Review sox globally and create light version 1788

  • Hello,
    Although my nickname might give you a different impression, we don’t want to stop sox entirely, but rather review it.
    Sox is currently costing companies tons of cash while IT-people, key users and end users are experiencing reduced flexibility of working and an extra 30 to 40% of work.
    Therefore we suggest a global review of sox (involving major sox compliant companies worldwide) to get a new ‘light’ version of sox which will both allow sufficient security checks and flexibility of working.
    Sox-rules are built in the US, but currently apply in a lot of multinationals’ headquarters outside of the US as well. Things like separation/segregation of duties might be good in theory but don’t always work in practice.
    Cultural differences regarding the way of working need to be taken into account - for example: not all organisations have a vertical structure where roles and people are a one on one relationship.
    Thanx,

  • Hello,
    Effort on previous SOX life cycle based on the ITGI recommendations (a global IT Governance institute with members coming from reputed IT organizations all over the world) had been an overkill. Lately, the requisite control framework has been determined and implemented efficiently. I have seen a very big shift towards truncation of original 62 controls by the ITGI to approximately around 40 controls presently.
    On the financial side also, due to the advent of ERM, redundancies have accordingly been identified.
    Therefore, changes have indeed occurred and you should discover in the current life cycle.

  • You need to ask yourself why sox is costing ‘tonns’ of cash.
    Is it an inherent problem with the legislation or is it a problem with the execution? If you look at the much maligned s404 it is actually a very short passage which says only that:
    a. the annual report should include an internal control report; and
    b. the auditors should express an opinion on it
    I don’t really see how you can make that requirement lighter without making it not required.

  • Also, there is a lot of press around this being onerous for small and medium sized public companies. I have no sympathy for this view.
    Companies which go public need to take into account a wide variety of requirements that are onerous - this is the cost of being allowed to take money from the general public.
    If you don’t like it - tough. Raise money from private investors instead.

  • What has caused companies to spend so much money on this is related to their failure to take responsibility and ownership of their business controls in the past. I see this in almost every organization that I am involved with to some extent. There is constant pressure to do better every year, which in and of itself is not a bad thing. But how this gets accomplished is that each new idea that gets implemented generally has adequate support up front, but once it is operating as intended, the resources that are providing the monitoring controls (most are manual controls) are redirected to the next big idea and the process slowly starts to become inefficient or controls start to weaken. Without proper monitoring of the controls and fixing them as they fail to work, issues arise. SOX put the focus back on the monitoring of financial controls.

  • Kymike and Denis,
    SOXStop was concerned about the IT compliance for SOX. You must give it to him on that because during initial stages, IT was an overkill. I have seen marked changes in Big 4 perceptions on ITGC. In 2004 and 2005 they followed the ITGI write-up of 2004 to include 60 Plus controls for SOX Sustenance.
    Experts, the likes of Gartner Group, challenged this ITGI control framework which seems to be accepted by the Big 4.
    During the year we changed our scoping for SOX; as a result, our controls were brought down to around 40, which was accepted by our Big 4 auditors.
    I agree with you guys overall, because auditors are required to step into the shoes of the shareholder because of the opportunity, to make sure that the custodianship of shareholders’ money is in proper hands, assets have been safeguarded, there is no misstatement in the financial statements published by management and the legal framework has been adhered to (COSO Requirements). This is what is known as traditional internal audit, not performed sacrosanctly in the United States prior to the Enron era, but SOX stops short of meeting all COSO objectives.
    I hope that this helps.

  • You definitely haven’t been in a large organisation if you say that.
    An extra work load of 30% (just logging everything and having every step of change processes and implementation processes approved) will result in an extra cost of 30% for all systems maintenance which are related to FI.
    And then I’m only talking about work in process that is going smoothly and not about authorisations - hiring more people to comply with the segregation of duties,… .
    I’m not sure if you are familiar with the tool Solution Manager for SAP - a real sox tool that requires every change to be logged and approved multiple times by several managers; system owner, maintenance manager, review team, key users,… . This takes much more time than what companies used to have for approving changes, trust me… .
    On the other hand you will probably know that a review of sox for multinationals requires an entire team (usually several teams worldwide) which will stay there for about 2 to 3 weeks - imagine the cost of that.
    Small and midsize business might have a low cost - multinationals have a big direct and huge indirect cost on their hands.
    For example: the implementation of sox only was about 200 man-years… .
    You don’t want to start counting the cost of that… .

  • And tell me - who was actually doing fraud in Enron, Parmalat,…?
    The end user? No - it was the CFO, CEO, CIO,… and people under them.
    High level people who really want to fraud will not be stopped by sox - since I have the feeling that it’s not focussing enough on the top level authorisation and too much on the lower level in an organisation.
    It’s clear that something had to be done, but wasn’t that initially the task of big companies like KPMG etc? The companies who are now verifying your sox compliance made huge mistakes when doing their financial audits a few years ago.

  • Denis, you are right in the simplicity of 404. But the key is in your point b that the auditors must express an opinion. Bottom line is that means they are making the rules about how to interpret SOX and what it takes to ‘pass’. And, of course, the more complex the rules and the more difficult and time-consuming they are to implement, the bigger their fees.
    Now, as an independent consultant who has spent the last two years documenting and testing internal controls for compliance with SOX, I am certainly not complaining. Like many independents, it has been a windfall for me. But, the truth is that it really is more complicated and costly than it needs to be.

