SOX Changes To Increase IT Flexibility

Sarbanes-Oxley Act

On May 23, the Securities and Exchange Commission approved rule changes and new guidelines for interpreting section 404 of the act, instructing companies to focus their controls on those areas that present the greatest risk of affecting their financial reporting. According to the SEC, these changes will allow companies to eliminate unnecessary or very low impact controls while tailoring their efforts to their own specific circumstances.

On May 24, the Public Company Accounting Oversight Board, which reports to the SEC, approved a new standard for outside auditors that mirrors the SEC guidance approved the day before. The new framework, known as Auditing Standard No. 5, directs these outside firms to take a risk-based approach in determining what aspects of a business must be included in their audits. The new standard must now go to the SEC for final approval.

"Under the old rules, people are trying to find everything that could possibly go wrong with financial reporting and include it in their SOX controls, even if it's very low risk," according to Patrick Taylor, CEO of internal auditing software vendor Oversight Systems. "For most businesses, that means most of their IT infrastructure is part of SOX. Odds are that people are doing things that they'd rather not be doing right now, and this will give them a chance to rethink those."

"Congress never intended that the 404 process should become inflexible, burdensome and wasteful," said SEC chair Christopher Cox in a written statement. "The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company's internal controls systems, without creating unnecessary compliance burdens or wasting shareholder resources."

The likely impact of these changes on IT spending is unclear. None of the changes require that companies or auditors undertake specific changes to their current practices; they merely give them additional flexibility to reassess and redesign them if they wish.

To the extent that specific IT expenditures are compliance-driven, for example, the rules may give companies an opportunity to loosen their financial controls and cut the attendant IT costs. The motivators for many compliance-related IT investments, however, are not so clear-cut.

"While compliance is one driver for [our] solutions, there are many others," according to Tamra Muir, vice president for worldwide VAR and distribution partners at business-intelligence software vendor Business Objects. "We continue to see a growing demand across enterprises of all sizes for BI solutions in many functions including finance and corporate governance, but it is certainly not limited to these."

Increased flexibility may also reduce upgrade, re-engineering and new implementation costs, freeing up resources currently sunk in administrative and legal overhead for use in IT projects.

"Right now, if your AV or backup systems are included in your SOX controls, it's really hard to change anything," notes Taylor. "You have to run everything through that oversight and approval process, which makes selling and adopting new technology much more difficult. This could give people more room to innovate."