Looking at SOX

  • Only one of my current clients adheres to SOX and HIPAA. Yes, it has impacted work. I agree with you, that it is really for the better in that the separation of duties, although often raising the administration work, is really our job anyway.

    As for the extra paperwork, ya, I'm not going to jump for joy about that. But at the same time, it makes everyone up the food chain aware that cowboy-coding is a no-fly zone. Ok, I just had to mix something from Austin, TX with a current event in the same sentence.

    I actually think it made the management of my client become aware of the risks of them ordering a bad practice, or sneaking in some code/data changes 'like before'. So although there is a longer change management process between the SQL coder and the production db, with lots of testing and approval in between, shouldn't that be needed anyway for non-trivial systems?

    Really, the pressure is off my back because everyone is now used to changes taking a few days to implement - at least, and it will simply no longer be done 'this afternoon'. I'm talking about 95% of the time as a general procedure, not when there is an emergency.

    So I don't mind it so much. In fact, it has helped my own DBA staff to be similarly cognizant of why this is in place so we can follow similar processes with our smaller clients - but with less paperwork.

    Jim

    Jim Murphy
    http://www.sqlwatchmen.com
    @SQLMurph

  • I agree that SOX overall has been a force for good. I see tighter controls over who has access to data now and a better understanding from non-technical management on the relevance of that.

    An interesting effect of SOX I've witnessed is that development of access control & tracing systems, bug fixes & upgrades to in-scope systems are funded & championed more readily. Where SOX is concerned the decision on whether or not to spend money on development is often made simpler for management.

    Keith

  • HIPAA, under most circumstances, hit me harder than SOX. SOX mostly forced change control into existence for the cowboy shops. It's been taken to ridiculous extremes on occasion, but amongst the clients I've worked for, not very often.

    HIPAA has changed the way every healthcare firm I've worked for did business, never mind just the data side of things. From what I see, for the better, but it was taken MUCH more seriously than SOX was, or still is. Not enough companies care about SOX other than trying to make a best effort until the auditors are at the door, at least from my perspective. HIPAA will destroy them if they need to care; SOX still seems like a 'Nice to Have' on the list of requirements.


    - Craig Farrell

    Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.

    For better assistance in answering your questions | Forum Netiquette
    For index/tuning help, follow these directions. | Tally Tables

    Twitter: @AnyWayDBA

  • I think SOX has had a negative effect on business in the US, mostly because it has become a scape goat or excuse in many instances.

    IT empires with a 1960's mainframe mentality have been built in the name of SOX.

    It has been used as an excuse to take away users' ability to create and execute custom queries against a reporting database on the fly.

    The most bizarre extension I've seen of this came when a DBA told me that "We need to take Excel away from all the users because they can manipulate data in it and that violates SOX."

    I've researched SOX quite a bit and to me its concept is very similar to ISO. (1) Do you have set procedures in place to run your organization? (2) Do you follow those procedures?

    I don't remember any SOX requirement that ensures that it will be easy to identify violations when the procedures are violated.

    In short, it's resulted in a lot of extra work in our organization with no value to the stockholders or public.

  • Craig Farrell (3/18/2011)


    HIPAA, under most circumstances, hit me harder than SOX. SOX mostly forced change control into existence for the cowboy shops. It's been taken to ridiculous extremes on occasion, but amongst the clients I've worked for, not very often.

    HIPAA has changed the way every healthcare firm I've worked for did business, never mind just the data side of things. From what I see, for the better, but it was taken MUCH more seriously than SOX was, or still is. Not enough companies care about SOX other than trying to make a best effort until the auditors are at the door, at least from my perspective. HIPAA will destroy them if they need to care; SOX still seems like a 'Nice to Have' on the list of requirements.

    Well said

    ---------------------------------------------------------
    How best to post your question
    How to post performance problems
    Tally Table: What it is and how it replaces a loop

    "stewsterl 80804 (10/16/2009)I guess when you stop and try to understand the solution provided you not only learn, but save yourself some headaches when you need to make any slight changes."

  • I don't have to deal with SOX but I do have to deal with HIPAA. Both of these are laws that were passed to make people feel better about something. SOX was to make people feel better about business in the wake of Enron and HIPAA was supposed to make people feel secure about their personal information in medical records in an effort to make health care portable.

