
    In the wake of the atrocities committed by Enron, MCI and other corporations, Congress passed sweeping audit and certification requirements. The law, named for its sponsors Senator Paul Sarbanes (D-Md.) and Representative Michael G. Oxley (R-Oh.), is the Sarbanes-Oxley Act, known as SarBox or SOX in the business world. It governs every publicly traded company in the USA, and oversight of the SOX process falls to the Securities and Exchange Commission.

    In addition to mandating that the CEO "sign in blood", under penalty of prison time, that they have reviewed the financial statements and attest to their truth, there are also Information Technology (IT) requirements. These are known as Section 404 requirements, in reference to the section of the law. Section 404 governs how financial data is stored in computer systems. A yearly audit requires that documentation be produced for each and every computer application. From first hand experience, this documentation involves producing some 150-200 documents per application, with an average time of 1.5 person-hours per document. Extrapolating forward, that's thousands of documents and thousands of person-hours just for the computer people. Although I have no first hand knowledge of the business audit requirements, I'm told third hand it's equally grueling.

    Too many people lost too much money before SOX came along, but rather than submit to the rigors of SOX, corporations are taking several approaches. Some never become publicly traded at all, remaining privately owned (aka private equity). The newest fad is issuing shares on foreign exchanges, such as the London or Russian stock exchanges. In addition, companies that are already publicly traded are withdrawing from trading by becoming private equity companies.

As I posed in the pun, do you have stories to tell about SOX?


Originally posted to Julian Michael Lobachewski aka JML9999 on Sat Feb 24, 2007 at 02:33 PM PST.




  •  Tips, Flames or Pairs of SOX? (2+ / 0-)
    Recommended by:
    cris0000, NoBigGovernment

    Be careful what you shoot at, most things in here don't react well to bullets. -Sean Connery .... Captain Marko Ramius -Hunt For Red October

    by JML9999 on Sat Feb 24, 2007 at 02:34:05 PM PST

  •  I've dealt with SOX first hand many times (1+ / 0-)
    Recommended by:

    I'm a CPA and have worked with SOX many times.

    There are any number of things that SOX has done that are very positive (for example making Boards of Directors more than just a symbol). However, Section 404 is not one of them.

    The cost and time necessary to comply with section 404 is making this country very, very undesirable. In fact, the London exchange (I believe) has an advertising campaign promoting itself as "A SOX free zone".

    As is typical, the government, with its heart in the right place, has overreacted.  There is some current movement to soften some of these requirements, which can't come soon enough in my opinion.

    The problem is, the cost to comply in the initial year is huge, and has mostly already been incurred by those companies already public when the law passed.

    But better late than never.

    •  Dial it down a tad in places like 404 (0+ / 0-)

      but certainly not eliminate it; too many folks got hurt by a lack of safeguards.

      Be careful what you shoot at, most things in here don't react well to bullets. -Sean Connery .... Captain Marko Ramius -Hunt For Red October

      by JML9999 on Sat Feb 24, 2007 at 03:54:09 PM PST

      [ Parent ]

  •  SOX is just the legislative version of (1+ / 0-)
    Recommended by:

    how real financial auditors are supposed to perform audits.  SOX is not new with regard to GAAS procedures.  They are the steps I had to take when I was an auditor in the early 1980s.  However, over the years the large public accounting firms opted for profit over proper procedures, so they turned to "risk based" audits that took shortcuts.

    IMHO, while a few aspects of SOX may seem onerous, overall the SOX law is still needed for oversight.  Even then, public accounting firms fudge some of the rules.  And if companies are going private because of SOX, then they probably shouldn't have been public anyway.

    Also note that even some privately held companies and other entities are subject to SOX.  It's not just an SEC requirement.

    For the record, I'm a CPA, though I don't currently perform financial audits.

    My Karma just ran over your Dogma

    by FoundingFatherDAR on Sat Feb 24, 2007 at 03:56:01 PM PST

    •  Actually (0+ / 0-)

      404 goes WAY beyond what a normal audit would require under GAAS, along with the additional requirements of management.

      And the audits that public accounting firms provide are meant to provide reasonable assurance that the financial statements are not materially misstated. Not absolute assurance. To provide that would be, if not impossible, cost prohibitive at best.

      What 404 requires is an opinion by the public accounting firms on the internal controls of a company. Something never required before.

      And if companies are going private because of SOX, then they probably shouldn't have been public anyway

      And that comment makes no sense. On what do you base that? I worked on a SOX project a number of years ago for a company that was spending almost $1 million a week to try and get a clean SOX opinion. And I worked on it for almost 6 months. You do the math.

