IT security consultant Jim Reavis may have recently offered a big-time scoop to readers of his blog. Citing unnamed sources, he reported that Symantec is in talks with some of its investors, an indication that the security giant may be considering a return to private status. In the RiskBloggers.com entry, Reavis opines that “a couple of years sans the [Sarbanes-Oxley Act of 2002] will allow the execs to focus more on the business and aligning their healthy security and storage product portfolio with market needs.”
Whether the rumors prove true — Symantec has a no comment policy on such topics — the speculation is notable, if for no other reason than the date the blog was written: mid-July, just a couple of weeks shy of July 30, the day Sarbanes-Oxley turned five years old. Drafted as a means for corporate accountability in light of financial reporting scandals at Tyco International and the now defunct Enron and WorldCom, the largest corporate mandate of this decade is all grown up...right?
Think again, experts say. While SOX did successfully shift the burden of risk responsibility onto executives, the law has turned into an animal of its own with a legion of unintended consequences, both negative and positive, that few could have ever imagined. So while CEOs and CFOs have successfully dodged prison bars and major fines, firms are still feeling the law's unexpected effects in a big way — a half-decade later.
“It's had more wide-ranging impact than anyone could have expected in 2002 when it was passed,” says Steven Adler, program director, IBM Data Governance Solutions, based in Armonk, N.Y.
Detractors say the legislation, especially Section 404 — the internal controls provision — is myopic in scope, created during a time when lawmakers were rushing to restore integrity in publicly traded companies and to help regain stockholder confidence.
Instead, they say, the guidelines have resulted in onerous costs for businesses — especially smaller entities — through unnecessary documentation and product purchases. This, in turn, stymied risk-
taking, research and development and competitiveness, much of which lingers to this day. The number of companies launching initial public offerings (IPOs) has slumped, and some public firms have decided to go private. Is Symantec next?
On the other hand, proponents say the mandate has driven collaboration within organizations, as SOX cast light on the importance of IT departments, leading to a stronger management commitment to security. This, in turn, has resulted in streamlined and automated technology controls. And, as a result of the better understanding of these security controls, many companies have embraced the concept of corporate governance and risk management, while adding strategic value to their bottom line.
Documenting the documentation
SOX may have its share of critics, but nobody can deny the guidelines were not taken seriously from the start. Lloyd Hession, CSO, global financial services, at BT, an IP networking services provider, says there were obvious big winners in boardroom battles, namely accountants, consultants and IT workers. How would anyone successfully trump a SOX-related project, Hession wonders, “when they're claiming what they do keeps the boss out of jail?”
But all of those project approvals have led to exorbitant costs through auditing fees, documentation and questionable product purchases, experts say. And the costs have yet to relent, according to an AMR Research study released in February, which said companies will spend $6 billion to comply this year.
Meanwhile, a May report from Financial Executives International shows that some progress has been made, especially for those firms with centralized operations. The study concludes that Section 404 spending fell 23 percent from 2005 to last fiscal year. Still, as the study points out, 78 percent of respondents believe costs have outweighed the benefits.
“We're seeing a lot of folks who just can't afford it,” says James Sayles, chief compliance adviser at Ecora Software, a Portsmouth, N.H.-based compliance solutions provider. He says most firms face external auditing fees of $250 to $300 per hour, not to mention the $125-to-$150 charge most IT consultants charge prior to any audit.
So what is causing all of these billable hours to accrue? Experts say many companies have applied a granular, bottom-up approach in which they document every control, instead of the key few controls, such as change management, access and security, says Ellen Libenson, vice president of product management at Symark, an Agoura Hills, Calif.-based provider of identity management solutions.
“There was a myth that more is better,” adds Steve Schlarman, chief compliance strategist at Reston, Va.-based Brabeion Software and a former director in PricewaterhouseCooper's Advisory Practice. “A good control is a good control. You don't need 300 controls documented if you have 50 really good ones.”
Because Section 404, a passage totaling just over 150 words and open to much interpretation, requires companies to report the adequacy of their internal controls, many firms have assumed that they had better document everything.
“People went overboard,” says Prashanth “PV” Boccasam, founder and CEO of Approva, a Reston, Va.-based compliance solutions provider. “People would go in and even document the fact that they documented the documentation. And that's no fun, both for the people that were reading it or doing it.”
