After spending a lot of time and effort working with auditors and reviewing their internal controls, many large companies appear prepared for the November 15 filing deadline for section 404 of the Sarbanes-Oxley (SOX) Act. However, security executives have found that some are still scrambling and have run into unexpected issues during the compliance process.
"Most are ready," said Bill Swanton, a vice-president at Boston-based AMR Research. "They've been working for the last quarter or two with their auditors, going over the information, making sure there are no issues and that all of their controls have been working well for the past quarter."
Section 404 of SOX requires corporate executive management to attest to the effectiveness of the internal controls on their financial reporting. Larger public companies face the November 15 deadline and must file the attestations with their annual reports, said Swanton.
Specifically, companies need to make sure they have a good segregation of duties at both the business process and security levels, he continued. "And they're making sure that all the things that happen are auditable."
One CIO of a Fortune 500 global distributor of communication equipment, who requested anonymity, said his firm has spent a lot of time and money on tools to comply with section 404.
"We're working hand-in-hand with our outside auditors. Early on, they identified some key points we needed to address. We're spending time and effort to attack those points to ensure we're in compliance," he said.
"That ranges from physical security and the testing process to user [logical] access to systems."
He expects the company "will get a clean bill of health." While auditors are likely to find some weaknesses, he doesn't believe they will be material.
Dan Sawyer, principal at Portland, Oregon-based Prime Meridian Consulting Group, who has been working with companies on their 404 compliance, said large companies facing the deadline are in good shape, but he noted that the process is uncharted territory.
"The issue here is this is a new compliance standard and, as with most standards, the majority of the compliance criteria will be done on precedent," he said.
"With thousands of companies coming out of the gate at the same time, there's no precedent. There's simply a lot of confusion. But as we go forward, it will sort itself out."
Clearly, some companies are more prepared than others, observed Entrust chairman, president and CEO Bill Conner.
"There are a lot of companies learning that their information security governance or information security is lacking," he said. "Even for those who believe they are through the 404 this year, there will be a lot of focus on how to mechanize, administer, and manage compliance going forward."
In its own 404 compliance, Entrust benefited from the fact that it started an infosec governance program about two years ago, he said. "The 404 part that everyone is focused on is all about process," he explained. "We've been focused on the processes that we run the company on, as well as the IT and security behind that."
Ken Searl, CEO of Minneapolis-based security firm Prodigen, said many companies are scrambling to meet the deadline and did not realize how granular auditors would ask them to get on items such as access control.
"The C-level executives didn't understand how dramatic these new guidelines are," he said.
Many companies also are realizing that Section 404 requires them to have physical access controls in place in addition to logical access controls, said Tom Goldman, president and CEO of NetBotz.
"Companies have done a reasonably good job of taking care of the network side of the issue with virus protection and firewalls," he commented. "What they've done a poor job of protecting, which is specifically mandated by Sarbanes-Oxley, is that they have to physically protect it [assets] as well."
SOX compliance is driving enterprises to spend millions on IT security projects involving access control, authentication, and preservation of audit information, said Dick Mackey, principal at Sudbury, MA-based security consulting firm SystemExperts. But because the law is not specific with regard to requirements for internal controls, there is wide variation in the way companies are interpreting compliance, he added.
In fact, it appears that many companies are working feverishly to get controls in place that meet guidelines set up by external auditors rather than guidelines set by SOX, noted Mackey.
And companies need to think beyond the November deadline and be prepared for the ongoing work and costs associated with SOX compliance, advised AMR's Swanton.
"Every quarter and every year, auditors will come back and want you to do more," he said. "This is an ongoing process. It will evolve and you have to do it every quarter, every year to make sure controls are still working, that as your business changes, your controls are migrating with it."
Overall, all the effort companies are putting into SOX compliance is accelerating recognition of the importance of security, consultant Sawyer believes.
"This has produced beneficial outcomes," he said. "Yes, it adds expense. But ultimately it adds efficiency and insight because of the value of the implementation."