> I have worked for large companies in the past, and SOX is seriously undermining the ability to make changes, or indeed for rational process to take place in the daily operation of IT.
Absolutely agree. Although the smart companies are now just giving SOX lip service and ignoring it pretty much entirely. The company I work for now has all kinds of memos issued saying they support SOX, hotlines, etc., but it doesn’t impact real work.
When SOX hit, at the company I worked at, the Accounting dept came out with the required SOX doc and it was non-negotiable. They had worked with an auditor who knew nothing of IT, and it showed. I had to attend a week-long class on how to fill out the dozens of new SOX forms (all manual paper forms) that were to be kept in notebooks!
I was told that ALL CHANGES had to go on the CEO change calendar and that we would become very familiar with the assistant that scheduled the CEO change meetings. All changes had to have the 10 pounds of forms and 10+ signatures before you could implement. There also had to be “separation of duty”, which meant if you were making the change, someone else had to implement it. I said, “Great, you’re gonna hire another IT group – one to implement and another to install and test.” Of course, they never did this, and this “separation of duty” was never followed.
It was COMPLETE AND TOTAL NONSENSE designed by people who had no clue what they were doing or what the real world was like. Yeah, I need to put a hotfix on a server to fix a problem – I’m gonna wait 2-3 months to get on the CEO change calendar and have a meeting with the CEO. But trying to talk to the accounting morons was useless – they insisted every change had to follow their written-in-stone procedure.
After a few weeks of complaining, the process was “refined” by having Small, Medium and Large changes, and only Large changes had to go through the above process. The difference was the number of “elements” in the change – but “element” wasn’t defined by the accounting/auditing people. The solution became that all IT changes were SMALL, since there was only 1 datacenter, so 1 element changing!
The fact is that SOX was doomed to fail because you can’t impose rigorous rules on US companies if foreign companies don’t have to follow the same rules – it is a global world out there, and adding huge overhead to your domestic companies just means more outsourcing and more domestic bankruptcies, as they can’t compete with slimmer/trimmer overseas companies.