BPM Today | Taking a Risk-Based Approach to SOX Compliance
Five years after the Sarbanes-Oxley Act became law, many companies are still struggling to meet regulatory compliance requirements. Indeed, SOX and other regulations are time-consuming, costly, and, for some, a stressful reality of doing business in a post-Enron world.
Public companies have spent billions of dollars in efforts to comply with new government regulations over the past five years. This year alone, according to AMR Research, companies will spend $6 billion on technology products for compliance.
There is at least some relief in sight, though. Thanks to the recent changes to SOX, companies and auditors alike now have more flexibility to reassess and even redesign existing compliance practices. It's an opportunity to ease the burden, according to compliance gurus, by taking a risk-based approach.
Taking a risk-based approach means determining which aspects of a business actually need to be included in an audit, rather than trying to enumerate everything that could possibly go wrong and folding all of it into SOX controls.
SOX Basics
For those not yet familiar with the Sarbanes-Oxley Act, a quick review is in order. The Enron and Worldcom accounting scandals led the government to implement a new regulation, one that would forever change the corporate landscape in the United States. That regulation was SOX, which is also known as the Public Company Accounting Reform and Investor Protection Act of 2002.
SOX went into effect in July 2002, mandating new rules in financial reporting and auditing for publicly traded companies. The Securities and Exchange Commission administers SOX to regulate corporate financial records and assign penalties for noncompliance. SOX outlines the types of data that must be recorded and for how long. It also deals with issues such as falsifying data.
In July 2007, the SEC voted unanimously in favor of a new auditing standard and other measures to increase the accuracy of financial reports while reducing unnecessary costs, especially for smaller public companies. Auditing Standard 5 will make Section 404 audits and management evaluations more risk-based and scalable to company size and complexity, according to the SEC's own estimations.
A Risk-Based Approach
So where do you begin? Corporations attempting to leverage Auditing Standard 5's flexibility need to be able to identify what components of the corporate SOX compliance program are going to result in material weakness, according to David Smith, senior compliance analyst at Symantec.
The process starts with a risk assessment that takes into account the impacts of threats and vulnerabilities -- and the controls used to mitigate them -- on systems that directly relate to financials. "Audit Standard 5 tells auditors to scope two areas that either by themselves or when aggregated with other controls would result in or could potentially result in material weaknesses," Smith explained. (continued...)
Link: BPM Today | Taking a Risk-Based Approach to SOX Compliance.
Great article. I wrote a few blog entries on Compliance at http://scanguru.blogspot.com
Posted by: Steve | December 01, 2007 at 08:39 PM