
IT Compliance Institute, June 26, 2007:

Trends and Technologies

Changing SOX: Redefinition, Refinement, and Reform

Vague guidance and lack of bright-line definitions led to an era of expensive, ultra-conservative audits. As a result, and under the advice of their auditors, many companies are now reining in their SOX efforts. What’s changing? Experts detail the latest SOX guidance, new accounting standards, and optional risk-assessment methodology.

By Mathew Schwartz

Regulatory experts say that due to "incomplete guidance"—in other words, vague and poorly written rules—companies complying with the Sarbanes-Oxley Act of 2002 (SOX) have, on the whole, been overshooting the mark.

Critics contend that SOX auditors routinely classify too many aspects of a company’s IT infrastructure as financial-related, resulting in overly broad, lengthy, and expensive audits. Furthermore, by linking too many IT controls to SOX, companies and their auditors risk missing the big picture: actually preventing fraud, as opposed to just ticking off some checklist of SOX "best practice" controls. "We hear horror stories of people spending weeks trying to document who has keys to the server room and why, as opposed to looking at whether any of those servers were running financial applications, or applications that supply information to the financial applications," says Ellen Libenson, vice president of marketing at Symark Software.

As a result, SOX-related costs remain higher than many would like. In a June 2007 opinion column in the Wall Street Journal, Kenneth Wilcox, president and CEO of SVB Financial Group, a California-based financial services company with $529 million in 2006 revenues, says his company paid over $20 million to the Big Four accounting firms last year, more than five times what it paid in 2003. In particular, he says audits today take longer, require more personnel, and rest on an overly broad definition of "materiality"—that is, of what is actually relevant to SOX.

In response to such criticism, the Public Company Accounting Oversight Board (PCAOB), together with the Securities and Exchange Commission (SEC), has been issuing new guidance to better define the nature of SOX compliance, increase the law’s effectiveness, simplify audits, and reduce companies’ SOX-related costs.

What exactly is changing? The evolving "less is more" approach includes a revised standard for auditors, new and more detailed guidance, plus a supplementary framework for assessing risk. Overall, the changes are intended to focus SOX efforts on accounting and financial applications, and on the controls which directly affect them. Many of the changes were made to decrease the SOX compliance burden for smaller companies: regulators have delayed requiring many foreign and smaller companies to comply with SOX until compliance has been streamlined and cost reductions can be demonstrated. Even so, in the words of SEC chairman Christopher Cox, the changes should help companies of all sizes "right-size the evaluation and assessment efforts of managements."

Defining Material

One sticking point with SOX has been the four paragraphs which comprise SOX section 404. Section 404 requires management of a public company to assess its internal control over financial reporting, and the company’s auditor to attest to that assessment; in practice, this pulls into scope any IT control whose failure—intentional or accidental—might lead to a "material weakness" in financial reporting. Auditors and executives frequently differ on their interpretation of material weakness, and many executives have criticized auditors for taking an overly broad approach, auditing many IT controls with little perceived relation to financial information on the basis that a failure could, technically speaking, somehow affect the availability of a critical system.

To eliminate the confusion, in May 2007, the SEC finally defined the term "material weakness" as "a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis." Then to further focus auditors on what’s financially material, the same month, the SEC issued a new rule requiring auditors to only provide an opinion on control effectiveness, and to discontinue issuing a separate opinion on the effectiveness of management’s approach to controls assessment.

On a related note, the SEC is currently working with the PCAOB on its new Auditing Standard No. 5 (AS5), designed to replace Auditing Standard No. 2 (AS2), which auditors follow when assessing a company’s internal controls for SOX compliance. The PCAOB says the new standard—approved by the PCAOB in May, but still awaiting final SEC approval—is intended to further focus auditors on controls relevant to a company’s financial results. AS5 is designed to be principles-based and more streamlined than AS2. It is intended to focus the internal control audit on the greatest risks to a company, eliminate unnecessary procedures, make the audit more scalable, and simplify the text of the standard.

Know How to Scope

Even so, companies still report difficulty in knowing which IT controls should be within the scope of a SOX audit. In a survey conducted earlier this year by The Institute of Internal Auditors (IIA) of over 500 IT and internal auditors, for example, fewer than 3 percent rated either their—or their external auditor’s—ability to scope IT controls as "extremely efficient." In addition, almost half said scoping costs were too high, and more than three-quarters desired better scoping guidance.

In response, the IIA has been working with the SEC and PCAOB to make scoping easier. In particular, this year it released the Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT), a top-down risk-assessment methodology designed to help management assess whether general IT control failures could directly lead to errors in financial applications. According to the IIA, "if a failure is likely, GAIT identifies the IT general control process risks in detail and the related IT general control objectives that, when achieved, mitigate these risks." At that point, a control framework such as CobiT can be used "to identify the key controls that address these IT general control objectives."

As that suggests, GAIT is neither a control framework such as COSO, which the SEC and PCAOB require companies complying with SOX to use, nor an IT governance framework such as CobiT (Control Objectives for Information and related Technology). Rather, "using a methodology such as GAIT provides a starting point" for helping a company determine "what is in or out of scope for its own IT general controls," says the chief IT auditor at Microsoft, who helped design GAIT. Notably, Microsoft is one of a handful of organizations—including General Motors and Intel—that adopted GAIT as a pilot program before its release, to help better focus SOX audits on identifying which IT control failures could lead to a financial misstatement.

E-mail Archiving for SOX Not Required

The new focus on financials should help companies streamline their approach to SOX, demonstrate the effectiveness of their approach to auditors, and also clear up some lingering misconceptions of scope. For example, Forrester Research analysts Michael Rasmussen and Paul Hamerman say one of the most frequent questions they hear about SOX is which records or e-mails the regulation requires companies to archive. Their answer: Do retain records relating to vital compliance information, such as change management sign-offs, employees’ signed security policies, and control documentation, and ensure those records are authentic, auditable, and cannot be repudiated.

Beyond that, however, SOX doesn’t explicitly require any e-mail archiving. That said, the analysts note, in terms of ensuring the veracity of a company’s financial statements, "it can be seen as a good control around board, executive, and audit communications."

In other words, as befits the new approach to SOX, remember to focus on controls which directly affect the accuracy of financial statements. Some controls, of course, will remain a top priority, including access controls, segregation of duties, and user provisioning, since they can help prevent fraud—the intent of SOX.

On the other hand, if an IT control doesn’t apply to SOX, then move on—and thank the new SEC guidance.

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.


This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.