< Back

What is the single most challenging Sarbanes-Oxley issue today?

Alex Bakman
Founder and CEO
Ecora Software

How to cost-effectively sustain compliance From talking with our customers that struggled through the manual process of complying with Section 404, I hear that they simply could not afford to go through that process again from a time and cost perspective.

Many companies have now experienced what Sarbanes-Oxley means in terms of compliance. For most it was a time-consuming, intense exercise. The resources required to meet compliance deadlines exceeded most companies estimates. Big accounting firms tagged the average cost of compliance at $7.8 million.

If youre not hearing the collective sigh of relief, its because most executives realize that the challenge of sustaining Sarbanes-Oxley compliance will require substantial additional resources. Sarbanes-Oxley requires both annual and quarterly audits of managements assessments of internal controls. This means that the internal control tests and reporting need to be ongoing.

Preparing for the initial Sarbanes-Oxley audit opened the eyes of many executives to the relevance of IT to their financial information. Internal audit departments and financial management initially drove the compliance effort. However, once the scope of the Sarbanes-Oxley requirements were clearly understood, IT management became central to the compliance effort.

This involvement created a couple of interesting dynamics in the IT world; IT management was forced to understand and implement Sarbanes-Oxley requirements, and IT was put in the unfamiliar position of having independent, not-necessarily-technical auditors looking over their shoulders.

Ernst & Young estimated that ten percent of first-year Sarbanes-Oxley audit questions focused on IT controls. In year two and beyond, Ernst & Young projects that will grow to at least 25 percent. This places a significant burden on IT to develop processes and systems that automate their compliance efforts.

Add to that the requirement to link ongoing Section 404 monitoring to quarterly Section 302 reporting (Section 302 requires quarterly evaluation and reporting of changes to internal controls that could have a material effect on financial statements). Companies and their IT departments need to develop ways to keep the assessment of internal controls constant over time and cannot wait until year-end to evaluate changes.

With IT infrastructures growing ever more complex to meet business needs, changes, whether approved or not, are happening everyday. While you might be in compliance today, a critical change may knock you out of compliance tomorrow. IT executives understand that their IT infrastructures are dynamic. As a result, they are looking for automated solutions to reduce the manual time spent on tracking changes, testing and validating control, and constantly proving compliance.

Best practice frameworks such as ITIL, COSO, COBIT are all built around change and configuration management planning. Proper change and configuration management provides accurate and current IT infrastructure information in order to effectively plan, manage, and validate changes, which reduces downtime from planned and unplanned changes as well as improves security and meet compliance requirements.

By automating change and configuration management, IT departments can cost-effectively test, validate, and report on their IT controls and security settings to sustain compliance over time. Additionally, IT departments can significantly reduce their manual and repetitive tasks of IT control reporting and change tracking to generate the accurate reports auditors need when they need them  saving time, money, and resources.

About Us Editorial

© 2019 Simplex Knowledge Company. All Rights Reserved.   |   TERMS OF USE  |   PRIVACY POLICY