Hi Susan, I see we are "on the same page" on this one! :-)
Hey, I hope you're wearing green. It's Saint Patrick's day!!! http://www.st-patricks-day.com/index.asp

Allen (wearing his lucky green pants)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Joslyn
Sent: Thursday, March 17, 2005 04:17
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] [OT] Financial fraud (was the thread: Epicor)

Allen,

This is a fantastic story. I am warning IT folks about just such a scenario ALL THE TIME. I've found that in these SOX audits the IT folk seem to think along two (deadly) lines. First, they tend to be "just tell me what you want / give me a list (e.g. don't make me think)" and secondly "yeah, yeah, we'll make sure you can't use vi on the data <wink, wink> : good thing they don't know about ed!"

What folks don't realize about SOX is that now that an executive could be held responsible even if he didn't know (not that I think anyone on the jury believed Bernie Ebbers really didn't know (Worldcom)) those executives will be frantic to SHOW they didn't know. If they can point to a control that demonstrates a reasonable expectation that certain controls are in place (a signed off report that says data cannot be edited on live, for example) then the person who withheld certain editors from the control will actually end up being accountable.

And this whole thing about exporting and importing data (soapbox is fully out and positioned center stage now): SOX is not there to PREVENT technology, flexibility, business realities! Some folks are getting so caught up that they are just lost in it. Excel is a great tool for presenting data. Users should be able to download it and play with it all day for internal decision making. But if those Excel reports need to be used for consolidating multiple systems and actually reporting at an SEC level then they need "controls".

A control can be technological -- some reports import into read-only directories, maybe.
Or a control can be human -- this report is consolidated every day, but on Thursday Sam spot checks the sales figures against the cash register reports and Sally signs off on the proofs. Or a combination ... the data is imported, the reports are created and the figures that go to the report are re-summarized, re-hashed in alternate reports that are stored on the system.

[Here's an idea that has been misunderstood, too -- one company I know has an electronic report of certain activities e.mailed to an individual every day. This individual must check a box, digitally signing that he's reviewed them. He laughs and thinks everyone is stupid because he just checks the box and doesn't really review them. But what I'm trying to get him to understand is that whether or not he bothers to look, by signing off he has ACCEPTED RESPONSIBILITY for them. So if there were a problem, he'd get the 'do not pass GO, do not collect $200' card!

SOX is really -- at its most bare-bones and fundamental level -- about justifying finger pointing. Think like Allen.

<collapsing portable soapbox that I seem to carry everywhere these days>

SJ

Date: Wed, 16 Mar 2005 11:47:56 -0800
From: "Allen E. Elwood" <[EMAIL PROTECTED]>
Subject: RE: [U2]: Epicor

The system that I had set up allowed accountants to change any field on an invoice. Believe it or not, that was the request. What they didn't know was that I kept a simple before change/change request/after change snapshot of the data along with date/time/logon as I had been warned about by a wise professor back in my school days (daze?).

What I didn't know was that they were changing the dates and invoice numbers on the invoices to make them look as if they were only 30-60 days old. This was to make the receivables look current, and therefore the company could leverage that to borrow money from Wells Fargo for purchase of more product to sell.
The auditors from AA were very savvy and spotted the same invoice amount with different dates and different invoice numbers on printed aging reports kept for historical purposes. When they asked me about how that could happen, I produced the audit report. The accountants were charged with FRAUD at Wells Fargo's request and were tried and sent to jail! This was in the 80's. Way way before SOX.

The first thing the accountants did was point the finger at me. That's why the auditors came to me along with the CEO with the intention of nailing me. Had I not been a paranoid programmer, I might have ended up in jail. The accountants thought I was a patsy, and got lots of time to think about that for 5 years.

At the time, I worked for the accounting department. So I literally was protecting my career from my boss who was a fool of the highest magnitude and who had drastically underestimated my abilities as a business analyst and programmer.

Just because you're paranoid, doesn't mean they're NOT out to get you!

-------
u2-users mailing list
u2-users@listserver.u2ug.org
To unsubscribe please visit http://listserver.u2ug.org/