
Will your accountant be setting corporate IT policy sometime soon? My recent articles about using SQL Server Profiler during application development raised a lot of interest in, and debate about, how to give developers controlled access to Profiler (and the sa password that Profiler requires) in production and quality assurance (QA) environments without giving away the keys to the kingdom. Some readers said they're particularly concerned about how the U.S. Public Company Accounting Reform and Investor Protection Act of 2002, better known as the Sarbanes-Oxley Act, will affect their IT environments. Although Sarbanes-Oxley doesn't regulate information technology directly, IT systems are the foundation for the financial processes that the law does regulate, so the controls auditors demand on those processes end up being controls on IT.

Here's one reader's comment: "Your comments about integrating developers more into supporting production systems have some merit. However, Sarbanes-Oxley will rain on that parade. Because of this legislation, auditors are forcing the complete segregation of the production and QA testing environments from the developers to ensure no changes are put into those environments without the proper approvals."

Gartner Research calls the Sarbanes-Oxley Act "the most sweeping regulatory reform of publicly traded markets since the Securities and Exchange Act of 1934." Sarbanes-Oxley's wide-ranging set of provisions is a response to the Enron, WorldCom, and other accounting scandals that roiled financial markets in recent years. The act is aimed primarily at publicly traded companies, with the goal of making corporate accounting procedures more transparent to investors. That's a noble goal. However, I worry when bean counters have the final say over who is allowed to hold an administrator password.

Do you have any idea what Sarbanes-Oxley means to your IT department? The comment above came from a reader whose organization's IT security policy is being set by a team of auditors who, quite frankly, aren't trained to design or implement proper security controls. I spoke off the record with a colleague who has a fair amount of experience helping companies design Sarbanes-Oxley compliance plans. He said that some internal and external auditor groups are being overly aggressive in their interpretation of certain sections of the act. Because the act doesn't spell out specific IT controls, these differing interpretations lead to inconsistencies in which one group of auditors tells a company, "Yes, Bob can have the sa password," and another group tells the same company, "Heck no, Bob can't have the sa password."

Part of the problem lies in the law's ambiguity. Take, for example, the phrase "real time" in the following excerpt from the law's Section 409: "SEC. 409. REAL TIME ISSUER DISCLOSURES. Section 13 of the Securities Exchange Act of 1934 (15 U.S.C. 78m), as amended by this Act, is amended by adding at the end the following: '(l) REAL TIME ISSUER DISCLOSURES- Each issuer reporting under section 13(a) or 15(d) shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English, which may include trend and qualitative information and graphic presentations, as the Commission determines, by rule, is necessary or useful for the protection of investors and in the public interest.'"

In researching this commentary, I perused a number of Web sites to find out what "real time" in this section means, only to find that no one really knows. Most IT folks interpret "real time" literally: a constant flow of information with a response time measured in milliseconds, if not faster. Some real-time control systems have response-time requirements in the nanosecond range (a nanosecond is a billionth of a second). I sure hope Congress doesn't expect that. But apparently, no one yet knows what constitutes "real time" under the new law, and the SEC's rules, not the statute itself, will have to settle it. You can find the full text of Sarbanes-Oxley at http://vscpa.com/Advocacy/SOtext.htm, and the sections most relevant to IT teams are nicely summed up in "How CIOs Should Prepare for Sarbanes-Oxley" at http://www2.cio.com/analyst/report2271.html.

Sarbanes-Oxley's intent is laudable. But I suspect that IT professionals in many public companies are in for a few years of Dilbert-like antics and bureaucracy as the implications of Sarbanes-Oxley on IT departments are sorted out.


Reader Comments

Dilbert-like it is, for sure. Our auditors appear to be on the extreme side. Effective Sept 20th the DBAs are not allowed to hold admin rights in the land of production because we are also considered developers since we manage some internal code. If we need access to the production world we must wait for a work order to be generated through the help desk and then request the ID from the network admins; hopefully they are not busy at 2:00 am when a job fails. This is going to really improve our response time to problems. Oh, did I forget to mention all the logging we have to do now? At this point we have over 20 logs that must be checked and acknowledged daily, and by month end it is likely to exceed 50. The joke around here is that we are going to have to start a new department with the sole purpose of reviewing the logs each day.

The “separation of duties” is not a bad thing if you are fortunate to have a large IT department, but with 7 people supporting offices in 6 states there are not enough heads for all the new hats.

Let's give a big thanks to the boys at Enron and WorldCom and hope that this legislation gets clarified or revised a bit in the coming months.

mxz600se


We were just run through the SarbOx wringer here where I work and the effort was a total waste of time, IMHO. The auditors didn't know exactly what they were supposed to do, and they also couldn't see the forest for the trees, missing things that I know would have benefited from closer audit scrutiny. Those were either given a cursory look or totally ignored, while they focused on really important financial bottom-line stuff like: how often do you change passwords and where do you store your backup drives?

I'm not saying these aren't valid IT audit concerns, but the question I kept asking over and over was "Please tell me again how this impacts our corporate financial statements?" It just seems to me that auditors with lots of axes to grind went way overboard in using SarbOx as a big stick to finally get their way on certain issues.

SarbOx caused the term "Preaching to the choir" to be changed to "Punishing the choir" thanks to Kenny-boy and the rest of the greedy SOBs at Enron, et al.

bluemagoo


"It just seems to me that auditors with lots of axes to grind went way overboard in using SarbOx as a big stick to finally get their way on certain issues."

I couldn't agree more, or have said this better myself. As if our jobs aren't complicated enough as it is. Let's just make it even harder by inserting yet another layer of bureaucracy into the muddy mix. Give me a break!

talltop
