SQLServerCentral / Editorials / SQLServerCentral.com / No More SOX / Latest Posts

RE: No More SOX

Jeff Moden — Thu, 04 Jun 2009 19:49:19 GMT

[quote][b]Datamama (6/4/2009)[/b][hr]... and btw - every great DBA I have ever worked with sounds just like you.Josie[/quote]Heh... thanks Josie :blush:. Every good one I've worked with sounds the same way. When I first started out, I didn't use to be that way and thought those types of DBA's were being a bit annoying and "controlling". Then, I lived through a couple of crises with them that could have easily been prevented. One of those easily preventable crises took 40 people 10 days to repair. It changed my whole outlook especially since I was up and at 'em for most of those 10 days. :-P

RE: No More SOX

geerobg — Thu, 04 Jun 2009 19:38:44 GMT

I absolutely love sox, both from a design and architectural point of view. Many lower level developers misunderstand the purpose of sox. It's not about audit logging infinitum, but rather the separation of business process oriented system access. If a system is well designed around logical business process it will lend itself wonderfully to the constraints of sox rules. Those that bemoan sox are generally trying to retro-fit a poorly designed system.Granted it's not sexy, but with internal audit moving up the corporate power ladder and filling a very large seat at the decision making table, we've been able to dramatically trim the sales cycle as CFOs scramble toward compliancy.They thought we were crazy when we ploughed our crop under, but we built it and they did come.

RE: No More SOX

Datamama — Thu, 04 Jun 2009 12:48:46 GMT

Jeff, WOW - you nailed it !! I'm a long time data architect and shared your 'experiences' with developers, managers and business 'types' who have no concept of the need for auditibility and data integrity.Thanks for laugh and btw - every great DBA I have ever worked with sounds just like you.Josie

RE: No More SOX

Mario Measor — Tue, 02 Jun 2009 05:46:51 GMT

I have been working as a software developer for a little over a year now for a company that is SOX compliant. I do think some of the steps required are annoying, but without the checks and balances, you wouldn't have a clue what some of these people did to the data and/or code. Sometimes I feel like I spend just as much time tracking changes and updating sharepoint issues, but two months down the road when someone asks me why, I can go back to the issue and get an idea of what I was thinking back then.I am come to believe that it is one of those necessary evils to keep some of the irresponsible people in check. I would like to say I don't need it myself, but without it I would eventually be lost in code changes.

RE: No More SOX

Jeff Moden — Mon, 01 Jun 2009 20:54:41 GMT

[quote][b]wldhrs (6/1/2009)[/b][hr][quote][b]Jeff Moden (5/31/2009)[/b][hr] "Its the Law" [/quote]A four word reason "It's the law".I soooo dislike misuse of the apostrophe in possessive case, particularly of the verb "to be".Probably a left over attitude from misuse of a comma causing a microcode load failure in the 308x.:Whistling:[/quote]We can certainly tell what you consider to be most important. What does that have to do with the subject at hand? Nothing. Get over the typo.:Whistling:

RE: No More SOX

wldhrs — Mon, 01 Jun 2009 19:16:10 GMT

Taking a less nit-picking and more productive approach though...[quote][b]Red Cat (6/1/2009)[/b][hr] [...] has done more to hamstring our productivity than just about anything I can think of [...] [/quote]I'm another who has preferred to read the various extant summaries rather than the full legislation, only like getting involved in that level of far too convoluted detail when it rreeaallyy affects me personally.But, what's the fundamental problem with applying auditable changes to a data structure?Oh.Money.Of course.If we don't have to spend money in order to ensure that we don't produce a six fingered, three eared, five eyed transgenic freak, than we should do just that. Yep, that's it, produce any number of six fingered, three eared, five eyed transgenic freaks, as long as it makes us more money than it costs us in this financial year.

RE: No More SOX

wldhrs — Mon, 01 Jun 2009 18:55:27 GMT

[quote][b]Jeff Moden (5/31/2009)[/b][hr] "Its the Law" [/quote]A four word reason "It's the law".I soooo dislike misuse of the apostrophe in possessive case, particularly of the verb "to be".Probably a left over attitude from misuse of a comma causing a microcode load failure in the 308x.:Whistling:

RE: No More SOX

rudy - Doctor "X" — Mon, 01 Jun 2009 09:26:31 GMT

Finally in print - Thanks Steve - ISO9001 ! (did my first one over 15 years ago)If you have ISO9001 then SOX is kind of dumb (although Jeff has lots of great reasons for it that I have experienced and agree with !)If you are not ISO9001 certified then yeah you better get SOX for your own good.I have been in ISO9001 shops, HIPPA shops and now I am in a partial SOX/non-SOX environment (we do not have ISO9001). So by my own words - we do need it !

