Business Gets More Control Under Sarbanes Oxley Compliance

By Lawrence Walsh  |  Posted 2008-01-29

Auditors must tie noncompliance to impact on financial reports. No impact, no violation.

If you think your enterprise is spending a lot on Sarbanes-Oxley compliance, you’re not alone. Last year, U.S. businesses spent about $6 billion on SOX, as the federal regulation is commonly known. While SOX spending has leveled off over the past couple of years, analysts say it’s firmly locked into 20 percent of the $30 billion annual corporate compliance costs.

SOX costs have not gone unnoticed by the Public Company Accounting Oversight Board (PCAOB), which was charged by Congress to enforce accounting regulations. The Board has seen how accounting firms have run up huge fees and forced their clients to spend millions of dollars on IT systems and controls they probably didn’t need.

Few outside the accounting community noticed, but last November that changed when the PCAOB adopted Accounting Standard 5 (AS-5), which completely changes the SOX audit process. AS-5 establishes a top-down approach to auditing and requires auditors to tie compliance directly to its impact on financial reporting.

“If you can’t link something to the financial statements, it’s out of scope,” explains Sharon Virag, the PCAOB’s technical policy implementation director. “We used to hear people talk about the financial-transaction flows through this system, so the system is brought into scope. Now, you only need to focus on the parts that apply to the risk.”

Congress passed SOX in 2002 as its answer to the accounting malfeasance that led to monumental corporate meltdowns at Enron, Global Crossing and others. Its authors—Sen. Paul Sarbanes (D-Md.) and Rep. Michael Oxley (R-Ohio)—put corporate executives’ necks on the line if their companies filed erroneous financial statements. The prospect of doing the perp walk on CNBC got every CEO’s attention. SOX’s sole intention was to ensure accountability and protect investors from parking their money in companies that were cooking the books. But the regulation’s Section 404 used language to the effect that CEOs must ensure the integrity of the systems that process their data.

Whoa! That’s a big statement—one that everyone from the audit firms to the smallest technology companies has used to inject tech into the compliance conversation. Security, data protection, business intelligence software accuracy and even building locks and trash disposal fell into scope, which naturally drove up costs. Many enterprises have complained about compliance costs, while vendors pinged them with an endless stream of gadgets that would ensure rock-solid SOX compliance. Some have even quipped that the only ones benefiting from SOX are the auditors, since SOX would never have prevented Enron from happening.

The change from the previous accounting standard doesn’t mean IT security and controls are no longer a factor in SOX compliance. The big difference is that the burden now falls on the auditor, not the enterprise, to prove a deficiency is truly a compliance issue.

“For the first time, auditors are not going to be allowed a blank check for compliance,” says Connie Whitecotton, vice president and chief risk and compliance officer at Alfa Insurance, a $700 million insurance company in Montgomery, Ala.

For instance, a subset of IT vendors has claimed that a lack of auditing access to network servers and routers could be construed as a SOX violation because it impinged upon the integrity of the network. Under AS-5, the auditor must show how the lack of a control would affect the data and result in inaccurate financial reports. A big part of that equation is understanding risk. In this case, unauthorized router configuration changes—even if they result in network outages—would likely not change financial reports and would therefore fall out of scope.

“You can’t ignore the implication that you need to make sure your back end is corrected, because that could affect your financial reporting, but it doesn’t mean that all of security is brought into the mix,” Virag says.

The change couldn’t have come at a better time. AS-5 applies to all companies reporting their financial results after Nov. 15, 2007, which is most of the companies announcing earnings around this time. Likewise, auditors and enterprises will have a year’s experience under the new standard when publicly traded companies with less than $75 million in revenue come under SOX’s umbrella in late 2008.

The key to all this, advises Whitecotton, is understanding risks and adequate controls. “We’ve got to understand it to contain the auditors,” she says. Advice well put.

Lawrence Walsh is editor of Baseline magazine, overseeing print and online editorial content and the strategic direction of the publication. He is also a regular columnist for Ziff Davis Enterprise's Channel Insider. Mr. Walsh is well versed in IT technology and issues, and he is an expert in IT security technologies and policies, managed services, business intelligence software and IT reseller channels. An award-winning journalist, Mr. Walsh has served as editor of CMP Technology's VARBusiness and GovernmentVAR magazines, and TechTarget's Information Security magazine. He has written hundreds of articles, analyses and commentaries on the development of reseller businesses, the IT marketplace and managed services, as well as information security policy, strategy and technology. Prior to his magazine career, Mr. Walsh was a newspaper editor and reporter, having held editorial positions at the Boston Globe, MetroWest Daily News, Brockton Enterprise and Community Newspaper Company.
