I suppose my three immediate questions would be:

1. What is SOX intended to prevent?
2. How effective is it at actually enforcing what it's intended to prevent?
3. What are the new methods of circumventing it?

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Milt Habeck
Sent: Tuesday, April 04, 2006 11:30 AM
To: Midrange technical discussion group
Subject: Sarbanes-Oxley / my opinion

Dear Mark,

Your 'SOX and BRMS' post last week has encouraged me to share my personal point of view about SOX.

In my opinion, Sarbanes-Oxley compliance doesn't require an enterprise to do anything that good business practice did not already require a couple of decades ago. SOX just requires that external auditors do a more thorough job looking for distinctions between world class business practice and how a company actually operates ... and ... it requires that the auditors report those distinctions for review by investors.

It's not clear how well the "report-it-to-the-investors" part of the legislation is working. If anyone knows of an annual report that has included a SOX-type complaint in an audit letter, please tell me more about it. If annual reports of that genre can't be found, then we're left with two hypotheses:

1. Thousands of publicly traded companies are doing a great job running their business with sound internal control regimens in all functional areas (including IS).
2. The fear of annoying a client and not being invited to perform next year's audit has proved to be more compelling than the fear of failing to observe the letter of Sarbanes-Oxley.

[Quite candidly, it's hard to believe hypothesis #1 given the testimonies I've personally heard from managers across a broad cross section of manufacturing industries.]

Long before SOX was invented, pharmaceutical companies had much more demanding business practice requirements imposed by the FDA. If your enterprise could get system-certified under FDA's 21 CFR part 11 rules, SOX would be a cake-walk. There are several other IT compliance requirements that pre-date SOX, and here's a link to information about the better known ones: http://www.unbeatenpathintl.com/ITstandards/source/1.html

You mention BRMS (Business Rule Management System) software, and that genre of tool can help an enterprise develop and maintain operational policies. But it's not going to help much if the purchaser doesn't already grasp what world-class business practices are supposed to look like. Without that intellectual property, the final deliverable won't help improve the quality of operations any more than many of the ISO 900x policy books I've seen. (I'm referring to the "just-write-down-what-we-are-already-doing-so-we-can-pass-the-ISO-audit-ASAP" type efforts.)

Warm regards,

Milt Habeck
Founder/President
Unbeaten Path International
www.upisox.com
(888) 874-8008
"Unbeaten Path is in the business of helping enterprises move towards world class performance"

+++++++ +++++++ +++++++ +++++++ +++++++ +++++++

From: "Mark Allen" <scprideandms@xxxxxxxxx>
To: midrange-l@xxxxxxxxxxxx
Date: Mon, 27 Mar 2006 14:45:59
Subject: SOX and BRMS saves of Application data and Objects

Looking for some ideas from somebody who's been through this or at least part of it. I know a little about BRMS and am not even sure "what" the SOX Compliance people MIGHT be looking for. I know this is vague, but it's all I've got for now. Just looking for some general ideas.

Thanks, also feel free to respond off list.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.