July 6, 2008

Death, taxes, and Sarbanes-Oxley


My company is part of a group of companies that jointly form a very large corporation that's a leader in our manufacturing field here in Asia. So of course the shareholders decided to take the company public in the United States to make even more money.

All that probably wouldn't have made any difference to us little ants^H^H^H^Hemployees, but American law dictates that foreign companies must follow the Sarbanes-Oxley Act (better known as SOX) if they are to be listed in the United States. One day early this year, I got an e-mail telling me to be prepared for SOX audits that were to be completed before the middle of the year.

How hard could it be? I mean, there's even a Sarbanes-Oxley For Dummies book, and I had read all about SOX after Enron and WorldCom happened. But when the SOX consultants actually came in and started asking for documentation and evidence of everything we do, I realized how much trouble I was in. The consultants didn't seem to have any idea about the workings of manufacturing plants as opposed to banks or financial institutions, and they expected us to change our working ways within weeks. The SOX consultants were also hired by the corporate headquarters and had trouble communicating with our non-English-speaking employees (all of them).

Even though SOX is mostly about finance and accounting, IT also plays a major part in these modern days where everything is computerized. The biggest hurdle for my little IT team was that programmers must not talk to users (only system analysts can) or touch the database (only database admins can), and there has to be a separate IT manager, who is not the sysadmin, to approve everything and verify that everyone is doing what they're supposed to do. This all sounds nice and secure for very large corporations with infinite manpower, but we only have a very small team handling a very large number of users and projects, and of course, I'm the sysadmin slash IT manager slash Mr. Fix-it-all.

The second hurdle was that they expected every user to have an individual account. This again sounds nice and secure in theory, but in our manufacturing plant, where users have to key in the manufacturing data, how are we supposed to expect every user to log off after every data entry?! And we have subcontractors (temp workers) who come and go on a day's notice. How can the IT Dept. possibly keep up with them to generate accounts when even the HR Dept. has trouble keeping up with the temp workers?

The third hurdle was that they wanted a fully computerized helpdesk system where users have to describe their IT service request in detail, including the scope, definition, reason, and details of the request. Most of my users are computer illiterate!

This article (which is also the title of this post) sums up my feelings nicely.

Strangely enough, the best thing that I got out of all this was that the local SOX consultant we hired was a babe.