Sarbanes-Oxley: Act promotes survival of the fittest

By Daniel Blum, Network World
February 07, 2005 12:01 AM ET
You might have seen the Darwin Awards site, whose sponsors salute the improvement of the human gene pool by posthumously honoring those who accidentally kill themselves in really stupid ways. Just as natural selection encourages the survival of the fittest human beings, free enterprise economies encourage survival of the fittest companies.

Enter the Sarbanes-Oxley (SOX) Act, created in the wake of the Enron and other corporate malfeasance scandals to clean up corporate financial reporting and governance. SOX got the attention of executives by threatening them with jail time, but confused IT managers by setting vague requirements for tightening internal controls.

Because the act doesn't specify IT controls in detail, most auditors are using the Control Objectives for Information and related Technology (COBIT) to evaluate SOX IT compliance. But COBIT itself provides only control objectives; it's up to IT managers and architects to determine how to implement controls. And it's up to auditors to decide how deeply to look, and then judge if implementations are acceptable.

Thus, SOX has created great confusion in corporate IT and compliance circles. The scope of compliance efforts and implementation approaches vary widely.

Some companies are taking the Act's mandate to document material weaknesses and create remediation action plans as a clarion call to effect comprehensive security programs and IT improvement. These companies are not afraid to launch ambitious risk mitigation efforts - such as identity management, systematic IT event auditing or process automation - even though those projects might require a few years to complete and will cause changes that must be reassessed during annual SOX audits.

But other companies seem to be contributing to the improvement of the corporate gene pool by floundering through their compliance efforts. Rather than seeking comprehensive security program and infrastructure improvement, these companies are generating piles of documentation at the last minute, then freezing much of the IT infrastructure to reduce the cost of next year's audit. Freezing the state of financial IT and internal controls is shortsighted, appropriate only as a short-term response until mitigation programs can get underway.

Don't doom your IT - and perhaps your company - to obsolescence, risk or worse in the name of reducing Sarbanes-Oxley compliance costs. Establish a systematic, comprehensive approach to the people, process and technology components of security programs based on sound risk management. Use the IT Governance Institute's "COBIT Security Baseline: An Information Security Survival Kit" and "IT Control Objectives for Sarbanes-Oxley" (both available at www.isaca.org) as good information sources. Also, monitor SOX's Public Company Accounting Oversight Board for any new prescriptions on how auditors should interpret compliance with the control objectives. SOX compliance will become clearer. In the meantime, treat the challenge as an opportunity to evolve.