      This was not a company that was doing anything wrong. They were just trying to comply with the new government rules.

      •  To your comment (1+ / 0-)
        Recommended by:

        What 404 requires is an opinion by the public accounting firms on the internal controls of a company. Something never required before.

        While an official "opinion" on internal controls may not have been separately required in the past, the testing of internal controls had to be a substantial part of audits.  And if internal controls were severely inadequate, that changed not only how the audit was done but whether a full audit would/could be done.  I.e. the "opinion" on internal controls was inherent in the overall audit opinion.

        My Karma just ran over your Dogma

        by FoundingFatherDAR on Sat Feb 24, 2007 at 05:06:19 PM PST

        [ Parent ]

        •  True and not true (0+ / 0-)

          Yes the testing could have been a substantial part of an audit. You had to review and document the controls. But if their design was deemed inadequate, then substantive testing was performed instead. It did not determine if an audit could/would be done as you say. And normally was not a "substantial" part of most audits.

          The audit opinion has no bearing on the internal controls of a company. A company could have no internal controls at all, and could still be audited. And could get a clean opinion. It just changes how an audit is performed.

  •  I work on a Network Services team (0+ / 0-)

    for a fortune 500.

    SOX, while it is a PITA, actually uses common sense. Things like, well, credit card data has to be encrypted, users have to be purged when they leave, and any user given access to a system that can access decrypted credit card data must have an audit trail.

    It is common sense; unfortunately, corporations have not invested in IT smartly to gain efficiencies of scale in any meaningful way so as to allow these best practices to take hold. It's firefighting, all the time. I mean, we try to do things smarter, but there is so much entropy standing between the IT worker bee and effective efficiency that I sometimes doubt it will ever get better.

    Chuck Norris Fears Democrats.

    by roboton on Sat Feb 24, 2007 at 04:05:40 PM PST

  •  Die SOX! (0+ / 0-)

    well, I'm a network engineer, and while the company I work for is not technically required to follow SOX (we are privately held, and the parent company is headquartered in Europe) we follow it nonetheless. Rumour has it it makes their stock look better. Or some such.

    But SOX is a curse. Other commentators have called it the revenge of the beancounters.  It is basically a huge bureaucratic nightmare, without much benefit for those following it.

    And the procedural-technical aspects of it are mind bendingly stupid.

    Let me give you an example:
    Every single change of a so called "SOX relevant" computer system needs a huge bureaucratic effort. Numerous managers have to sign it off, it has to be extensively documented, and since all this is a slooow process, it takes forever. And the security requirements are so hefty we needed to build separate computing centers to house them.

    But what is a "SOX relevant" computer? Well, in a classical manufacturing company this seems straightforward - the ones that do the accounting. Everything else is safe from the onerous socks.

    But we are not in manufacturing, we are a telco. So the smartass bean counters decided that the SAP stuff isn't enough. There's also the Customer Care and Billing system. Fair enough, one might think, even though this includes another really huge and broad system landscape.

    But wait! When all is said and done, a billing system basically gets call records and constructs bills from them. So what about those call records, our bean counters asked themselves. You can guess the answer: everything that handles CDRs is now also socks relevant.

    Now it gets really tricky. Because, while there is only a medium sized number of systems handling call records, there are tons of systems which can either produce them (basically, every customer router, every dial in router, broadband gateway, all voice switches, voice processing, voice routing), or can affect those systems' operation by supplying them with automated config data (a process that is called "provisioning" in telco land). And then there are tons of systems whose correct operation directly or indirectly affects the access to those systems.

    In theory, all those were SOX relevant as well.

    This is where the techs stopped listening. Declaring all those systems socks relevant would have basically brought our operations to a halt.  So it was decided that they just would not be identified as SOX relevant, full stop, end of story.

    So we now have the wonderful situation that the distinction between SOX relevant and not relevant systems is mostly arbitrary. This in turn had the effect of people trying their absolute best to somehow get "their" systems not to be named SOX relevant.

    etc. etc. I could spend hours writing about that travesty.

    SOX brought us massive additional costs, tons of bureaucracy, further reduced our ability to quickly react to external (unplanned) circumstances, and brought us hardly any benefits.

    So, suffering daily from their thoughtless misdeeds, let Messrs Sarbanes and Oxley know they have my full and undivided contempt. I'm quite sure there is a special place prepared for them in Hell where they will be forced to write change requests for all eternity.
