The Securities and Exchange Commission (SEC) voted today to simplify the auditing process for Section 404 requirements of the Sarbanes-Oxley Act of 2002.
Five SEC commissioners unanimously voted to make checking for security controls more risk based and less "obsessive compulsive," according to SEC Commissioner Paul Atkins.
Security experts said the changes should help organizations concentrate more on implementing controls than documenting their efforts.
"I think there are really pretty big changes coming," Phil Livingston, vice chairman of Approva and former CEO of Financial Executives International told SC Magazine.com today. "I think there is going to be major relief for organizations."
In the past, auditors had two opinions - one based on controls and another based on management's approach to establishing controls, Livingston said. Now they will use one cohesive opinion, requiring less testing to streamline the process.
"The way they do it now is pretty convoluted and dumb," he said. "The process has been pretty inefficient, and the SEC wants money to be spent on the controls themselves, not on frivolous testing."
Click here to email Ericka Chickowski.