posted 19 years ago
I haven't worked on it - but my wife's job has been 50% SOX for the last six months at least.
At her place of work, it involves a big bunch of bureaucratic rules that tend to make getting work done more difficult without, in my opinion and her opinion, making things any safer.
For example, she's no longer allowed to log on to the production servers. That means that when there's a production problem, she can't troubleshoot it directly. Unfortunately, the people in operations aren't trained for this kind of thing - when she wrote procedures for handling some common issues, their manager noticed that the procedures involved their logging in to Unix machines and said, "they can't do that - they'll mess something up. It's too dangerous." So she gets to walk them through the troubleshooting, on a phone, getting them to do exactly what she would have done. Meanwhile if someone wanted to insert fraudulent data, they would just join the operations group instead of the programming group, and the only thing that might give them away is that they actually know how to log on without help.
Of course the auditors come in and say everyone has to have a different password for every different machine, and they have to change every couple of months, and they have to be letter/number combinations that are difficult to remember. So instead of one person having the passwords, everyone's going to write them on post-it notes on their computer and anyone who wants to commit fraud will be able to do it from other people's accounts instead of their own.
The fact is, the fraud that cost investors billions of dollars at Enron and Worldcom wasn't done by programmers, or even hackers, breaking into computers - it was done by a relatively small number of medium to high level executives. Vigorous prosecution of the people who actually committed large dollar amounts of fraud (as opposed to the people who make good political targets because they are newsworthy for one reason or another) is what will help. Then again, Sarbanes-Oxley doesn't actually mandate any of this idiocy that's making my wife's life miserable; that's coming from auditors trying to justify their overinflated fees.