Sunday, October 16, 2005

Sarbanes-Oxley Sucks

Well, since it’s the weekend, I’m going to go off-topic (the topic, of course, being the Great Islamic Jihad) for a little rant.

I hate Sarbanes-Oxley.

For those of you who have been honeymooning on Titan for the last four years, “Sarbanes-Oxley” is shorthand for the Sarbanes-Oxley Act, Public Law 107–204, passed by Congress on July 30, 2002. The full text of the Act is here (in pdf format). It was a response to the financial shenanigans and corporate misdeeds performed by Enron, WorldCom, Global Crossing, etc., and is supposed to prevent American businesses from ever doing such naughty things again.

The following is Sarbanes-Oxley (known, at least in our company, as “SOX”) from an IT department’s point of view, so non-geek readers may want to tune out and skip this post.

I’m a database programmer in a company of moderate size. We just recently went public, and the requirements of Sarbanes-Oxley caused the company to engage the services of a SOX-compliance auditor and an IT/Network consultant. We had a meeting last week to go over the changes we would have to make in our practices in order to ensure that we become SOX-compliant.

Up until now, all the programmers in the department have had full access to the database servers; that is, with a user ID and password we could view, design, and make changes to any of the production data in the corporate databases. This has always been very handy: whenever Accounting messes up, and needs to move a nickel from the right-hand pocket to the left-hand pocket of a hundred thousand virtual pairs of pants, my bosses will ask me to design and run an update query to do the job. Things like this happen fairly often, and it has always seemed natural that programmers should have the capacity to do such things, as a part of their jobs.

But that’s all over now.

From now on we will have full access only to the test servers, and not the real data. Depending on our job descriptions, we may have “view privileges” for the production data, but no “write privileges.” Anytime Accounting needs IT to clean up their messes, someone high up will have to create a paper trail leading down from the CFO and the CIO to my boss, changing my permissions and allowing me a brief window to modify the production data, under supervision and also creating a full log of the changes made.

What a crock of solid waste.

We don’t have access to the check printers and check paper. We can’t make bank transfers to numbered accounts in the Cayman Islands. All we do is create and maintain millions of records of accounting and business-related data in databases, and write the code for the apps that give the users access to the data and provide reports for them.

Do you remember the corporate hijinks that prompted Congress to get all high-minded and create the SOX behemoth in the first place? Hiding corporate debt. Maintaining high share value by the accounting version of three-card monte. Colluding with auditing firms to keep bogus records so none of this escaped into the light. Fleecing shareholders out of billions of dollars and destroying the pension funds of thousands of employees.

Programmers didn’t do these things. Not even the network administrators were involved. It was the top-level corporate managers, the major accountants, and the lawyers.

Under SOX, who will be permitted to have the codes that allow access to the important data? The top-level corporate managers, the major accountants, and the lawyers.

This isn’t just locking the barn door after the horse has been stolen. It’s turning over the keys to the horse thieves.

SOX places yet another handicap weight on the legs of American businesses in the global commercial sprints. It is reckoned to add enormous costs to every company, requiring new layers of auditors and accountants and overseers and paperwork. Every year it will cost an additional umpty-bazillion dollars to run American corporations, thanks to good ol’ Uncle Sam.

And did Congress, in its generous foresight, raise taxes and appropriate funds to reimburse businesses for their extra expense? No, it didn’t; the cost is simply passed on to the consumer.

That’s you, Jack.

Yup. That widget you have been paying six bits for will shortly be costing you a dollar, thanks to SOX. It’s a present from Your Friendly Federal Government, a little secret taxation without any representation.

And all that extra money you’re laying out — whose pockets will it line? Why, those of the top-level corporate managers, the major accountants, and the lawyers, of course.

Yes, yes, I know: the programmers will get a little bit of it, too. So I’m biting the hand that feeds me. So what?

21 comments:

DSmith said...

Exactamundo. A huge competitive disadvantage for American business, thanks to our posturing, clueless, and knee-jerk politicians. And yes, every single one of us will end up paying for it, from our pocketbooks and in jobs sent overseas. Think the Chinese have sarbox?

But I suspect your sarbox consultant isn't so great, either. I work for a company that is *very* conservative when it comes to corporate governance and we're not nearly so bad. As I understand things, and not claiming to be an "expert" (I'm not sure anybody really is), nothing like that level of control is required for compliance. Basically, you just have to have extensive audit records, with excellent security so that you can prove who did what when. It's not a question of preventing people from doing things, or requiring extensive authorization; it's about not being able to hide things.

Good luck in living with this abomination.
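The control the post describes (view-only access for programmers, a write window opened and closed under supervision, and a full log of every change) and DSmith's point that compliance turns on audit records showing who did what and when, sketched as an added example in PostgreSQL syntax. This is not code from the post or from any commenter; the database name `prod`, the roles `prod_readonly` and `prod_change`, the login `programmer`, and the tables `ledger` and `ledger_audit` are assumptions.

```sql
-- Added example, not from the post: least-privilege roles plus an
-- append-only audit trail, in PostgreSQL syntax. All names are assumptions.

-- The production table the programmers maintain (constructed sample schema).
CREATE TABLE ledger (
    entry_id bigserial     PRIMARY KEY,
    account  text          NOT NULL,
    amount   numeric(14,2) NOT NULL
);

-- Audit table: one row per change, recording the login that made it and when.
CREATE TABLE ledger_audit (
    audit_id   bigserial   PRIMARY KEY,
    changed_at timestamptz NOT NULL DEFAULT now(),
    changed_by text        NOT NULL DEFAULT session_user, -- the login, not the role
    operation  text        NOT NULL,
    old_row    jsonb,
    new_row    jsonb
);

-- SECURITY DEFINER: the trigger writes the audit row as the function's owner,
-- so the writer needs no privilege on ledger_audit and gets none to edit it.
CREATE FUNCTION ledger_audit_fn() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    INSERT INTO ledger_audit (operation, old_row, new_row)
    VALUES (TG_OP,
            CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
            CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END);
    RETURN NULL;  -- AFTER trigger: the return value is ignored
END;
$$;

CREATE TRIGGER ledger_audit_trg
AFTER INSERT OR UPDATE OR DELETE ON ledger
FOR EACH ROW EXECUTE FUNCTION ledger_audit_fn();

-- "View privileges": the day-to-day programmer role, SELECT only.
CREATE ROLE prod_readonly NOLOGIN;
GRANT CONNECT ON DATABASE prod TO prod_readonly;
GRANT USAGE ON SCHEMA public TO prod_readonly;
GRANT SELECT ON ledger, ledger_audit TO prod_readonly;

-- "Write privileges": held by nobody until a change is approved.
CREATE ROLE prod_change NOLOGIN;
GRANT prod_readonly TO prod_change;
GRANT INSERT, UPDATE, DELETE ON ledger TO prod_change;
-- The audit trail stays append-only even for the write role.
REVOKE INSERT, UPDATE, DELETE, TRUNCATE ON ledger_audit FROM prod_change;

-- A programmer's login starts with read-only access and nothing else.
CREATE ROLE programmer LOGIN IN ROLE prod_readonly;

-- The supervised window: the DBA grants the write role against the approved
-- ticket, the programmer runs the fix, and the grant is revoked afterwards.
GRANT prod_change TO programmer;
--   (the approved UPDATE runs here; each changed row lands in ledger_audit)
REVOKE prod_change FROM programmer;

-- Afterwards the auditor can answer "who changed what, and when":
SELECT changed_at, changed_by, operation,
       old_row ->> 'amount' AS old_amount,
       new_row ->> 'amount' AS new_amount
FROM   ledger_audit
WHERE  changed_at >= now() - interval '1 day'
ORDER  BY changed_at;
```

The GRANT and REVOKE lines are the DBA's, run against the ticket, not the programmer's; the programmer only ever holds the write role for the length of the job. Because only the table owner can ALTER TABLE, the write role cannot disable the trigger, and because the audit row is written under the function owner's identity, the write role cannot alter the record of its own changes.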

Baron Bodissey said...

DSmith, you are right about my company. I think our CFO is being over-fastidious in his CYA response to SOX.

I know the man very well, and he is a fellow of enormous incorruptible integrity. He'd never be a party to any of this kind of stuff, so that's why he's requiring such stiff compliance on the part of his subordinates.

Whereas I'm sure the managers of the corrupt companies are handling it with a wink and a nudge and going on with business as usual.

Wagner said...

Next is SAP, the secret German plot to gain control of the world by using integrated accounting.

Already at the company I work for, we can no longer keep historical e-mails, they are now kept up on a server and purged after a certain period of time. Protection to the future guilty.

Baron Bodissey said...

Wagner, tell me more about SAP. What does it stand for?

A quick google turned up this, but it is too dense with corporate-speak for me to get much out of it.

sammy small said...

Our large defense electronics company has added so many new reporting requirements that I have had to add an additional person to the staff just to keep up. In our matrix organization, I now report certain financial data to three different managers of different organizations. Of course these organizations never work to the same reporting schedules, so I'm having to do this almost monthly instead of quarterly.

Certain management levels are determined not to be found guilty of mis-management or lack of oversight, so they demand more and more reporting. The threat of jail time makes people over-react in ways that astound most of us.

Dave Schuler said...

So, what do you do when your domestic industries are feeling the pinch from overseas competition? Hand them a boat anchor, of course. Any idea that Indian or Taiwanese or Chinese companies will conform to the Sarb-Ox provisions is a dream.

The provisions of Sarb-Ox are drifting down to mom-and-pop companies—they're being required to conform by their Fortune 1000 customers for whom this is the only way to become Sarbanes-Oxley compliant themselves. The Congressmen who thought this was a good idea hadn't worked for real companies for a generation. They don't recognize the revolution that's gone on in how U. S. companies actually function today. They still apparently think of huge 1950's-style giants.

Dave Schuler said...

Baron, SAP is a German company. Their product is a large, complicated, do-everything-for-everybody application that's being used by most if not all of the companies in the Fortune 500 these days.

Since the time-to-implement for SAP is so enormous lots of companies don't really know whether the benefits they were promised have been realized or not.

SAP credentials are one of the hottest things in IT.

John Sobieski said...

The recent Refco collapse proves Sarbanes-Oxley does not work. Fraud like third-party transactions can really be caught only with smart sleuthing and asking suspicious questions. SA should be rolled back.

El Jefe Maximo said...

My wife's a CPA and a corporate controller, and although I know nothing about that racket, I can always tell when some compliance deadline approaches because of all the expletive deleted references to "Sars-Ox."

I'm a Houstonian, and naturally, Enron was of some interest round here. Never, never ask a CPA/lawyer for an explanation of what happened at Enron! When I asked my wife for a brief description, 45 minutes later she was still going, and I was probably sound asleep.

Wagner said...

Baron,

Dave Schuler provided the answer, but I'll add more wry viewpoint.

SAP is the answer to the attempt to integrate low level managerial accounting or point of commitments (sales or purchases) into real-time high level financial statements.

While the concept may be the holy grail of accounting, the Germans have been the best marketers so far. Basically what you do is hire a "SAP" implementation consulting company, who brings the basic SAP to your company and then studies your business processes so they know how to configure SAP to your world. Only, you find out after committing millions, that SAP won't support your current processes. Senior management in your company, having been sold on the SOX compliance aspect and embarrassed by the millions already sunk, mandate that you change your processes to fit SAP.

The tie with SOX, is that SAP sells itself as being able to fully document and put in place (through software) the financial approvals and controls necessary to comply with SOX - hence the Fortune 500 rush to adopt and implement.

But it doesn't stop there: procurement policies in each of these companies are changed so that now, you as a seller of goods or services have to effectively change your business to integrate into your client's SAP system. It's not mandated, BUT it becomes the path of least resistance. So the SAP becomes the Borg, growing and assimilating all it comes in contact with...

hank_F_M said...

SOX is certainly a 10-pound sledge doing the job of a ball peen hammer.

A modest proposal, since the government is a public corporation, though not a publicly held corporation, why not extend it to the government. Just a thought.

texasviolinist said...

Sarbanes-Oxley is a crock for a million and one reasons, but any programmer who tells me he needs to change production data directly in production is a rank absolute amateur and shouldn't be in the profession. I routinely hire programmers, and any programmer who claims that this is what they need to be effective gets shown the door before the next question.

I am tired of all these pony-tailed freaks who learned programming on their home computers complaining about good change control. America's information resources are seriously jeopardized by the weak controls companies have over their production systems. So many companies have hired foreign nationals of uncertain loyalties who have more control over the IT future of their clients and employers than the board of directors. Many more companies have outsourced maintenance of these assets to third world countries that are still controlled by communist despots.

It's a scandal, and you shouldn't be compounding it with your naive view of data security.

Baron Bodissey said...

texasviolinist —

Well, aren’t you a sweetheart with a kind bedside manner?

I take exception to any number of assertions you make, most especially that I am a rank amateur. I have been programming professionally for almost thirty-five years, on mainframes, mini-computers, micros, PCs, etc. I resent your tone, and your unwarranted assumptions about my competence.

I learned programming in an academic environment, probably when your daddy was still in knee pants, back when we had to use punch cards and assemble Fortran code via a card reader. I am fortunate to have remained flexible and stayed current with the programming methods used nowadays, instead of having to prove the Peter Principle and ascend to the pure living hell of Administration.

I am not a “programmer who claims that this is what [I] need to be effective;” I am a programmer whose managers have decided that this was what they needed to be effective. This is a small IT department (though it may grow now after the merger), with only three programmers, a network administrator, a business analyst, and the CIO. All of us have to wear many hats.

The model you’re talking about is perfectly appropriate for large organizations, but this is not one. If you’ve ever tried to run a small business, it certainly doesn’t show.

I feel sorry for the programmers you “routinely hire”; I feel confident that they eventually come to regret working for someone with such an arrogant and overbearing attitude, and are grateful when they get to move on to a more congenial environment.

I have been a consultant to and an employee of many companies in my career, with the accolades and compensation to show for it. Fortunately, I have never run into a manager like you.

Oh… also, I do not have a ponytail, though I did at one point in my misspent youth.

linearthinker said...

hank_f_m's "...modest proposal, since the government is a public corporation, though not a publicly held corporation, why not extend (SOX) to the government. Just a thought."

This conjures up visions of that classic definition of bureaucracy: a group of individuals traveling in ever decreasing circles at ever increasing speed, until they vanish up their own arseholes in a puff of white smoke. Let's do it!

dsmith nailed it with his "...thanks to our posturing, clueless, and knee-jerk politicians."

(Baron, are you a "pony-tailed freak"? with naive views?) Whoops, comments overcome by events here.

Time for me to leave this Sunday afternoon diversion and get to work on my old beater that's up on blocks in the door yard.

linearthinker said...

texasviolinist

Those who anger you control you.
Sosoumi, Haiku Master

gandalf said...

I have posted on my site a notice to blog admin.
I can, via your sitemeter, access all of the stats of your site. I could, if I wished, change your sitemeter settings.

IP addresses and locations of the people who visit your site are available.

Please change your meter settings to "private"; then this info will not be accessible to all and sundry.

"Shrink wrapped" is another site where access can be gained, indeed there are many sites which have not taken this precaution.

We do not live in a nice world, as you know; information such as this can be used against us.

right around here said...

I don't like to throw rocks around glass houses, but isn't it time we "killed" this "person" called a corporation.

Eliminate all that legal corporate cover for miscreants so they have to live in the light as do I, a lowly "sole proprietor."

Sure it would be a lot of work but would eliminate a boat load of thieves calling themselves executives, and other meaningless names. Then at least when their hand was caught in the cookie jar there would be no place for them to hide.

The Kmart bankruptcy comes to mind. Kmart is broke one day, but spends $6 billion the next to buy Sears.

Even first graders know that is a rip only corporations with a bazillion lawyers can get away with.

Baron Bodissey said...

gandalf -- We keep our sitemeter public in order to allow NZ Bear's ecosystem access to the stats (which affect our ecosystem rating).

But there should be no way for you to change our preferences & settings; those require a password login. If you have been able to do that, this is a problem which the site meter people will have to address. I'm sending your message on to them.

Jason_Pappas said...

You’re quite right, of course. I recently interviewed a programmer from a large money manager and he said he wanted to leave because all work has come to a halt. He was spending his time filling out forms, waiting for approval, etc. I’ve worked in large and small companies and I respect the needs of both – and the risks involved. But one-size-fits-all regulation is strangling our productive companies. And it won’t absolutely eliminate fraud in the future.

Baron Bodissey said...

Jason, it won't eliminate fraud at all as long as top managers and auditors collude, as they did with Enron.

The government would have to audit every business itself to keep it from happening. And wouldn't that be ducky.

texasviolinist said...

Jason_Pappas,

Good change control and security doesn't have to mean that people have to be unproductive. But most IT managers have poop for brains so they substitute inconvenience and roadblocks for real controls. But throwing out security (especially for a money manager) isn't an option.

I frequently find that the companies with the most onerous security processes have the worst security.