How is SOX affecting you?

I know very little about the Sarbanes-Oxley Act, nor do I care to.

I do know that I now spend a ridiculous amount of time doing documentation that my employer feels is required for SOX compliance. My group now spends about 50% of its time documenting every small thing we do. The group does technical support, and it’s a real stretch to see how what we do relates to “the effectiveness of [the company’s] internal accounting controls”.

For example, a programmer might contact me to tell me that their program is obsolete and should no longer be set up to run every hour. This is a 1-line code deletion for me. Now, however, one of us has to complete a complicated change request, which requires several levels of approval and generates a bunch of emails every time it’s updated. The change request form requires the creation of a SOX compliance document, which requires a project plan, pre-implementation and post-implementation test plans, pre- and post-implementation test results, and enough additional nonsense to fill two pages. Every element of the “SOX doc” requires several levels of approval and generates emails at every step. Both the change request and SOX doc systems are horrendous home-grown software (I believe they are so bad because no one with any integrity or competence would agree to work on them); spending more than five minutes using any of this software usually produces a stabbing pain in the right eye.

Total time required for a SOX-compliant 1-line code change: at least 4 hours.

As a long-time corporate drudge, I accept that there is a huge amount of inefficiency and stupidity inherent in the corporate environment. The corporate hysteria over SOX compliance, however, has produced a level of stupidity I would not have thought possible. It’s amazing that U.S. companies can continue to produce a competitive product with this nonsense going on.

How is SOX affecting your job?

In my current job, not so much. I have to accrue expenses on a monthly basis, and the accounting department now requires back-up documentation for any item over $10,000. I’d estimate that probably adds 2-3 hours a month to my process.

However, I transferred out of accounting/finance almost a year ago. The counterpart I left behind is MISERABLE because of it. Lots more documentation and justification are required, lots more review. I think I got out just in time.

To show you how far out of the loop I am, I seriously thought you were talking about the White Sox season this year.

But your SOX looks about as much fun as the HIPAA regulations that have been crammed down people’s throats for the past few years. Thanks for the heads up on this - had no idea yet another Orwellian legal barricade/hurdle was being built.

I wrote a short story the other day about Rank Group Plc’s announcement that it plans to end its American depositary receipt program, delist from the Nasdaq Stock Market and drop its Securities and Exchange Commission registration because the compliance costs aren’t worth it.

I’m pretty sure that Rank, the London-based owner of the Hard Rock Cafe chain and gaming businesses including Grosvenor Casinos and the Blue Square betting website, isn’t the first European company to vote with its feet, although I can’t think of any others offhand. I do know that Wendelin Wiedeking, chief executive of Porsche AG, has been a vocal critic of Sarbanes-Oxley.

DMark, I think your comparison to HIPAA is quite valid. I’ve heard rants of a similar nature to the ones I’ve read/made about SOX.

I work at a major company whose advertising jingle you would recognize and be able to sing, and Sarbanes-Oxley compliance is at the top of the list of why I hate my job right now.

For me, double it, and spread it over two weeks. :mad:

Never heard of SOX. I’m another HIPAA victim.

Better hurry up and log off before someone comes by and steals all the PHI I have here…

Oh, wait. I’m at home.

Our managers told us that they realize that our procedures to comply with SOX are not efficient. Complying with SOX has nothing to do with efficiency, they said. These are the procedures we’ve told outside auditors that we follow, and we have to follow them or face having “material findings” made public. SOX SUX! I wish I could lay claim to that, but I think that came up independently by everyone who has had to deal with this added layer of bureaucracy.

We still do ISO certification too. That peaked the year we were all given sheets of labels that said “OBSOLETE. For reference use only” that we had to stick on every printed item (manuals, documents, etc) we owned.
ISO audits are now handled by taking the auditor to several areas where all work is done according to well-documented procedures. The auditor is never taken to areas where thinking people are involved in making intelligent decisions in response to real-time situations.

At the half-day “Welcome to SOX: you will comply” meeting, I asked if we could use the documentation systems we’d established for ISO to comply with SOX. The answer was no, they have to be totally separate.


I have in the past mentioned my employer’s name on the SDMB. In case any one remembers it, please don’t mention it in this thread.

I work as a professional services consultant for a database company that specializes in data warehouses. Big ones. The smallest server you can get from us is just a bit under a Terabyte capacity and Petabyte systems will be here shortly.

SOx impact varies a lot depending on the client. Sometimes I work as a DBA resource so I get to play in god mode with absolute control and access to everything. I like that, makes it so much easier for me to do my job. The downside is often the client can’t even give me guidelines for what data is impacted by SOx and needs controlled access.

Me: What is your backup schedule and retention policy?
Deer-in-headlights client: Guh?

The downside to tight control is that they may not allow me offsite access so I have to work from the customer site which can add a thousand dollars or more per week to the cost with airfare, hotel, etc. I least like working for a client where the control is gnat’s ass tight and I’m a developer instead of a DBA. One client would not give us sufficient rights to see the data to do our jobs and it would often take a week when we went through the proper channels. Oddly enough they allowed me to have VPN access so I could work from my home office and attend meetings in my skivvies.

Not affecting me now, but when I was a lawyer for a big corporate firm, I spent a tremendous amount of time trying to figure out what various provisions meant. It’s a very badly written law–at least the portions that amend the securities laws, which is what I dealt with.

In one case, we couldn’t tell if it had changed the statute of limitations for a particular claim. Which is a huge frickin’ deal.

This is what our company is doing. We have 2 contractors working with my department right now, and they’re not allowed remote access. So they always have to be onsite. Not a huge deal, since they are local, but still probably a pain if they want to wrap something up after hours.

I work for a payroll company.

I, specifically, process and print checks. On a daily basis I or my co-workers put our hands on 15-25,000 blank checks.

Our documentation is redonkulous.

However, we passed our SOX audit on Wednesday. Go us!!

Much more paperwork, and a significant rise in our information retention… which is saying a lot, since most of it before this was held for 7 years as it was.

Was this a real SOX audit with an outside federal auditor (or however it’s done) or was this an inside audit where an auditor hired by your company checks to see that you’re meeting your own requirements?

My understanding is that the SOX act is so unclear that companies are devising their own SOX compliance procedures and usually going way overboard because they don’t know what they will face if they’re ever actually audited, and the companies are terrified of the publicity if they fail an audit – and terrified of what the penalties might be, since the first few to fail an audit might be punished severely to serve an example.

That about sums it up from my perspective. Before I was transferred, I worked in the Internal Audit department of a financial services firm. Almost all of the responsibilities I used to handle were relocated to the home office, in part due to the nature of the procedures developed internally to deal with SOX. The firm has an Operations center somewhat removed from the home office; both the Operations center and the home office perform several essential back-office functions, and have (had) respective reconciliation units supporting them. The Operations head wanted to “centralize” all like responsibilities in one department instead of having to account for and audit two departments doing similar work, geographic separation be damned. I don’t believe this move was absolutely necessary (and several officers of the firm agree), but it’s just one of the things my ultra-conservative employer did in an overzealous effort to comply.

So yeah, it’s affected me greatly, but the upside is the department to which I’ve transferred is a better environment for me, and my past experience with internal audit controls and procedures is very useful. I still think some of the things we are being asked to do are a bit over the top, but I don’t know if that is due to the letter of the law, or, more likely, the above and beyond approach of management and our own Internal Audit.

I believe it was a 3rd party audit. I imagine the odds of getting a real live SOX audit are pretty slim.