    Have either had their intended effects?

  • While I see benefits in security and controls inspired by SOX, it doesn't stop fraud instigated by upper management. All that is needed is a little collusion and it's done.

    I also dread the auditor visits and the long drawn out discussions of why a particular system has requirements that don't fall into their cookie cutter world. We just had this conversation last year. Didn't you take notes or document anything? Let me help, I'll forward you the email I sent last year (and probably the year before) explaining this.

    I've got no problem with the additional work, separation of duties analysis for new processes, etc. I just dread those six words... "The auditors are coming next week." 😛

    M

  • The "Separation of duties" is the big thing I see in SOX. No more "Jack of all trades" job descriptions. I see too many smaller companies not currently under SOX get away with this, like posting a single job that includes Application Developer, Project Manager, Database Administrator, Web Developer, and Network Admin duties all in one job requirement, simply because they are too cheap to hire separate people for each job description. SOX takes care of this, and that is a good thing IMHO. :-D

    "Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"

  • Overall, the law has been a good thing, as many expressed above. It allows DBAs to tighten down production, while using SOX as the vehicle to get it done. This has improved our production environments' stability considerably.

    The annual audit is a good thing, although the auditors don't really know what they are asking for or how to decipher the information generally. Thankfully powershell helps make these audits quicker than doing tons of screenshots. I have documented some of the scripts on my blog that I use to make the audit faster.

    A significant portion of my work from time to time is the audit, and while it can be painful, it does help us find nagging things and force us to review our environments more frequently.

    Cheers
    http://twitter.com/widba
    http://widba.blogspot.com/

  • I would not say SOX itself has ever been a problem for me, but the slightly twisted perception some managers had was a bigger issue. For example, my last employer took change control to the extreme: a two-line code change could be a week's worth of paperwork and document and code reviews. I think the biggest impact of SOX was actually on programming staff. That is when the daily work of a programmer started to shift and got to a point in many companies where the programmer was no longer spending the majority of the day writing code but doing paperwork and other tasks. That trend then shifted slightly back and programming staff was maybe 70/30, but now it is in most cases upside down again and most programmers no longer spend the majority of their day writing code.

    Dan

    If only I could snap my fingers and have all the correct indexes appear and the buffer clean and.... Start day dream here.

  • We are covered by HIPAA, SOX, CARF, and PCI compliance, so adding SOX was not a big deal. My IT dept is also part of an annual SA94 accounting audit, so you just get used to it. There is some additional initial work, but once you get past that it just becomes a paperwork exercise.

    I came from a military background, so audits and inspections were already part of my routine; I just had to get used to a different type of inspection.

  • I need SOX to keep my feet warm, as it seems the Controller keeps turning down the thermostat. 😀

    But seriously, when SOX first showed up we had a lot of extra paper work and testing. Over the years, that initial reaction to lock everything down has lessened. Now, I think our business has a better understanding of what needs to be checked and what is superfluous. It's manageable now, but when it first started, the requirements given to us were ludicrous.

  • SOX has had an awesome impact on my work.

    Gone are the days of every executive threatening my job at the end of each quarter.

    What was the threat?

    "If you don't make the changes I have requested to the financial statements you are fired!"

    It is no surprise to me that we hit a financial crisis in this country once all Publicly Traded companies had to show Real numbers in their financials instead of made-up ones created by Marketing.

    Also, another thing I like is that it requires the Business user requesting a change to document what he asked for, and that the change did exactly what he asked for. I cannot count how many times before SOX that someone would be forced into changing something for an executive or some VP, and when it broke everything we said it would, I would hear "You must have done it wrong."

    😎

  • SanDroid (3/18/2011)


    What was the threat?

    "If you don't make the changes I have requested to the financial statements you are fired!"

    I cannot count how many times before SOX that someone would be forced into changing something for an executive or some VP, and when it broke everything we said it would, I would hear "You must have done it wrong."

    😎

    Good for you, bro. This is where wearing a wire helps. Believe me, it works. SOX enforcement is not what these kinds of managers need. They need to be put in jail. I was in on a few stings in the past myself. Nothing makes you feel better than to put scumbags like this out of business. What's even better is they never saw it coming. :-D

    "Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"
