Enterprise Applications - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Enterprise Applications


The Security Side of Sarbanes-Oxley



 By: Larry Loeb
2005-10-03
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Enterprise Applications story.


  Table of Contents:
  1. The Security Side of Sarbanes-Oxley
  2. ' Control of Multiple Locations '
  3. ' Making Documents More Reliable '

Rate This Article:
Poor Best
The Security Side of Sarbanes-Oxley
( Page 1 of 3 )

Many executives believed some extra regulation was needed, but few are enthusiastic about Sarbanes-Oxley; some have delisted their companies to get out from under. But what is it and how does it affect you? What is SarbOx anyway?

The Sarbanes-Oxley Act of 2002 is a set of rules passed by Congress in order to force American public corporations to document every sale and financial exchange that could have a material effect on the business.

SarbOx also requires top executives to review and sign off on financial results so CEOs hauled up on charges related to creative bookkeeping cant claim to have been unaware of number-shuffling that may have misled investors and regulators.

The implementation of SarbOx, however, is more than just a change in some accounting and accountability rules. It amounts to an overhaul in the way America will do business in the future.

Compliance with SarbOx is a big deal to senior management, because a violation of the act—in this case, failure to comply—can bring them up to 20 years of jail time and fines up to $5 million. That sort of penalty tends to concentrate a CEOs focus beautifully.

The Cost of SarbOx

While many executives agree that some law was necessary, many have also become disillusioned with the drain on time and resources that it requires.

Resource Library:
These requirements can fall disproportionately hard on smaller public companies, many of which have less formal financial-reporting processes than larger older companies, and fewer staffers to create or execute any newly required processes.

USA Today reported in October 2003 that one such publicly traded company—hardware wholesaler Moore-Handley, which had 2002 sales of $151 million—was going so far to avoid falling under SarbOx rules that it was delisting itself from the Nasdaq exchange.

Company executives estimated compliance would cost the company $250,000, but Moore-Handley had only made a net profit of $300,000 in the last fiscal year. So it made economic sense for Moore-Handley to react the way it did.

This kind of cost consequence may spread to other companies as well.

It may be that in the future only companies worth $100 million or more may be able to afford being publicly traded, and thus fall under SarbOx regulations.

A Foley & Lardner survey of 32 midsize public companies found that they predicted an average of 105 percent increase in accounting costs, a 90 percent increase in legal costs, an increase in costs due to lost productivity of 102 percent, and an increase of 266 percent in compliance personnel cost.

Overall, the companies surveyed expected an increase of 90 percent over their 2002 accounting costs just to comply with SarbOx.

While a cost increase is to be expected when first complying with any regulatory change, the total cost over time may not be as high as an initial cost outlay might indicate.

Once a coping mechanism is in place, the business only has to maintain a new process instead of developing and installing it.

Maintenance is usually cheaper than development, so it would be reasonable to expect compliance costs (aside from the direct labor costs necessary) to decrease over the long term.

So, there will undoubtedly be increased costs of doing business due to SarbOx, but they should settle down somewhat once an appropriate solution has been devised.

Section 404

One of the most critical sections of SarbOx carries the identifier of section 404.

It requires the management of a public company to assess the effectiveness of the companys internal control over financial reporting (as of the end of the companys most recent fiscal year).

Section 404(a) of the Act also requires management to include in the companys annual report to shareholders managements conclusion (made as a direct result of the assessment previously mentioned) about whether the companys internal control is effective.

SarbOx forces individual managers to legally commit to the veracity of the internal controls in use, something that had never before occurred in the United States.

Section 404 of the Act (as well as Section 103), directs the Public Company Accounting Oversight Board (PCAOB, which is the private-sector, nonprofit corporation set up by SarbOx to oversee implementation that answers to the Securities and Exchange Commission which, in turn, has the ultimate responsibility to see that SARBOX is carried out) to establish professional accounting standards governing the independent auditors attestation, as well as reporting on managements assessment of the effectiveness of internal control.

That means whatever internal control system is in place for the audit is graded on criteria set down by the PCAOB.

The PCAOB has considered the possible effects of the proposed standard on small and medium-sized companies, noting that internal control is not "one-size-fits-all."

So, the board has defined examples of what not to do.

It has identified circumstances that would be a very strong indicator that there exists a material weakness in the internal controls.

Next page: Control of multiple locations.





