Will your accountant be setting corporate IT policy sometime soon? My recent articles about using SQL Server Profiler during application development raised a lot of interest in and debate about how to give developers controlled access to Profiler (and the requisite sa password) in production and quality assurance (QA) environments without giving away the keys to the kingdom. And some readers said they're particularly concerned about how the U.S. Public Company Accounting Reform and Investor Protection Act of 2002, aka the Sarbanes-Oxley Act, will affect their IT environments. Although Sarbanes-Oxley doesn't regulate information technology, IT is the foundation for the financial processes that the law regulates.
Here's one reader's comment: "Your comments about integrating developers more into supporting production systems have some merit. However, Sarbanes-Oxley will rain on that parade. Because of this legislation, auditors are forcing the complete segregation of the production and QA testing environments from the developers to ensure no changes are put into those environments without the proper approvals."
Gartner Research calls the Sarbanes-Oxley Act "the most sweeping regulatory reform of publicly traded markets since the Securities and Exchange Act of 1934." Sarbanes-Oxley's wide-ranging set of new laws is a response to the Enron, WorldCom, and other accounting scandals that roiled financial markets in recent years. In principle, the act is primarily targeted at publicly traded companies with the aim of making corporate accounting procedures more transparent to investors. That's a noble goal. However, I worry when bean counters have the authoritative and final decision about who can have access to an administrator password.
Do you have any idea what Sarbanes-Oxley legislation means to your IT department? The above comment came from a reader whose organization's IT security policy is being set by a team of auditors who, quite frankly, aren't trained to implement proper security measures. I spoke off the record with a colleague who has a fair amount of experience helping companies design Sarbanes-Oxley compliance plans. He said that some internal and external auditor groups are being overly aggressive in their interpretation of certain sections of Sarbanes-Oxley. These different interpretations can lead to inconsistencies where one group of auditors tells a company, "Yes, Bob can have the sa password," and another set of auditors tells the company, "Heck no, Bob can't have the sa password."
Part of the problem lies in the law's ambiguity. Take for example the phrase "real time" in the following excerpt from the law's Section 409 Simple: "SEC. 409. REAL TIME ISSUER DISCLOSURES. Section 13 of the Securities Exchange Act of 1934 (15 U.S.C. 78m), as amended by this Act, is amended by adding at the end the following: `(l) REAL TIME ISSUER DISCLOSURES- Each issuer reporting under section 13(a) or 15(d) shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English, which may include trend and qualitative information and graphic presentations, as the Commission determines, by rule, is necessary or useful for the protection of investors and in the public interest."
In researching this commentary, I perused a number of Web sites to find out what "real time" in this section means—only to find out that no one really knows. Most IT folks interpret "real time" to be just that: a constant flow of information with a response time measured in milliseconds if not faster. Some real-time control systems have response-time requirements in the nanosecond range, which is a billionth of a second. I sure hope Congress doesn't expect that. But apparently, no one knows for sure what constitutes "real time" under the new law. You can find the full text of Sarbanes-Oxley at http://vscpa.com/Advocacy/SOtext.htm , and the most relevant sections for IT teams are nicely summed up in "How CIOs Should Prepare for Sarbanes-Oxley" at http://www2.cio.com/analyst/report2271.html.
Sarbanes-Oxley's intent is laudable. But I suspect that IT professionals in many public companies are in for a few years of Dilbert-like antics and bureaucracy as the implications of Sarbanes-Oxley on IT departments are sorted out.