About Gene Kim

I'm the multiple award-winning CTO, Tripwire founder, Visible Ops co-author, IT Ops/Security Researcher, Theory of Constraints Jonah, a certified IS auditor and a rabid UX fan.

I am passionate about IT operations, security and compliance, and how IT organizations successfully transform from "good to great."

Wednesday, June 16, 2010

Mobilizing The PCI Resistance, Part III: Quantifying The Huge SOX-404 Problem...

Previously, in Part I ("Upset about the subjectivity and ambiguity in the PCI DSS compliance standards? My #BSides submission on the answer..."), I laid out the problem statement, and in Part II I wrote about the problems that management and auditors faced in 2005 and 2006 with the IT portions of SOX-404.

In Part III of this series, I will continue walking through the January 2006 GAIT Summit slides and show you the objective evidence that there was a real problem that needed to be solved, as well as our vision of what the solution was.


[Image: January 2006 GAIT Summit discussion]

The Damage Of Bottom-Up Auditing

Actually, let me rewind a bit. I didn't realize it at the time, but in 2005 I heard a great presentation by Patrick Gunderman, then a Senior Manager in the KPMG audit practice, that hinted at the magnitude and scale of the SOX-404 IT audit problem. He showed a slide that blew me away.

[Image: KPMG presentation by Patrick Gunderman]

[Image: Gunderman slide on the distribution of SOX-404 deficiencies by area, with IT controls the largest category]

In the slide above, KPMG found that "The estimated percentage of deficiencies identified show IT controls accounting for the most (34 percent), followed distantly by revenue (13 percent), procure to pay (10 percent), and fixed assets (10 percent)."

What this means is that auditors were spending their time digging around IT infrastructure and finding lots of deficiencies. Then, for each one, management had either to remediate it or to argue with the auditors that it wasn't worth fixing, because that particular IT control failure could not result in an undetected material error in the financial statements. Now, if the Enron and WorldCom failures had been caused by rogue DBAs, then maybe this level of scrutiny would have been warranted. But something definitely doesn't seem right...

It's estimated that as much as $3 billion was spent in the first year of SOX-404 fixing IT controls to remediate these findings. Ultimately, most of these findings were found not to be direct risks to accurate financial reports and did not result in a material weakness. This is because the audits followed a bottom-up approach rather than a top-down, risk-based one: the auditors started from the IT controls and worked upward, instead of starting from the risks to the financial statements and working down to only those controls that could actually cause a material misstatement.

At the January 2006 GAIT Summit, we had publicly traded companies present how this problem was affecting them and why they needed a better way. Universally, they described a huge IT audit effort, and associated fees, for SOX-404 that were totally disproportionate to the risk.

These companies included (in no particular order) Goldman Sachs, Marathon Oil, Microsoft, Hewlett-Packard, Chevron Phillips Chemical, Business Objects and others.

One of the most compelling data points was presented by Fawn Weaver of Intel.

[Image: Fawn Weaver (Intel) slide on IT's share of SOX-404 audit effort versus findings]

This slide shows that roughly 50% of Intel's SOX-404 compliance effort was IT-related, and that this IT work was generating almost 80% of the findings. Yet none of those findings represented a real risk of an undetected material error. (So again, why was all that work performed? It shouldn't have been.)

In my next post, I will write about how bottom-up auditing happens and our vision behind GAIT. After that, I will write about the politics of GAIT: how we assembled the constituencies, what was in it for them, and how I learned to use one of the most valuable tools in my career.

All of this helps (at least, in my mind) inform the PCI problem statement, as well as the strategy of how we can solve it.