  Reader Comments: The Security Side of Sarbanes-Oxley
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Enterprise Applications Articles          >>> More By Larry Loeb
 


x}r㶲s\@♵MHS%Zc[^ffT(S$I~u~|.dLb["h4y$sG3L{L.cfQ;uOuޙ%w6{&(ˑԫѩe軫F]̱]kkHNშ :#:@.Ps< ;s:&wes/cߨ`&`1Zm8lR j9a?xh='@IR(áh] ( )w,8$a}#$aT|+PPe*G -;WжD^ > EeSs^/;YHM~gDrV*4D>-ĆP u.kzQҏZ-pX(*.C=-bv=ӧ0CF_8ri[򳹥}o__]wzmo]w'>ߙecfy3jPAf(`W:K㝩S9i<_st.[ݛ9^VSCVJAͼ94o ߦA@w[@ K:YK70Sh_g]=w a4z@L4&:h)5?&Țb.L2o<|SPJ{mR—U/(_. jF|*(If(;΀/3A.r)i  6=aL+^9/-j\Gaw9Q] \M޼G\zc'fuEzW^?]{i8^%g 5F8 ie4%!8WG5MBfvX}U95|Qnl 2XjXvR7HYA^݇`: ivڔzhSOaΦfۉ9~4$AC66^lzK 4}b>'ݨä 7X(<cOgv/|\aPn=W=H]6(Zχ`jc˦M@B9{ǻޚB<QС4|aqjQ]*~h3-w= | wA,߃9#z[LKx GN }p (~9-R;C1tKtn '[aHz{>cTf he82-0*Ÿz;Hy& үgJY)jL$P/#Y% /9-0cY}6eDm6'k# Q^-L.L{ mpb\ FZ.~~i~02y6/g>:F} `+\s.KtāhͰh8`]zq8cJrEmX)*J%)` L` T<5&{[# A#Ez .2 ZA `АBrQa TU\S.sKU1SKnʻhAz-X]>L,'~?DNQ} G=ܸ~?CÜU^ٯf8OZV,֪19(TT\=,j8+|fwwq)4Ku@rFg}qs`ޝo>0zxYJot >tȕ|`x䣋 ,` |/"ylė ,ӕtfb)&}tleA{kJAUm~4V8f|< O?a⢉!h{3E&hӜNH@%5-JIA G6q~e@Lsz0b^/(T?uU׊*~e::joB64F@2( Cs]QYbC_A܏.n<1/Ԟ?3>(/M3$J1N*,7؄ATK3yxjC(5uzK)+J,P_AҰg.3_5u_f&קny, 2ỵV1# e 46-.wEЋҶ7ui&!l؞MGe"7";pdX0٩* ~s kRS+zWH=YT\SG~=͠1pS F xkc6}ZZRnTRXUJBЛgQ!V@p]FmEmR…3%!VRӛuN@!m|KOT0%BGqza/;Cn7") ^ؔ:Zik.ŒtH7/W1cf=e$q`U\%]-XǏ4 ZLT!뷲ZiT(֊Z{ =2fc$¾-ӧGW!g3." WSc 4ċusgCR*J r;qG;a.raQ@JڃZ#GY`I.|akR-W~8L3Az 2vBs:c-| S nhFAx)GA`?qp-<91=QUaNT++y48&ov/>B 5eabdE1 7cyJ~Zg'7>hRtt@,+w~gX`{'˾tҼ>s,L{\~x.; {Hڝӳ~t}}݇?LЇ/R)X|8~lIi q޲o {fB, 8oIŸڐ}dvjZS隿ð Oa區7ۓusѼ>\/~wϻ!9\dcxx\NCvy9<`<2aݼO=m48Z&IE2Dt_6"Bq^לY08x.>q!ɅHgk&27]?\F`6e~Y; ºUXȬy`|]L($0r(`$X)XBe:]7?Gǎ:Kyr6P^S(+RJ)"4FYM |Zu3sf} Rt4zUr:_a8kѷo%Aߐ>O1OkwtEh[(+hL:dsJ;D{dNlp jwz`ySrfFv4/%/p]Zin} zs@&aP;DZ3pu*"Ehw)~ڰO]`xRQS\GшO=}NC,8Ƴ[td>9C2kr0W$QxX>֦ldicOƘB؅b70tC}2wf (KA>ٹKCjQ˪*IœiJ^s܎m k#:i?