Taking a Risk-Based Approach to SOX Compliance

Started by Sunite, November 19, 2007, 08:22:45 PM


Sunite

Taking a Risk-Based Approach to SOX Compliance
By Jennifer LeClaire
September 14, 2007 10:42AM

With the fruits of a risk-based approach being less work, greater levels of compliance, and fewer headaches with regulators, why isn't every company using these methods? Auditor variance is one issue. But Richard Noguera, director of Risk Management-Compliance at McAfee, said a solid controls framework could meet that challenge.

Five years after the Sarbanes-Oxley Act became law, many companies are still struggling to meet regulatory compliance requirements. Indeed, SOX and other regulations are time-consuming, costly, and, for some, a stressful reality of doing business in a post-Enron world.

Public companies have spent billions of dollars in efforts to comply with new government regulations over the past five years. This year alone, according to AMR Research, companies will spend $6 billion on technology products for compliance.

There is at least some relief in sight, though. Thanks to the recent changes to SOX, companies and auditors alike now have more flexibility to reassess and even redesign existing compliance practices. It's an opportunity to ease the burden, according to compliance gurus, by taking a risk-based approach.

Taking a risk-based approach involves determining which aspects of a business need to be included in an audit versus just trying to find everything that could possibly go wrong and including it in SOX controls.

SOX Basics

For those not yet familiar with the Sarbanes-Oxley Act, a quick review is in order. The Enron and WorldCom accounting scandals led the government to implement a new regulation, one that would forever change the corporate landscape in the United States. That regulation was SOX, which is also known as the Public Company Accounting Reform and Investor Protection Act of 2002.

SOX went into effect in July 2002, mandating new rules in financial reporting and auditing for publicly traded companies. The Securities and Exchange Commission administers SOX to regulate corporate financial records and assign penalties for noncompliance. SOX outlines the types of data that must be recorded and for how long. It also deals with issues such as falsifying data.

In July 2007, the SEC voted unanimously in favor of a new auditing standard and other measures to increase the accuracy of financial reports while reducing unnecessary costs, especially for smaller public companies. Auditing Standard 5 will make Section 404 audits and management evaluations more risk-based and scalable to company size and complexity, according to the SEC's own estimations.

A Risk-Based Approach

So where do you begin? Corporations attempting to leverage Auditing Standard 5's flexibility need to be able to identify what components of the corporate SOX compliance program are going to result in material weakness, according to David Smith, senior compliance analyst at Symantec.

The process starts with a risk assessment that takes into account the impacts of threats and vulnerabilities -- and the controls used to mitigate them -- on systems that directly relate to financials. "Audit Standard 5 tells auditors to scope two areas that either by themselves or when aggregated with other controls would result in or could potentially result in material weaknesses," Smith explained. (continued...)