<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
xmlns:rawvoice="http://www.rawvoice.com/rawvoiceRssModule/"
	>
<channel>
	<title>Comments on: Are the Big 4 risking too much?</title>
	<atom:link href="http://www.accmanpro.com/2008/06/26/are-the-big-4-risking-too-much/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.accmanpro.com/2008/06/26/are-the-big-4-risking-too-much/</link>
	<description></description>
	<lastBuildDate>Thu, 09 Feb 2012 10:01:51 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
	<item>
		<title>By: Francine McKenna</title>
		<link>http://www.accmanpro.com/2008/06/26/are-the-big-4-risking-too-much/comment-page-1/#comment-4929</link>
		<dc:creator>Francine McKenna</dc:creator>
		<pubDate>Fri, 27 Jun 2008 20:41:20 +0000</pubDate>
		<guid isPermaLink="false">http://www.accmanpro.com/?p=3118#comment-4929</guid>
		<description>Hi Dennis,  There are several examples, but I will give you two in this forum:

1) Current SOx testing on the ERP side focuses on configuration related to segregation of duties (roles and responsibility assignment) and access/approval controls.  But what about business logic and business rules, for example, either as delivered or as configured?  How do transactions work?  How many different charts of accounts are set up?  How is the org structure set up so that dollars and pennies can be booked but booked off to the side or off-balance sheet?

2) While at PwC, I heard more than once that there was no external auditor review of policies and procedures regarding patch application and testing/promotion to production of new code from the vendor.  Why?  &#039;If it&#039;s Oracle or SAP, then it has to be bug free out of the box.&#039;  WTF?  This was a handshake agreement amongst the firms that none of them would call out these issues, because if they started it would never end. Neither the firms nor their clients had enough staff to control this issue.  Given the number of companies that would be called out on basic IT SDLC-related and operations controls, everyone would look bad.  Moratorium until companies could get a handle on it.  Only best-in-class companies have tight procedures over these activities, and if issues were found it would spill over all over the place. If the ERP software is buggy to begin with but you don&#039;t know where it&#039;s buggy and this is your GL, what comfort do you have that any financial reporting is right?

Add to this the fact that no one got or has received a material weakness for not having a disaster recovery/contingency plan documented, tested, and rehearsed, because very few companies outside of those affected by 9/11 (I am assuming) have it, and you see what I&#039;m talking about.</description>
		<content:encoded><![CDATA[<p>Hi Dennis,  There are several examples, but I will give you two in this forum:</p>
<p>1) Current SOx testing on the ERP side focuses on configuration related to segregation of duties (roles and responsibility assignment) and access/approval controls.  But what about business logic and business rules, for example, either as delivered or as configured?  How do transactions work?  How many different charts of accounts are set up?  How is the org structure set up so that dollars and pennies can be booked but booked off to the side or off-balance sheet?</p>
<p>2) While at PwC, I heard more than once that there was no external auditor review of policies and procedures regarding patch application and testing/promotion to production of new code from the vendor.  Why?  &#039;If it&#039;s Oracle or SAP, then it has to be bug free out of the box.&#039;  WTF?  This was a handshake agreement amongst the firms that none of them would call out these issues, because if they started it would never end. Neither the firms nor their clients had enough staff to control this issue.  Given the number of companies that would be called out on basic IT SDLC-related and operations controls, everyone would look bad.  Moratorium until companies could get a handle on it.  Only best-in-class companies have tight procedures over these activities, and if issues were found it would spill over all over the place. If the ERP software is buggy to begin with but you don&#039;t know where it&#039;s buggy and this is your GL, what comfort do you have that any financial reporting is right?</p>
<p>Add to this the fact that no one got or has received a material weakness for not having a disaster recovery/contingency plan documented, tested, and rehearsed, because very few companies outside of those affected by 9/11 (I am assuming) have it, and you see what I&#039;m talking about.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Dennis Howlett</title>
		<link>http://www.accmanpro.com/2008/06/26/are-the-big-4-risking-too-much/comment-page-1/#comment-4928</link>
		<dc:creator>Dennis Howlett</dc:creator>
		<pubDate>Fri, 27 Jun 2008 14:20:56 +0000</pubDate>
		<guid isPermaLink="false">http://www.accmanpro.com/?p=3118#comment-4928</guid>
		<description>Francine - I&#039;m curious about &#039;technical architecture and application level instead of at the functional/user level&#039; - can you provide an example? Are you talking about process execution?</description>
		<content:encoded><![CDATA[<p>Francine &#8211; I&#039;m curious about &#039;technical architecture and application level instead of at the functional/user level&#039; &#8211; can you provide an example? Are you talking about process execution?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Francine McKenna</title>
		<link>http://www.accmanpro.com/2008/06/26/are-the-big-4-risking-too-much/comment-page-1/#comment-4927</link>
		<dc:creator>Francine McKenna</dc:creator>
		<pubDate>Thu, 26 Jun 2008 19:49:18 +0000</pubDate>
		<guid isPermaLink="false">http://www.accmanpro.com/?p=3118#comment-4927</guid>
		<description>Dennis,

