I have encountered a lot of difficulties dealing with our security department. They rejected all of our user profile maintenance requests, day after day. After a series of “conversations”, it seems that they do have a difficult time under the stress of Sarbanes-Oxley (SOX). So, what is SOX? And what is its impact on IT dev teams?
There is too much information about SOX on the internet, and I could find nothing useful except Wikipedia. It covers everything from history and overview to cost and even case studies. What is great is that all the information is written for laymen, such as myself. I think no IT guy would want to go straight into the laws; even a summary is too much for me.
After reading the material and linking it back to my experience in the company, I would like to quote the following from Wikipedia:
The following areas are described as impediments to the process:
- “Project mindset: … many companies understandably treated section 404 compliance as a discrete project with a clearly defined ending point.”
- “Overextension of internal audit: If management continues to utilize internal audit for intensive 404 and 302 compliance-related work, then a significant infusion of resources (i.e., budget and headcount) to accommodate the additional workload will be needed.”
- “Poorly defined roles: Internal control-related roles and responsibilities, often poorly defined and segregated from the day-to-day routine of employees during the first year, will require greater clarity and integration going forward.”
- “Improvisational approach: Another symptom of deadline pressure showed up in the jerrybuilt practices that carried many companies through the first year.”
- “Underestimation of technology impacts and implications: …IT is recognized as critical for achieving the goals of the Act, and the impact and implications of technology are widely regarded as significant and pervasive. In many year-one projects, organizations focused heavily on business processes and did not consider the broader role that IT plays in managing financial information and enabling controls… IT will make a huge impact on compliance going forward. At a minimum, technology investments will be necessary to support sustainable compliance in several areas, including repository, work flow, and audit trail functionality. Technology will also be used to enable the integration of financial and internal control monitoring and reporting — a critical requirement at most large and complex enterprises.”
- “Ignored risks: Effective internal control is predicated on risk… the controls themselves — exist expressly for the purpose of minimizing the risk of financial reporting errors… In year one, risk assessment was treated as an afterthought — if addressed at all.”