Monday, January 25, 2010

Cleaning the Soup

Compliance



Currently, my company is being audited in the wake of the new Sarbanes-Oxley laws. These laws were created in the wake of Enron to ensure that corporations aren't baking their books.

So, basically, I have to start writing some sort of documentation on this shit.

I'd rather eat my own hat, but since I'm not wearing a hat, let's go ahead and take a look at a memo I just received.



There is the opportunity for confusion that can arise during a Section 404 audit, based upon the differing vocabularies of inexperienced audit team members and those of technologists. To help mitigate....



It goes on to explain that you should use a list of terms in place of the kind that might be misunderstood (read: land the company in hot water).



Here's the list.



Use:



Management makes ongoing determinations of business risk and documents these decisions where the level of risk could impact operations or the financials.



Don't use:



Well, yeah, they asked me to look at the financials and all that shit, but I decided to eat this sandwich. Fuck, this is a good sandwich. They melt the cheese and put pepperoncinis on it and...what did you want again?



Use:



While an initial pass might see this as a gap, a more thorough understanding of our operations can identify a series of compensating controls that reach the same end.



Don't use:



Whoa, we really fucked this one up. Good lord!



Use:



Management has deemed this level of documentation to meet our control objectives while not impacting the efficiency of our operations.



Don't use:



The last time we documented anything it was when we were explaining our way out of the fact that we expensed some hookers in Omaha.



Use:



Management is working to build upon our current and already acceptable control environment.



Don't use:



We talked about doing that, but then I decided to go buy this sandwich and then forgot about it. Now, I think I'm going to surf the net for porn and hope that someone puts it together for you folks. Man, honey mustard has got to be the best idea since Dijonnaise.



Use:



We have a series of detective controls in place that accompany our preventive controls.



Don't use:



I have no clue how to stop an employee from funneling money to an overseas account.



Use:



Our controls are well designed and operating effectively.



Don't use:



This one dude I know used to have this program that, get this, could copy financial accounting records and download them into this...oh, shit, you're that dude from that auditing thing. Oh, I'm fucked now. Look, I'll give you the rest of this sandwich if you don't tell anyone what I just told you.



Use:



Access controls, internal controls.



Don't use:



The porno police.



Use:



We are building evidentiary materials for controls that have been in place for a period of time.



Don't use:



C'mon, man, pleeeeeeeeeeeaaase don't tell my boss that I'm the guy that told you that shit about Manny. OH FUCK, I JUST FUCKED MANNY OVER!!!



Use:



I'll need you to connect with my manager on that.



Don't use:



Shit, Manny already has two felonies. Christ, this is not happening. Hey, whatchu know about THIS?! Yeah, I'll gut you like a fish with this letter opener if you don't promise to keep your yapper shut about anny-may.



Use:



Discussing systems that impact and can map back to the financials.



Don't use:



Discussing that one chick you banged last night.



Use:



Management has determined the scope of our testing, self-audits, controls, etc.



Don't use:



Yabba Dabba Do!



Use:



Adequate levels of governance and oversight; management sign-off.



Don't use:



It's your fault! You walked into the letter opener! Oh, shit, man! Oh, shit! I just killed the accountant dude. Fuck, Freddy, we're going to Aruba.
