RE: [U2] [OT] Sarbanes-Oxley
Bill H. wrote:
> The management, who are putting their necks on the line, so to speak, should be able to do what they think is necessary. The real difficulty is management are being hired who don't know how to judge the quality of their business operations and activities. This is a primary cause of what you are seeing. The consequences of this are far reaching, economically speaking of course.

I think we've seen a lot of incompetent CxOs collecting big salaries and then bailing without pain when they run their companies aground - only to be picked up by some other company later. People at that level tend to stay at that level despite the Peter Principle. Some of these guys can afford to bounce around because of the huge salaries and bennies they command. And I think SOA will change that significantly, because the incompetent wannabes, the smart ones, will realize that this behavior now returns jail time, and some of them will go find another racket. And the Board of Directors who bring in CxOs will be more careful about who they bring in too, or face not only trashed stock values but public embarrassment as well as they and/or their corporate figureheads get carted away.

I don't expect it to be as cut-n-dried as that, but I think this will cause more people to think in different ways. Laws aren't just intended to punish people who do wrong, but to further motivate people to do what's right (oh yes, and to line the pockets of politicians and lawyers). SOA/SOX (with the little I understand) seems to be a good motivator, and best of all, as Susan says, IT stands to benefit immensely.

Be valuable. Understand the requirements before they're presented. Be proactive. Let management know your MV system can handle SOA so that they don't go overboard and call Oracle or SAP for quotes. Encourage management to consider the risk associated with trading partners - no matter what country you or they are in.

Tony Nebula RD

--- u2-users mailing list [EMAIL PROTECTED] To unsubscribe please visit http://listserver.u2ug.org/
RE: [U2] [OT] Sarbanes-Oxley
Others have argued:
> See the thing is, we're letting the auditors drive this thing.

> Auditors don't drive this. Auditing is basic procedures plus statistical sampling of transactions ...

*** No, no, no, that's what financial auditors do, not I.T. auditors. The word auditor is an overloaded descriptor, referencing either a financial auditor or an I.T. auditor, which are two very different animals. Financial auditors examine financial transactions and financial controls, and they verify samples of data. I.T. auditors look at the software that produces and uses that data, and look at how the software is controlled, and they also look at physical control of I.T. hardware.

** The Sarbanes-Oxley act specifically mandates both kinds of auditing, both financial auditing and I.T. auditing. **

The I.T. audits aren't much like financial audits. Instead, they are much like ISO-9000 audits, and require excruciatingly detailed documentation of I.T. quality assurance (or at least QA-ish) policies and procedures. As with ISO-9000, the costs of becoming compliant may be high, but sometimes there are good benefits. For instance, some I.T. departments which were scrambling to become compliant with SOX audits have found themselves accidentally becoming more compliant also with the SEI-CMM (Software Engineering Institute's Capability Maturity Model).
RE: [U2] [OT] Sarbanes-Oxley
All this makes me glad I am in the UK.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Joslyn
Sent: 06 August 2004 14:39
To: [EMAIL PROTECTED]
Subject: RE: [U2] [OT] Sarbanes-Oxley

Three more things about Sarbanes-Oxley ... most important, acronyms. I immediately latched onto SOX but the accounting world and the official sites started calling it SOA. So I used that for the article but I still like SOX, mainly because it's unique and because you can say it. :)

Tony, SOX doesn't have a whole lot of specifics in it. Most of the specifics are coming from COSO, which was endorsed as an accounting framework by SOX. Section 404 is the one that is driving a lot of the specific requirements and as you can see here it is open to much interpretation (see below).

Bill, I think you misunderstood me. I didn't say auditors should drive it. I said the problem is that we are allowing that to happen. Everyone I know in IT is responding to requests from auditors rather than saying "Okay, let's study up a bit and see what we can bring to the table to meet the requirement." Cut 'em off at the pass, I say.

And Bill, I *love* this remark -- for this is exactly what has now occurred!
> My point is there are more powerful arguments for structural ineffectiveness rather than some surreptitious human behavior. Besides, one controls human behavior by instituting institutional structural controls. :-)

TITLE IV
Section 404 Management Assessment Of Internal Controls

(a) RULES REQUIRED- The Commission shall prescribe rules requiring each annual report required by section 13 of the Securities Exchange Act of 1934 (15 U.S.C. 78m) to contain an internal control report, which shall--
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING- With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement
RE: [U2] [OT] Sarbanes-Oxley
Sorry Tony. It was a beautiful day in the Pacific Northwest and I couldn't help reminding us all of the generalized useless nature of Congressional edicts. :-) When the dust settles I suspect it'll be like the year 2000 problem; by 2004 no one can remember it. :-) (gotta add those smileys)

As always,
Bill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Gravagno
Sent: Thursday, August 05, 2004 8:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [U2] [OT] Sarbanes-Oxley

> My friend, we rarely disagree, even on these points. I've made no such assumptions about rationality, actual vs intended effects, nor the competence of those sponsoring laws. I only stated the possible effect the new laws will have on people worldwide. Are you responding to someone else's comments?? If my intent wasn't clear, please let me know. Nothing worse than being admonished for thinking something that never occurred to you. :)
>
> Tony
>
> Bill H. wrote:
> Tony: You make large assumptions:
> 1) Congressional lawmaking is rational
> 2) Laws passed don't have the opposite effect from intended
> 3) Those sponsoring laws have a clue what they're doing.
> When it comes to Congress, the less they do the better. :-)
>
> Tony Gravagno wrote nothing of the sort: [snip - go check]
RE: [U2] [OT] Sarbanes-Oxley
This sounds like the kind of thing that would drive one to purchase PRC.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rosenberg Ben
Sent: Friday, August 06, 2004 7:03 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [U2] [OT] Sarbanes-Oxley

> The I.T. audits aren't much like financial audits. Instead, they are much like ISO-9000 audits, and require excruciatingly detailed documentation of I.T. quality assurance (or at least QA-ish) policies and procedures.
Re: [U2] [OT] Sarbanes-Oxley
Same here. We have established a fairly extensive Change Control Tracking system with approval tracking at every stage.

Change Request - Approval
Modification - Approval
Testing - Approval
Move to production - Approval
Final - Approval

Vance Alspach
J L Industrial Supply

> I was just wondering what lengths other departments/companies are going to to satisfy the requirements imposed by the Sarbanes-Oxley act? How much of an impact is it on your operations?
>
> Gordon J. Glorfield
> Sr. Applications Developer
> MAMSI (A UnitedHealth Company)
> 301-360-8839
RE: [U2] [OT] Sarbanes-Oxley
<snip>
> Our department has gone Sarbanes-Oxley mad here.
</snip>

Same thing where my wife works. Not here as we're privately held. We've discussed this at length between ourselves and determined the least-cost route is to buy back all your stock and go private <grin>.

Jim
RE: [U2] [OT] Sarbanes-Oxley
We're close to the same...

Change Request via module-specific superuser. Write up a proposal that includes description of problem, what the mod will do to fix the problem, and any ongoing maintenance that will be required as a result of the mod. Sign off from the requestor, requestor's department manager, and IT manager.
Do the mod. Programmer signs off that it's finished.
IT manager delivers change to pilot, signs off.
Superuser tests in pilot, signs off.
IT manager delivers change to live, signs off.

Amazing that the process to get a mod in place sometimes takes lots longer than the mod itself... week or two ago, I just needed to change the length of a field... uugghhh! But that's the part where we've felt the most pain. Most of the other points we had to meet were minor changes.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 12:24 PM
To: [EMAIL PROTECTED]
Subject: Re: [U2] [OT] Sarbanes-Oxley

> Same here. We have established a fairly extensive Change Control Tracking system with approval tracking at every stage.
>
> Change Request - Approval
> Modification - Approval
> Testing - Approval
> Move to production - Approval
> Final - Approval
>
> Vance Alspach
> J L Industrial Supply
>
> > I was just wondering what lengths other departments/companies are going to to satisfy the requirements imposed by the Sarbanes-Oxley act? How much of an impact is it on your operations?
> >
> > Gordon J. Glorfield
> > Sr. Applications Developer
> > MAMSI (A UnitedHealth Company)
> > 301-360-8839
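Vance's post and the one above describe the same thing from an IT-controls standpoint: a stage-gated sign-off chain where each gate is signed by a specific role and the record of who signed what, and when, is what the auditor comes to see. What follows is an added example, not code from the thread or from PRC: a small Python ledger that refuses out-of-order stages and wrong-role sign-offs, and hash-chains each sign-off to the previous one so an after-the-fact edit to the record is detectable. The stage names, the role assigned to each stage, and the change request CR-0001 are assumptions constructed for this example, modelled loosely on the workflow the posters describe.

```python
"""Gated change-control ledger: an added example, not code from the thread or
from PRC. It models the sign-off chain the posters describe (request, approval,
modification, testing, move to production, final) and enforces what an IT
auditor asks to see evidenced: stages complete in order, each stage is signed
by its assigned role, and the record is append-only and tamper-evident."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ordered stages and the role that must sign each one (assumed mapping).
STAGES: list[tuple[str, str]] = [
    ("request", "requestor"),
    ("approval", "it_manager"),
    ("modification", "programmer"),
    ("testing", "superuser"),
    ("move_to_production", "it_manager"),
    ("final", "it_manager"),
]
GENESIS = "0" * 64  # prev_hash recorded by the first entry


class ControlViolation(Exception):
    """A sign-off that would break stage order or the role assignment."""


@dataclass
class SignOff:
    stage: str
    role: str
    user: str
    timestamp: str
    prev_hash: str
    digest: str = ""


def _hash_entry(e: SignOff) -> str:
    # Digest covers every field except the digest itself, including the link
    # to the previous entry, so editing or reordering any entry is detectable.
    payload = json.dumps([e.stage, e.role, e.user, e.timestamp, e.prev_hash])
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class ChangeRequest:
    change_id: str
    description: str
    entries: list[SignOff] = field(default_factory=list)

    def next_stage(self) -> tuple[str, str] | None:
        idx = len(self.entries)
        return STAGES[idx] if idx < len(STAGES) else None

    def sign_off(self, stage: str, role: str, user: str) -> SignOff:
        """Append a sign-off, refusing out-of-order stages and wrong roles."""
        expected = self.next_stage()
        if expected is None:
            raise ControlViolation(f"{self.change_id}: workflow already complete")
        exp_stage, exp_role = expected
        if stage != exp_stage:
            raise ControlViolation(f"expected stage '{exp_stage}', got '{stage}'")
        if role != exp_role:
            raise ControlViolation(f"'{stage}' must be signed by {exp_role}, not {role}")
        prev = self.entries[-1].digest if self.entries else GENESIS
        entry = SignOff(stage, role, user, datetime.now(timezone.utc).isoformat(), prev)
        entry.digest = _hash_entry(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True unless an entry was altered, removed or reordered after signing."""
        prev = GENESIS
        for e in self.entries:
            if e.prev_hash != prev or _hash_entry(e) != e.digest:
                return False
            prev = e.digest
        return True


def run_demo() -> dict:
    """Walk one constructed change through the gates; report what was refused."""
    cr = ChangeRequest("CR-0001", "widen a quantity field")  # constructed sample
    cr.sign_off("request", "requestor", "alice")
    cr.sign_off("approval", "it_manager", "bob")
    cr.sign_off("modification", "programmer", "carol")
    refused = {}
    try:  # move to production before the testing stage has been signed
        cr.sign_off("move_to_production", "it_manager", "bob")
    except ControlViolation as exc:
        refused["out_of_order"] = str(exc)
    try:  # the programmer tries to sign the testing stage for her own mod
        cr.sign_off("testing", "programmer", "carol")
    except ControlViolation as exc:
        refused["wrong_role"] = str(exc)
    cr.sign_off("testing", "superuser", "dave")
    cr.sign_off("move_to_production", "it_manager", "bob")
    cr.sign_off("final", "it_manager", "bob")
    complete = len(cr.entries) == len(STAGES) and cr.verify_chain()
    cr.entries[2].user = "mallory"  # after-the-fact edit of a signed entry
    return {"refused": refused, "complete": complete,
            "valid_after_tamper": cr.verify_chain()}
```

Running `run_demo()` walks one change through all six gates, shows the two refusals (production before testing, and the programmer signing her own test), and then demonstrates that a later edit to a signed entry breaks the chain. The hash chain only makes tampering detectable; in practice the ledger would live in a store the signing users cannot rewrite, and the role check would be backed by real authentication rather than a caller-supplied role string.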
RE: [U2] [OT] Sarbanes-Oxley
I just re-read Susan's excellent article, and it strikes me as odd that the definition of world class (reducing overhead, et al.) seems to run counter to the way folks are approaching SOA compliance.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clifton Oliver
Sent: Thursday, August 05, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [U2] [OT] Sarbanes-Oxley

> You may want to check out the May-Jun 2004 issue of Spectrum Magazine. Susan Joslyn has an article starting on page 29 about the Sarbanes-Oxley Act. See http://www.intl-spectrum.com/mayjun04mag.html for a free PDF download.
>
> --
> Regards,
> Clif
>
> ~~~
> W. Clifton Oliver, CCP
> CLIFTON OLIVER ASSOCIATES
> Tel: +1 619 460 5678
> Web: www.oliver.com
> ~~~
>
> On Aug 5, 2004, at 11:50, Gordon Glorfield wrote:
> > BTW My apologies to our non-USA list members as this is only pertinent to US operations. Sometimes I forget we are not all in the USA.
> >
> > Gordon J. Glorfield --(Part time ugly American)
> > Sr. Applications Developer
> > MAMSI (A UnitedHealth Company)
> > 301-360-8839
RE: [U2] [OT] Sarbanes-Oxley
Gordon Glorfield wrote:
> BTW My apologies to our non-USA list members as this is only pertinent to US operations. Sometimes I forget we are not all in the USA.

Actually Gordon, while the legal responsibilities of compliance with USA regulations only apply to USA companies, I can easily see initiatives for SOA compliance driving non-USA companies that do business with USA public companies. I'm no expert on the matter, but it seems to me that change will be (or should be) driven from the top downward to ensure compliance, and that means vendors, partners, and even some customers of these public companies may be requested or mandated to make changes in IT and/or manual procedures. So all of you foreigners and grinning private companies out there better look out. ;)

I've seen a couple of comments here that tell me that some people have a different understanding of SOA than I do - I have no idea who's right. I'm under the impression that SOA doesn't just mean approvals need to be recorded, but that much stricter auditing needs to be done of any physical process or policy which affects the bottom line. That means creating lots of cross-index files, periodic balancing of summary to detail, and some decent drill-down/reporting into all of this data. When someone asks where that bottom line came from, it's management's neck on the line if they can't click a few times to show the detail. The terms data warehouse, cube, ETL, and BI come to mind. Which is what we/MV are very good at once we write the code.

We'll see how far it goes when management types actually do their reading and then get serious. I don't think we (consulting community and IT staff) have been asked by our clients/managers to make driving changes yet, simply because there are a lot of CxO types still ignoring SOA or still trying to figure out how deep it really goes.

Perhaps the thing to do is to contact the CxOs with whom you have influence and ask them if there is anything you can or should be doing to help them get through this. I hope our resident expert, Susan Joslyn, can provide some insight.

Tony Nebula RD
RE: [U2] [OT] Sarbanes-Oxley
Kevin's observation is sadly true. We don't have any managers or accountants in here do we? (you may want to leave now <grin>)

See the thing is, we're letting the auditors drive this thing. Don't get me wrong, they have to, to a certain extent. The Sarbanes-Oxley Act of 2002 (available in its entirety at Sarbanes-oxley.com) isn't really very specific about HOW the numbers are verified. Only, in a nutshell, that the CFO and CEO sign off saying "I KNOW that the numbers on our financial statement are correct." Now because they can go to jail if it turns out they aren't, they are in a bit of a panic. And they haven't a clue what to do about it. But they want to make sure that it's CLEAR AND OBVIOUS that they've 'done diligence'. In step the auditors. Now the auditors - for the most part, let's be fair - don't know all that much about the inner workings of a large company's IT department and the mechanics and shenanigans that put that final number on the 10K. So they come up with a lot of (sometimes unnecessary) hoops for us to jump through.

What can we do about it? Well, first, we have to realize that we've got this powerful, flexible environment which has nurtured a seat-of-the-pants attitude. Not a bad thing, I mean we can produce amazing results on the fly. We've learned to depend on ourselves that way. But it might look a little scary to an outsider contemplating jail time. So we might have to suck it up just a little and say okay, we're going to be slowed down a bit by this.

And then the next thing we do is realize that the slow-down should truly be temporary. While we work out procedures that work and get used to them it's going to slow us down. But believe it or not, over time the fire-fighting will slow down and we'll get time back. I promise.

Then - it would be a really powerful thing if we educated ourselves a bit (see this month's article in Spectrum on CobIT) and took the reins. Make sure some of this gi-hyoogic investment is going to give Us something WE want. If we come to management with a clear picture of how we can comply we can set aside some of the hoops. I have one colleague whose auditors are demanding a full table/chart of all access to all files by all programs. Hey, that would be a cool thing to have. But trust me, it's not required for SOX compliance. It's just the auditors trying to come up with ways that look nice and black-and-white and legitimate and ... compliant. If somebody over there had proposed the - realistic steps - that needed to be taken first, this would never have happened. If someone would do a little reading and then stand up and say "here's a plan" the requirement in question would be scrapped in a heartbeat.

This is what I do for a living. I'd love to help any of you. Either with my tools and services (hey, it is my living) or with a little advice and direction. You can't FIGHT this stuff ... but remember when you were taught that if you capsized in a strong current not to swim against it but to angle toward the shore and let the current take you there?

What SOX really is? A giant budget-boost for IT and a guaranteed tech-onomic recovery. And incidentally an opportunity for us to raise the bar on our software quality. Gosh, possibly even legitimize Multivalue once and for all!

Ever the optimist,
Susan Joslyn
PRC - Real software configuration management for U2/Multivalue
http://sjplus.com

> Date: Thu, 5 Aug 2004 15:44:14 -0600
> From: Kevin King [EMAIL PROTECTED]
> Subject: RE: [U2] [OT] Sarbanes-Oxley
>
> I just re-read Susan's excellent article, and it strikes me as odd that the definition of world class (reducing overhead, et al.) seems to run counter to the way folks are approaching SOA compliance.
RE: [U2] [OT] Sarbanes-Oxley
Susan:

> See the thing is, we're letting the auditors drive this thing.

Auditors don't drive this. Auditing is basic procedures plus statistical sampling of transactions to validate these basic procedures. Politics drive this. As Thomas Sowell often notes: politics does what feels good at the moment and mostly has _NO_ connection to results.

> Don't get me wrong, they have to, to a certain extent. The Sarbanes-Oxley Act of 2002 (available in its entirety at Sarbanes-oxley.com) isn't really very specific about HOW the numbers are verified. Only, in a nutshell, that the CFO and CEO sign off saying "I KNOW that the numbers on our financial statement are correct." Now because they can go to jail if it turns out they aren't, they are in a bit of a panic. And they haven't a clue what to do about it.

It has always surprised me that corporate management could delegate their authority over corporate financial reporting to outside auditors. But then Congress does it every day. Heck, they don't even know how much they spend and what they spend it on. :-)

> But they want to make sure that it's CLEAR AND OBVIOUS that they've 'done diligence'. In step the auditors. Now the auditors - for the most part, let's be fair - don't know all that much about the inner workings of a large company's IT department and the mechanics and shenanigans that put that final number on the 10K. So they come up with a lot of (sometimes unnecessary) hoops for us to jump through.

I'd suggest there are other forces at work here. For instance, if IT knows so little about business reporting, just as Finance knows so little about IT, is it any wonder what gets reported can be suspect? My point is there are more powerful arguments for structural ineffectiveness rather than some surreptitious human behavior. Besides, one controls human behavior by instituting institutional structural controls. :-)

> What can we do about it? Well, first, we have to realize that we've got this powerful, flexible environment which has nurtured a seat-of-the-pants attitude. Not a bad thing, I mean we can produce amazing results on the fly. We've learned to depend on ourselves that way. But it might look a little scary to an outsider contemplating jail time. So we might have to suck it up just a little and say okay, we're going to be slowed down a bit by this.

Perhaps a realization that strict financial controls shouldn't be ignored because: a) no one knows how, b) IT controls the systems and doesn't understand the problem, or c) Finance understands the problem and can't control the systems.

> And then the next thing we do is realize that the slow-down should truly be temporary. While we work out procedures that work and get used to them it's going to slow us down. But believe it or not, over time the fire-fighting will slow down and we'll get time back. I promise.

I suspect this is good for those companies who don't do this now. For those that implement proper controls there shouldn't be much change, except when the lawyers get involved.

> Then - it would be a really powerful thing if we educated ourselves a bit (see this month's article in Spectrum on CobIT) and took the reins. Make sure some of this gi-hyoogic investment is going to give Us something WE want. If we come to management with a clear picture of how we can comply we can set aside some of the hoops.

Kind of like the blind leading the blind. :-)

> I have one colleague whose auditors are demanding a full table/chart of all access to all files by all programs. Hey, that would be a cool thing to have. But trust me, it's not required for SOX compliance. It's just the auditors trying to come up with ways that look nice and black-and-white and legitimate and compliant. If somebody over there had proposed the - realistic steps - that needed to be taken first, this would never have happened. If someone would do a little reading and then stand up and say "here's a plan" the requirement in question would be scrapped in a heartbeat.

The management, who are putting their necks on the line, so to speak, should be able to do what they think is necessary. The real difficulty is management are being hired who don't know how to judge the quality of their business operations and activities. This is a primary cause of what you are seeing. The consequences of this are far reaching, economically speaking of course.

[snipped]

> What SOX really is? A giant budget-boost for IT and a guaranteed tech-onomic recovery. And incidentally an opportunity for us to raise the bar on our software quality. Gosh, possibly even legitimize Multivalue once and for all!
>
> Ever the optimist,

As Bill and Ted always said... excellent! :-)

Bill
RE: [U2] [OT] Sarbanes-Oxley
My friend, we rarely disagree, even on these points. I've made no such assumptions about rationality, actual vs intended effects, nor the competence of those sponsoring laws. I only stated the possible effect the new laws will have on people worldwide. Are you responding to someone else's comments?? If my intent wasn't clear, please let me know. Nothing worse than being admonished for thinking something that never occurred to you. :)

Tony

Bill H. wrote:
> Tony: You make large assumptions:
> 1) Congressional lawmaking is rational
> 2) Laws passed don't have the opposite effect from intended
> 3) Those sponsoring laws have a clue what they're doing.
> When it comes to Congress, the less they do the better. :-)

Tony Gravagno wrote nothing of the sort: [snip - go check]