(continued from previous page)
to meet the letter of the law and related regulations from the U.S. Securities and Exchange Commission has been difficult to discern, AMR's Hagerty said. Interpretations of the rules changed over time, to the frustration of CIOs in 2004, he suggested. "Most IT organizations will tell you (SOX compliance) was disruptive," he said. "Section 404 is the part that caused people the heartburn."
StorageTek's Arnold suggested that the effort to comply with SOX last year was somewhat frenzied for the various parties involved--including regulators and auditors. "Everyone was in such a hurry," he said. "There was a lot of misunderstanding and misinterpretation."
At one point, independent auditors argued that when StorageTek clerks were confirming purchases with a computer keystroke, they should first print out the document that was on their screens. But that would have created a huge amount of paperwork with little SOX-related value, according to Arnold. "We said, 'absolutely not.'" The auditors backed off from the request.
Some IT departments seem to have responded to SOX by documenting a wide range of activities, including apparently trivial ones.
"Has anyone else's company gone off the deep end on (quality assurance) documentation supposedly to be in compliance with SOX?" Walter Robinson, a CNET News.com reader, wrote in response to a recent column.
"We're to the point that it takes about a day to produce the various change documentation for a one-line code change," Robinson wrote. "And the 'QA' department says that we are being told by third-party auditors that we have to be this inefficient in order to be in compliance with SOX. And it's not like these rules are only being applied on systems that maintain the (company's) financial data; it's being applied across the company. Why does SOX care if I widen the description field on the product table allowing them to have a 5-character longer style name for a pair of shoes?"
Consultant Steve DeLaCastro, though, has a different take on how much IT departments have done related to SOX. "I've actually noticed them doing less than they have to," said DeLaCastro, who focuses on outsourcing arrangements for professional services firm Tatum Partners. DeLaCastro argues that some IT shops have not gathered the proper evidence that their controls are in place and effective.
In addition, DeLaCastro suggested, companies using outsourcers may be out of compliance with SOX in part because controls aren't being audited. "They're not thinking about their outsourcing relationship, and what it means" for SOX, DeLaCastro said.
IT spending bonanza
DeLaCastro's group is one of many vendors of technology services or products that have stepped in to help companies comply with SOX. Vendor interest in SOX isn't surprising. AMR estimates that total spending on SOX compliance will rise from the $5.7 billion shelled out

While people complain about regulations and guidance, let's understand that the purpose of this legislation was to rein in corporate governance and provide additional transparency so that the likelihood of a corporate implosion is significantly reduced.
Danni