Business Gets More Control Under Sarbanes Oxley Compliance
By Lawrence Walsh | Posted 2008-01-29
Auditors must tie noncompliance to impact on financial reports. No impact, no violation.
If you think your enterprise is spending a lot on Sarbanes-Oxley compliance, you’re not alone. Last year, U.S. businesses spent about $6 billion on SOX, as the federal regulation is commonly known. While SOX spending has leveled off over the past couple of years, analysts say it’s firmly locked into 20 percent of the $30 billion annual corporate compliance costs.
SOX costs have not gone unnoticed by the Public Company Accounting Oversight Board (PCAOB), which was charged by Congress with enforcing accounting regulations. The Board has seen how accounting firms have run up huge fees and forced their clients to spend millions of dollars on IT systems and controls they probably didn’t need.
Few outside the accounting community noticed, but last November that changed when the PCAOB adopted Accounting Standard 5 (AS-5), which completely changes the SOX audit process. AS-5 establishes a top-down approach to auditing and requires auditors to tie compliance directly to its impact on financial reporting.
“If you can’t link something to the financial statements, it’s out of scope,” explains Sharon Virag, the PCAOB’s technical policy implementation director. “We used to hear people talk about the financial-transaction flows through this system, so the system is brought into scope. Now, you only need to focus on the parts that apply to the risk.”
Congress passed SOX in 2002 as its answer to the accounting malfeasance that led to monumental corporate meltdowns at Enron, Global Crossing and others. Its authors—Sen. Paul Sarbanes (D-Md.) and Rep. Michael Oxley (R-Ohio)—put corporate executives’ necks on the line if their companies filed erroneous financial statements. The prospect of doing the perp walk on
Whoa! That’s a big statement—one that everyone from the audit firms to the smallest technology companies has used to inject tech into the compliance conversation. Security, data protection, business intelligence software accuracy and even building locks and trash disposal fell into scope, which naturally drove up costs. Many enterprises have complained about compliance costs, while vendors pinged them with an endless stream of gadgets that would ensure rock-solid SOX compliance. Some have even quipped that the only ones benefiting from SOX are the auditors, since SOX would never have prevented Enron from happening.
The change from the previous accounting standard doesn’t mean IT security and controls are no longer a factor in SOX compliance. The big difference is that the burden now falls on the auditor, not the enterprise, to prove a deficiency is truly a compliance issue.
“For the first time, auditors are not going to be allowed a blank check for compliance,” says Connie Whitecotton, vice president and chief risk and compliance officer at Alfa Insurance, a $700 million insurance company in Montgomery, Ala.
For instance, a subset of IT vendors has claimed that a lack of auditing access to network servers and routers could be construed as a SOX violation because it impinged upon the integrity of the network. Under AS-5, the auditor must show how the lack of a control would affect the data and result in inaccurate financial reports. A big part of that equation is understanding risk. In this case, unauthorized router configuration changes—even if they result in network outages—would likely not change financial reports and would therefore fall out of scope.
“You can’t ignore the implication that you need to make sure your back end is corrected, because that could affect your financial reporting, but it doesn’t mean that all of security is brought into the mix,” Virag says.
The change couldn’t have come at a better time. AS-5 applies to all companies reporting their financial results after
The key to all this, advises Whitecotton, is understanding risks and adequate controls. “We’ve got to understand it to contain the auditors,” she says. Advice well put.