance means internal controls are being put into place that should have been there in the first place. The pain that people are going through with it is just a sorry indictment of the sad state of IT security for the last 10 years and up to the present.


I don't disagree

by maecuff In reply to Not True!

That security could be tighter. However, I still believe that if someone wants to do something bad enough and is clever enough, they can.

As far as SOX goes, even the SEC has ruled that the big 4 auditing companies have taken the IT guidelines to the extreme.


So much financial reporting depends on IT

by DMambo In reply to Sarbanes-Oxley: How is it ...

It's incredible how much documentation is required that seems several degrees removed from financial info. I probably spend about 20% of my time on SOX compliance in my one-man dept. Our corporate parent has a 3rd party SOX compliance consultant and an Internal Audit dept (which I never had the pleasure of being involved with before SOX).

From the priority we put on it here, I can't believe there are depts unaware of the requirements.


Auditors go ahead and Audit

by verd In reply to Sarbanes-Oxley: How is it ...

Let them do the work. I am an independent contractor and have several small business networks to take care of. Information is secure on all the networks, as secure as can be with the nature of hardware and software. It is not my problem.


What a nightmare!

by TX_Admin In reply to Sarbanes-Oxley: How is it ...

SOX has been a complete nightmare for my company. We are a medium-sized corporation with 6 subsidiaries spread across the country and all financial reporting is based in the corporate HQ, where I am lucky enough to be. We passed our audit 6 months ago and prior to that time I spent approximately 50% of my time on security issues.

We are a software development company with a separate development environment that just happens to be housed in the same data center as all the other systems, financials included. Getting the auditors to understand the difference was an exercise in futility. They just did not get it for a very long time.

I am sure that some of these controls are necessary but some of the things they chose to concentrate on were ridiculous. The amount of logging and paperwork for my department has tripled since all this was put in place.

Hopefully, continued compliance will be simpler than getting compliant. I feel for any IT manager that has not been through this yet.
