Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

New Rules May Ease SOX Audits

Proposed guidelines could lower SOX costs, lessen auditors' influence

New guidelines for auditors of Sarbanes-Oxley compliance could take effect later this week, lowering the cost of SOX initiatives and reducing companies' dependence on auditors to interpret SOX requirements.

The Public Company Accounting Oversight Board (PCAOB) -- a private, nonprofit entity that gives guidance to the many auditors who evaluate SOX compliance -- on Thursday is scheduled to vote on a range of new recommendations, many of which will make it easier and less expensive for companies to meet the legal regulations.

"These changes could have a very profound effect on the whole compliance effort," says Chris Davis, manager of compliance knowledge management at Cybertrust, which offers security and compliance tools and services. "It's going to take some of the pain away. It's not morphine, but it could at least be Tylenol with codeine."

"If it passes, it will allow companies and auditors to worry more about the things that matter when it comes to financial fraud," says Patrick Taylor, CEO of Oversight, which makes software for analyzing the accuracy and security of financial transactions. "Companies will be able to focus their attention on the more common paths to fraud, such as changes to the general ledger and revenue recognition, and not worry about unlikely paths, like backup."

Since its passage in 2002, SOX has been an incredible drain on corporate IT and security resources. The chief problem is that the law, which is designed to keep public companies from cooking their own books, is extremely vague in its requirements, particularly with regard to IT.

"The original provision is only one paragraph long, which left it open for a lot of interpretation," Davis says. "Most people chose to interpret it very broadly and deeply, which made it a pretty expensive proposition." The question of compliance has been left largely to SOX auditors, who have developed their own methods and rules for determining a company's conformity with the law.

And up to now, auditors have been very strict. "For example, the current guidelines require the auditor do a walk-through of every transaction path that might result in a change to financial data," says Davis. "In a large company, you can imagine how many transaction paths there are."

But the PCAOB's proposed changes to the audit standards would allow companies to perform a risk assessment of their systems and practices, and then focus their efforts on the most likely paths of financial fraud, instead of trying to close every possible loophole.

"They're saying, 'let's stop and think about this,'" says Taylor. "Most financial fraud is going to occur in a rush, right at the end of a reporting period, when the company finds out that it's going to have some problems with its numbers," he says. "Those are going to be changes that somebody makes to the general ledger, which are relatively easy to detect.

"Contrast that with, say, backup," Taylor explains. "To commit financial fraud through a backup system, you'd have to gain access to the backup data, and then you'd have to have the knowledge to alter it. Then you'd somehow have to crash the operational systems so that the backup data would be put in place. That's a lot more complex, and a lot less likely, than making simple changes in the general ledger. And the audit process should reflect that."

The PCAOB's proposed changes could do just that. The governing body is proposing to allow companies to conduct a risk assessment, which will help them identify the most likely avenues for financial fraud. Auditors might then require more stringent compliance in those areas -- such as sophisticated forensics that allow auditors to find out who made changes to the general ledger and when -- while allowing less likely fraud avenues, such as backup tampering, to come under less scrutiny.

The PCAOB also is considering some other new guidelines, such as allowing auditors to accept compliance data from trusted third parties, rather than collecting it all themselves. "That's the kind of thing that could make the difference between an audit lasting two weeks or lasting two months," Davis says.

And the PCAOB is considering adopting more detailed guidelines for how SOX audits are conducted, Davis observes. "There have been some concerns because there's no real accreditation for SOX auditors, as there are for [Payment Card Industry] standards," he says. "This would help set some common standards for what a SOX audit entails and what qualifications an auditor has to have."

The proposed guidelines also relax the requirements for smaller companies that are subject to SOX. While it doesn't lift those requirements, it acknowledges that smaller companies have simpler processes and technologies and therefore should not be put through the same rigorous audit procedures.

Experts concede that even if the proposed guidelines do pass, they will still leave a lot of interpretation to auditors, particularly with regard to the IT security requirements. "We'll get a lot more specificity on the business requirements, but not on the IT requirements," Davis predicts.

— Tim Wilson, Site Editor, Dark Reading

  • Cybertrust
  • Oversight Systems Inc. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Sodinokibi Ransomware: Where Attackers' Money Goes
    Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
    Data Privacy Protections for the Most Vulnerable -- Children
    Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
    State of SMB Insecurity by the Numbers
    Ericka Chickowski, Contributing Writer,  10/17/2019
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    2019 Online Malware and Threats
    2019 Online Malware and Threats
    As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-10-22
    A stack-based buffer overflow in the processPrivilage() function in IOS/process-general.c in nipper-ng 0.11.10 allows remote attackers (serving firewall configuration files) to achieve Remote Code Execution or Denial Of Service via a crafted file.
    PUBLISHED: 2019-10-21
    Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary data from the openemr database via a non-parameterized INSERT INTO statement, as demonstrated by the providerID parameter.
    PUBLISHED: 2019-10-21
    The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.
    PUBLISHED: 2019-10-21
    In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a ...
    PUBLISHED: 2019-10-21
    In FusionPBX up to 4.5.7, the file app\fifo_list\fifo_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS.