November 21, 2004

Mini Research Project: Sarbanes Oxley 404 Horror Stories

According to an unattributed source, the SANS people are looking to compile a list of Sarbanes-Oxley horror stories. They might have their work cut out for them!

For those who don't follow governance as if it affects our every minute, Sarbanes-Oxley is the Act in the USA that tightens up the rules on how a company does .. well, just about everything. It's the result of the Arthur Andersens, the Worldcoms and other billion dollar collapses. It's big, it's long, it's boring, and if you have heard of it, your only friends are people who have also heard of it...

Notwithstanding its dry accounting background, Sarbanes-Oxley has raised bureaucracy to new levels. Like a scene from Brazil, its solution to every ill is rules and yet more rules. Understandably, people don't like it, but because it applies to all companies equally, there is little to be gained in fighting it: it is only the customer who ends up paying, and it has no bearing on how you compete against your competitors, only against yourself.

What makes it especially interesting is that this time the risk is entirely within the company; outsourcing of any component is no excuse! A recently seen trend is that new hires in risk management are empowered to develop their own IT teams. Why? Because they can no longer simply shift the burden onto another department; Sarbanes-Oxley requires you to be responsible for the risk, however it's done.

And they're getting tough on compliance. This time, if your company is not up to scratch, you may well be offering yourself up as a sacrifice to a regulatory orgy of fines, inspections, naming and shaming and other terrors.

More great news for suppliers of solutions. More fear, uncertainty and doubt, and less risk. Who could ask for more?

Mini Research Project: Sarbanes Oxley 404 Horror Stories

SANS is looking for evidence to support an assertion we hear a lot, that there is insufficient IT guidance in SOX 404/COSO to show that your IT systems have the needed controls to demonstrate the audit report is accurate. We have heard reports from the field talking about 2 auditors from the same firm having opposite findings, or more commonly, organizations that can't figure out what to do, so they end up buying a six figure SAS 70 to have some sort of coverage. If you have a horror story you can share, that would be great. I am happy to read non-attributable statements, but what we are looking for are stories where we can name the individuals and organizations. Send your horror stories to

Posted by iang at November 21, 2004 09:46 AM