Kevin's observation is sadly true.
We don't have any managers or accountants in here, do we? (You may want to leave now <grin>.) See, the thing is, we're letting the auditors drive this thing. Don't get me wrong, they have to, to a certain extent. The Sarbanes-Oxley Act of 2002 (available in its entirety at Sarbanes-oxley.com) isn't really very specific about HOW the numbers are verified. Only, in a nutshell, that the CFO and CEO sign off saying "I KNOW that the numbers on our financial statement are correct." Now, because they can go to jail if it turns out they aren't, they are in a bit of a panic. And they haven't a clue what to do about it. But they want to make sure that it's CLEAR AND OBVIOUS that they've 'done diligence'. In step the auditors. Now the auditors - for the most part, let's be fair - don't know all that much about the inner workings of a large company's IT department and the mechanics and shenanigans that put that final number on the 10K. So they come up with a lot of (sometimes unnecessary) hoops for us to jump through.

What can we do about it? Well, first, we have to realize that we've got this powerful, flexible environment which has nurtured a seat-of-the-pants attitude. Not a bad thing, I mean we can produce amazing results on the fly. We've learned to depend on ourselves that way. But it might look a little scary to an outsider contemplating jail time. So we might have to suck it up just a little and say okay, we're going to be slowed down a bit by this. And then the next thing we do is realize that the slow-down should truly be temporary. While we work out procedures that work and get used to them, it's going to slow us down. But believe it or not, over time the fire-fighting will slow down and we'll get time back. I promise. Then - it would be a really powerful thing if we educated ourselves a bit (see this month's article in Spectrum on CobIT) and took the reins. Make sure some of this gi-hyoogic investment is going to give Us something WE want.
If we come to management with a clear picture of how we can comply, we can set aside some of the hoops. I have one colleague whose auditors are demanding a full table/chart of all access to all files by all programs. Hey, that would be a cool thing to have. But trust me, it's not required for SOX compliance. It's just the auditors trying to come up with ways that look nice and "black-and-white" and "legitimate" and... compliant. If somebody over there had proposed the - realistic steps - that needed to be taken first, this would never have happened. If someone would do a little reading and then stand up and say "here's a plan", the requirement in question would be scrapped in a heartbeat.

This is what I do for a living. I'd love to help any of you. Either with my tools and services (hey, it is my living) or with a little advice and direction. You can't FIGHT this stuff... but remember when you were taught that if you capsized in a strong current not to swim against it but to angle toward the shore and let the current take you there? What SOX really is? A giant budget-boost for IT and a guaranteed tech-onomic recovery. And incidentally an opportunity for us to raise the bar on our software quality. Gosh, possibly even legitimize Multivalue once and for all!

Ever the optimist,
Susan Joslyn
PRC - Real software configuration management for U2/Multivalue
http://sjplus.com

Date: Thu, 5 Aug 2004 15:44:14 -0600
From: "Kevin King" <[EMAIL PROTECTED]>
Subject: RE: [U2] [OT] Sarbanes-Oxley

I just re-read Susan's excellent article, and it strikes me as odd that the definition of "world class" (reducing overhead, et al.) seems to run counter to the way folks are approaching SOA compliance.

-------
u2-users mailing list
[EMAIL PROTECTED]
To unsubscribe please visit http://listserver.u2ug.org/