Risk management, controls key to SOX

Good information security professionals don't need a regulation to tell them it's important to protect their business. But, overprotecting the business? That's another matter.

The focus of Section 404 of the Sarbanes-Oxley Act (SOX 404) on internal control has been a welcome call to action for some; others say it goes too far. A variety of companies and industry associations presented the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) with a litany of complaints and suggestions at the SEC's public roundtable last month.

The backlash against SOX 404's high documentation, testing and audit costs probably will lead the PCAOB to rein in overzealous auditors. The SEC also might provide more relief for small companies, which already obtained an extension of their compliance deadline to July 2006.

Beyond such changes, few would advocate throwing the baby (SOX's investor protections) out with the bath water (excessive SOX 404 audits). Besides, SOX 404 compliance brings its own rewards for companies, if scoped correctly.

PCAOB's current guidelines call for companies to develop internal controls based on risk management considerations - what risks to accept, avoid or transfer before rushing in with protective measures. Moreover, the cost of protections should be proportionate to the consequences they prevent or other benefits they bring to the business. If SOX is causing your company to increase emphasis on risk management, that's a good thing in itself.

SOX risk management runs a bit sideways to traditional risk management, which focuses on preventing major losses. SOX doesn't care, so to speak, whether the company loses money, as long as it accurately reports on losses. Therefore, SOX remediation should pay the most attention to locations, systems and applications that deal directly with large amounts of financial information. Companies should make sure that auditors do the same.

Along with scoping, companies must develop a control framework for SOX. This framework, consisting of control objectives and control activities, should be based on the nature of the business and its information security program. It should contain no more and no less than is required to protect resources in scope for SOX compliance.

While SOX compliance is expensive, much of the effort is reusable. Every company should be doing risk management, for example. Many control activities - such as deploying firewalls, access controls and audit logs - represent best practices you should be following anyway.

SOX 404 itself is unlikely to go away. Companies should treat its mandate as an opportunity to strengthen risk management, information security and compliance with a growing body of regulations - not just SOX. The trick is to document control frameworks for SOX and any other regulations in such a way as to limit the scope of SOX audits while reusing appropriate security practices and control activities across the business.

Blum is senior vice president and research director with Burton Group, an integrated research, consulting and advisory service. He can be reached at danjblum@yahoo.com.


Copyright © 2005 IDG Communications, Inc.