Susan:

> See the thing is, we're letting the auditors drive this thing.

Auditors don't drive this.  Auditing is basic procedures plus statistical
sampling of transactions to validate these basic procedures.

Politics drive this.  As Thomas Sowell often notes: politics does what feels
good at the moment and mostly has _NO_ connection to results.

> Don't get me wrong, they have to, to a certain extent.
> The Sarbanes-Oxley Act of 2002 (available in its entirety at
> Sarbanes-oxley.com) isn't really very specific
> about HOW the numbers are verified.  Only, in a nutshell,
> that the CFO and CEO sign off saying "I KNOW that the numbers
> on our financial statement are correct."  Now because they
> can go to jail if it turns out they aren't they are in a
> bit of a panic. And they haven't a clue what to do about it.

It has always surprised me that corporate management could delegate their
authority over corporate financial reporting to "outside auditors".  But
then Congress does it every day.  Heck, they don't even know how much they
spend and what they spend it on.  :-)

> But they want to make sure that it's CLEAR AND OBVIOUS that
> they've 'done diligence'.  In step the auditors.  Now the
> auditors - for the most part, let's be fair - don't know all
> that much about the inner workings of a large
> company's IT department and the mechanics and shenanigans
> that put that final number on the 10K.  So they come up with
> a lot of (sometimes unnecessary) hoops for us to jump through.

I'd suggest there are other forces at work here.  For instance, if IT knows
so little about business reporting, just as Finance knows so little about
IT, is it any wonder what gets reported can be suspect?

My point is there are more powerful arguments for structural ineffectiveness
rather than some surreptitious human behavior.  Besides, one controls human
behavior by instituting institutional structural controls.  :-)

> What can we do about it?  Well, first, we have to realize
> that we've got this powerful, flexible environment which has
> nurtured a seat-of-the-pants attitude.   Not a bad thing,
> I mean we can produce amazing results on the fly. We've
> learned to depend on ourselves that way.  But it might look
> a little scary to an outsider contemplating jail time.  So
> we might have to suck it up just a little and say okay,
> we're going to be slowed down a bit by this.

Perhaps a realization that strict financial controls shouldn't be ignored
because: a) no one knows how, b) IT controls the systems and doesn't
understand the problem, or c) Finance understands the problem and can't
control the systems.

> And then the next thing we do is realize that the slow-down
> should truly be temporary.  While we work out procedures
> that work and get used to them it's going to slow us down.
> But believe it or not over time the fire-fighting will
> slow down and we'll get time back.  I promise.

I suspect this is good for those companies who don't do this now.  For those
that implement proper controls there shouldn't be much change, except when
the "lawyers" get involved.

> Then - it would be a really powerful thing if we educated
> ourselves a bit (see this month's article in Spectrum on
> CobIT) and took the reins.  Make sure some of this gi-hyoogic
> investment is going to give Us something WE want.  If we
> come to management with a clear picture of how we can comply
> we can set aside some of the hoops.

Kind of like the blind leading the blind.  :-)

> I have one colleague whose auditors are demanding a full
> table/chart of all access to all files by all programs.
> Hey that would be a cool thing to have.  But trust me,
> it's not required for SOX compliance.  It's just the
> auditors trying to come up with ways that look nice and
> "black-and-white" and "legitimate" and compliant.  If
> somebody over there had proposed the - realistic steps -
> that needed to be taken first, this would never have
> happened.  If someone would do a little reading and then
> stand up and say "here's a plan" the requirement in
> question would be scrapped in a heartbeat.

The management, who are putting their necks on the line, so to speak, should
be able to do what they think is necessary.  The real difficulty is
management are being hired who don't know how to judge the quality of their
business operations and activities.  This is a primary cause of what you are
seeing.  The consequences of this are far reaching, economically speaking
of course.

[snipped]

> What SOX really is?  A giant budget-boost for IT and a
> guaranteed tech-onomic recovery.  And incidentally an
> opportunity for us to raise the bar on our software
> quality.  Gosh, possibly even legitimize Multivalue once
> and for all!
>
> Ever the optimist.

As Bill and Ted always said....excellent!  :-)

Bill