This article can also be found in the Premium Editorial Download "Information Security magazine: Reflections on the impact of Sarbanes-Oxley."
"After seeing what happened with Enron and Arthur Andersen, consulting firms were a little gun-shy about taking any semblance of a risk-based approach to audit," says Mike Nelson, president of SecureNet Technologies, an information security consulting shop in San Ramon, Calif. "They wanted to audit every single control to the nth degree. But, in the last year or two, the Public Company Accounting Oversight Board (PCAOB)"--the nonprofit created by the passage of SOX to oversee auditors--"has focused more on the areas of the enterprise that represent the highest risk of threat."
Subsequent SOX audits have made companies more savvy. "We have reduced our key controls by one-third, from 75 to about 50," cutting audit fees in half, says Hamid Mashouf, vice president of technology at bebe, the San Francisco-based women's clothing company, which has completed three audits. "We ratcheted back because some were not needed."
Even as SOX implementation work has waned, assessment is going strong.
"We think there are more than 6,000 non-accelerated filers out there, so the bulk of the marketplace for SOX compliance is in front of us," says Rick Dakin, president and founder of Coalfire Systems, a Louisville, Colo.-based auditor.
Ultimately, SOX set the stage for organizations to meet more federal requirements. "My FISMA business is heating up," says Nelson. "SOX is cooling down."
Amy Rogers Nazarov is a freelance writer based in Washington, D.C.
Send comments on this article to firstname.lastname@example.org.
This was first published in January 2008