Also, the lack of definitive regulations has delayed much of the current enforcement; SOX requirements may be loosened in the near term. It seems, too, that the SEC is giving public companies the room to fix problems that are identified during examinations.
Implementing strong financial controls requires a change in process, culture and technology. This shift takes time, and the SEC hasn't gotten around to chasing folks yet.
To be clear, examinations are happening every day, and not many folks are "passing." In many cases, it has very little to do with security controls. The burden of financial controls and ensuring the integrity of financial reporting is stymieing many organizations, especially the small ones. "Passing" is also still somewhat subjective, meaning your grade may depend on your examiner and probably what side of the bed he/she woke up on that day. A lot of the industry has agreed on COBIT as an acceptable framework for Sarbanes-Oxley compliance.
Regulations are in place to make sure that organizations do the right thing. Whether SOX is enforced or not, it's probably a good idea for a company to have tight financial controls in place. An organization should also make efforts to protect customers' private data, regardless of HIPAA, GLBA or PCI.
Dig deeper on Sarbanes-Oxley Act
Related Q&A from Mike Rothman, Contributor
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ...continue reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ...continue reading
When developing software securely, what role does gap analysis play? In this security management expert response, learn how to implement gap analysis...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.