  • StopSOX
    We understand your frustrations.
    But, your company may not be following the cost saving strategy on SOX Compliance.
    I have heard about the SAP tool manager. My co-brother who is working as a SAP system administrator is pretty happy. Please note that he is not into SOX compliance. Basically his efforts are mainly operational by virtue of being a SAP professional. This tool has other benefits, such as, through the history of changes, he can pinpoint the cause of the current bug. It pays to be organized and getting organized through technology is the best option. A stitch in time saves nine.
    Regarding your team issue, SOX does not rigidly require that you send a corporate team to audit all over the world. You can implement a CSA (control self assessment) methodology whereby you make the resident employee perform control testing based on samples and test scripts provided by the centralized location. This model is being followed by IBM. The system can be monitored through automated SOX solutions such as Certus, which are expensive upfront but a good sustenance tool for years to come.
    I can go on and on.
    It is agreed that richies bitchies were behind the frauds for Enron, Adelphia and Worldcom. Don’t you think that SOX has stopped the recurrence because of a deterring section 906 penalty of 20 years? This has also made external auditors move back to risk and control based audits that they abandoned in the 1990’s.
    So SOX was a welcome change. Of course, it turned out to be a milking cow initially, but the cost is far fetched.

  • What has caused companies to spend so much money on this is related to their failure to take responsibility and ownership of their business controls in the past.
    Great discussions 🙂
    I particularly thought Kymike’s point is key. What often happens is a failure to plan, research requirements, and get good up-front training for SOX requirements. Both planning and education make a vital difference. Also, if the overall SOX coordinator or external auditors aren’t on the ‘right page’ with the true requirements, inefficiencies can be further exacerbated :(
    I’ve personally seen both good and bad IT implementations related to SOX 404 and other standards. A bad implementation of SOX will add that extra burden of 30% or more.
    Executives should continually question the efficiency of SOX, just like any other business workflow. They should evaluate SOX workflows, documentation requirements, sample testing, and other aspects to ensure the team is doing the right things and not accept all rules or requirements at face value.
    I agree with our original poster that SOX is going to add work and costs to an organization. But if it ain’t done right, the company has made things much worse for themselves.
    Below is a recent related thread:

  • That was a great heated discussion.
    4 years gone and the lawmakers themselves are not certain what they want out of the ACT. 😄
    I fully agree with Stopsox. I am pretty sure everybody looks at the acknowledgement/credits section of any Global standard/Guideline document (like Cobit). 99% of the credit goes only to guys from BIG Four.
    Moral of the story. BIG FOUR WANTS their business to grow, and they generate their own business by Designing standards which they alone can follow.
    Like stopsox puts it, more than the money, it is the effort required from the end users that kills the spirit.
    Wonder why SEC does not explicitly bring out a statement on relying on specific quality standards (like ISO, BS etc) and waive a few sections of SOX compliance in lieu of them.
    Whoaaaaaaaa that would take away some business from big four.
    Let’s continue to suffer from SOX…
    Cheers

  • A lot of whingeing on here.
    Well boo hoo guys. Public companies, or rather their officers, owe a duty of care to the stockholders of whose money they are custodians - and they have profited very nicely from this over the years.
    Most of the things you are complaining about here are NOT REQUIRED by SOX. The people running up the biggest costs on SOX are the ones that abdicate responsibility and think that they can discharge their responsibility by hiring one of the Big 4 to do the work for them.
    Companies who truly address the requirements can improve control within their businesses and derive real tangible benefits. Believe it or not there were companies out there who were already well-controlled and had virtually no cost of SOX compliance - and I can think of one of the top 5 largest US Companies for who this was the case.
    You can criticise the Big 4 for having been overcautious in the first years of SOX - who can blame them? They are a far tastier target for class-action lawsuits than the real culprits because they have deep pockets and PII.

  • But these companies with state of the art controls were a handful only.
    SOX indeed brought in lots of required overhaul and the Foreign Corrupt Practices Act of 1977, COSO and COBIT became must do for US Corporations.

  • SOX has indeed been the catalyst for a lot of things that companies should have been doing already.

    • COSO has been around since Ronnie Reagan was in the White House.
    • COBIT’s been around for more than a decade. But I think many IT managers/CIOs saw an opportunity to action a lot of things on their wish list - I certainly have seen plenty of unnecessary remediation.
    • Auditors have been trying to get their clients to improve controls over business processes and IT for a long time. But I think they have used SOX to get items that have been on management letters for years actioned.

  • Who cares? Europe and foreign markets will continue to benefit from a poorly thought out knee-jerk reaction from the US. Those of us raking in the money in the audit firms and big businesses can count our blessings.

  • It’s only a matter of time before something very similar comes in Europe as well.
    I have to agree 100% with what Denis is saying.
    The biggest cost for us were the auditors who had to have a few extra hours in the company going over the controls. The work itself didn’t cost much.

  • There is absolutely no way that an equivalent to section 404, the key element of SOX that is upsetting the business community as it drains resources and lines the pockets of accountants, will be introduced in Europe.
    I thought Canada did the very same by passing something akin to SOX but without 404?
    I also question whether there is the same commitment to/momentum for such a draconian Act as SOX in Europe when we read that the UK are deliberately taking action to prevent SOX hitting the London Stock Exchange should the NYSE buy them out.

  • Draconian, eh?
    My dictionary says that draconian means ‘Exceedingly harsh; very severe’. Which provisions of SOx are actually draconian?

  • FYI
    Canada and Japan have their own SOX version. Did anybody ask a question why did they go for such a law? Europe is not far away.
    All the best.
