CHICAGO -- As of March, publicly held companies have spent an average of $4.4 million to meet mandates within the Sarbanes-Oxley Act. Large companies have devoted at least twice that amount, mainly to find and fix flaws in internal controls before annual reports are submitted to the Securities and Exchange Commission.
Meantime, organizations are creating new C-level titles such as chief risk officer and chief governance officer to oversee this surge in spending. And the ranks working under them are swelling with IT security professionals.
All this to essentially keep the company out of the headlines and the boss out of jail.
"It's no wonder Sarbanes-Oxley has elevated the role of compliance in the boardroom," said Dan Blum, senior vice president and group research director for Utah-based analyst firm Burton Group, during Monday's Information Security Decisions conference in Chicago. Among the penalties for gross SOX violations: imprisonment for the CEO and CFO.
Delegates say that single piece of legislation, created to address accounting fraud, is transforming enterprise security, even at privately held or government-run organizations. SOX currently applies only to public companies and foreign-based enterprises that list their
Although designed to hold executives more accountable, it's the IT department feeling the squeeze to ensure the integrity of all financial data in annual reports. That's creating a corporate cultural shift, placing more resources, but also more responsibility, on technologists.
"Sarbanes-Oxley was never intended to create a huge burden on IT," Blum said during his keynote. "That was a huge accident, almost."
A poll conducted at the conference showed nearly half of 475 delegates [48%] say SOX compliance is under control at their organization. But 25% admit their company is still struggling. A similar number, however, are optimizing compliance at this stage.
Blum told the audience to embrace SOX for the security improvements it can bring -- and even the flaws it may expose. That means coming to terms with both internal and external auditors who typically take a conservative approach to compliance issues.
The best chance of passing an audit begins with establishing a risk management framework, using those created by the Committee of Sponsoring Organizations [COSO] and others for guidance. Companies must also set up a control framework and document all processes and changes. It's the new paper trails that a few delegates said were most time-consuming.
Frustration also stems from auditors and IT security practitioners interpreting SOX risk management differently. It doesn't help that many internal audits are being conducted by unqualified IT staffers pulled into the task due to staff shortages. Be aware that a common mistake, Blum said, is companies assigning risk thresholds that fall short or exceed auditors' expectations, leading to underestimated or unneeded remediation costs.
That doesn't mean those internal controls aren't effective -- or harmful. Last year 582 firms had to disclose material weaknesses or significant deficiencies in internal controls, according to Blum. Nearly all of those companies suffered a drop in their stock upon disclosure.
The key, however, is to learn from mistakes and capitalize on what worked, the analyst advised. And, be wary of vendors touting tools that meet many SOX needs. "Vendors made lots of extravagant claims of SOX-relevance," Blum said. "But in reality, there isn't a tool you can buy to achieve compliance."