SOX Appeal

Two separate oversight bodies responsible for financial reporting and auditing rules under the Sarbanes-Oxley Act (SOX)--the Securities and Exchange Commission (SEC) and Public Company Accounting Oversight Board--took steps in late May to streamline and clarify the act's requirements.

On May 23, the SEC approved new guidelines for interpreting section 404 of SOX, instructing companies to focus their controls on those issues that present the greatest risk of affecting their financial reporting. According to the SEC, those changes will allow companies to eliminate unnecessary controls while tailoring their efforts.

On May 24, the Accounting Oversight Board, which reports to the SEC, approved a new standard for outside auditors that mirrors the SEC guidance approved the day before. The new framework, known as Auditing Standard No. 5, directs these outside firms to take a risk-based approach in determining what aspects of a business must be included in their audits. The new standard must now go to the SEC for final approval.

"Under the old rules, people are trying to find everything that could possibly go wrong with financial reporting and include it in their SOX controls, even if it's very low-risk," says Patrick Taylor, CEO of internal auditing software vendor Oversight Systems. "For most businesses, that means most of their IT infrastructure is part of SOX. Odds are that people are doing things that they'd rather not be doing right now, and this will give them a chance to rethink those."

Also significant, however, is what hasn't changed. Although the SEC has repeatedly extended its April 2005 deadline for public corporations with less than $75 million in market capitalization, it rejected further extensions for compliance in its May announcement.

The likely impact of these changes on overall IT spending is unclear. While smaller public companies may increase spending to comply, larger ones may take the opportunity to loosen some controls and cut attending IT costs. On the other hand, companies may take advantage of the increased flexibility to reconfigure or refocus their IT spending rather than reduce it.

"Compliance issues have driven the recent focus on financial controls, but companies are seeing a real business benefit from them," says Roger Bottum, vice president of marketing at compliance software developer Axentis. "They want to cut back in those areas where they've been forced to overkill, but they're still increasing their investments."