With regard to Sarbanes-Oxley, and particularly the Japanese version thereof: Is it true that in order to comply with (J-)SOX you must have a support contract - and therefore a responsible party - for any software used within the enterprise? If that is true, does that disqualify nearly all open source software?

The reason for asking is that I firmly believe that there is no relevance whatsoever. Yet our IT department frequently vetoes requests for open source software on the basis that without a support contract it doesn't comply with J-SOX requirements. To my knowledge J-SOX has no bearing on whether you have a support contract for software you use. What does seem to matter is anything having to do with financial reporting. Which most of the time doesn't come into play within the realm of open source software.

Is there a foundation for these rejections on the basis of J-SOX*? Or is our IT department just being lazy and trying to get out of supporting software they don't understand?

*I understand that there is an argument to be made that the IT department doesn't have resources to support such software, but blanketing that rejection under J-SOX seems preposterous to me.

Rory Alsop
sholsinger

3 Answers

The basic principle of SOX (I can't speak to the Japanese version, but I'd put my bet that it carries over) is that the officers of the company must attest that they are aware of the company's actions and are responsible for those actions. This is usually done by having a consultant come in and document what the company is doing. The focus of SOX is on control over things that affect financial statements.

Your inventory tracking system, accounting system, ordering system, etc. all fall into this scope. Your DHCP server doesn't.

SOX does not require support contracts for any system. SOX does not excuse you in cases of vendor supplied systems that are not understood. Buying Oracle, having it supported, and making a mess of it all will hurt -- your expensive support contract won't provide any absolution. Unfortunately, SOX is more misunderstood than anything else, and I'm in continual awe of the scope of things that companies believe it requires.

The prevailing attitude that occurs here is something along the lines of, "Better safe than sorry." Fact is that throwing extra unnecessary requirements onto yourself and claiming they're regulatory doesn't earn you any brownie points, it just costs you more. Unfortunately, I think you have an uphill struggle convincing your company of that.

Jeff Ferland

Most open source vendors (i.e. businesses and people that sell open source software in some capacity) make money through support contracts. The obvious examples are Red Hat, Novell, IBM, etc.

So even if a support contract is required, open source is still very much fair game.

There is nothing specific about IT support contracts in SOX or J-SOX; however, some of the wording around compliance with controls and reporting could make it easier for IT to just veto requests rather than go through the extra effort required. They may feel that having to support open source will cause them headaches, or make them responsible.

That said, as per Matthew's answer, if you can clearly demonstrate to your IT team that there is a vendor offering a support contract on the open source product you want, then that should at least call them on that argument. If they can offload some responsibility onto a third party, most departments feel happier.

Rory Alsop