Mention the Sarbanes-Oxley Act (SOX), and the conversation is likely to steer toward giant multinational corporations and the need for broad and deep governance, risk and compliance (GRC) programs, and the chilling image of CEOs and CFOs doing the Enron perp walk. SOX forced many of these companies to re-examine and overhaul their financial controls and accounting systems, file all sorts of new reports, and pay tons of cash to the Big Four audit firms.
But thousands of smaller public companies are the ones feeling most of the pain. The cost of SOX compliance is disproportionate for these companies, both in terms of percentage of revenue and cost per employee, in some cases running into the thousands of dollars per head, as opposed to the hundreds for large enterprises.
"Larger companies have been built to have audits going on frequently. They are complex, so they have compliance programs," says Ed Moyle, a manager with CTG's information security solutions practice and partner at SecurityCurve. "That's where the bigger costs come in. Smaller companies have been focused on growing revenue, not focused on a compliance program, and it's very costly to retrofit."
SOX put a real burden on smaller firms. There were anecdotal reports of some companies delaying or even shelving plans to go public because of it. More strikingly, Kiplinger reported in 2006 that 100-200 companies--including some big names--were reverting to private ownership each year since SOX was
Developing an efficient SOX compliance program is the key for midmarket companies. The right approach can help cut unnecessary costs and give your company the most benefit from improved financial controls and the insight gained from examining your practices and monitoring your systems.
But it's still going to cost you, and, if you are a smaller company, it will cost proportionately more than large enterprises. It's unavoidable.
"You still have to comply and there's a lot of bureaucracy in compliance and you can't spread the cost across as much of a base," says Michael Rasmussen, president of Corporate Integrity. "So, there's still all the overhead of a larger company. While it does scale down some, it doesn't scale down proportionately."
CFO at Top of SOX Org Chart
Experts say an organization's chief financial officer usually runs SOX compliance; audits remove the possibility of conflicts of interest.
Your chief financial officer (CFO) is almost certain to be the person in charge of SOX compliance. Michael Rasmussen, president of Corporate Integrity, goes so far as to say it must be the CFO. In smaller companies, it's common for IT to report to the CFO; it's natural for finance and IT to come together under the CFO for SOX compliance. The CFO, he says, should "roll up his sleeves" and get involved in managing SOX compliance, because it's fundamental to his job.
Doesn't that raise the possibility of conflict?
"No," Rasmussen says. "That's why you have audit. Let the auditor be the independent validator."
SecurityCurve's Ed Moyle and Diana Kelley agree that SOX responsibility typically falls to the CFO, although conditions vary from firm to firm. The CFO understands the company's operations, the communications channels and can make sure the controls aren't interfering with the business.
"However, I'd caution small companies for collusion purposes," says Kelley. "If the CFO is the one doing anything funky with the books, that puts them in oversight of what's going on with IT checks and balances. So the COO--or the CEO if he serves operationally--should be observing."
SEC GRANTS 'RELIEF'
The Securities and Exchange Commission (SEC) took note of the basic inequity of holding smaller firms to the same requirements as mega-corporations, and issued new guidelines in 2007. The SEC delayed initial compliance for companies with less than $75 million in public equity and reduced some of the forms and reports required.
These companies did not have to include a management assessment of their financial controls in their annual report until the fiscal year ending December 15, 2007 or later, and don't have to include an external auditor's attestation until the report on the fiscal year ending December 15, 2009 or later. What's more, companies going public don't have to begin compliance reporting until their second year as a public company.
The fresh SEC guidelines, the "Interpretive Guide for Management," issued in May 2007, were designed to give smaller businesses clearer direction--there is no instruction manual for SOX 404--on how to implement and maintain a compliance program that cuts cost and makes the management assessment program more effective. The CliffsNotes version is available in a brochure, "Sarbanes Oxley Section 404: A Guide for Small Business," but after digesting that you'll need to get very familiar with the full document.
The guidelines stress that your management processes aren't bound by any one method, nor by the method of your external auditor. You should also take a risk-based approach that focuses on the areas of highest risk of "material misstatement" in your financial statements. This point goes a long way toward reducing the scope of your program. Previously, companies were expected to address all areas of risk; now they can zero in on the ones that really count. Finally, your evaluation can be customized for your company's specific facts and circumstances--one size doesn't fit all, especially for small companies with their own business processes, perhaps specialized markets or services, and management structure.
The guide also provides better direction on appropriate supporting evidence and documentation, and on evaluating weaknesses in your controls. The guidelines do not replace the internal control frameworks that still have to be followed, particularly that of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is the generally accepted framework for SOX (COSO expanded its original 1992 framework in 2004 with "Enterprise Risk Management--Integrated Framework").
However, Corporate Integrity's Rasmussen sounds a note of caution, lest you expect too much from these guidelines.
