The U.S. Securities and Exchange Commission (SEC) has passed new interpretive guidelines that relax portions of Section 404 of The Sarbanes-Oxley Act of 2002.
The new rules, which apply to businesses with a market value of less than $75 million, focus on areas more prone to fraud while lowering the costs of SOX compliance for many businesses.
Section 404 of the SOX law requires publicly traded companies to continually reassess their internal controls, including technology tools that monitor access to financial systems to guarantee that external auditors can deliver accurate financial reports to investors.
The new guidelines should take some of SOX’s burden from the shoulders of businesses, SEC Chairman Christopher Cox said in a news release.
"Congress never intended that the 404 process should become inflexible, burdensome and wasteful. The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company’s internal controls systems without creating unnecessary compliance burdens or wasting shareholder resources," he said. "With the commission’s new interpretive guidance for management on the evaluation and assessment of its internal controls over financial reporting, companies of all sizes will be able to scale and tailor their evaluation procedures according to the facts and circumstances. And investors will benefit from reduced compliance costs."
While SOX has been the source of much griping since it’s passage five years ago, the new guidelines are good news for IT personnel, said Patrick Taylor, CEO and founder of Oversight, a vendor of intrusion-detection software. For instance, they no longer must document the regular updating of their anti-virus protection, he said.
"It's a long shot that a failure in an anti-virus system will lead to a fraudulent financial report," he said. "So, now it doesn't need to be a part of a SOX regime."
Small companies benefit most from the new guidelines, said Taylor.
"They will not have to do some of the more bureaucratic things, and many haven't even started," he said. "Every software and hardware vendor for SOX compliance has an angle 'critical' to SOX, and a lot of those stories will come off the plate," he said.
Get more IT security news. Click here for SC Magazine Blogs.
