Save a Tree

Each year, our company embarks on its annual Sarbanes-Oxley or SOX audit.  Anyone who works for a publicly held company will likely moan when they hear SOX…and it’s not the good kind of moan.  And, the higher up the chain you are, the more you will feel sucked into the vortex that is SOX auditing.  

At our company, we start this process in mid to late July.  The company brings in extra internal auditors from a local firm who review with us all of our SOX documentation to ensure nothing needs to be changed.  Then we get to review the previous year’s findings (i.e. what they found we did wrong) to see what we have done to mitigate the risks.  This is always fun because maybe 6 months at most has passed since it was last discussed.  From there, the internal team begins auditing everything.  This means they need a list of the population so they can select from that list which they want details on for testing.  If you pass, all is good.  If you fail or they find problems or questions, more testing will be done – and more meetings.
As Manager of Software Development, I have to give them a list of all changes in our system from January 1st through the current date.  The auditor gives me a list to pull details on, and my printing craze begins.  Since this “population” is huge, I usually have at least 20 samples to pull.  A quarter of a ream of paper later, I have the info she needs…for one test.  And, there are about 15 tests.  And, this isn’t even the “real auditors”…this is to get ready for the “real auditors”.  When they come, we’ll repeat the whole process because our systems are important so retesting is a must.  
In the end, I will have gone through 2-3 reams of paper just to provide them with the info they will need.  The internal and external auditors themselves will go through 10 reams in copies and “extra evidence” to support the testing.  And, again, I must emphasize, this is for one group only.  I can’t imagine what accounting goes through in paper!
And, as I am going through this process, I ask myself, “Would this have prevented Enron? How about WorldCom?”  And, when I’ve asked those questions out loud, the answer is “probably not”.  Probably not??  My department alone has deforested several trees in this effort to assure our shareholders that they aren’t invested in the next “Enron”, and the auditors’ answer is “probably not”.  Nice.
I am all for controls and checks & balances.  And, I am not happy with what happened with Enron and WorldCom.  But, I am also a big fan of the solution actually solving the problem.  I’m a big fan of actually mitigating the risk.  I am not a huge fan of arguing with auditors who will tell me this person has too much power in the system while at the same time tell me to give them more power because the wrong people have it.  Why? Because they are afraid that the person in question might do something in the system that undermines the whole accounting process thus making them millions through embezzlement.  If I’m not mistaken, it wasn’t some Help Desk person that made millions at Enron, but the much higher ups.  
I hate SOX each year.  I hate the 6 months of time I spend on it. I hate explaining why my little company can’t afford the staff of a bigger company to make things a bit more segregated in terms of who can do what.  I hate explaining IT to people who should have a better understanding of it given they are the ones going in and auditing it.  I hate breaking the news to my staff that it is coming.  I hate killing trees just to do CYA for the auditors.  
While I know that the auditors are just doing their job, I wish someone with some common sense would interject some into this stuff. 

What do you think?