5 reasons why implementing the Sarbanes-Oxley Act is very, very difficult.
For the last two years, I have been working with Sarbanes-Oxley section 404, especially on IT general controls. I have worked both on designing Risk Control Matrices (RCM) and on performing testing of the controls. And after hundreds of hours of discussion with auditees, and hundreds of days of never-ending meetings and document checking, I have come to the conclusion that implementing SOX is very, very difficult and sometimes not effective. Here are the reasons:
1. Statements open to multiple interpretations
IT auditee: "Your significance level is different from mine."
SOX auditor: "My interpretation of this matter is more specific than yours."
IT auditee: "I understand, but here this process cannot be performed."
The SOX RCM guidance is open to multiple interpretations. If you hire a person from audit firm ABC to help you design the RCM, and then a year later hire someone from audit firm DEF, I am quite sure the result will be different. Does that mean the person from ABC is smarter? No; it means the statement has multiple interpretations.
Just take a look at this: the list of significant applications. The rule is simple: every application that impacts the financial statements. But how is this explained in more detail? Are firewalls and routers included as significant applications? Is a gateway application that passes data through without any parameters included? Or a simple one: is a big, integrated module considered an application or not? What if the vendors who developed the module are different from the core vendor?
I am quite sure that a lot of questions come up when designing the SOX RCM; trust me, statements with multiple interpretations are the major source of never-ending meetings.
2. Textbook auditor vs. real-life IT process auditee
There is a big gap between the SOX auditor and the IT auditee; it comes down to what each of them sees day by day. The SOX auditor's main job is to work with detailed documentation. SOX auditors need to examine a lot of documents, and complete, detailed documents make them happy. But the IT auditee has a very different view: IT's main focus is maintaining the availability of the system, and most of them do not care whether every process is written on paper, signed, approved, and all the other SOX auditor jargon.
The SOX auditor's pressure comes from deadlines, and the IT auditee's pressure comes from the IT board, which needs the IT processes to run effectively. I am sure that, in the end, no one is happy. I have found several auditees who became paranoid about everything to do with the SOX auditor, whether their appearance or their style.
3. Never-ending control frequencies
SOX auditor: No sir, the frequency for this control is daily, for that review it is monthly, and you should also prepare for the quarterly review. And don't forget that each control has its own frequency.
In SOX, every control that we create has a different frequency, e.g. the control for program changes is event-based, so whenever you have a change request you should follow the SOX rule you have made. The control for incident monitoring is daily, so every day you should record the incidents that happened.
OK, it seems everybody is happy. But look at this simple problem: the parameter review is monthly from the SOX auditor's view, but the IT auditee thinks that a semi-annual parameter review is more than enough. After a very heated discussion, everybody agrees on semi-annual, but in the end some parties still disagree, since they think it is no longer suitable.
4. Global problem, local hell
SOX says that every company listed on the NYSE should comply, and every subsidiary owned by that company should comply as well. What does that mean? It means that the local or subsidiary company goes through hell. Everybody knows that a local subsidiary performs its business differently from headquarters. Implementing SOX is just the same as moving a very big problem to each subsidiary.
5. A story of a never-ending process
SOX auditor: So you must prepare this 1000-page report each month.
IT auditee: OK, but we need more engineers to do this.
Management: Agreed, we will hire more engineers to prepare the report.
SOX auditor: In that case, you should hire more supervisors to supervise the report preparation.
IT auditee: OK, if that is what you want.
Management: Then we can hire new supervisors to supervise.
SOX auditor: But what about integrity? You should create a supervision department.
See the idea? You will never finish this never-ending process. Your management can hire another engineer, create a new department for SOX compliance, and release new policies. But at bottom, it is a never-ending process.
Ah, that's it. I'm pretty sure you have a longer list than I do. Do you have any comments?
implementing Sarbanes Oxley
Hi,
About our company's information technology risk assessment, business continuity and disaster recovery software:
You can contact us for more information and to buy the product.
info@3myazilim.com
www.3myazilim.com
3m software and consulting
BS25999, COBIT, ISO27001 etc. consulting and software.
IT Risk Assessment Templates: this template is created using the NIST SP 800-30 standard, Risk Management Guide for Information Technology Systems.
Covering some basic processes during IT Risk Assessment that include: System Characterization, Threat Identification, Vulnerability Identification, Control Analysis, Likelihood Determination, Impact Analysis, Risk Determination, Control Recommendations, Results Documentation, Business Continuity, Disaster Recovery, Business Impact Analysis.
Please proofread... English is poor
Great article - nice summary and well done for publishing
I have no problem with the author's use of English. The message is made clearly and effectively.
One of my main issues is that all too often you create a report on some issue and just get spelling and punctuation corrections.
It is clear that the reviewer has not understood the report, and so has focused on changes to the English.
Like SOX, English can never be agreed on, so there is always a reason to add or remove a comma, and thus the reviewer proves they have reviewed the document. However, the lack of any substantive comment is the main issue and problem with most reviews.
--
Ronald Duncan
Chairman and Technical Director @UK PLC
www.uk-plc.net
PS The solution to problems like SOX is automated systems that record all this nonsense, not adding humans who will argue about it.
e.g. We are better than SOX since we record our performance against our 20 key KPIs every hour. Do I look at them every hour? Of course not.
Good article. But please get this edited.