Recent Rants by Robin
There she goes again...
Copyright of Robin Basham, 2006, all rights reserved.
Thank you Tianna for the excellent summary of this proposed bill. What an outstanding week you've contributed to on the Sarbanes-Oxley listserve. (See U Rock!)
"In 2002 my company was approached by a peer to review a bill that would potentially affect the reporting over internal controls as they existed in IT. My client, I later learned, was Siemens, and the two-part question was:
"Can we use CobiT® to meet the requirements of Sarbanes-Oxley?" And
"How does one put the control of IT into scope?"
Working with KPMG, E&Y, PwC and Deloitte over the last few years has given me the opportunity to see how large organizations would implement the answer to this question. My statement regarding support for the Competitive and Open Markets that Protect and Enhance the Treatment of Entrepreneurs Act is not a criticism of SOX.
The math of "scope" in a Fortune 500 company would likely have excluded testing for business units below a certain size. In a typical audit, I've seen companies elect business areas as out of scope where the revenue attributed to that area was less than the figures proposed in the "COMPETE" bill. Excluding a business group from 404 test rounds did not pardon those operations from responsibility. It was simply a limit on testing cycles, based on the likelihood that specific business services, if incorrectly monitored, could result in any type of financial misstatement. If anything, this temporary reprieve would be met by greater demands on those business units to make up for productivity lost by teams involved in SOX.
I have always found the law to be unfair in its impact on smaller businesses, and as a result felt the level of audit at smaller businesses was forced to a watered-down value at best. While all of our projects involved publicly traded corporations, a few of those companies would be characterized as "small." In every company where revenue was under 100 million, I witnessed enormous staff turnover, poorly managed and abandoned strategic projects, and reduced quality of customer service. Even with improved processes, the amount of time taken away from core business tasks was in many cases catastrophic. If the effort to supply evidence exceeds the business's capacity to deliver and remain in service, complying with the act becomes a risk in and of itself.
All legitimate businesses comply with regulations, meet SAS requirements and financial reporting requirements, and "oh by the way" have to use their resources effectively enough to earn a profit. No, I don't believe it will help my own business, a compliance and audit consultancy, if this law is repealed. As has been the case about every three years for the last two decades, our focus will adjust to the needs of the time. I still stand by the belief that if a law forces small business to produce controls that exceed the bounds of their capabilities, something's gotta give. We have to set achievable goals and focus on methods that make the implementation of process and controls achievable. You can't audit quality into a company or a country.
The focus needs to be on the products, the processes and the programs. We have to put money into the creation of quality and not the insane pursuit of yet another checklist. We must improve our foundations and make it easier to be in business, not harder. We are literally beating children for not achieving the lessons that were ours to instill in the first place. Our culture needs to facilitate, reinforce and reward the successful implementation of standards. The overuse of audit breeds liars and will force many to give up on dreams in spite of excellent moral and business character.
On the flip side, automating controls, visibility over operational practice and good business culture have never been bad things. They were not new to, or even evolved by, SOX. Ethics and process will continue to be powerful tools in all areas of family and business, regardless of any change in this law.
Sarbanes-Oxley is not the only regulation affecting business. Even if we take the Sarbanes-Oxley Act out of the U.S. Code, fraud and criminal behavior will continue to result in jail time. Inefficient operations will still close businesses. The market will still demand reasonable assurance of longevity through planning and controls. We, as a culture, will still have been dramatically changed by the events of these last three years.
Regarding the million or so newly born IT auditors, I believe many of them will return to the technology capacities they held before SOX. We lost a half million jobs in telecom between 2000 and 2003. Less restrictive practice will free budget to bring a few of those displaced moms and pops back from McDonald's management to their rightful place in the IT workforce.
The result of our economic downturn has IT so lean we could kill most small companies with a cold.
Business based on delivery of product, versus dollars spent scrutinizing potential mismanagement of product, has to stay in balance. Audit is a cost. Like any tax, you have to earn it before you pay it. As revenues go down, we get fewer tax dollars, and the cycle just spirals down faster. This country, while needing market respect and trust, still has to focus on a balance of government that doesn't fail to support our constant need to deliver new product. At the end of the day, no one cares how organized a corporation's files were as they cart the servers and office furniture to the foreclosure auction.
There she goes again... (June 19, 2006)
In response to persons asking why CobiT is not free and why they can't just forward a copy of the database to users in our group:
I have a business model that enforces this copyright while showing companies how to adapt CobiT® and all frameworks to their compliance architecture. (www.pbandsp/tools/fcm.html )
In some cases, clients have distributed internal portals to their entire company, leveraging the framework but not reproducing it for commercial or non-audit and compliance related work. Where individuals wanted to own a private copy of any CobiT® materials, they could buy it, but the only persons who were required to purchase an online license were those in the audit and compliance group. Consider that the cost of that license works out to about a dollar a day. The cost for CMM improvements is sometimes quoted as 20K per employee. (another topic)
The terms of use for ISACA's web service CobiT On-Line are very clear. One login is one user.
Where a data model is used, there is always a means to legally use that model. We can't post ISO data models. We certainly can buy and use them. What is not defensible is reproduction without attribution or payment back to ISACA.
Do we also expect all the AICPA resources to download for free? We have, through ITGI, built an enormous culture of free distribution.
If anything has been made true by the events and outcomes of the last year, it is that we give away too much.
My philosophy and approach have been aligned to quality management and reduced operations costs. I use ISACA, OMG and OASIS to help my clients achieve a cost effective model. When products leverage these frameworks, they add value to the compliance process, but those products have to serve their own core purposes. Unless it is an audit tool, such as the Methodware ERA product line, these frameworks are no more than a list of recognized criteria. Their usefulness depends on how they are applied.
I don't get why people think CobiT should be free. Try convincing Verizon that the LERG or any telecom service should be free. Explain to McGraw Hill why any book that is required text for public education should be bound and published for free.
Compliance should be easy... There, I said it, "s-h-o-u-l-d be easy". Compliance should be a by-product of business and systems process. To achieve this, however, will be very hard. We are successful when compliance is taken for granted and the business doesn't even know it is there. Organizations must invest in building compliance into all methods of service delivery. Compliance visibility and audit process must become organic to the culture, embedded in our products, a part of service delivery, and a means to reduce costs, not increase the cost of service.
Microsoft knows this. So do all the major software and hardware players. It would seem the ridiculous rush to produce FUD driven "Compliance Products" has now lost its frenzied appeal. YEAH!
ISACA is making tremendous strides to produce cost effective, usable materials. Consider purchasing training materials for SAS70 at CPABIZ as a point of comparison. It is an expense that I consider mandatory to my profession. Consider that a single benchmark study, such as the one provided by ITPI, can cost as much as several thousand dollars. Research is a luxury built upon funding. If we are to remain leaders in our industry, we can't ask why our products aren't free.
Why? Because it's really that hard to manage all the people, talent and processes needed to produce good works.
So the question I ask each day is "Why isn't compliance easy?"
Copyright, Robin Basham, 2006