"With clarification comes some relief, but it's still a burden on the organizations," he says. "That's not going away."
YOUR SOX AUDITOR
The Big Four--Deloitte Touche Tohmatsu, PricewaterhouseCoopers, Ernst & Young and KPMG--have created a whole industry around SOX compliance, hauling in most of the fees.
But if you're a smaller public company, that doesn't have to include you.
The upside of hiring one of these giants is their extensive expertise and vast resources in all matters SOX. If they're good enough for Humongous International, they must be good enough for you, right?
Not necessarily. The Big Four will, naturally, send their sharpest and most experienced auditors to work with their biggest clients; it just makes good business sense to focus your best service on the clients paying the most. Not to mention that if a company does have a rough audit, better it be a mom-and-pop shop than some high-profile, multibillion-dollar corporation.
For the same steep fee, your $25 million or $50 million company is more likely to get a bright, eager and very inexperienced auditor, perhaps a year or two out of college. That person may have graduated at the top of his or her class, and have a good grasp of the regulation and guidelines, but little or no understanding of the business you run, its operational and sales practices, and the market in which it is engaged.
If your company is new not just to SOX, but any regulatory requirements, you're going to want an auditor you can draw on for advice and guidance, not just to pass or fail on your controls.
"Where these auditors don't have the knowledge is on the operational side," says Moyle. "So, they may understand the compliance process, but when it comes to understanding the business and how financial systems work and how they interrelate, there's a dearth of knowledge."
One result can be a near-fanatic focus on every possible level of every control, rather than focus on evaluating the effectiveness of key controls over areas of greatest risk. Diana Kelley, co-founder and partner at SecurityCurve, tells of the security director at a brokerage house whose auditor was fixated on the fuel supply for the backup generators for her data center.
"The data center had propane to fuel their backup power, but no backup for the propane," she relates. "And the auditor dinged her on that for SOX. It's a case of running down every possible check box without understanding compensating controls and other methods for providing resiliency."
Part of the problem is that SOX 404 and the guidelines are sufficiently vague to give audit firms a lot of leeway, and the wider the scope of the engagement, the more money they can charge. That's why it's important to work in close collaboration with your auditor early on in the compliance process and reach some understanding of the focus points and scope of the engagement.
"Auditors must be held in check," says Rasmussen. "They want to work very broadly because it means more work for them. Work with them and say, 'what can we come to agreement on; let's scope this together and come to some understanding.'"
The aim, Rasmussen explains, is to understand what the auditor is looking for, and to get him to sign off on a control structure that's reasonable for your company, "that's not going to just bury it."
You should also involve the auditor early because of the "break" small companies get in not being required to have auditor attestation until year two of compliance. Your management assessment can easily go awry the first year without an understanding with your auditor, and you can get badly bloodied when the auditor comes in later on.
Auditors aren't the only ones responsible for runaway scope. Sometimes IT managers use SOX as a pretext for pushing through pet IT or security projects that the CFO has turned down based on previous arguments.
In addition to getting the auditor involved up front, hiring an outside consultant makes sense at the outset. If your management team lacks SOX expertise and experience, or if they simply have too much to do helping run the business, a consultant can help you make good choices--including the right audit firm--and avoid costly mistakes.
Rasmussen advises small public companies to steer clear of the Big Four, because they are likely to get relatively inexperienced people. He says small companies will get better service and consistency from any number of the smaller, local audit companies that cater to SMEs and actually like doing business with smaller clients. He also suggests investigating mid-tier companies such as Jefferson Wells, Grant Thornton, BDO Seidman and Crowe Horwath, among others.
MORE THAN SOX?
Your company may be on the small side, but you still may have to deal with more than one regulation. For example, if you take credit cards, you also have to deal with PCI DSS. If you're a financial services company, you're probably subject to GLBA. And just about every company must be leery of the 40-plus state data breach disclosure laws. Even if you're only subject to SOX now, it's a good bet that a year, or two years or five years from now, there will be other regulations that you'll have to deal with.
Rasmussen says redundant multiple assessment programs are often "what's burying organizations, large and small." You'll have hundreds of spreadsheets and questionnaires, often covering the same data and asking the same questions. GLBA, for example, involves identity and access controls around personal information, while SOX is going to be dealing with identity and access controls and separation of duties.
"There's a common infrastructure of controls that can be used for multiple compliance purposes," he says.
Better to develop a compliance program from the start, with a broad base of meta controls that you can map to particular requirements as they come along. Then you can fill the gaps as a particular regulation requires.
"Be prepared for compliance, not just SOX," says Kelley. "It's going to be a painful investment if you haven't been compliance aware. Do you want to spend that money heavily every time there is a new mandate?"
Neil Roiter is senior technology editor for Information Security. Send comments on this article to firstname.lastname@example.org.
This was first published in October 2009