RE: No More SOX

Chris Harshman — Mon, 01 Jun 2009 09:00:01 GMT

The need for better processes and controlls over things is a good goal, and SOX was good intentioned legislation. However, having worked before at a company that went through a SOX audit, I can tell you the implementation of that intent is what caused the problems that give SOX a bad reputation. There were a number of such audits, including the one at the company I worked at, that seemed to turn more into witch hunts.

RE: No More SOX

Kevin Wood-419472 — Mon, 01 Jun 2009 08:59:51 GMT

I agree with Red Cat. I have experienced the inefficiency and stupidity of inapplicable rules myself. And just wait until we get Cap & Trade, VAT and all the other wonderful things Congress has in store for us. Maybe, if SOX is overturned they won't be able to get away with it.

RE: No More SOX

Red Cat — Mon, 01 Jun 2009 08:40:05 GMT

WOW...so the fact that this one piece of legislation has been used by the accountants to musle arounf the entire US enterprise and lead to every decision on process improvement needing bounced off an auditor makes the majority of DBA's happy with it?I am an Information Architect who not only works on DB design on a cross app basis...but I also have to work with the Business Analysts and end users on a continuous (more than daily) basis. I can tell you this single piece of handy work by the US congress has done more to hamstring our productivity than just about anything I can think of. It single handedly lowered our cost of business to from several points lower than anywhere else in the world, to higher than everywhere in the previously high cost regions of europe.gesh...-Red Cat

RE: No More SOX

Someguy — Mon, 01 Jun 2009 08:18:26 GMT

You know, I hate multiple-window browsers. The previous link I posted just brought you back to SQL Server Central. Sorry...:blush:I edited the previous post and I'm putting the corrected link here, too.http://www.forbes.com/2008/09/29/mark-to-market-oped-cx_ng_0929gingrich.html

RE: No More SOX

KWymore — Mon, 01 Jun 2009 08:07:09 GMT

I agree that it shouldn't be necessary but unfortunately a great number of the idiots are the ones managing the budgets and making the final calls. SOX has forced alot of these people to slow down and give more thought to how the data is managed instead of just trying to do everything as cheaply and quickly as possible.

RE: No More SOX

gmadytinos — Mon, 01 Jun 2009 07:48:03 GMT

The need for SOX is in direct proportion to the amount of idiots (across all departments) who work at your company.SOX, like any formal methodology is there to babysit people who can't think for themselves.I think therefore, it has its place.

RE: No More SOX

KWymore — Mon, 01 Jun 2009 07:47:11 GMT

[quote][b]Steve Jones - Editor (6/1/2009)[/b][hr]This law definitely helps DBAS, or anyone that wants to better manage and control their environment, without such a fly-by-the-seat-of-my-pants attitude that used to predominate.[/quote]That is the biggest benefit that I saw as part of IT. We managed most of our systems this way before SOX and it bit us a number of times. The number of late nights working to fix our own errors and shortcomings were reduced after we ensured that our backups actually worked. Our reporting also became much easier to manage knowing that the data was cleaner and more transparent. Audit trails = Good!

RE: No More SOX

KWymore — Mon, 01 Jun 2009 07:37:19 GMT

At my old company, data was managed very haphazardly and pretty much anyone could get access to systems internally if they asked the right people. SOX made us tighten down our systems, document our systems and actually come up with back up strategies which were barely there before. It actually required admins and dba's to learn the systems that they were working with better and in turn exposed a number of large potential issues that we might not have found before. After the first 2 years of SOX audits, it just became another yearly ritual for us, same as year end reporting and routine maintenance. One can imagine how many public companies might have fudged the numbers in today's economy if SOX wasn't a concern.

