The true cost of SOX compliance

* SOX Section 404 lacks guidance

Section 404 of the Sarbanes-Oxley Act leaves much to be interpreted when it comes to financial controls, and even more to be interpreted around required IT controls. One IT manager told me he thought it was an interesting coincidence that the infamous "Internet 404 Error - File Not Found" shared the same digits as the SOX internal controls section. Over the past several years of implementing controls, complying with SOX Section 404's IT-specific guidance has been a "file not found" situation. Lack of specific direction can lead to overzealous interpretations.

As part of a management training program at EDS, I was told about a psychology study where grade school children were observed in the playground. When there was a fence clearly defining the boundaries of the playground, the children took full advantage of the entire fenced-in space, feeling comfortable within the boundaries that were set for them. Where there was no fence, children tended to stay much closer to the school building and did not use the entire playground. The lack of defined boundaries caused very conservative behavior from the children as they felt much safer near the school building. The moral of the story for management practices is to make sure your team has clearly defined boundaries for their authority so they will make the most of it. Without clearly defined boundaries, most people will not exercise their full authority and less growth and innovation will happen.

Given the lack of specific guidance on SOX Section 404, the resulting effect has been for auditors to be very conservative in defining what must be validated, preferring to err on the side of looking at too much rather than too little. They are staying very close to the "school building" by making sure they check everything. This has thrown the cost-benefit ratio into a tailspin. The costs of compliance are way out of whack with the benefits to investors.

According to a recent article in The Washington Times, before SOX was enacted, the SEC estimated compliance costs at around $91,000 per company. But the most recent Manufacturers Alliance survey shows that average costs in the past year for 40 MAPI companies were $1.613 million for external audit fees for Section 404 compliance, plus about $1.894 million for internal compliance work. Clearly there is a big difference between the effort the SEC anticipated for validating compliance and the actual effort put into practice.

Many groups have been working to suggest reforms and more specific guidance for applying SOX Section 404 to IT operations. The Institute of Internal Auditors has published guidance for accounting controls and is in the process of developing guidance for IT controls. GAIT, or Generally Accepted IT Principles, is emerging guidance for applying internal controls to IT. Current practice has been to apply COBIT (Control Objectives for Information Technology) to internal operations and SAS 70 audit principles to outsourced operations. For many organizations, particularly smaller companies, this has been expensive overkill.

Hopefully we will soon see a combination of guidance and reforms that will bring some sanity to the situation, balancing costs with benefits. IT organizations and their outsourcers have plenty on their plates without having to apply internal controls to every process that might remotely fall under SOX Section 404. Watch for more specific direction that will better clarify what is necessary for compliance and what is outside the scope of Section 404.

Sorry, but I do not see any help in sight for those other 404s you run into while surfing the 'Net...but you can check out this site for some fun links to creative 404 Error pages.

Copyright © 2006 IDG Communications, Inc.