
The Blind Men and the SOX Elephant


By Webster B. Jones
CISA, Corporate IT Audit
Excellus Blue Cross Blue Shield

Like the blind men describing an elephant, SOX is not the same thing to all functions within the company, and so the Year 4+ decision on where SOX should finally reside becomes difficult.

An old East Indian story tells of four blind men who each describe an elephant based on the part of it they have touched. The one who touched the trunk announced that the elephant is like a large snake; the one who touched the tail said it is like a rope; the one whose arms encircled a leg said an elephant is like a tree; and the one who felt the side was certain the elephant was like a wall.

As companies move beyond SOX Year 4+, three options have emerged: 1) make SOX part of the Compliance program; 2) move the SOX controls into Risk Management; or 3) continue the SOX offices as an individual entity.

For the Financial areas, which have the ultimate responsibility for assuring there is no material error in the financial statement, Risk Management provides good methods of documenting the numbers that were provided by the reporting organizations. SOX documents the traditional Finance manual controls over the final assembly of the annual report.

For IT, the biggest effort that SOX has generated is finding good evidence of the controls that have been in place within the IT communities as part of their historical "stewardship" of data. To IT, producing this evidence is Compliance in the same way that documentation is to programming: a better process, but not absolutely necessary to the actual processing of data.

For the Audit departments, the separate SOX office represents a leap forward, as company management finally recognizes the value of the controls that Audit has proposed for so long. The SOX office shows a direct relationship to the company's business processes through audit programs that are completed to support the management statement that controls are in place and have been tested. The astute SOX office also becomes the defender of the coffers from the marauding External Auditor Goths. (Apologies to the Goths for the reference.)

Where SOX should reside, since it is not going away soon, depends on what SOX is to whom. Like the blind men and the elephant, the decision will depend on what part of SOX was touched - or what part of SOX touched the organization.

Web Jones spent 20+ years in IT and transitioned into IT Audit in July 2002 just as SOX overwhelmed the internal audit departments. He has performed IT SOX evaluations and testing as an internal auditor and contractor for financial, manufacturing, pharmaceutical, telecommunications and software companies.

Now with Excellus BCBS in Rochester, NY, he will draw on that SOX experience to help establish the direction for the similar NAIC requirements due by 2010.

Although he has now relocated back to Upstate New York, he still often eats breakfast standing at the kitchen counter in fond memory of the 100% travel engagements.

© 2019 Simplex Knowledge Company. All Rights Reserved.