Derrick Leggett Blog

Ramblings, grumblings, and other nonintelligible nonsense about SQL Server.

<b>SOX Auditing Companies SUCK!!!!</b>

Just gotta rant for a second.  (I know it's hard to believe.)  There are only a few approved SOX auditing companies out there currently.  The law is so broad in scope, yet undefined, that auditing companies really have no idea what they are auditing for.  We have internal auditors talking to D&T, and one of the biggest problems we face is the vagueness of responses received back.  None of the auditors really agree with each other on what needs to be done.  Passing and/or failing an audit will not be determined by the security of the company's data.  It will be determined by your auditor's interpretation of their auditing company's interpretation of a law the courts haven't yet interpreted.

That should give anyone truly concerned about productive process and data security a really bad headache!

Long live stupid laws... job security for IT people that couldn't keep a real job.

Why do all these SOX auditing companies have IT consulting divisions???? HMMMMMMMMM

Legacy Comments

re: <b>SOX Auditing Companies SUCK!!!!</b>
sox auditors can rejoice now, because they finally won the world series!

re: <b>SOX Auditing Companies SUCK!!!!</b>
Yes, you are right. Everyone's answers are vague. However, it's impossible for anyone to know the answers since there has not yet been even one SOX certification in the history of civilization. No one will know anything clearly until the SEC flunks the first company.

When you get unsatisfactory answers from Deloitte, are they functioning as advisors to your internal auditors, or are they ruling as your external auditor? Big difference, and I'm honestly curious.

You see, I worked for Deloitte for a couple of years helping to create their SOX documentation application. Then I performed IT controls testing with internal auditors. I don't know if you believe me when I tell you this, but my testing teams were always conscientious and wanted to provide solid, consistent answers. It just happens to be virgin territory, and we disliked the vagueness as much as you.

But anyway, I quit in order to take a DBA position with an insurance company, so now I'm an "ex-sucker" (since, as you say, we suck).

Jai Jeffryes, AKA "IT person who can hold a real job"
Hudson Insurance Group
New York City

Derrick Leggett
re: <b>SOX Auditing Companies SUCK!!!!</b>
:) Well, it's nice to hear from someone who helped out with Deloitte. We actually have an internal auditor I really like working for us. He used to be a DBA (a real one). :)

There are benefits to the SOX compliance that our company definitely needed. I just think we're going way overboard with some of the controls. When Deloitte goes into a company as advisors, they should stress remediation on controls not currently mitigated. Many companies (like ours) went overboard on trying to make sure every single control was mitigated in too tight of a timeframe. This creates more instability and costs more to implement than the benefits provided to the company and stockholders.

Deloitte is currently working with our internal auditors. They will begin testing though as external auditors at the end of this week.

v. fransman
re: <b>SOX Auditing Companies SUCK!!!!</b>
Important notice in the one-year evolution: SOX isn't there to punish, but rather gives guidelines for why working in separate entities does not work. By providing auditing capabilities, you will automatically have a better overall view. SOX only works when a company that implements SOX does this in several domains:
- the business strategies
- the people's minds
- the supporting technologies

It's only when all aspects are working together that added value is generated, thus looking towards SOX as an IT work generator is totally misplaced. It just happens that the auditing data resides in IT, but the data comes from people working according to well-defined processes.

Complaining about auditing firms is somewhat misplaced, as they do not intend to provide the solution, but rather point towards elements needing attention (positive or negative).

BTW: the auditing company for SOX may not be a service provider, thus that IT department will not have benefits at that specific customer.
BTW2: by having an internal IT department and SOX specialists, they are able to improve their offerings based on internal advice on both the business aspects of SOX and the IT aspects.

Kevin Noakes
re: <b>SOX Auditing Companies SUCK!!!!</b>
We have been working with one of the top auditing firms for over two years and are the technology provider to their Continuous Online Auditing solution. They realized that SOX would be almost prohibitively expensive to implement unless you could continuously monitor the controls.

The SOX tests that our partners have built run in real time, so the moment something is breached the audit team knows about it. This has an obvious benefit for SOX in that if something breaks a week after you perform a manual audit it could be a nightmare to fix and may even be too late to get SOX sign-off if it occurs at the wrong time of the year.

With continual auditing you get the maximum possible time to resolve issues and traceability that you do have controls in place that tell you when things break. Continual auditing with the correct tools (yes, ours ;o) has one very big upside over frequent forensic auditing in that you get the opportunity to execute additional processes as and when things happen. So, for example, if a control to prevent the same user from entering and approving a purchase is turned off, you get the opportunity to know that something fraudulent may be about to take place; if you wanted, you could even forcibly turn it back on!

Internal auditors will spend far less time performing analysis on historic data to try to detect the causes of issues, and external auditors save a great deal of time by not having to be on site unless they have issues to resolve, many of which would not require site visits anyway.
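The continuous-auditing cycle Kevin describes above (detect that a segregation-of-duties control has been switched off, detect purchases entered and approved by the same account, and optionally force the control back on) reduces to a couple of queries run on a schedule. The following is an added example written for this page, not code from Kevin's product or from any auditing firm. The schema (a `purchase_orders` table and a `control_settings` table) and the sample rows are constructed for illustration; it runs against an in-memory SQLite database so it works offline, but the queries are plain enough to run unchanged as a SQL Server Agent job.

```python
import sqlite3

# Constructed sample data (hypothetical schema, not from any real system): a
# purchasing table and a table of switchable controls, as a continuous-auditing
# job would see them on one cycle.
PURCHASE_ORDERS = [
    # (po_id, entered_by, approved_by, amount)
    (1001, "alice", "bob", 4200.00),
    (1002, "carol", "carol", 15000.00),   # same account entered and approved
    (1003, "dave", None, 800.00),         # not yet approved: no violation
    (1004, "erin", "erin", 99.00),        # same account, small amount, still flagged
]

CONTROL_SETTINGS = [
    # (control_name, enabled)
    ("require_separate_approver", 0),     # someone switched the control off
    ("dual_signature_over_10k", 1),
]


def build_sample_db() -> sqlite3.Connection:
    """Load the constructed rows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE purchase_orders (
            po_id       INTEGER PRIMARY KEY,
            entered_by  TEXT NOT NULL,
            approved_by TEXT,
            amount      REAL NOT NULL
        );
        CREATE TABLE control_settings (
            control_name TEXT PRIMARY KEY,
            enabled      INTEGER NOT NULL
        );
    """)
    conn.executemany("INSERT INTO purchase_orders VALUES (?, ?, ?, ?)", PURCHASE_ORDERS)
    conn.executemany("INSERT INTO control_settings VALUES (?, ?)", CONTROL_SETTINGS)
    conn.commit()
    return conn


def sod_violations(conn: sqlite3.Connection) -> list[dict]:
    """Detective control: orders entered and approved by the same account.
    Unapproved orders are excluded; they cannot violate the rule yet."""
    rows = conn.execute("""
        SELECT po_id, entered_by, amount
        FROM purchase_orders
        WHERE approved_by IS NOT NULL AND approved_by = entered_by
        ORDER BY po_id
    """).fetchall()
    return [{"po_id": r[0], "user": r[1], "amount": r[2]} for r in rows]


def disabled_controls(conn: sqlite3.Connection) -> list[str]:
    """Configuration check: which controls are currently switched off."""
    rows = conn.execute(
        "SELECT control_name FROM control_settings WHERE enabled = 0 ORDER BY control_name"
    ).fetchall()
    return [r[0] for r in rows]


def re_enable_control(conn: sqlite3.Connection, control_name: str) -> bool:
    """Corrective action: force a disabled control back on.
    Returns True only if a row actually changed, so the caller can log it."""
    cur = conn.execute(
        "UPDATE control_settings SET enabled = 1 WHERE control_name = ? AND enabled = 0",
        (control_name,),
    )
    conn.commit()
    return cur.rowcount == 1


def audit_cycle(conn: sqlite3.Connection, auto_remediate: bool = False) -> dict:
    """One scheduled pass: gather findings, optionally remediate, return the record.
    The returned dict is what you would write to the audit trail."""
    findings = {
        "disabled_controls": disabled_controls(conn),
        "sod_violations": sod_violations(conn),
        "re_enabled": [],
    }
    if auto_remediate:
        for name in findings["disabled_controls"]:
            if re_enable_control(conn, name):
                findings["re_enabled"].append(name)
    return findings


if __name__ == "__main__":
    db = build_sample_db()
    print(audit_cycle(db, auto_remediate=True))
```

Two points worth keeping from this shape: the SoD query is the control, so it is reviewable by the auditor as a few lines of SQL rather than as a vendor's black box, and the remediation step reports exactly which rows it changed, which is the evidence trail an external auditor will ask for when they do come on site.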