Sarbanes Oxley is a SCAM

[spidey07]

So as there are countless audits and a tremendous amount of work going on involving "audit consulting firms" here's my take on it.

Mr sarbanes and Mr Oxley (we'll call them SOX bastards from now on) happened to lose a lot of money when their interests in a now defunct audit house got raped for poor practice.

Now how do you recooperate that loss? Why you invest EVEN MORE into the audit firms still standing and you get SOX passed.

Win for SOX bastards, pain in the rear for corporations everywhere.

What do ya think? I wish I had thought of it.

<---tired of being audited and having to prove my department to a bunch of IT auditors who wouldn't know good practice if it smacked them.

I'm ultimiately in charge of corporate info security. And I'm getting grilled about passwords and firewall rules. I mention that there are multiple layers of security for a "security in depth" approach.

This bafoon starts grilling me on "what do you mean security in depth?"

I mean if you had a frickin clue you would know what that meant. So my typical response has been "I'm not here to train you. You are here to audit and I presume you know a little about info security otherwise you wouldn't be on the account. So when I say "security in depth" I expect you to know what I'm talking about. What are your qualifications again?"

Now who's your boss again so I rant at him.

/end rant/moment of clarity and lessons on how to turn an audit around.

 

[ggavinmoss]

I fail to see how getting snippy with your auditors makes the audit go more smoothly. (And I do work for a financial services company and we're audited annually.)

-geoff

 

[m2kewl]

dude, i consult for some insurance/reinsurance firms...i feel your pain!!

i have to take orders from a failed A+/MCSA/CCNA wannabe from kpmg, regarding fw and global domain security...

SOX is da sheitnizt!!! BOOO!

 

[imported_FishTaco]

You probably forgot to show him the new cover sheets for your TPS reports.

 

[JulesMaximus]

Agreed. We are subject to an annual audit, quarterly audits and internal audits by our parent corp every year. Currently preparing for SOX compliance. It blows.

 

[UNCjigga]

I used to work for a firm promoting Sarbox and writing pro-Sarbox research, analysis, studies etc. I thought it interesting myself that these two people you speak of would create legislation and audit rules so complex, that the only way to achieve compliance is to hire one of the consulting/accounting firms that got everyone in trouble in the first place! How does one become 'sarbox certified?' They go on the talking circuit at conferences/trade shows and instantly they are an expert and qualified to provide oversight on compliance!

 

[Double Trouble]

Spidey, I feel your pain I'm responsible for SOX compliance for one part of the office of finance, and it's a pain. It's here to stay though, and I've taken kind of the opposite tack you seem to be taking.... Remember that those guys are just trying to do their jobs, to make sure they cover all their procedural bases so that if something goes wrong, they can hold up some nice "get out of jail free" cards.

Basically, if you make their life difficult, they can make yours a whole lot more difficult. For one, you can be snippy with them, but in the end, they can simply ding you and not certify your area. Then, you're going to stand in front of some corporate bigwig who doesn't know a domain from a hole in the wall, who doesn't give a ratts butt about whether the KPMG guy 'knows hist stuff' or not. You'll have to explain to him why he shouldn't fire you and get someone else in house that will play the SOX game with the auditors.....

Remember, as a result of SARBOX, the guys at the top are the ones that stand to get bitten in the butt if something does go wrong, and trust me, covering their butt is waaaaay more important than some peon in an IT department

 

[n0cmonkey]

Those who do, do. Those who can't, audit?

 

[spidey07]

Originally posted by: Jigga
I used to work for a firm promoting Sarbox and writing pro-Sarbox research, analysis, studies etc. I thought it interesting myself that these two people you speak of would create legislation and audit rules so complex, that the only way to achieve compliance is to hire one of the consulting/accounting firms that got everyone in trouble in the first place! How does one become 'sarbox certified?' They go on the talking circuit at conferences/trade shows and instantly they are an expert and qualified to provide oversight on compliance!

and you see my point.

 

[spidey07]

Originally posted by: tagej
Spidey, I feel your pain I'm responsible for SOX compliance for one part of the office of finance, and it's a pain. It's here to stay though, and I've taken kind of the opposite tack you seem to be taking.... Remember that those guys are just trying to do their jobs, to make sure they cover all their procedural bases so that if something goes wrong, they can hold up some nice "get out of jail free" cards.

Basically, if you make their life difficult, they can make yours a whole lot more difficult. For one, you can be snippy with them, but in the end, they can simply ding you and not certify your area. Then, you're going to stand in front of some corporate bigwig who doesn't know a domain from a hole in the wall, who doesn't give a ratts butt about whether the KPMG guy 'knows hist stuff' or not. You'll have to explain to him why he shouldn't fire you and get someone else in house that will play the SOX game with the auditors.....

Remember, as a result of SARBOX, the guys at the top are the ones that stand to get bitten in the butt if something does go wrong, and trust me, covering their butt is waaaaay more important than some peon in an IT department

I totally understand and am very compliant with audits of my department (there are 14 open ones as I speak).

But when my guys complain to me I have to do something about it. They're my boys and some of this stuff is preventing them from actually doing their jobs. And its getting out of hand.

And hence I will not and shall not be audited by idiots. Especially fresh ones.

I refer to Jigga's very appropriate take on it as he hit my sentiments on the head.

 

[Triforceofcourage]

Sarbanes is good for us aspiring accountants. Sarbanes = more accounting jobs

 

[Garion]

You guys have NO idea what it's like to work at a major financial firm as SOX is being rolled out. Thank god there's others that get to deal with the constant audits and questionaires.

I guess that is one nice thing about not doing networking and firewalls anymore - I just point at you Spidey-types and say "Ask him!"

- G

 

[vi edit]

Does this only apply to publicly traded companies?

 

[Apathetic]

We just added a bunch more SOX crap to our change control procedures here at work. One of the new changes is that a bunch more paperwork has to be done if a change affects one or more "SOX categories". Unfortunately, one of the categories is "change in performance". Well, by definition EVERY code change ANYONE makes will affect performance (unless your sequence of changes generates the EXACT same list of assembly instructions - which is higly unlikely). I pointed this out to our SOX guy and needless to say he wasn't very happy with me.

Dave

 

[DurocShark]

Originally posted by: vi_edit
Does this only apply to publicly traded companies?

No.

My company is large, but privately owned. Here's what I've had to go through since SOX:

15 character passwords for IT people (Including uppercase and lowercase and numbers)
Help Desk no longer able to reset pw's for IT people
Must get approvals for Help Desk "cheat sheets"
Laptop login even more of a PITA
Fully documented development for "one off" applications
Must now follow Microsoft's "Best Practices" (Like M$ has a clue what best practices might be)

and the list goes on...

It really blows and I think is a total waste of time and money.