New Rules May Ease SOX Audits

Proposed guidelines could lower SOX costs, lessen auditors' influence

New guidelines for auditors of Sarbanes-Oxley compliance could take effect later this week, lowering the cost of SOX initiatives and reducing companies' dependence on auditors to interpret SOX requirements.

The Public Company Accounting Oversight Board (PCAOB) -- a private, nonprofit entity that gives guidance to the many auditors who evaluate SOX compliance -- on Thursday is scheduled to vote on a range of new recommendations, many of which will make it easier and less expensive for companies to meet the legal regulations.

"These changes could have a very profound effect on the whole compliance effort," says Chris Davis, manager of compliance knowledge management at Cybertrust, which offers security and compliance tools and services. "It's going to take some of the pain away. It's not morphine, but it could at least be Tylenol with codeine."

"If it passes, it will allow companies and auditors to worry more about the things that matter when it comes to financial fraud," says Patrick Taylor, CEO of Oversight, which makes software for analyzing the accuracy and security of financial transactions. "Companies will be able to focus their attention on the more common paths to fraud, such as changes to the general ledger and revenue recognition, and not worry about unlikely paths, like backup."

Since its passage in 2002, SOX has been an incredible drain on corporate IT and security resources. The chief problem is that the law, which is designed to keep public companies from cooking their own books, is extremely vague in its requirements, particularly with regard to IT.

"The original provision is only one paragraph long, which left it open for a lot of interpretation," Davis says. "Most people chose to interpret it very broadly and deeply, which made it a pretty expensive proposition." The question of compliance has been left largely to SOX auditors, who have developed their own methods and rules for determining a company's conformity with the law.

And up to now, auditors have been very strict. "For example, the current guidelines require the auditor do a walk-through of every transaction path that might result in a change to financial data," says Davis. "In a large company, you can imagine how many transaction paths there are."

But the PCAOB's proposed changes to the audit standards would allow companies to perform a risk assessment of their systems and practices, and then focus their efforts on the most likely paths of financial fraud, instead of trying to close every possible loophole.

"They're saying, 'let's stop and think about this,'" says Taylor. "Most financial fraud is going to occur in a rush, right at the end of a reporting period, when the company finds out that it's going to have some problems with its numbers," he says. "Those are going to be changes that somebody makes to the general ledger, which are relatively easy to detect.

"Contrast that with, say, backup," Taylor explains. "To commit financial fraud through a backup system, you'd have to gain access to the backup data, and then you'd have to have the knowledge to alter it. Then you'd somehow have to crash the operational systems so that the backup data would be put in place. That's a lot more complex, and a lot less likely, than making simple changes in the general ledger. And the audit process should reflect that."

The PCAOB's proposed changes could do just that. The governing body is proposing to allow companies to conduct a risk assessment, which will help them identify the most likely avenues for financial fraud. Auditors might then require more stringent compliance in those areas -- such as sophisticated forensics that allow auditors to find out who made changes to the general ledger and when -- while allowing less likely fraud avenues, such as backup tampering, to come under less scrutiny.

The PCAOB also is considering some other new guidelines, such as allowing auditors to accept compliance data from trusted third parties, rather than collecting it all themselves. "That's the kind of thing that could make the difference between an audit lasting two weeks or lasting two months," Davis says.

And the PCAOB is considering adopting more detailed guidelines for how SOX audits are conducted, Davis observes. "There have been some concerns because there's no real accreditation for SOX auditors, as there are for [Payment Card Industry] standards," he says. "This would help set some common standards for what a SOX audit entails and what qualifications an auditor has to have."

The proposed guidelines also relax the requirements for smaller companies that are subject to SOX. While it doesn't lift those requirements, it acknowledges that smaller companies have simpler processes and technologies and therefore should not be put through the same rigorous audit procedures.

Experts concede that even if the proposed guidelines do pass, they will still leave a lot of interpretation to auditors, particularly with regard to the IT security requirements. "We'll get a lot more specificity on the business requirements, but not on the IT requirements," Davis predicts.

— Tim Wilson, Site Editor, Dark Reading

  • Cybertrust
  • Oversight Systems Inc.
  • Recommended Reading:
    Editors' Choice
    Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
    Joshua Goldfarb, Director of Product Management at F5