Part of my job has been ensuring compliance with SOX for my company. It is not one of those things that people volunteer for. For me it crept up on me. You can read about SOX from the link above, but I want to 'splain it to you my way.
SOX should really be called the Enron Law. Because of the bad people, our lawmakers passed a law that was supposed to help protect us from other bad people. So what does that mean for companies now? Executives are now responsible for the financial data. They can no longer say they had no idea if the numbers are bad. And the auditors are under stricter laws also. And most things that the government puts in is easy, right? Having to change your password? SOX. The password has to have so many characters, a number, etc? SOX. In order for them to make sure the financial numbers are good, we are audited for our internal controls related to our Financial Applications. Many things have to be checked and I am involved with the Accounts/User Access part. This control is important because you want to make sure only the people who need access can get to your financial data. You have to make sure that people don't have the access to "cook the numbers". So.....
Let's just take one system and review what has to be accurate. There are three levels to this system. You have the actual application and the database where the actual data is stored. All of that runs on an Operating System with accounts. Accounts at all levels *could* affect the financial data. OK, so 1 application with 3 levels of accounts.
The Auditors come in and they want to verify that everyone who has access to any of the 3 levels is approved (since this is one of our internal controls). And since this is only our second year of being audited at this level and internal controls were not in place before, verification clean up of the accounts needs to occur before we give the data to the auditors. Guess who is doing that?
ME! For the last month. 3 levels per application. And we have around 10. So 30 levels total. Of course I don't know what each account is for since I do not support the applications. So I get with the support person. And if there are any exceptions to our internal control it must be documented and signed by at least 5 people. 2 of them question every exception. Not that they shouldn't, but please not so much resistance to the messenger. And we can't just delete the accounts since they may be needed and it could bring down the system.
This week I have been really working on this verification since the Auditors are "in the house". I now dream about it. I see lists of accounts scrolling and hear myself talking out what the accounts are for. This account is for this, that account is for that. Do we need this account? Where did the account come from? It wasn't on our list before! My alarm goes off this morning and I think "I will work on this list later, it's time to get up." Yikes! It is bad enough to have to do it during the day, but in my DREAMS?!?!?!?!
And this stuff has to be right. If it isn't, they will intensify their auditing. And if we fail significantly it could be reported to the SEC, making our stock go down. I guess you could say that I am contributing to the stock value of my company. As much as I hate what I am doing and as much as it gives me a headache, I have a strong will to do a good job and get it right. If we fail, I will have failed. Maybe that is why I am dreaming about it.
Posted on January 28, 2006 02:23 PM