Solutions also have proved costly, especially when many vendors used the guidelines (and the associated penalties) as a sales pitch for products that were not necessarily needed to reach compliance. such as encryption or intrusion prevention systems, experts say.
Hession says BT, already a defense contractor and regulated utility, was a compliance veteran when SOX took effect, but many corporations were not as lucky. They decided to buy unneeded products instead of relying on proven internal control and governance frameworks, such as COSO or COBIT.
“It came down to doing the basics well,” Hession, a ConSentry Networks customer, says, explaining that maintaining logs, having a process in place to review those logs, and not using shared passwords go a long way toward reaching compliance.
The soft costs
Of all the consequences of SOX that remain, indirect costs may be posing the biggest problem, particularly in the areas of risk-taking and research and development (R&D), experts say. A June University of Pittsburgh study reveals that a database review of 4,239 U.S. corporations showed that R&D significantly dipped post-SOX.
And remember the days when going public was the vogue move for emerging companies? Well, apparently, a lot has changed, and it seems SOX may be at least partially responsible.
The study shows that companies relying on R&D declined going public with increasing frequency after SOX.
“The idea is that [American companies] are not taking the same risks and they're saving that money for dealing with compliance issues and litigation,” says the blogger Reavis, who is managing partner of the Reavis Consulting Group and a former executive director of the Information Systems Security Association. “The CEO of the past may not be the risk warrior of the future. That person is more of a bean counter.”
It should be noted that IPOs in the U.S. appear to be rebounding. In May, the National Venture Capital Association reported that venture-backed IPOs posted their strongest month since 2004.
When a law threatens prison time for CEOs, it is no surprise that all divisions of a company — namely, business and IT — are working together to solve the puzzle that is SOX. Jason Lish, senior manager of application and SAP security at the Tempe, Ariz.-based Honeywell Aerospace, says the security, business control and finance teams still meet twice a week to discuss the mandate.
Even accountants are getting respect. “We used to view auditors as evil,” he says. “Now I think we realize the value. Whenever they come in, we're curious about what they're going to discover.
It's really things we have to address from a SOX or security standpoint.”
This new cooperation has one major downside. “Sometimes you don't know who should be taking responsibility,” Lish says. “There are so many hands in the cookie jar.”
Still, without many realizing it, the collaboration has led to better overall operational awareness and corporate governance with the goal being long-term value for shareholders, a benefit that can prove far greater than passing an audit checklist, say experts.
Also, many SOX projects that did get the green light helped automate compliance, something end-users say trimmed costs and sped up the process. “We can streamline SOX just like everything else,” says Lish, an Approva customer. “At the start, we actually had to pull people off other projects. We sent people around the world to touch all of our data centers.”
SOX also has prepared organizations for other requirements, such as the Payment Card Industry standards, although those are much more prescriptive in nature. “SOX has kind of set a precedent for holding companies accountable to certain requirements,” says Brabeion's Schlarman.
Five years after SOX took effect, two distinct voices remain, despite some headway being made on reform. If anything, time has done wonders, say those forced to grapple with the regulations, and — for better or worse — acceptance has emerged.
“It's not like my heart drops every time I hear ‘SOX' anymore,” Lish says.
Since the Sarbanes-Oxley Act of 2002 was enacted, Section 404 — the section of the law requiring an annual evaluation of internal controls — has caused the greatest grief for IT security
The provision has been “very granular and requires documentation for minute issues,” says IT security consultant Jim Reavis. “It needs to be interpreted to go after more egregious offenders rather than well-meaning companies.”
But the confusion appears to be on the cusp of reform. In late May, the federal Securities and Exchange Commission announced new interpretative guidance for Section 404. The new guidance “will enhance compliance...by focusing company management on the internal controls that best protect against the risk of a material financial misstatement,” the agency says.
The new guidelines will be aligned with the Public Company Accounting Oversight Board's Auditing Standard No. 5, designed to tailor audits to the size of the company so to avoid unnecessary procedures.
“Congress never intended that the 404 process should become inflexible, burdensome and wasteful,” SEC Chairman Christopher Cox says in the May announcement.
James Sayles, chief compliance adviser at Ecora Software, says the new standard — set to take effect in November — will increase clarity and help companies save money. “The response I've been getting has been overwhelmingly positive,” he says.
— Dan Kaplan