Thanks again for trusting me to deliver the news of the Big 4.  I agree with your assessment that the Big 4, since the sale of their consulting businesses in 2001-2002, have not recovered on the IT side, regardless of their marketing and positioning. Even though Deloitte did not sell, they are still not a consulting firm on the same scale as other systems integrators and are still first and foremost an audit firm, with the independence issues having to take precedence in all cases over any consulting opportunities.

I have also noted on my blog that IT controls are still not on the radar at the requisite level in most Sarbanes-Oxley reviews.  There have been material weaknesses and significant deficiencies related to IT cited only in the most egregious cases.  Too much need to get the financial review right first, and that has taken a long while.  Not enough staff at either the firms or their clients to do it right, and therefore a potentially &quot;collusive&quot; agreement between the firms to let a lot of stuff go until later, such as disaster recovery and contingency planning and really thorough, in-depth reviews of ERP controls at the technical architecture and application level instead of at the functional/user level.  Just as maybe the learning curve had been accomplished for the financial side and there may have been an opportunity to start looking at how systems support financial reporting, we are instead dealing with the hue and cry to reduce costs.  I suspect the next company failure will be because of a catastrophic failure on the part of critical systems to execute proper controls, either due to management fiat such as at Societe Generale or because the software is flawed or incapable of accomplishing the objectives and no one knows or cares.</description>
		<content:encoded><![CDATA[<p>Dennis,</p>
<p>Thanks again for trusting me to deliver the news of the Big 4.  I agree with your assessment that the Big 4, since the sale of their consulting businesses in 2001-2002, have not recovered on the IT side, regardless of their marketing and positioning. Even though Deloitte did not sell, they are still not a consulting firm on the same scale as other systems integrators and are still first and foremost an audit firm, with the independence issues having to take precedence in all cases over any consulting opportunities.</p>
<p>I have also noted on my blog that IT controls are still not on the radar at the requisite level in most Sarbanes-Oxley reviews.  There have been material weaknesses and significant deficiencies related to IT cited only in the most egregious cases.  Too much need to get the financial review right first, and that has taken a long while.  Not enough staff at either the firms or their clients to do it right, and therefore a potentially &quot;collusive&quot; agreement between the firms to let a lot of stuff go until later, such as disaster recovery and contingency planning and really thorough, in-depth reviews of ERP controls at the technical architecture and application level instead of at the functional/user level.  Just as maybe the learning curve had been accomplished for the financial side and there may have been an opportunity to start looking at how systems support financial reporting, we are instead dealing with the hue and cry to reduce costs.  I suspect the next company failure will be because of a catastrophic failure on the part of critical systems to execute proper controls, either due to management fiat such as at Societe Generale or because the software is flawed or incapable of accomplishing the objectives and no one knows or cares.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

