SOX Me, Baby

If you work in the IT department of a publicly-traded company, you're probably familiar with Sarbanes-Oxley. If the very sight of that name causes an annoying facial tic and makes you want a cigarette, and if your company also happens to use open-source software, we need to talk.

Matthew McKenzie, Contributor

November 18, 2004


For the blissfully ignorant, Sarbanes-Oxley is the government's response to the wave of Enron-esque corporate accounting scandals a few years ago. The law (colloquially known as SOX) imposes strict new reporting and accountability requirements on publicly-traded companies. This includes not just financial reports and regulatory filings, but also, in practice, every business process and system that affects the integrity of the data used to produce those reports. And this very definitely includes a firm's IT operations: From software and servers to networking and storage systems, if financial data moves into, onto, from, or through it, you can bet a firm's internal SOX auditor will take an interest in it.

Those auditors have one goal in mind: to ensure that a firm can pass a real-life government SOX audit. They are looking for problems that could get a company delisted or land its executives in jail. They have no sense of humor, they do not want to hear excuses, and you're best advised not to let them hear you talking about cathedrals, bazaars or the "community" that built your firm's database server.

Some people have questioned whether these drill instructors in pinstripes would take one look at open-source software, realize what it's all about, and start throwing around pink slips like confetti in a victory parade. Earlier this year, for example, analyst and occasional Linux Pipeline contributor Rob Enderle took an extremely skeptical view of whether open-source software could survive an internal SOX audit.

For many IT departments affected by SOX, a key compliance deadline (the cleverly-named "Section 404") passed this week. It seems to me that if the worst-case scenario had come to pass, we would have noticed all of those Fortune 500 dumpsters piled high with open-source products. Even so, there might have been some interesting, if less dramatic, encounters between IT departments using open-source software, zealous SOX auditors, and corporate executives eager to avoid a free trip to Club Fed.

Please note: I'm not asking anyone to spill the actual contents of their firm's internal auditor report. That, too, will get you a bunk next to Martha Stewart--cruel and unusual punishment, indeed.

So, do you work for a firm that got SOXed this year? Do you have stories or opinions to share about the relationship between SOX and open-source software in your company? Drop me a line, I'm dying to hear all about it. If you'd rather keep your name and your company out of it, just let me know.