RE: No More SOX

Steve Jones - SSC Editor — Mon, 01 Jun 2009 07:36:12 GMT

Very interesting. I was expecting to see more complaints about SOX, but maybe I'm not out of touch as a DBA. This law definitely helps DBAS, or anyone that wants to better manage and control their environment, without such a fly-by-the-seat-of-my-pants attitude that used to predominate.I guess the DBAs don't want this repealed.

RE: No More SOX

Hugo Shebbeare — Mon, 01 Jun 2009 07:24:36 GMT

Glad to see from above the support for Internal Controls, certainly makes not only the DBAs life easier, but also, more importantly, the strength of an organisation's systems' integrity.I went into detail on this already here, with an anecdote or two:http://www.sqlservercentral.com/blogs/hugo/archive/2009/02/15/the-importance-of-the-segregation-of-duties-with-respect-to-internal-controls.aspxHere in Canada, we have (aka C-SOX) Bill C-158 - unfortunately, most developers here have to be convinced that [b]this is the law[/b] and not just 'overhead' to make their lives difficult.

RE: No More SOX

Someguy — Mon, 01 Jun 2009 07:06:14 GMT

This was an interesting editorial for me because prior to this I had only heard Sarbanne-Oxley critisized for the "Mark to Market" provisions. See link below as an example:http://www.forbes.com/2008/09/29/mark-to-market-oped-cx_ng_0929gingrich.htmlApparently SOX is more complex than this single issue. Thanks for the enlightenment.I haven't had time to read the whole act (and I don't feel too guilty about that - it seems most of Congress doesn't have time to read their own legislation nowadays). Might it be that it is a series of provisions that need to be considered individually? Perhaps those of you who have implemented applications in response to the act could further enlighten us...

RE: No More SOX

Andrew Peterson-472853 — Mon, 01 Jun 2009 07:02:41 GMT

We do need SOX, but corporate executives hate it. It limits their ability to softly manage their short term reported financials, and makes them responsible. In one of my past careers (I am a CPA) I audited the financials of many companies. If you remember the collapse of Enron and Arthur Andersen, I can tell you from firsthand knowledge that it was only a matter of time before a major accounting firm imploded.

RE: No More SOX

Mike Hinds — Mon, 01 Jun 2009 06:32:35 GMT

SOX gave us a start to prepare for what was to come. As mentioned by all above, we now have the law on our side when we ask for controls, and the time and materials to implement them.The regional bank I work for was hit by eastern European hackers a year ago. SOX helped in two ways: 1) We were partially prepared for the intrusion, and as such the actual damage to customer data was limited. Law enforcement gave us a huge P/R boost in assuring our customers that we had been well prepared. 2) Many staff were prepared to respond quickly and appropriately, by having done many of the steps in lesser intensity over the last five years.

RE: No More SOX

Tom Fischer — Mon, 01 Jun 2009 06:15:25 GMT

Have to (strongly) agree with the ambiguous Mr. Moden. :-) One of the downsides of SOX that I’ve witnessed has been its casual interpretation to justify requests. For example, one manager used SOX to justify hiring another DBA. Another involved requesting hardware upgrades.

RE: No More SOX

Jeff Moden — Sun, 31 May 2009 23:52:47 GMT

Heh... sorry... I'm holding back... I should tell you how I really feel. ;-)

RE: No More SOX

Jeff Moden — Sun, 31 May 2009 23:36:07 GMT

SOX actually made my life a little easier. I no longer have to argue with a bunch of people about locking down the Production Servers. I no longer have to listen to interminable dribble and explain over and over about why I don't believe Developers should have anything other than Read Only access to the Production Servers, if that.Now, I have a "3" word reason that they can't argue with. "It's the Law". Period. End of Story. Next problem please. And, oh yes, take your whiney hiney and your boss' gotta-have-it-now-'cause-I-dunno-how-to-write-a-schedule PITA attitude down the hall and put your cruddy, performance challenged, inaccurate, untested, POS code through a code review and some decent Unit and UAT Testing before you give it to me for promotion to Production. Make sure you have a backout plan, too, sonny. :-PTruly Yours,BSOFH on SOX steroids :hehe:p.s. That goes for your bloody undocumented, just-as-performance-challenged GUI code, too! :-D

No More SOX

Steve Jones - SSC Editor — Sat, 30 May 2009 22:25:04 GMT

Comments posted to this topic are about the item [B]No More SOX[/B]