SOx Sucks

A few years ago a handful of companies, notably WorldCom and Enron but plenty of others, faked up their books and defrauded investors and their own employees of billions of dollars. This despite requirements that the books of companies be audited by an independent accounting firm.

It turns out that in some cases the big accounting firms were more interested in keeping the client than in protecting investors. They allowed the fraudulent behavior to continue, so that WorldCom and Enron would continue to pay them for their other services. Not really the independent audit that was needed.

The government stepped in and passed the Sarbanes-Oxley Act, lovingly called SOx. What this did was to provide a vast set of new accounting requirements demanding that companies be able to prove that every important number in every system was properly protected and that any monkey business would be traceable. This is a gigantically complex undertaking for a business. Also added was an audit of the audit, and a review of how every number is checked and double-checked. The US government for the first time takes a direct role in looking at corporate ledgers.

A system my department developed and hosts has now been declared to be SOx-related. That means that the server it sits on has to be extra-super-secure, and that we have to document checking the security of the server periodically. (Different aspects of the security have to be checked at different intervals.) Every change to a line of code has to be documented as well, and justified, and audited. Likewise the database has to be extra-super-secure. I’m a big fan of secure, actually, so for the most part I’m totally down with all this. Extra-super-secure is many times more of a hassle than secure, but if someone monkeyed with the numbers in this system, our CEO could go to jail. So, yeah, best to be careful.

Getting the servers set up properly was not really that difficult. Actually, I wasn’t allowed to configure the servers, because I was the only one able to test if it had been done right. Every setting has to be tested by someone other than the one who did the work. Then the test document I create is audited by my boss before being sent over to the Internal Audit department.

Documenting the security of the servers to the satisfaction of the law just plunged me into several long, long days of bureaucratic hell. I had templates for the documentation from the IT department’s setups, but those docs had some surprising holes and some parts that were simply badly written. I spent several hours trying to figure out how to meet a requirement in those docs that was simply wrong. An IT expert probably could have identified the problem at a glance and said, “I expect the writer meant this…” I am not an IT expert, and honestly I like that sort of arcane activity almost as little as I like paperwork.

So, yeah, this was a perfect storm of things I don’t like to do, and I underestimated the time it would take me to do them, which led to a lost weekend and almost every waking hour for a week devoted to the task. Now my work goes on to be audited, and it’s hard to imagine that after a push like that there isn’t an error somewhere.

Here’s the thing: as I was doing all this, I wasn’t mad at the government. Red tape driving up taxes and costing companies millions of dollars usually will make me call for revolution. This is all deadweight on our economy. But who I’m really mad at is Enron et al., and I’m ready to murder the leadership of the major accounting firms whose dereliction led to this whole fiasco. They owe me. Bigtime.