Sarbanes-Oxley

Fushigi

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,890
Location
Illinois, USA
<rant>
Any of you folks dealing with Sarbanes-Oxley compliance? It's a royal PITA. People say it's worse than Y2K and that's true. Y2K at least had a goal, an end-point. SOX requires work every frickin' quarter. I would not be surprised if smaller firms (and even some larger ones) give up being public & revert back to private so they don't have to report their numbers anymore.

In the end, it's about having processes and controls in place to ensure the sanctity of a firm's financial data. But that general statement fails to provide the proper imagery of the scope. Everything from anti-virus to intrusion detection to account management to authentication & authorization services needs to not only exist but have documented processes & controls. It is not an easy job and is costing companies millions, if not billions, of dollars.

As usual, the lawyers & consultants are making out like bandits.
</rant>
 

Buck

Storage? I am Storage!
Joined
Feb 22, 2002
Messages
4,514
Location
Blurry.
Website
www.hlmcompany.com
Fushi, I'm not really familiar with this new SOX initiative, isn't it just legislation that outlines what type of documents need to be archived and for how long? I think they stipulate 5 years. Anyway, if you could explain a little bit about it and what is involved on your end as an IT guy, it would help. Thanks.
 

Fushigi
First, I should add that storage vendors are also making out like bandits.
Buck said:
Fushi, I'm not really familiar with this new SOX initiative, isn't it just legislation that outlines what type of documents need to be archived and for how long?
At the surface level, yes. But what compounds the problem are the details:
- What types of documents need to be maintained? Document types include not only the financial records, but all transactions and all logs related to those records. Which means server access/event logs, LDAP/Active Directory, firewall, router, intrusion detection, antivirus logs, data center access, etc. And the procedures related to the implementation and administration of those systems. And user account management forms (add / change / delete). And IT policies & procedures that may impact the transactions (which includes pretty much everything from user acceptance/"terms of use" to security to server configuration).
- For each document type, what is the retention period? For most logs, 90+ days should be sufficient. For most other things, multi-year retentions will be the norm. Since the reporting is done quarterly, a minimum of a quarter's worth of logs must be retained for anything.
- For each doc type, what safeguards are in place to ensure the authenticity? This would include policies, procedures, safeguards, checkpoints, etc.
- For each doc type, what safeguards are in place to ensure the validity? This also includes policies, etc.
- For each doc type, what safeguards are in place to ensure the privacy? More policies, etc.
- For everything above, provide physical evidence that the policies and procedures are being adhered to. For instance, provide proof that firewall logs are reviewed on a regular basis and that unusual activity is acted upon.

Do all of this every quarter & report on it in your financial statement.
Buck said:
I think they stipulate 5 years.
Probably 7 since taxes can go back that far.
 

Buck
If a company is ISO 9000 certified, then a lot of this is already in place, right? Either way, it does sound like a lot of extra work. I can certainly see the need for storage space and hopefully hard drive sales will increase. : )
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,525
Location
Horsens, Denmark
Yup. One of my clients is starting to get some nice government contracts, and in order to get more they need to follow a bunch of these guidelines. Not fun.
 

sechs

Storage? I am Storage!
Joined
Feb 1, 2003
Messages
4,709
Location
Left Coast
This is just document management. The government is only adding reporting.

If you didn't have metadata on your financial documents before, then a problem was waiting to happen. While malfeasance was the reason for the legislation, mistakes are the more likely source of errors. Errors in financial documents always lead to something negative occurring, whether it's as simple as not managing the finances correctly or as big as people going to jail.

The reporting simply forces the management, which is in the company's best interest. Once the system is up and running, there is more to be gained than lost.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
21,598
Location
I am omnipresent
Be glad the things we're talking about in this thread are electronic rather than physical documents. The commodities brokers I sometimes work for have a cavernous "office" in a renovated warehouse. Their firm is about 30 years old, and most of the space they have is taken up by filing cabinets filled with paper records. Even for electronic transactions they STILL have to generate multiple copies of paper forms and file them in several different places.
 

Fushigi
Actually it's both. Some forms & logs are paper-based while others are electronic. A few, such as new user requests, could be on either. In our case, thankfully, HR gets to deal with most of the paper forms.