Repeal SOX? No; Modify SOX? Yes
Luther Martin made a case for the repeal of SOX in a post last week. His case was based on a 1947 ruling by Learned Hand that, in effect, said the cost of mitigating risk should not exceed the cost of the risk itself. Martin goes on to compare the cost of SOX compliance to the potential risks to make his case.
I agree that costs for SOX compliance have been unnecessarily high. The compliance law was intentionally vague in what controls it would measure, which has led to a lot of guesswork by IT departments and auditors alike as to what are reasonable controls to audit. Companies were also ill-prepared to face the first few rounds of SOX audits, so a lot of manual effort was required.
However, the SEC, through the PCAOB, is putting a lot more emphasis on ensuring greater consistency in SOX audits. On the IT side, many organizations have implemented automated solutions to identify and manage information on key IT controls. These investments should significantly reduce the cost of SOX and other regulatory compliance audits, and they also help ensure the security, availability and performance of the business services that IT provides.
I disagree with his estimates for potential fraud. $1 million is too low, in most cases. Most fraud cases that are disclosed have the potential to reach into the tens of millions.
Eliminating SOX would be a step backward. A better course of action would be for legislators, the SEC, and PCAOB to follow the lead taken by credit card companies with the PCI DSS or NERC with its new standards. These regulations are more comprehensive (PCI still needs to work on physical security measures as evidenced by the recent PIN pad fraud at Stop n Shop) and specific in exactly what they will require and audit, giving organizations a real roadmap to achieve compliance objectives.
One area where I do agree with Mr. Martin is in making sure organizations don't lose sight of information security, just for the sake of compliance. As he says in his post, "While SOX addresses risks that are perceived to be important, at least by the US government, many information security projects can address risks that are very real. But with the reallocation of funding from information security to compliance, many of these real risks are going unaddressed."
Can and should SOX be updated and better defined? Yes. Should it be eliminated? No.

Contingency plan templates created by www.training-hipaa.net can jump start HIPAA, Sarbanes-Oxley (SOX), FISMA, ISO 17799 and many other regulation/standard contingency plan projects, which include risk assessment, business impact analysis (BIA), business continuity plan (BCP), disaster recovery program (DRP), emergency mode operation plan (EMOP), data backup plan, testing and revision procedures and many other projects. These templates can also be used by IT departments of different companies, security consulting companies, manufacturing companies, servicing companies, financial institutions, educational organizations, law firms, pharmaceutical & biotechnology companies, telecommunication companies and others. Any organization, large or small, can use these templates.
http://www.training-hipaa.net/template_suite/enterprise_contingency_plan_template_suite.htm
Posted by: compliance advisor | September 18, 2007 at 07:41 AM
Unfortunately, a simple law/Act for the protection of all stakeholders has been blamed for the intentional ignorance and misinterpretation.
A structured corporate governance based on a risk-based top-down approach conforming to the COSO/ERM framework is needed, depending upon the environment of the individual corporation and upon its governance maturity model, to ensure reliable recording and reporting of financial statements.
You don't need elaborate IT or other systems to implement these basics. IT/systems are optional tools, not the end.
Posted by: Subhash Manchanda, CIA | March 13, 2007 at 09:21 AM