Softpanorama
(slightly skeptical) Open Source Software Educational Society

RBAC as a Weapon against SOX Perversions and Kafkaesque Bureaucratization of IT


The road to hell is paved with good intentions

Proverb

Franz Kafka's writings demonstrate a prescient knowledge of how it feels to be involved in a SOX compliance project!

All SOX-related games played by big accounting firms for fun and profit are based on an arbitrary interpretation of Section 404 of SOX (Sarbanes-Oxley, Financial and Accounting Disclosure Information), a section that has nothing to do with IT: the law itself was designed to prevent Enron-type fraud by high-level executives, not the fudging of data in Oracle databases by some low-level schmuck.

But the interpretation of SOX by the Big Five amounted to installing a regime of Kafkaesque bureaucracy in the IT systems of all large US corporations. Bill Joy once proposed an elegant explanation for the apparently inevitable metamorphosis of cool start-ups into hideous corporations, which he called the Bozo2 Principle.

Wizards, he said, hire other Wizards. Bozos hire Bozos. As a company grows rapidly, it is inevitable that some Wizards will slip and hire Bozos, given the scarcity of the former and the plenitude of the latter. However, once a Bozo has been hired, he hires another, and "everything beneath them turns Bozo after that." (This is related to Steve Jobs' famous: "A people hire A people. B people hire C people.") Since in IT the SOX-inspired managers are by definition type B people, it follows that for the long-term survival of the corporation it might be useful to can the most enthusiastic of those who participated in SOX compliance efforts, preferably the day after the compliance documents were signed ;-)

In a way it looks like a major reversal of the Cold War's results with one brilliant stroke of the pen: the entrenched "red bureaucracies" of the former Eastern European Communist Bloc exacting revenge from the grave by imposing their "rules of the game" on major US corporations, using the Big Five as a fifth column :-). Suddenly Franz Kafka's "The Trial" looks like a very contemporary book.

Here is Section 404 of SOX for reference:

Section 404

Management Assessment Of Internal Controls

I would like to stress again that, with all this noise about SOX compliance, one of the few things that makes sense in IT is the adoption of RBAC. Most SOX activities resemble Y2K-style activity with the same bozos in charge of the effort. They also represent a very expensive and superficial effort that benefits mainly (or exclusively) large auditing firms and, to a lesser extent, companies with semi-useless or harmful security products; this effect may be why IBM paid so much money for ISS with its semi-useless IDS products ;-)

But good, type A managers can play their cards more intelligently than regular PHBs and try to add technologies whose time has come, but which would never be implemented unless they ride the SOX compliance bandwagon with its financial excesses ;-). Role-based access control (RBAC) is definitely one such technology.

Persuading higher-level managers to implement RBAC under a SOX-compliance sauce is relatively easy (in fact, SOX does not even specify what "adequate internal controls" are, nor which solutions organizations must implement in order to meet that requirement). Using RBAC as the "adequate internal control" solution makes a lot of sense.

RBAC aside, instead of adding direct compliance measures it might also be beneficial to consider some kind of security monitoring that increases the effectiveness of existing controls without implementing additional costly and/or paralyzing measures. One of the few useful direct compliance measures might be the end-of-year assessment, which might also benefit from the presence of additional reporting tools.

Solaris Zones can greatly complement an RBAC implementation by ensuring real separation of duties. Solaris Zones essentially allow the application owner to control his own lightweight virtual machine, and as such greatly reduce access-control conflicts in a Unix environment. The problem of "too many privileges for application owners", which is essentially irresolvable in an ordinary Unix environment no matter how many documents are produced or meetings conducted, can finally be at least partially addressed in a way that minimally hurts (and can even, in a way, benefit) all parties involved.
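As an added example (not code from the original page), here is a small Python model of RBAC with static separation-of-duties constraints, which is the property the text wants an RBAC-based "internal control" to deliver: conflicting roles cannot be co-assigned (clerk vs. approver, application owner vs. host administrator), and an audit pass catches assignments made around the policy. All role, permission and user names are constructed for illustration.

```python
"""Minimal RBAC model with static separation-of-duties (SoD) checks.

Added example, not code from the original page. Role, permission and user
names are constructed. Users get roles, roles get permissions, and an SoD
rule forbids one user from holding a conflicting set of roles.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Policy:
    # role -> set of permissions, written as "object:action"
    role_perms: dict[str, set[str]] = field(default_factory=dict)
    # user -> set of assigned roles
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    # static SoD: (conflicting roles, n) -> no user may hold n or more of them
    sod_rules: list[tuple[frozenset[str], int]] = field(default_factory=list)

    def grant(self, role: str, *perms: str) -> None:
        self.role_perms.setdefault(role, set()).update(perms)

    def add_sod(self, roles: set[str], cardinality: int = 2) -> None:
        self.sod_rules.append((frozenset(roles), cardinality))

    def assign(self, user: str, role: str) -> None:
        """Assign a role; refuse if the result would violate any SoD rule."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        proposed = self.user_roles.get(user, set()) | {role}
        for rule_roles, n in self.sod_rules:
            held = proposed & rule_roles
            if len(held) >= n:
                raise ValueError(f"SoD violation: {user} would hold {sorted(held)}")
        self.user_roles.setdefault(user, set()).add(role)

    def permissions(self, user: str) -> set[str]:
        """Effective permissions: the union over the user's roles."""
        return set().union(
            *(self.role_perms.get(r, set()) for r in self.user_roles.get(user, ()))
        )

    def check(self, user: str, perm: str) -> bool:
        return perm in self.permissions(user)

    def audit(self) -> list[str]:
        """Report users whose current roles break an SoD rule, e.g. after the
        role data was edited directly and assign() was bypassed."""
        findings = []
        for user, roles in sorted(self.user_roles.items()):
            for rule_roles, n in self.sod_rules:
                held = roles & rule_roles
                if len(held) >= n:
                    findings.append(f"{user}: holds {sorted(held)} (limit {n - 1})")
        return findings


def assign_allowed(policy: Policy, user: str, role: str) -> bool:
    """True if the assignment went through, False if SoD rejected it."""
    try:
        policy.assign(user, role)
        return True
    except ValueError:
        return False


def build_demo_policy() -> Policy:
    """Constructed policy: finance roles plus Unix operations roles."""
    p = Policy()
    p.grant("ap_clerk", "invoice:create", "invoice:read")
    p.grant("ap_approver", "invoice:approve", "invoice:read")
    p.grant("app_owner", "app:deploy", "app:restart", "app:read_logs")
    p.grant("sysadmin", "host:root_shell", "host:patch", "app:read_logs")
    p.grant("auditor", "invoice:read", "app:read_logs", "host:read_logs")
    # Nobody may both create and approve invoices.
    p.add_sod({"ap_clerk", "ap_approver"})
    # An application owner must not also be the host administrator.
    p.add_sod({"app_owner", "sysadmin"})
    p.assign("alice", "ap_clerk")
    p.assign("bob", "ap_approver")
    p.assign("carol", "app_owner")
    p.assign("dave", "sysadmin")
    p.assign("erin", "auditor")
    return p


if __name__ == "__main__":
    pol = build_demo_policy()
    print("alice approves invoices?", pol.check("alice", "invoice:approve"))
    print("alice -> ap_approver allowed?", assign_allowed(pol, "alice", "ap_approver"))
    pol.user_roles["carol"].add("sysadmin")  # simulate an out-of-band edit
    print("audit:", pol.audit())
```

The audit pass is the part an assessor actually wants: it re-derives violations from the stored assignments rather than trusting that every change went through `assign()`.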



Old News ;-)

[Aug 17, 2007] On Wall Street - A SourceMedia and Investcorp publication

From OWS Magazine | April 2007 Issue

... Audit costs have risen dramatically. According to "The Nature and Disclosure of Fees Paid to Auditors"--a study published in The CPA Journal by accounting professors Ariel Markelevich, Charles A. Barragato and Rani Hoitash--auditing fees have jumped an estimated 80% since SOX became law.

There have also been questions about what SOX has done to board efficiency. Research quoted widely in academic and professional literature shows that larger boards are not only expensive, but they're also generally less effective than smaller ones. Furthermore, SOX seems to have increased board turnover, which Linck, Netter and Yang estimate has risen to almost three times its rate during the years just before the law was passed. Many experts also question the merits of SOX's tendency to turn boards more toward oversight than to their other crucial function: offering business advice to the companies they serve.

These impositions have hurt American investors and markets in several ways. Many firms, for instance, have gone private. According to a General Accounting Office (now known as the Government Accountability Office) survey of available academic research, the number of firms that went private jumped by 80% the first year after SOX was enacted. And that number has continued to grow (albeit at a slower pace).

As a variation on this theme, evidence points to an increase of firms "going dark." This is a practice in which firms avoid SEC filings by deregistering their securities, though they continue to trade in the over-the-counter (OTC) market. While going dark--like taking a company private--doesn't necessarily hurt the economy or financial markets, there's an implied inefficiency when the move is largely made to avoid regulatory burdens.

Probably most unsettling is that SOX-related costs have been pegged as the reason many firms have chosen to list outside the U.S. Before SOX, American exchanges captured some 90% of all foreign equity offerings.

In 2005, the last year for which complete data was available, the reverse was true. None of the Top 10 listings occurred on an American exchange, and 22 of the Top 25 listings occurred outside the U.S. In addition, 2005 saw 129 major new listings overseas, compared to only six for the New York Stock Exchange and 14 for the Nasdaq.

[Aug 17, 2007] Union Urges Auditors to Dig Deeper for Exec Options Excesses workforce.com

This is the usage of SOX within its intended window of applicability.

Sarbanes Oxley narrowed the reporting window for option grants in a way that was designed to make options backdating harder. Grants were supposed to be reported within two days of the grant. But there are signs that the abuse continued even after the law was passed. Now, the AFL-CIO is putting pressure on audit firms to go back and scour the books, especially around the time the law was enacted, for possible abuses. The union argues that auditors need greater access to executives and boards to ferret all this out and that auditors examine more documents and board minutes. This is yet another reason to go overboard when you grant options. Leave no room for suspicion. The reality is that there are many cases that will not be prosecuted. Still, you want to leave nothing to chance. If you have nothing to hide, invite your auditor in. 

[Aug 17, 2007] Sarbanes Oxley Outfoxing SOX

This is an example that even within its limited window of applicability SOX is not that efficient. It might well be that redirecting it to IT compliance is a shrewd maneuver, putting a nice smokescreen between the facts and the law...

Sarbanes-Oxley banned sweetheart loans to greedy executives. So, corporations are giving them free money instead. Greedy corporate executives were briefly constrained by Sarbanes-Oxley, the federal legislation passed two-and-a-half years ago in response to massive abuses at Enron, WorldCom, and others. But wily CEOs are now devising clever new methods to circumvent one of SOX's most popular provisions: the ban on sweetheart loans to executives and directors.

In the old days, companies regularly made loans to the likes of Dennis Kozlowski, the former CEO of Tyco who's currently on trial (for the second time). He received a $61 million relocation loan pre-SOX. Bernie Ebbers, the former WorldCom chieftain who's also now on trial, owed his company just over $400 million at one point. Largely because of these abuses, Sarbanes-Oxley outlawed such favorable loans.

But now companies have realized they can avoid the ban if they give money away to their top executives instead of loaning it. The amounts aren't as eye-popping as the loans made to Ebbers et al., but hey, it's free money. These giveaways are disclosed with varying levels of clarity in the company's SEC filings and are almost always on top of the other compensation and routine perks that top executives receive. Here are some of the new strategies...

[Mar 11, 2007] Business Pushes Back Against Regulation Financial News - Yahoo! Finance

The price of SOX is the loss of competitive edge

Bloomberg and Sen. Charles Schumer, D-N.Y., released a report in January saying that the burden of tough regulation is contributing to New York City's loss of its competitive edge in the financial services industry to cities like London and Hong Kong. Unless remedies are made, they warned, New York's -- and thereby America's -- leadership in global finance will be eroded, reducing jobs and chilling the U.S. economy.

[Feb 10, 2007] Curiouser and Curiouser!

How the protection of law was lost is a fascinating piece about the state of the modern American justice system. It begins with a consideration of the impact of Sarbanes-Oxley and a brief history of how previous attempts at financial regulation have led to this point. As the article says:

Reformers assume that rules can substitute for character, and they ignore the unintended incentives created by rule making.
 
which could be read as the more familiar:

The road to hell is paved with good intentions.

[Feb 10, 2007] GOVERNMENT FAILURE VERSUS MARKET FAILURE Preliminary draft--not for quotation  by C. Winston

See also SOX Related Links

milkeninstitute.org: Clifford Winston (Brookings Institution), "Government Failure Versus Market Failure", November 2005, preliminary draft, not for quotation.

John Berlau on Sarbanes-Oxley on National Review Online

EDITOR'S NOTE: This piece appears in the April 11, 2005, issue of National Review.

Early this year, an unusual full-page ad appeared in the Wall Street Journal and other financial newspapers. The ad attempted to refute claims from businessmen about the costs imposed by the mandates of the Sarbanes-Oxley Act, the "corporate reform" law Congress passed in 2002 after accounting scandals hit Enron, Worldcom, and other companies. Yes, procedures stemming from that law "are neither simple nor inexpensive," the ad said, but the costs are well worth it if the result is restored investor confidence. "The [law's] greater goal and promise," the ad proclaimed, "is that the rigorous demands of compliance can lay the groundwork for improved and more reliable financial reporting, leading to a higher level of public trust."

The ad's message itself was not unusual; it mirrored the standard response the law's defenders give to complaints about cost. A Washington Post editorial intoned, "The nation's corporate chieftains . . . complain about the cost of this new regulation, not pausing to mention the cost of Enron-type scandals." But what this newspaper ad shows is that not all corporate chieftains oppose this law. The expensive ad was not paid for by a pension fund or another group representing the investors the law was intended to serve: Its sponsor was, rather, PricewaterhouseCoopers, the multi-billion-dollar accounting firm making a bundle in fees for doing all the audits the law has ended up requiring of business. By creating so many hurdles for public companies, the law has birthed a golden goose for those who audit them. And ironically, despite the media and legislative clamor to "get" the big accounting firms after Enron imploded, it's the Big Four accounting firms that have turned out to be the big winners from Sarbanes-Oxley.

THE BIG FOUR VS. AMERICA

"Auditors who lost their jobs when Arthur Andersen folded in the wake of the Enron scandal now find themselves up to their ears in work . . . auditing local businesses that are racing to meet Sarbanes-Oxley regulations," the San Jose Mercury News reported in December. According to BusinessWeek, PricewaterhouseCoopers has hired more than 1,600 new auditors and 400 temps from English-speaking lands to perform the extensive audits of businesses. The Big Four are hiring big-time, and have stepped up their recruiting efforts on college campuses: BusinessWeek says KPMG has upped its college recruitment by 40 percent in the last two years. Accounting is now a hot major. A headline in the magazine Practical Accountant summed up the accounting frenzy: "Cash in on Sarbanes-Oxley; reform unleashed a plethora of new and varied engagement opportunities."

But what's good for the Big Four isn't necessarily good for America. Other businesses, and ultimately the economy as a whole, are footing the bill for this regulation-driven auditing boom. Mounting evidence shows that the accounting-industry growth generated by Sarbanes-Oxley is coming at the expense of productivity, new jobs, and innovation in the general business world. A survey by Korn/Ferry International found that the law cost Fortune 1000 companies an average of $5.1 million in compliance expenses last year. For middle-market public companies, the law firm Foley & Lardner found that the act has increased the "cost of being public" — everything from audit fees to director insurance — by 130 percent. Substantial man-hours have also been diverted to Sarbanes-Oxley from other, more productive tasks. The industry group Financial Executives International found that the average firm was spending at least 30,700 man-hours a year on compliance with this law. As a result, a number of small U.S. and big foreign firms are rushing to deregister from U.S. stock exchanges — a blow to the U.S. capital markets, and, in turn, to the smaller U.S. companies that depend on these capital markets for financing.

Still, despite business complaints, the administration and the congressional majority — who have other critics, ones accusing them of wanting to repeal the New Deal — show no signs of willingness to scale back what has been called the greatest expansion of federal corporate law since FDR. Congress passed Sarbanes-Oxley less than a month after Worldcom announced it was in serious trouble; it was also six months after Enron's bankruptcy, and three months before the 2002 midterm elections. The Senate, then under Democratic control, had crafted a sweeping corporate overhaul bill by Sen. Paul Sarbanes, Democrat of Maryland. The House had passed a more modest bill by House Financial Services Committee chairman Mike Oxley, Republican of Ohio. When Worldcom announced the earnings restatement that would lead to its bankruptcy, the Bush administration and congressional Republicans went into crisis mode and approved Sarbanes's bill with very minor changes; about the only thing the House Republicans added to the final bill was a provision increasing the jail terms for those convicted of corporate wrongdoing. The bill passed the Senate 99-0, and the House approved it with only three members voting no.

The final product, the Sarbanes-Oxley Act, goes against a 30-year trend of general economic deregulation under Republican and Democratic presidents. It undermines federalism, by going where the federal government has never gone before in areas of corporation law that had long been provinces of the states; UCLA law professor Stephen Bainbridge wrote in Regulation magazine that the act has ushered in "the creeping federalization of corporate law." It regulates the structure and functions of boards of directors, and prescribes the duties of specific employees and board members. Intentionally or unintentionally, the law takes a significant step toward the longtime goal of Ralph Nader and other leftists: federal chartering of corporations. Environmental and labor activists are looking at ways to use the law to launch "shareholder complaints" to force companies to bend to their agenda. As William Greider noted approvingly in a recent cover article in The Nation, this new leftist "reform impulse is different because it seeks to change the system from within, using workers' capital as the driving wedge."

Oxley and the administration are standing firmly behind the law and seem opposed to significant changes in it. When I recently asked Oxley's office for his current views on the law, I was referred to remarks he made early last year at an event with Sarbanes at Washington's National Press Club, in which he said that "the objective ways that you measure this seems to me on the positive side," and that the market had gotten better since the law was passed. As for compliance costs, he said, they "pale in comparison to the costs of corporate fraud that could have occurred without this legislation." Treasury secretary John Snow in a recent BusinessWeek interview praised Sarbanes-Oxley as "critically important legislation" and said Congress didn't need to modify the law.

Meanwhile, the law is fulfilling its promise to create, in President Bush's words at the signing ceremony, "the most far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt." Indeed, one section of the law threatens to become the most extensive day-to-day regulation of American business since FDR's National Industrial Recovery Act, the price-and-output regulatory scheme struck down by a unanimous Supreme Court in 1935. Just as the NIRA created industry boards that had to approve prices and output, Sarbanes-Oxley's Section 404 and its regulatory extensions mandate that the most minute bookkeeping practices have to be okayed by auditors.

PEEKABOO, WE SEE YOU

Section 404 requires that a business's executives sign off on the "internal controls" over financial statements and that the company's outside auditors "attest to" the soundness of these controls. The law also created the quasi-private Public Company Accounting Oversight Board to regulate accountants and set auditing standards. Although the Big Four initially opposed the tougher regulation this body would entail as well as the law's bans on consulting services that can be sold to an audit client, they quickly decided that having the board define "internal controls" as broadly as possible would likely more than make up for their losses. "We love the PCAOB and we love Section 404, especially given the other regulations in the law that affect us," says a staffer in the Washington, D.C., office of a Big Four firm.

The PCAOB, non-affectionately referred to as "Peekaboo" by many in the companies that are under its thumb, gave the accountants what they wanted: Last March, it defined internal controls as "controls over all relevant financial statement assertions related to all significant accounts and disclosures in the financial statements." It also defined the law's phrase "attestation" as a full-blown audit of each of these controls, just as the company's numbers have traditionally been audited. In practice, this means that such things as the technology used to derive accounting numbers must be audited every year by the accountants. The board states that "the nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting." This passage alarms public-company tech employees, because no technology is perfect, and even knowledgeable techies disagree about which is the best software. One public company's chief financial officer says this could mean that an auditor could label a computer with Windows 97, rather than an updated version, a bad internal control.

Daniel Goelzer, a member of the PCAOB, says this isn't likely: "I can't offhand think of a way that using an old version of Windows would make it more likely that your financial statements would be inaccurate." But he adds, "Maybe if there's something about the way that your Windows 95 interacted with the rest of the accounting software at a particular company, maybe it's conceivable." It's really up to the judgment of the individual auditor to decide whether a control passes muster, he says. "We have definitions, but I would certainly say to you that applying those definitions to a particular company requires judgment. That's why auditing's a profession, not a trade."

Yet it's a profession that the law is turning into a mini-regulator. And it's troubling when auditors have the power to second-guess management's best judgment on matters like technology, particularly when this power is combined with other parts of the law requiring "material weaknesses" discovered by auditors to be disclosed to shareholders and establishing criminal penalties for "willfully" disregarding proper accounting procedures. If management, which presumably knows the company better than anyone, has to go against its judgment of what's best to please an auditor, shareholders could lose out as well. And with every new business venture, there's a whole new set of internal controls. This could lead to a slowdown in business investment.

As if all this weren't enough for businesses to cope with, a whole bunch of interest groups now have their own definitions of "internal controls" they want to have imposed. The Oakland-based Rose Foundation for Communities and the Environment has called on the PCAOB to mandate that "independent auditors include reviewing the financial impacts of environmental conditions and environmental liabilities as part of their scope."

Many companies are hurrying to escape Sarbanes-Oxley by leaving the stock exchanges: According to a Wharton study, 198 American companies deregistered from exchanges in 2003, the year after the law was passed — nearly triple the number that deregistered in 2002. Prominent European firms, such as Siemens, are also considering pulling their U.S. listing because of the law. In 2004, the New York Stock Exchange had only ten new foreign listings.

This is clearly a threat to overall economic vitality. Alfred C. Eckert III, CEO of the GSC Partners investment firm, also worries that both Section 404 and the law's mandates for boards of directors will lead to the "bureaucratization" of large American firms: "We're going to have people who are much more bureaucratic . . . and who are frightened and will react in always the most conservative course and will rely on process dictated by lawyers rather than good business judgment." Eckert warns that if Bush and Congress ignore these effects of Sarbanes-Oxley, Bush's planned tax and Social Security reforms will not come to full fruition. "[Sarbanes-Oxley] will make capital more expensive and lower the rate of growth of America. It's very simple."

John Berlau is the Warren T. Brookes Journalism Fellow at the Competitive Enterprise Institute.


[May 10, 2006] Leader: Get off the SOX compliance hamster wheel - silicon.com

Published: Tuesday 15 November 2005
 

Are you on the regulation hamster wheel, wheezing as you try to keep up with the latest edict dumped on you from above? Are you pulling out the system you put in last month because it doesn't comply with this week's ruling?

Regulation isn't going to stop anytime soon, unless we can find something more useful for all the bureaucrats to do - like breaking rocks.

But don't make the mistake of chopping and changing each time a new package of red tape drops off the regulatory production line.

Instead of rushing to comply each time, look for ways to jump off this nasty merry-go-round.

Migrating to new systems might have got you through SOX last year but what if the advice from the auditors is different this year - and requires yet more expensive changes when you'd rather be working on new projects?

If you are sitting there smugly because SOX didn't touch you, what about MiFID looming on the horizon? And what if European regulation tsars decide they want their own SOX to pull on too?


Investment bank DrKW has realised this already. The key is to have the right environment in place to cope with every regulatory curve ball, rather than just deal with each one as it comes along. After all, what most regulation wants to create - consistent and secure processes and systems - is what most companies would aim for anyway.

Can you build your business processes and IT systems so they can bend to each regulatory whim without being broken by them? Try it - you'll save yourself a lot of effort in the long run.

[Jan. 7, 2005] MSNBC - Sarbanes-Oxley: A sense of 'siege'. A Q&A with Treasury Secretary John Snow on corporate reform

As a former business leader, Treasury Secretary John W. Snow is well aware of difficulties that Washington policymakers can cause for Corporate America. So it's not surprising that when company chieftains complain about the costs of complying with the Sarbanes-Oxley corporate-reform laws, he listens.

In an interview with BusinessWeek Senior Writer Rich Miller on Jan. 4, Snow shared his thoughts on what should — and shouldn't — be done in response. Edited excerpts of his remarks follow: 

Q: Should Congress consider modifying Sarbanes-Oxley?

A: I don't think that's the real problem. Sarbanes-Oxley was critically important legislation that met a real need for the country at the time of those scandals ... Sarbanes-Oxley played a very important role in reaffirming the norms of good corporate behavior, and, in some ways, I think [it] was absolutely essential. Corporate capitalism depends on trust.

Q: Are the regulators enforcing the law too aggressively?

A: It's important not to criminalize innocent mistakes. The nature of business is that you aren't always going to be right ... We ought to make sure, to the extent we can, that the regulators, the litigators, the prosecutors, and so on are working in a way that isn't excessively duplicative or burdensome, creating untoward risks of multiple prosecutions and regulatory investigations.

-- John Snow, U.S. Treasury Secretary

Sarbanes-Oxley Trumps IM at Some Firms - Computerworld

Concerns about security, archiving prompt companies to unplug instant messaging systems
News Story by Thomas Hoffman

AUGUST 08, 2005 (COMPUTERWORLD) - In another case of fallout from the passage of the Sarbanes-Oxley Act, some companies are disabling their instant messaging systems because of concerns that the technology's security and archival controls aren't strong enough to comply with the law, according to IT executives, lawyers and auditors interviewed last week.

Section 302 of Sarbanes-Oxley requires CEOs and chief financial officers to certify that their companies have established internal controls and are regularly evaluating the effectiveness of the control measures. Although vendors such as FaceTime Communications Inc. and IMlogic Inc. offer tools for storing messaging traffic and protecting against malware, users like Jefferson Wells International Inc. are erring on the side of caution by simply unplugging their IM systems.

Jefferson Wells disconnected its MSN Messenger system because of concerns that the company wouldn't be able to detect software viruses embedded in messages, said Scott Robertson, manager of corporate IT operations at the Brookfield, Wis.-based provider of technology risk management and other professional services.

"We never had the comfort level that we could scan instant messages appropriately," Robertson said. Another factor that contributed to the decision to disable the IM system last year is that many of the company's employees work at client locations, he added. Executives from Jefferson Wells didn't want to run the risk of having a virus or worm infect a customer's network.

Jefferson Wells is a subsidiary of Manpower Inc. The decision to unplug IM was made as part of the unit's evaluation of whether its IT controls met the provisions of Sarbanes-Oxley, said John Rostern, New York-based director of technology risk management at Jefferson Wells.

Since the system was disabled, the company's IT staff hasn't bothered to evaluate the available IM security tools because it isn't being pushed by workers to re-establish IM, Robertson said.

Steve Ross, a director at Deloitte & Touche LLP in New York and a past president of the Information Systems Audit and Control Association, said he knows of two Deloitte clients that have disabled their IM systems because of Sarbanes-Oxley concerns. Ross declined to identify the companies, saying only that one is a services company in the southern U.S. and the other is a large New York-based insurer.

Other corporate users are taking steps to strengthen the data security and archiving capabilities of their IM systems in order to satisfy Sarbanes-Oxley's requirements.

For example, Chevron Corp. is moving to block outside connections to an IM system used within one of its operating units, said Jay White, global information protection architect at the San Ramon, Calif.-based energy company. The expanded effort follows the adoption in June 2003 of controls for maintaining audit records and reducing security risks on the IM system.

"We manage our own IM system internally on our WAN, but the external connections have presented security [issues]," added White, who declined to identify the business unit involved.

Some observers contended that companies are overreacting to Sarbanes-Oxley by disabling IM. "You can't control a phone call, so I don't see what the difference is between IM and a phone call," said Diana McKenzie, chairwoman of the IT group at Chicago-based law firm Neal Gerber Eisenberg LLP. "To me, it's not logical."

Greg Hedges, managing director of technology risk at Protiviti Inc., a Menlo Park, Calif.-based company that provides internal auditing and business-risk consulting services, said some companies have disconnected IM systems under the pretense of complying with Sarbanes-Oxley instead of justifying those actions for business purposes.

"Sarbanes-Oxley is a wonderful vehicle for taking things out of people's hands," said Hedges, who added that some companies have applied the same rationale for disconnecting wireless systems.

But Ross said that viruses embedded in instant messages could cripple networks. "Given that [corporate] management feels the necessary controls haven't been implemented or can't be," he said, "unplugging instant messaging wouldn't be overkill."

Sarbanes Action Plan

JUNE 02, 2003 (COMPUTERWORLD) - Imagine asking 40 CIOs in six cities what their biggest worries are these days. I'd expect to hear about freeze-dried IT budgets, unfinished projects, sinking staff morale or loss of corporate confidence.

I'd be way off base.

What I never would have guessed was the Sarbanes-Oxley Act of 2002, that Loch Ness monster of new financial reporting and disclosure requirements enacted by Congress in the aftermath of Enron and a string of other corporate scandals. Nobody quite knows how far-reaching its impact on IT infrastructures will be, but ignorance is the opposite of bliss here.

"The CIOs feel blindsided by this," says Cathy Hotka, principal of Cathy Hotka & Associates and former VP of IT at the National Retail Federation. In a recent series of CIO roundtables she moderated, Hotka was surprised to find SOX (as the finance types call the act) a topic of so much consternation among senior IT execs. "They know the CFOs have it on their radar screens, and they don't like that feeling. Nobody has a handle on this yet," she says.

Sarbanes-Oxley is reverberating throughout IT management like an eerie echo of Y2k, with compliance deadlines looming and businesses feeling threatened and uncertain about the extent of the potential damage (that is, legal trouble) if changes aren't made. As one of Hotka's CIO dinner guests observed, "I could end up spending $1 million to fix a $100,000 problem!"

"There's a tremendous amount of confusion" about what IT should be doing to ensure compliance with Sarbanes-Oxley, says John Hagerty, an analyst at AMR Research Inc. in Boston. A recent AMR poll of 60 companies found that while 85% are anticipating changes in system and application infrastructures, an equally whopping 80% are unsure of what the changes will be.

In light of all this free-floating anxiety, last week's news that the Securities and Exchange Commission had extended the deadline for Sarbanes-Oxley compliance another nine months (to June 2004) might seem like a welcome relief.

But senior IT managers should be using this gift of time to get their information engines in gear -- not to relax.

Step 1: Dive in and do some research. Online in our IT Management Knowledge Center, we've compiled a special topics page [QuickLink a3250] with all of our ongoing coverage of Sarbanes-Oxley and additional links to sister publication CIO magazine's recent series on legislative issues. We'll keep adding resources to that page, so let us know what kind of additional information you need. If you search on Google for "Sarbanes-Oxley and CIOs," you'll get more than 700 hits. Many are worth looking over for advice, checklists, additional resources and examples of what other companies are doing.

Step 2: Survey the vendor landscape. A number of them are circling their wagons and offering upgraded products or new features geared to tracking, safeguarding or guaranteeing data veracity. So far, the vendors include Oracle, Hyperion, SAS Institute and PeopleSoft, and there are also several vendors of reporting tools, supply chain software and document management applications with offerings.

Step 3: Formulate an action plan that includes a presentation to the CFO about the proactive measures IT is looking into (or, even better, ready to implement) to address a range of Sarbanes-related concerns:

[More action items are online at QuickLink 34225.]

Like it or not, IT will be at the heart of your company's Sarbanes solution. And if you're ready and informed, you'll be at the head of it.

Maryfran Johnson is editor in chief of Computerworld. You can contact her at maryfran_johnson@computerworld.com.

Economist.com: Sarbanes-Oxley law. It is costing plenty—but is it working?

THE Sarbanes-Oxley statute, which the United States enacted in an atmosphere of extraordinary agitation in 2002, is one of the most influential—and controversial—pieces of corporate legislation ever to have hit a statute book. Its original aim, on the face of it, was modest: to improve the accountability of managers to shareholders, and hence to calm the raging crisis of confidence in American capitalism aroused by the scandals at Enron, WorldCom and other companies. The law's methods, however, were anything but modest, and its implications, for good or ill, are going to be far-reaching.

Since the new accounting rules and regulatory infrastructure that goes with them are still bedding in, it is too soon for a definitive judgment. (That time may never come, in fact: academics are still arguing about the pros and cons of the Glass-Steagall act of 1933, a similarly momentous initiative.) It is early days for academic appraisals, but the ones that have been ventured so far tend to the view that costs will exceed benefits. Meanwhile, many of America's businessmen are deeply unhappy, and with reason: the initial costs of the new law have been bigger than expected. And it can be argued that, when it comes to repairing American corporate governance, the law anyway addresses symptoms more than causes.

With time, no doubt, the law's balance of costs and benefits will improve significantly: some of the costs have been once-and-for-all. Right now, though, the balance looks pretty unfavourable.

Alan Greenspan, chairman of the Federal Reserve, spoke up in defence of the statute this week. It was faint praise. He said he was surprised that a law which had been passed so rapidly had worked as well as it has—less of an endorsement than it first seemed, since laws dealing with issues as complex as these and passed as “rapidly” as was Sarbanes-Oxley can normally be expected to fail abjectly.

Mr Greenspan also noted that the law will be fine-tuned as experience accumulates. Quite so. Next day, the Securities and Exchange Commission (SEC), along with the Public Company Accounting Oversight Board (PCAOB, created by the law), told accountants that they were being too inflexible, “overly cautious” and “mechanical” in interpreting the statute. They called for the exercise of greater discretion—something which, three years ago, the architects of the statute had seemed to frown on. Whether good or bad, therefore, SOX, as it has become known, is by no means as yet a settled regime, but a work in progress.

Its initial provisions are wide-ranging. As well as establishing the accounting-oversight board, the statute prohibits audit firms from doing a variety of non-audit work for their clients (in order to address some obvious conflicts of interest). It requires companies to establish independent audit committees. It forbids company loans to company executives. It calls on top executives to certify company accounts. And it extends protection for whistleblowers: no company may “discharge, demote, suspend, threaten, harass, or in any other manner discriminate against an employee” because of any lawful provision of information about suspected fraud. (Tip-offs from insiders are by far the most common method of detecting fraud.)

The law's most complained-of provision, however, is its section 404. This makes managers responsible for maintaining an “adequate internal control structure and procedures for financial reporting”; and demands that companies' auditors “attest” to the management's assessment of these controls and disclose any “material weaknesses”. Draconian new criminal penalties await transgressors.

Worse than the disease?

The cost of all this is steep. According to one study that has attracted a lot of attention, the net private cost amounts to $1.4 trillion. This astonishing figure comes from a paper by Ivy Xiying Zhang of the William E. Simon Graduate School of Business Administration at the University of Rochester. It is an econometric estimate of “the loss in total market value around the most significant legislative events”—ie, the costs minus the benefits as perceived by the stockmarket as the new rules were enacted. In principle, this ought to reflect all the anticipated costs and benefits, direct and indirect, that impinge on company values. If this number were true, SOX would have to prevent an awful lot of unforeseen losses due to fraud before it could be judged a good buy.

To help see whether the estimate is plausible, can any more light be shed on different categories of costs? Direct costs are much the easiest to measure. A survey by the FEI, an association of top financial executives, found that companies paid an average of $2.4m more for their audits last year than they had anticipated (and far more than the statute's designers had envisaged). Deloitte, a big accounting firm, has said that large firms have on average spent nearly 70,000 additional man-hours complying with the new law.

This underlines a notable unintended consequence of the legislation: it has provided a bonanza for accountants and auditors—a profession thought to be much at fault in the scandals that inspired the law, and which the statute sought to rein in and supervise. The demand for accountants has surged to such an extent that the PCAOB has had to curb its own growth plans. In January, Thomas Hohman, the agency's CFO, told Accounting Today, “We would like more [experienced auditors], but we recognise this is a very tight employment market.” This shortage of personnel in a profession on whose shoulders the law has placed heavy new responsibilities is one of the uncertainties hanging over the act's future effectiveness.

Already reduced in number by consolidation and the demise of Arthur Andersen, the big accounting firms are now known more often as the Final Four than the Big Four, since any further reduction is thought unlikely. Section 701 of the new law instructed the General Accounting Office (GAO), the investigative arm of Congress, to look into the concentration of the accounting industry and its impact. The GAO, in its findings published in July 2003, said that there was a potentially unhealthy degree of concentration.

The Final Four—Ernst & Young, Deloitte, PricewaterhouseCoopers (PwC) and KPMG—audit 97% of all large companies in America. The GAO also noted that smaller accounting firms face “significant barriers to entry” and that “market forces are not likely to result in the expansion of the Big Four”. The American Electronics Association (AeA), which represents 2,500 companies and is an outspoken critic of the law, maintains that lack of competition “is significantly increasing the costs of section 404 certification”.

Last year a number of big companies switched to smaller auditors. AuditAnalytics.com, an online research company, reckons that the big firms lost more clients last year than they gained. After 25 years with PwC, Scientific Technologies, an instrument-maker with a turnover of $58m, switched to BDO, the largest of the pack pursuing the Final Four auditors. The company reckoned that the switch could cut its audit fees by 25-50%. Many firms have seen much bigger increases than that. According to AuditAnalytics.com, the fees paid by Advanced Micro Devices more than trebled last year. Bristol-Myers Squibb paid fees of $27.4m in 2004, more than twice as much as the year before.

The burden on smaller firms is a particular concern to the AeA and others. Regulators have already been obliged to bend the rules for them. Smaller companies were given extra time to file their accounts this year, the first in which they had to include section 404 reports. More such flexibility is likely in future. In December last year, the SEC set up a panel to review the act's impact on smaller companies.

The auditors emphasise that a good deal of the cost arises from a one-off learning process involved in first adopting the act's requirements. Samuel DiPiazza, chief executive of PwC and an enthusiastic advocate of the new law, says that the costs of applying section 404 were exceptional in the first year and will fall in due course. Eugene O'Kelly, the head of KPMG's American business, has said he reckons auditors' attestation fees related to section 404 should fall by 15-25% this year.

Less visible costs have also been incurred. Far harder to measure, these may be even larger than the direct costs—and would certainly have to be, if the total, net of private benefits, were ever to amount to anything like $1.4 trillion. Some non-American companies have threatened not to list in New York because of the cost of the legislation; others that have recently delisted from an American stock exchange are said to have done so partly because of Sarbanes-Oxley; and some 20% of public companies in a study by Foley & Lardner, a law firm, said that they were considering going private to avoid the costs of the act. It would be regrettable if a law intended to improve the quantity and quality of financial information available to investors led many companies to seek relatively unregulated forms or jurisdictions—but that does seem to be happening.

Another hidden cost which many business leaders complain of is the effect which the law will have in discouraging risk. Steps to discourage risks of the kind taken by Enron might seem entirely warranted—indeed, you might argue, that was the whole point of the law—but many of the statute's critics say that in threatening (as they see it) to criminalise ordinary business mistakes it goes too far. Small firms, put at a particular disadvantage by the added regulatory burden, also tend to be more inclined than big ones to take risks.

Be patient

What then of the benefits? PwC told the SEC, “The costs are tangible, quantifiable and immediate, while many of the benefits are intangible, harder to quantify and longer term.” Donald Nicolaisen, chief accountant of the SEC, echoed the sentiment: “I suspect that the costs are not easy to estimate,” he told an audience in October 2004, “but I know that it is even tougher to quantify the benefits.”

Michael Oxley, co-sponsor of the law, himself said earlier this year: “How can you measure the value of knowing that company books are sounder than they were before?” The chairman of the House of Representatives' financial-services committee acknowledged that the act, named after him and Senator Paul Sarbanes, imposes real costs on firms. It is, he said, “an investment for the future”.

This year, for the first time, companies have been filing the reports required by section 404. Fewer large companies are reporting problems with their internal controls than had been expected. Moody's, a rating agency, says that about 5% of the companies that it rates had reported material weaknesses up to April 1st this year, compared with the 10-20% that the market had been expecting. That figure might rise as smaller companies, which have been given an extension to their reporting deadline, start to file. There is also a fear that there may be a disproportionate number of problems with companies (typically retailers) whose financial year closed at the end of January.

Moody's says that the most serious control problems lie not with the reported delinquents, but with the late filers—the companies that were unable to get their reports to the SEC on time. This group includes notorious cases such as AIG and Fannie Mae, but also Delphi, a big car-parts manufacturer with close links to General Motors that has said it needs to restate its accounts back to 2001, and the Interpublic group of advertising agencies.

Moody's, a front-line consumer of financial reports, takes a positive view of the impact of section 404. In April it wrote, “We perceive that companies are strengthening their accounting controls and investing in the infrastructure needed to support quality financial reporting.” In the past, companies used to rely on their auditors for advice on many of their more complicated accounting issues. “Many companies,” says Huron, a consulting firm, in its latest review of financial reporting, “are just now realising how much they used to depend on their auditor, and that the burden is on them to adjust to a new reality.”

Because of Sarbanes-Oxley, firms now have to make accounting decisions for themselves. This has, says Moody's, “inspired companies to reinvest in accounting personnel”. It has also spurred many of them to look more closely at their business processes, the fountainhead of their raw accounting data.

At a discussion in April chaired by the SEC, the act was said to have had a “chilling effect” on the relationship between managers and auditors. A good thing too, you might say. Many of the problems at Enron remained hidden because the relationships between its managers and its auditors, Arthur Andersen, were far too warm, with accounting personnel even switching between the two organisations. A little chilling might be just what was needed. Big chunks of the act were explicitly intended to keep a distance between the two parties. Hence the limits on other services that auditors can provide to their audit clients, and the requirement that audit committees (the interface with the auditing profession) consist of independent directors receiving no other form of compensation from the company.

But will the law really help reduce financial fraud in corporate America—and by enough to justify its formidable costs? It might. It has certainly been a salutary reminder to corporate leaders that they are paid a lot of money because they are responsible for a lot of things—in particular, for ensuring that their companies' accounts provide investors with as honest a view as possible of the state of their organisation. At the end of April, Dennis Nally, the chairman of PwC (admittedly not a disinterested observer), said that he believes, over time, America will see “fewer incidents involving accounting fraud”.

Time will tell. But it is also possible that Sarbanes-Oxley will come to be seen as both too much and too little. In due course it might well be argued that the act was right to make the relationship between auditors and their “clients” more distanced and adversarial—but then went far beyond what was necessary in that respect by, among other things, imposing responsibilities on CEOs that they are not, in fact, in a position to discharge. At the same time, this argument might go, the underlying failures at Enron and the others were not accounting irregularities as such but other kinds of corporate-governance failure altogether, not even addressed by Sarbanes-Oxley. The first great post-SOX corporate scandal—you can bet there will be one—should be very revealing.

[May 19, 2005] Economist.com: American capitalism

Damaged goods. The American economic model is doing all right. It could be doing even better

LOOKING around the world, you do not see many economies, least of all rich ones, doing as well as America's. In the inexhaustible capacity of its private sector to innovate, in its seemingly unquenchable desire to reinvent itself, the United States still leads the world, and reaps the material rewards of that leadership. Its brand of capitalism appears to have something going for it—so it may seem churlish, even perverse, to wonder how much better a country as successful as this might do if it really tried. And yet it could indeed be doing better. That's right: American capitalism is not beyond improvement.

In 2001-02, at the height of the Enron scandal, and amid the other corporate debacles that stained the reputation of American business, that would have seemed too obvious to be worth stating. But concerns about corporate probity have receded of late. This is for a variety of reasons. One of them, or so its designers hope, was the Sarbanes-Oxley statute, the measure conceived in response to those scandals. But that law is not in fact proving to be the unalloyed blessing that its creators envisaged. Meanwhile, other flaws in the American business model remain unattended to; they were simply not addressed by SOX (as it is now, not always affectionately, known). So, pleasant though it must be for the United States to contemplate the current performance of the continental European alternative, it would be wrong, as well as unAmerican, to be complacent. There is still some work to do at home.

Repent at leisure

The trouble with Sarbanes-Oxley is that it was designed in a panic and rushed through in a blinding fervour of moral indignation. This is not to say that the problems it addressed were imaginary. The calamities at Enron, WorldCom and the others warranted remedial action. And accounting failures—the focus of SOX's efforts—were undoubtedly among the things that went wrong. But it would be difficult to argue that mere book-keeping was the main thing. Yes, it is outrageous that the true state of those companies was disguised. But when firms collapse that way, it is usually because they have borrowed too much and squandered the money. Accounting impropriety may conceal those errors, for a time, but is hardly ever the main cause. Bad business judgment, with or without criminal intent, is far more often to blame. And bad economic policy can sometimes contribute to bad business judgment.

Sarbanes-Oxley was right to attack the long-recognised conflict of interest in the audit profession, and to put some distance back between a company's auditors (who are there to safeguard shareholders' interests) and its managers (who sometimes forget that that is their job too). This needed to be done, and in fact the act might have gone even further in this respect. But the statute, carried along by rage and by the desire of Congress to do something dramatic, ranged wider than was necessary to achieve that particular goal. Its daunting requirements on managers, with the threat of severe criminal penalties to back them up, are imposing substantial costs, direct and indirect, on American business (see article).

The book-keeping industry, having been fingered (wrongly) as the main culprit in the great scams of recent years, is suddenly elated: thanks to Congress, its incomes are soaring. On the other hand, many of the men actually running American business, not all of them robbers or frauds, are dismayed. Congress has made their job harder—and, ultimately, it is the economy at large that will bear the cost. Fortunately, some of this excess burden is already being lightened, as calls for a less rigid interpretation of the law are heeded. More “flexibility” of that sort, as it is called, would be welcome.

A world beyond audit

The rest of a suitably ambitious agenda for improving the performance of American capitalism might run as follows: genuine, as opposed to phoney, corporate-governance reform; tort reform; tax reform; and corporate-welfare reform. The Bush administration seems to be keen on some parts of this package, but is decidedly opposed to others.

The challenge for corporate-governance reformers is easily stated: to hold managers more accountable to shareholders. However, one can only expect so much of auditors, with or without SOX, or regulatory agencies, of which America has no lack. It would be more fruitful to pay attention to the market for corporate control. Nothing is better calculated to make managers concentrate on pleasing the owners than the threat of a possible takeover. Policy should aim to invigorate this market—whereas at present, through an unplanned accretion of statutory and judicial interventions, it does the opposite.

The Bush administration rightly advocates tax reform and tort reform, both of which are needed to iron out mangled economic incentives. But advocacy is no substitute for action. The tax system cries out for radical simplification—which is apparently not what Mr Bush intends. Recent changes to the taxation of dividends have helped to lessen the tax code's bias in favour of borrowing, but this harmful distortion has by no means been removed. It is one of the main ways in which policy leans on households and businesses to take bigger financial risks than they would if left to their own devices.

A fine way to deal with this would be to cut corporate taxes (against which debt service can be deducted, hence the pro-debt bias); and an excellent way to pay for that would be to launch an assault on corporate welfare—the $100 billion a year or so, conservatively estimated, of special-interest subsidies and handouts that the government pays to American businesses. Preferably, don't just cut that lot, eliminate it.

This last recommendation is one that George Bush will be especially reluctant to accept. Mr Bush is the classic instance of a conservative politician who confuses support for particular businesses with support for enterprise in general. These seemingly similar ideas are in fact directly contradictory. The way to support enterprise—American enterprise, the best in the world—is to be as unEuropean as possible. Mr President, look at France. Notice their economic policies. See how they subsidise this and protect that. Do we have to spell it out?

New laws to drive '04 security agenda - Computerworld

WASHINGTON -- The need to comply with an array of complex data laws will dominate the security agenda in 2004, according to attendees at the Computer Security Institute conference here last week.

As in previous years, IT security managers expect to spend considerable time and resources fending off destructive intrusions and insider threats.

But the most daunting challenge will be dealing with laws such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, California's SB 1386 privacy law and international data integrity and privacy laws, they said. As a result, the emphasis will be on issues such as:

"As far as my business and industry in general goes, the single biggest driver is compliance with all the new data and privacy laws," said Michael Kamens, global network security manager at Thermo Electron Corp., a $2 billion manufacturer of scientific equipment in Waltham, Mass.

As a publicly traded U.S. manufacturer with multinational operations, Thermo has to deal with compliance issues ranging from Sarbanes-Oxley to a Chinese encryption requirement that involves filling out forms in Mandarin. "It is requiring me to quadruple the effort that I have to put in on a daily basis to ensure that my company is in compliance and that I'm safeguarding its good name," Kamens said.

United Government Services LLC, a Milwaukee-based provider of administrative and consulting services for publicly funded health care systems, is governed by 400 security requirements issued by the Centers for Medicare and Medicaid Services. Meeting all of them will be a "very large driver" of security efforts next year, said systems security officer Todd Fitzgerald.

For the most part, the efforts will focus not on technology improvements but on implementing security policies and management processes to ensure regulatory compliance. "It's a process that will involve spending a lot more time working with management and end users, educating them on what the security risks are," Fitzgerald said.

Third-party connectivity issues are a priority at St. Jude Medical Inc. in St. Paul, Minn.

As a $1.6 billion manufacturer of cardiovascular equipment, with 15 facilities worldwide and customers in 120 countries, St. Jude has to make sure it avoids liability for security breaches involving its supply chain or business partners, said David Stacey, global IT security director.

"Regulation is a massive issue, and most organizations are clearly not ready to deal with the myriad issues and details involved," said Ben Rothke, a senior security consultant at Thrupoint Inc., a management services company in New York.

Complying with data regulations will mean turning traditional notions of the IT security function and its role within organizations upside down, said Terri Curran, director of research at the Center for Digital Forensic Studies Ltd. in Auburn Hills, Mich.

"CSOs in the near future are going to have to get more creative about things like privacy, risk acceptance, forensics, industry-related regulations, and state and federal laws that are really going to affect them," Curran said.

Former White House cybersecurity czar calls for security audit standards - Computerworld

OCTOBER 20, 2003 (COMPUTERWORLD) - LAKE BUENA VISTA, Fla. -- Former White House cybersecurity expert Richard Clarke yesterday called for stronger standards for security audits of U.S. companies, saying congressional action is needed.

"The Securities and Exchange Commission thinks it can [require audits] under its existing authority, but what I'm predicting is it will be a very vague statement and there will be no real auditing against that standard," Clarke told reporters at the opening of Gartner Symposium ITxpo 2003 here. Clarke is now a private security consultant, serving as chairman of Good Harbor Consulting LLC in Arlington, Va. He joined Good Harbor in July.

"You've got to have a relatively specific standard ... with some real probability that someone will show up at the door to audit. That will take a congressional act," he said.

Clarke also said standards should encourage automatic audits, so network probes could quickly determine security levels, "instead of bringing in PriceWaterhouse for $500,000" to do the audit.

Similar to banking audits, only 90% of what will be audited should be known, so companies won't prepare for audits and nothing else, he said.

Clarke, who resigned from his U.S. government cybersecurity role in January after serving in three administrations, made his comments after being asked about Sarbanes-Oxley Act and Health Insurance Portability and Accountability Act security requirements. Both federal mandates require companies to provide security certification. But "what do they certify, and who is going to say that they are wrong?" Clarke asked.

He also criticized Homeland Security Secretary Tom Ridge's recommendations for security certification as ineffective. "Frankly, it was Tom Ridge's idea that there be a Y2k-like statement [about security protection steps] to the SEC, but if that happens, it is going to be at such a high level of aggregation that you are never going to know what it means," Clarke said.

Asked if cybersecurity failures could have caused the power blackout in Canada and the Northeast in August, Clarke ticked off a string of power outages and attacks on energy systems globally in recent months, including the loss of power throughout Italy in September. "We don't know what caused any of these so far," he said. "We do know that Norway and Israel at least are saying there were cyber-hacking attempts to bring down the power grids in their countries.

"If the Aug. 14 outage was not caused by a hack attack, could it have been?" Clarke said. "Could you bring down the power grid with a hack attack? I fully believe the answer is yes."

Clarke also endorsed new technology from PGP Corp. in Palo Alto, Calif., and is expected to take part in a presentation on behalf of that company today at the symposium. PGP last month announced the first version of its Universal product, which is designed to automatically provide end-to-end e-mail security. The burden of protecting critical information resides on the network and not a user's desktop, reducing the security burden on end users, Clarke and company officials said.

Generally, IT managers need to make security encryption as automatic as possible, he said. "The key here is whoever makes the decision to use encryption in the organization [so] that after that, it becomes automatic," Clarke said. "Establishing elaborate systems [for security] is a pain in the ass, frankly, and they require lots of people to run them, and that's why they don't work and why people don't do them."

Clarke also noted a humorous personal problem with unsolicited commercial e-mail, saying that last week he got a spam from himself. He said it was obviously because somebody or some program had spoofed his e-mail address and then sent the spam with his address back to him.

Clarke said it would be "really easy" for e-mail users to start their personal "do not call" lists for e-mail by taking any of several programs now available to allow e-mail only from certain people, which could be combined with e-mail encryption to provide a private system.

Spotlight on Sarbanes-Oxley Rulemaking and Reports

Sarbanes-Oxley mandates lead to IT certification push - Computerworld

CEOs and chief financial officers who are obligated by the Sarbanes-Oxley Act to stand behind the financial accounting controls used by their companies are increasingly asking operating units, including IT, to certify that they have put adequate safeguards in place.

"I'm hearing a lot of discussion about that," said Chris McLaughlin, global director of financial services marketing at FileNet Corp., a Costa Mesa, Calif.-based software vendor that sells document management tools for use in Sarbanes-Oxley compliance projects.

With CEOs and CFOs now being held accountable for the accuracy of the financial reporting at their companies, "they are looking for ways to distribute that responsibility downward through their organizations," McLaughlin said. That includes asking IT managers to certify the systems used to process financial data, he added.

Some companies are doing internal audits using certification standards such as SAS 70 to give their IT operations the equivalent of a Good Housekeeping Seal of Approval.

SAS 70—known formally as the Statement on Auditing Standards No. 70, Service Organizations—was developed by the New York-based American Institute of Certified Public Accountants.

In addition, some outsourcing vendors have started offering SAS 70 audits to their clients. That was an unexpected windfall for Energy Absorption Systems Inc. after the Chicago-based maker of highway crash barriers hired an application service provider (ASP) earlier this year to manage its finance applications.

"We see them as another group to help us improve on our internal controls," said Bob Latek, senior vice president and controller at Energy Absorption Systems.

Latek, who spoke at an IT conference for CFOs last month, said that letting the ASP run the certification process should help his company cut its Sarbanes-Oxley compliance costs in half "and save us a lot of time, too."

Anthony Noble, director of IT audits at Viacom Inc., said that at the next meeting of the company's divisional CIOs in January, he plans to raise the issue of whether the New York-based parent company of MTV, CBS, Blockbuster Video and other entertainment businesses should conduct IT certifications.

Noble said he understands the potential usefulness of such certifications as a sort of "life insurance policy." But he added that he's skeptical about the way some big auditing firms are using SAS 70 as a sales tool to generate incremental business through Sarbanes-Oxley consulting deals.

Ed Trainor, senior vice president of information systems at Paramount Pictures Corp., a Hollywood-based Viacom unit, said IT certifications "are a commendable thing to do for a variety of reasons." However, they "require a considerable investment, and the benefit must be weighed against other needs and priorities for scarce resources," added Trainor, who is also president of the Chicago-based Society for Information Management.

The SAS 70 Type II report that companies can use to document the effectiveness of their internal IT controls will have to be updated to meet requirements specific to Sarbanes-Oxley, such as quantifying the extent of testing done on financial systems, said Lynn Edelson, a Los Angeles-based consultant at PricewaterhouseCoopers.

Gold Wire Technology News & Events Press Releases

Formulator Three PLUS Assures the Integrity of the Infrastructure that Runs the Enterprise; Quickly Demonstrates Process Compliance, Enhances Access Control Security, Reduces Risks & Downtime

The Formulator® line of appliances adds standards verification features to meet today's stringent regulatory and standards compliance requirements such as Sarbanes-Oxley Section 404, AICPA SAS 70, ISO 17799 and FFIEC. The new Formulator ThreePLUS software also incorporates UNIX server access control, expanded network device support, and new modular software packaging. Formulator helps business officers quickly verify and demonstrate process compliance for access control, change accuracy and data privacy as mandated by external and internal regulations.

With Formulator ThreePLUS, operating executives can secure essential infrastructure, minimize the risk of control errors, accelerate the resolution of exceptions and improve availability. They can easily demonstrate and document the effectiveness of their underlying business processes and, through this single integrated platform, assure the integrity of the infrastructure — UNIX servers and network devices — that supports critical enterprise missions. Customers now using Formulator include Bear Stearns, automotive applications service provider ADP Dealer Services, a major office supply retailer, Fortune 1000 enterprises and Federal government agencies. Formulator ThreePLUS is available now and sold directly by Gold Wire Technology.

Today’s tighter regulatory climate demands that CFOs, CIOs, corporate security heads and network operations executives go beyond putting controls in place; they now must demonstrate they are enforcing and verifying compliance with a widening set of standards and regulations. Yet decentralized networks are inherently challenging to configure, monitor and control — exposing the business to expensive compliance breaches, security incidents, and revenue-impacting downtime caused by human error.

Gold Wire Technology's Formulator ThreePLUS assures that network and security personnel can demonstrate tight control of a large, multi-vendor server and network device infrastructure. It consolidates access to the systems that comprise the infrastructure: pre-verifying that desired changes conform to security standards, generating real-time "Who/What/When/Where" forensics of operator access and configuration changes, and then correlating this data with complementary network-wide event data. Formulator ThreePLUS reduces operator-induced network vulnerabilities and speeds corrective action in the case of disasters or mistakes, increasing availability. The system lets executives focus on managing their business, knowing that their teams can demonstrate compliance verification with minimal effort when required, and that effectiveness and enforcement is standard operating procedure.

Network configuration tool upgrade targets Sarbanes-Oxley compliance - Computerworld

Gold Wire Technology Inc. today announced a software upgrade for its Formulator line of network configuration management appliances, adding features that it said can help users meet the requirements of the Sarbanes-Oxley Act and other regulations.

Waltham, Mass.-based Gold Wire also said the new release will be able to track configurations of Unix servers in addition to its existing support for network devices made by vendors such as Cisco Systems Inc. and Nortel Networks Ltd. The upgrade is available now; pricing for Gold Wire's Formulator 200 systems starts at $22,000, plus a per-user license fee of $275.

Jim Sherer, director of ASP operations at ADP Inc.'s Dealer Services unit in Hoffman Estates, Ill., said he plans to test the new Formulator release within the next month. The company, which provides computing services to 6,500 auto dealers in the U.S., has been using Gold Wire's current version since February to track changes to systems that are maintained by 1,700 technical support workers.

The new regulatory compliance component is "extremely important" to ADP Dealer Services as it seeks to run required security audits on its systems, Sherer said. Gold Wire's technology should help the ADP unit track end users and check whether they have proper authentication, he said.

In addition to the regulatory features, the upgrade gives users increased reporting capabilities, Sherer said.

Gold Wire is part of an emerging group of network configuration management vendors that also includes Voyence Inc., AlterPoint Inc. and Rendition Networks Inc., said Glenn O'Donnell, an analyst at Meta Group Inc.

"They're all trying to demonstrate a way to do configuration better, since it's a horribly manual state of affairs right now with lots of errors and inconsistencies," O'Donnell said. He added that Nortel's Optivity technology and Cisco's CiscoWorks software can manage configurations for their respective devices but not for a diverse network.

Users struggle to pinpoint IT costs of Sarbanes-Oxley compliance - Computerworld

Sarbanes-Oxley readiness costs can be hard for companies to pin down, partly because complying with the new financial reporting law isn't a one-time event like Y2k, several IT managers said last week.

Eastman Chemical Co. hasn't even tried to evaluate the IT costs associated with its Sarbanes-Oxley Act compliance initiative, because the work is viewed as "an ongoing effort," said Mark Montgomery, director of administrative operations support and technology systems at the Kingsport, Tenn., company.

Montgomery and other executives said Sarbanes-Oxley's requirement that companies annually document and attest to the effectiveness of their financial controls means compliance work will have to be done on a continual basis.

"A lot of people have this mind-set that it's a one-time project," said Kyle Didier, vice president of finance at Regis Corp., a Minneapolis-based operator of 9,700 hair salons in the U.S. and Europe. But Didier added that he expects Regis to test its internal financial controls as an ongoing process, using software called Certainty that was developed by Movaris Inc. in Campbell, Calif.

Regis has been working on Sarbanes-Oxley readiness for the past nine months and expects to complete the documentation and testing phase by the end of December. Didier said the company expects to spend slightly more than $100,000 on IT over the course of its compliance effort. That includes both software and manpower costs, he added.

John Van Decker, an analyst at Meta Group Inc. in Stamford, Conn., said most companies currently are focusing on Section 404 of the law, which spells out the requirement that CEOs and CFOs certify the effectiveness of the financial controls they have in place. Companies with market capitalizations of $75 million or more have to comply for fiscal years that end on or after June 15, 2004. Smaller businesses and foreign-owned companies have until April 15, 2005.

Financial Executives International, a Florham Park, N.J.-based association of corporate finance managers, surveyed its members last May on cost estimates for complying with Section 404. On average, the 83 respondents said they expect to spend $480,000 on software, consulting services and employee training in advance of the compliance deadlines.

Mark Nagelvoort, vice president and internal control manager at Hudson United Bank in Mahwah, N.J., said the subsidiary of Hudson United Bancorp expects its IT costs tied to Sarbanes-Oxley to come in at less than $500,000, though he declined to be more specific. That includes the bank's use of a software tool called SOXA Accelerator from HandySoft Global Corp. in Vienna, Va., plus expenses for 10 IT staffers who will spend between 5% and 10% of their time working on Sarbanes-Oxley readiness.

"We're saving significant dollars because we're utilizing almost all in-house personnel," Nagelvoort said. And because the banking industry is highly regulated, much of the information that Hudson United needs has already been documented for internal and external auditors, he added.

John Hagerty, an analyst at AMR Research Inc. in Boston, estimates that Fortune 1,000 companies on average will spend about $2.5 million on Sarbanes-Oxley work this year. Technology costs represent just 5% to 10% of the overall tab, Hagerty said, although that doesn't reflect the cost of IT-related staff time being dedicated to compliance efforts.

Hagerty added that it's tough to pinpoint an average IT spending figure for Sarbanes-Oxley "because it's influenced by organizational and systems complexity." For instance, a company with $5 billion in annual revenue and highly centralized business units and IT operations might spend $3 million on compliance, while a similar-sized company that's decentralized could end up spending $10 million, he said.

[Feb 12, 2004] NYT/European Companies Seek New Ways to Avoid Compliance With U.S. Laws

EUROPEAN companies, worried about the costs and restrictions of complying with the Sarbanes-Oxley Act, are mounting a drive to make it easier for them to stop complying with United States securities laws.

In a letter to William H. Donaldson, the chairman of the Securities and Exchange Commission, 11 organizations saying they represented 100,000 European companies, including more than 100 whose securities are traded in the United States, asked for changes that would make it easier for them to stop being registered with the S.E.C.

The letter was made public Wednesday.

While some European companies are "quite satisfied with their experience in the U.S. market," others have concluded that the costs are not worth the benefits, said the letter, which was signed by business leaders including Alain Joly, the president of the European Association for Listed Companies and the chairman of the supervisory board of Air Liquide, a company that has chosen not to list on a United States exchange.

Edward F. Greene, a partner in the London office of Cleary, Gottlieb, Steen & Hamilton, who prepared a proposal for changes in United States rules for the European companies, said, "There is a feeling of, 'Why do you want to have a U.S. listing?'"

"The costs of Sarbanes-Oxley have been substantial," he said. "The hidden sleeper has been the upcoming attestation of internal controls. It really is a substantial effect on costs and audit fees."

The rule he referred to, which will affect foreign companies starting in 2005, requires corporate executives to certify that internal financial controls are adequate and requires outside auditors to certify that the management's conclusions are accurate. Companies have complained that this will raise audit fees substantially.

Mr. Greene, a former S.E.C. general counsel, said that many companies were also concerned about a ban on company loans to executives. That provision was included in Sarbanes-Oxley when it was passed in 2002 in the aftermath of the Enron and WorldCom scandals, each of which involved loans to executives.

Under current law, a company that wants to sell securities to the public in the United States, or to list securities on a market there, such as the New York Stock Exchange or the Nasdaq, must reconcile its financial statements to United States accounting rules and comply with American securities laws, including Sarbanes-Oxley.

A company that no longer values a United States listing can easily delist from the exchange, Mr. Greene said. But it remains subject to the securities laws unless it can show that it has fewer than 300 American investors. To do that, it must conduct research to determine who its actual shareholders are, regardless of whether those holders bought the shares in America or overseas. That is a difficult standard to meet, and even if it is met, the company might have to resume complying with the American rules in a later year if the number goes back above 300.

So the European company associations have proposed that European concerns be able to drop their registration if they delist and show that less than 5% of their total share volume is in the United States. That would cover many prominent European companies, including some that trade in substantial volume in New York. For example, hundreds of thousands of shares of Deutsche Telekom, the German telephone company, are traded each day on the Big Board. But that volume is dwarfed by its volume in Germany.

The proposal by the European companies would not apply to Japanese or other overseas companies because it assumes the European companies would follow new international accounting standards, as they are expected to do beginning in 2005, although some European companies are resisting the international rule on accounting for derivatives. The companies would have to provide English translations of the financial statements they filed at home, but would not need to adjust them when American rules would produce different numbers.

An S.E.C. spokesman in Washington declined to comment on the letter. But the proposal is likely to run into some opposition in America, since it would be seen as a step on the road to acceptance of international standards as being equivalent to American ones.

European companies that have listed in the United States have done so in some cases to be able to use stock to acquire American companies, or to gain access to American capital markets. But many have found that American institutional investors are willing to buy shares overseas, wherever the most liquidity is. And companies that are not listed in the United States can sell securities there in private offerings, under an S.E.C. rule known as 144A, so long as the buyers are institutional investors.

"As a result," the letter said, "many of our member companies with U.S. listed securities find that they have no greater access to the U.S. market than other companies whose securities are listed only in Europe."

[Nov 24, 2003] Panel: Beware of Sarbanes-Oxley barriers, pitfalls - Computerworld, by Thomas Hoffman

CEOs and CFOs may be the ones on the hook to certify their organizations’ financial controls and procedures under the Sarbanes-Oxley Act, but IT executives had better be paying attention, too.

Among other things, CIOs will need to determine whether they need directors and officers insurance in case financial missteps at their companies lead to shareholder or investor lawsuits in which they could be named as defendants. Meanwhile, they will also have to figure out how to allocate staff resources between Sarbanes-Oxley efforts and other critical projects.

Those were a few of the topics discussed at a Sarbanes-Oxley panel discussion held on Thursday at a meeting in Rye Brook, N.Y., of the Fairfield County, Conn., and Westchester County, N.Y., chapter of the Society for Information Management.

The panelists were Patti Roer, associate counsel at Wiggin & Dana LLP in Stamford, Conn.; Christopher Keegan, regional practice leader for information risk at Marsh-FINPRO in New York; Mark Keeley, a partner at PricewaterhouseCoopers LLP in Hartford, Conn.; and Hank Zupnick, CIO at GE Real Estate in Stamford, Conn.

Questions were posed by Computerworld’s Thomas Hoffman, the panel moderator and by members of the audience.

Excerpts of that discussion follow.

What are the biggest stumbling blocks that companies are facing in their Sarbanes-Oxley initiatives?

Keeley: The amount of resources they think this is going to take. Companies are really struggling with how broad this needs to be. You don’t have to assign resources to do all of your procedures all over again. [Most companies] have procedure policy manuals in place.

What’s the status of GE’s compliance efforts?

Zupnick: General Electric, which GE Real Estate is a part of, has taken a very proactive and aggressive approach to Sarbanes-Oxley. The government mandates that [the deadline for] compliance is June 2004 [for publicly held companies with a market cap exceeding $75 million], but we will be fully compliant by the end of this year.

We’ve determined that good governance is good business. We believe it will build and maintain investor confidence, and customer confidence as well. So we are looking at our processes and our procedures and making sure that they are all air-tight.

One of the biggest challenges is estimating the amount [of staff time and work] that is needed. Sarbanes-Oxley has not yet been tested in the courts. And what company wants to be the test case because they haven’t done as much as they should have?

Patti, what are the legal issues you’ve been focusing on most with clients?

Roer: The biggest area we’ve been dealing with is document management, document retention and destruction policies. A lot of the work falls on in-house legal counsel, but we’re finding more and more that the role of the IT staff [in locating and isolating data] is critical.

Do middle managers need to obtain directors' and officers' (D&O) insurance in the event of shareholder or investor lawsuits? What are the D&O implications for IT executives?

Keegan: From a Sarbanes viewpoint, we’re looking at the board of directors. They’re responsible for pushing this down through the ranks.

That’s not to say that if you’re not on the board you shouldn’t have insurance. [Shareholders and investors] will sue anybody and everybody they think has responsibility for failure [over controls]. Whether you’re legally responsible for those decisions or not, you may end up with defense costs.

Because companies will have to document and certify the procedural controls they have in place, will this prevent companies from outsourcing?

Keeley: Some of my more astute clients have said, "This is not new stuff. Controls are controls." They [the SEC] are asking the same thing in this controls framework that they were asking 10, 20 years ago.

If you outsource controls, you should ask your outsourcer to prepare a report for you with a SAS 70 opinion [an IT certification approach]. That’s been around for over a decade, and that takes you a long way toward Sarbanes [compliance], because it shows that the outsourcer has had to go through that controls exercise.

What do CIOs need to concern themselves with?

Zupnick: Suddenly you’ve got a significant project that won’t add a penny to your bottom line and won’t take out a penny in costs. I have to take people out of revenue-enhancing projects or cost-cutting projects and put them on this other thing. There’s a challenge in getting management understanding in why these things are critical.

Another critical thing is engaging the right people. Consultants like PricewaterhouseCoopers can help answer questions, but you’ve got to do the job yourself with your own staff. The people who have the most detailed knowledge about your processes and your financial systems are the people in your organization, and you’ve got to involve them and you’ve got to figure out how to pull them away from their day jobs.

Recommended Links

Parkinson's law - Wikipedia, the free encyclopedia

Parkinson's Law, by Prof. Cyril Northcote Parkinson

Sarbanes-Oxley Act - Special Coverage

Eurekify Sage for Compliance with Sarbanes-Oxley Section 404 Regulations

Users struggle to pinpoint IT costs of Sarbanes-Oxley compliance

Bring On the Scrutiny

Data destruction: What they can't find can get you 20 years

The New Rules of Storage

Reference

Sarbanes-Oxley - Financial and Accounting Disclosure Information

Critique

[Jan 23, 2004] Floyd Norris: Too Much Regulation; Corporate Bosses Sing the Sarbanes-Oxley Blues

"They've gone too far," the chief executive of a large American company complained. "Our audit bill is going to double."

Two years after Enron collapsed, complaints of overregulation are beginning to be heard. "Corporate America is spending an awful lot of money on internal controls that are not benefiting shareholders," said that chief executive, after getting assurances his identity would be protected.

A survey of global chief executives released by PricewaterhouseCoopers at the World Economic Forum found that 59% viewed overregulation as a significant risk or, worse, one of the biggest threats to the growth of their companies, far more than viewed global terrorism or currency fluctuations as posing major risks.

What has alarmed many is Section 404 of the Sarbanes-Oxley Act, which requires chief executives and chief financial officers to certify the adequacy of their internal controls. Then outside auditors must attest to that opinion.

That provision is not in effect yet, but many companies are going through 404 audits this year to get ready. The idea is to find problems while there is still time to fix them without getting a bad audit report.

And it is working. In recent years, said Dennis M. Nally, the United States chief executive of PricewaterhouseCoopers, "internal controls were a passing thought" to many auditors. Now, "the opportunity on 404 is for companies to look at controls and systems and see if there is a more efficient, effective way."

That is especially true at companies that have made a series of acquisitions. Standardizing controls was seldom a priority. In some of the audits now being done, companies are learning that their controls do not mesh, just as their computer systems sometimes did not.

"We are finding things that need to be changed," said William G. Parrett, the United States chief executive of Deloitte Touche Tohmatsu. But he said it was too early to know if the benefits would justify the costs.

Even the chief executive who was so angry over rising costs conceded that his auditors had found issues in the company's treasury operations that needed fixing.

Additional spending on controls may be wasteful for some companies, but improving controls could be critical for others. Good controls can create environments in which it is much harder for crooked bosses to make the changes in financial records needed to create phony profits and in which honest bosses can be confident that the numbers they are being given are accurate.

The new audit report on controls could also provide a useful change to the pass-fail audit system of the past, when auditors never commented on the quality of a company's accounting, just on whether it met minimal requirements of complying with the rules. That is still true for the main audit: auditors are supposed to discuss quality issues with audit committees, but not tell the public.

But the attestation of controls could take a different path. No company's controls are perfect, and it would be good if auditors were able to comment on shortcomings without infuriating companies - or panicking investors over relatively minor issues.

Some chief executives are not worried. "For big, established companies that already do the right thing, it's no big thing," said Michael S. Dell of Dell Computer.

But he also passed along a song being circulated on the Internet about a supposed chief executive who has nightmares about being led away in handcuffs.

"I really miss the good old days, when I told my board what to do," he sings. "Now my audit committee is slapping me silly. Got the Sarbanes-Oxley blues."

[Jan 7, 2005] MSNBC - Sarbanes-Oxley: A sense of 'siege'. A Q&A with Treasury Secretary John Snow on corporate reform

As a former business leader, Treasury Secretary John W. Snow is well aware of difficulties that Washington policymakers can cause for Corporate America. So it's not surprising that when company chieftains complain about the costs of complying with the Sarbanes-Oxley corporate-reform laws, he listens.

In an interview with BusinessWeek Senior Writer Rich Miller on Jan. 4, Snow shared his thoughts on what should, and shouldn't, be done in response. Edited excerpts of his remarks follow:

Q: Should Congress consider modifying Sarbanes-Oxley?

A: I don't think that's the real problem. Sarbanes-Oxley was critically important legislation that met a real need for the country at the time of those scandals ... Sarbanes-Oxley played a very important role in reaffirming the norms of good corporate behavior, and, in some ways, I think [it] was absolutely essential. Corporate capitalism depends on trust.

Q: Are the regulators enforcing the law too aggressively?

A: The concern is with balance. The important thing is that, as fraud is dealt with, we recognize that all mistakes aren't fraud. It's important not to criminalize innocent mistakes. The nature of business is that you aren't always going to be right ... We ought to make sure, to the extent we can, that the regulators, the litigators, the prosecutors, and so on are working in a way that isn't excessively duplicative or burdensome, creating untoward risks of multiple prosecutions and regulatory investigations. 

Q: Has the balance shifted a little bit too far in that direction?

A: I think we need to look at that question. It's an important question. I get a sense — and you can't quantify this — but I get a sense that the system may have become too prosecutorial, and without enough consultation between and among the regulators and the prosecutors. The sense that many businesspeople have is that they're under siege from serial investigations, and serial regulatory prosecutions, and criminal and civil prosecu