
What Sarbanes-Oxley, Lawyers, and Auditors Really Mean for IT Wed 24 Nov 10

Don't rely on a "higher authority" to justify your policies and procedures

A lot of IT folks routinely invoke a higher authority as justification for why we have to do something or why a policy can't be changed.  This "higher authority" usually takes the form of one of three tried and true excuses:

  • We have to do that to comply with Sarbanes-Oxley.
  • The lawyers say we have to do that.
  • The auditors make us do that.

That bumper sticker from the late '70s urging us to "Question Authority" may have been right all along.  In reality those three reasons are just spurious excuses, not valid reasons for doing something.  Although the "required" action may actually be the right thing to do, citing an excuse such as one of these is wrong for a number of reasons.

Let's start by taking a look at each of the excuses.  The Sarbanes-Oxley law was enacted as a result of a number of corporate and accounting scandals.  IT often cites it as the reason we have to take certain specific actions.  I freely admit I haven't read all 745 pages of the bill, but as best I can tell it doesn't get down to dictating specific IT-related actions.  Nothing about how long your computer can be inactive before it automatically logs you off, nothing about how often you have to change your passwords, and certainly nothing about all those other things we so often claim it makes us do.

What Sarbanes-Oxley does do is make us evaluate risk and develop mitigating controls.  Auto log-offs and frequent password changes are mitigating controls, but Sarbanes-Oxley doesn't specifically call for them and therefore doesn't require specific time periods either.  We have these controls because someone in the company evaluated the risk and decided they were appropriate, and that decision, not the statute, is what sets the numbers.  Although this is a rather trite example, it applies equally to all the other IT actions we insist on because of Sarbanes-Oxley.

Lawyers act as trusted advisors in our companies.  That is precisely what they do: they offer advice, but except in rare cases they don't make decisions.  Our job as managers and leaders is to consider this advice, but it is up to us to decide on a course of action.

We decide, not the lawyers.  Don't believe me? Imagine yourself explaining a bad decision to your CEO and trying to use the "the lawyers made me do it" excuse.  The lawyers have over the years practiced and polished the "we're only advisors" speech and can deliver it with an ease and persuasiveness that will make your head spin.  You weren't hired merely to follow orders but to consider the situation carefully (which means listening to the lawyer's advice), weigh the options, and then make the decision yourself.

Like the lawyers, auditors don't make business decisions either.  The job of the auditors is to evaluate our actions and controls to see if they meet certain standards.   Many auditors, especially the inexperienced ones we first deal with, are not experts in IT.

The auditors are often merely comparing us against a checklist someone higher up gave them, without any real understanding of how appropriate that checklist is to a particular situation.  Part of our job is to work with them to make sure they are using the appropriate checklist, and to be able to explain which risk each control on it actually mitigates.

The next time someone uses one of these excuses, there are a couple of things to keep in mind before charging off in a flurry of righteousness.  Although the justification may be spurious, it doesn't necessarily mean the required action is wrong.  After all, they may simply have reached for an easy excuse rather than wanting to explain the valid reasoning.

Also, remember to choose your battles.  Do you really want to engage in a major political battle over whether the auto log-off should be 90 minutes instead of 30?  If you're going to start a fight, make sure it's worth winning and worth the inevitable wounds that come with it.

We as IT leaders need to stop our people from relying on these excuses to deflect questions.   First, it degrades our credibility.  My analysis is not groundbreaking; others understand this implicitly.  If we use these excuses with them, they naturally draw one of two conclusions, neither of which helps our credibility: either we don't understand the purposes of Sarbanes-Oxley, lawyers, or auditors; or we're assuming they're dumb enough to accept our lame excuse and just go away.

Second, and most importantly, allowing people to rely on these excuses destroys our critical thinking ability.  Our policies and actions are controls to mitigate risk.  As technology changes, the controls should change accordingly, because the technology presents new and different risks.  We can't allow ourselves to get locked into thinking there is a rule that prevents us from using the new technology.  Our job is to figure out the best ways to utilize new technology while mitigating its risks, not to find lame excuses not to do something.

"Question Authority #4" photo by curiousyellow / CC BY-NC-ND 2.0

This article is also posted on Forbes.com.  Feel free to join in the discussion either on this site or at Forbes.com.


Creative Commons License 
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 License.

This is the personal blog of Michael W. Schaffner. The opinions expressed in this blog are solely mine and those of commenters. You should not infer that these opinions are the opinion of, or have been endorsed by, any current or former employer.


Copyright © 2006, 2007, 2008, 2009 Michael W. Schaffner.  You may copy or quote sections of this blog if you provide an attribution consisting of a reference to Michael Schaffner and "Beyond Blinking Lights and Acronyms" along with a hyperlink (if a web reference) to the blog posting.