\ DV^6";RTjD^1t}2{pbdӨLxcij9;3 6, )P,+9eyieJ_s+V?MYYUYaOgνw[& k Tr ggikJSuL։1}Q$U=zgQvH?'>,B3L2U1{Qjb{TKe2 (Yz%.`Ԃ)BZ=2gX1`wYn eIU$6y/_ /ʯ}a+7Ey J x§~@}' ml:k*l% AQ7ӹ0 X =WXx+< A0KWڣH@UX ?pv`C*s"j ;Z,C\Xx/2xK!1JQ`a?0S!m$ W 2IE /}rL*DYX0;횞l` D8 fvKV8T͒ mlZ5( 0P yvWs앉陴i<u_RUIlʨW.0+ { :u}vؤKtQBBh.""|$_e#|Kui4r2w w8-ˋj{N{N{N{N{xN = | jm:!IN/p<ŴǹYo>9$zh-> _=νE1-| $H`!֍n N?i} n40;҅y*6M0O< îLgJ1!Ț No]@k|dE-t /"Rtk z B 9&MZԣ֨GaVb cV 4)[çgNmOSܐJ/L ekyG)LKTicn+.6C$:0K*c܆6罿!_V b~W`j>F[e) *T}cX zI;&H6V``ð޷ÄL9|&/fC.|%.m̃nޝHMx0Wf-F\Tټ!H" 9a_#F9>|xyC}J]헔t >m>xm:f }El/y OaXi pg^O6|= .щ$Z@DtEyRMAm3cS;>2't;I]= L"bIF@dH!?%@w "D[›#ؼ뻣E0p<&]\+Y ~AHqu5TnU+\zu}4PŒ$^aꁮqiԃxAaB4Ɔ_1~[ z%˰]&Kkds T\[`g֩ܳ l̲2fp|c8I5[a" *}m/ǖ4> TWa-5IUފ=!Pf*}}wH, d0d&yQCliۆt llPi*̒U:\cg+^h\7۹8:G0g9P,O;'9rǮ_2 ҈φd Ykʸ9k븚e)e}K\ 7{i/㮊#ķzf7YaaY7*DyQM l߼*!۩LfDRsoCa P|F0' V3R(3X=~\U)~6bԹ fDeF!B$ϒ;Mn7-؃[y{¡YIj|ubE$486?SSD)2Jf.6Lޒh` >ۋ40,'lAv|woױw1c -pxdh'|O3د‹QR9򨶼oqo0k|W[iY@{6I3mq*!Zp6P]?zUċb2ot=5^j; S^Fʼn߳yxH ^S =T+jgϡq2xėqK̞aR9)u[>6_+f?( ^tI'y{HdL<̚ 㽽՘n$D;HNWD]%Fr9t)6AP;`y1~"js~ s1ʒLi ͬͱ-j5!F㬤9F Rx3}$g٦Ni?`:L#F_XEx}#rU㍸= GG%}\0] vqMh%!MFV(hdtix~5F)<1_+@jLB(eYiv' .'Uov/>VHP)o[ɺexxJ"r[L!XQ_ }D`߄>8 :{ᛢW[O8Gd>hTLґu Da< wz̥7b{@\r q,Ye!+փފ> -sF@Yj$ GP56Wτ:no9l~V =qk`5Cߑ7HGF{7f`(L`Cgn0OғݳOX>\~ ?gC7L>O >B8!i"z}+.$u2C:΀ lZ7hDIED#ThbGD#Os uǤۭpxX0!<RA~9x% vH 1шb1aں5c3bwt]oy6(||v4[/ T6CĊ1gGi>'_A!IKSET&}nA??'­!Rjs# 9oYymJ Lma`t.tѦaP/nN S3L f;. l9 :WeO g>򽉡{0u3,2usx\jHOBjcPB<_Dŕ+Ca]NLݗ>0(-ŌCZUФ)t!dW`ǪZNbWvx_5nV?N4W )WTx sR!GF쌆=xɺr>1'};1h^]&'k$'6}<_w%9jwotoWj[u|ܽ|ҹl_]w.ƉL_smi |Q);KFYyfvʌPNcͅfU,xjy^/J>M`~|J*Q^e9ĂUzu7 &69Bfu Ԋkm85g5^Lc:|jaNN^^Z+!PU9iz67anq4ħyO\#4[E9yF(Qʿd_C&pj3 ݌rР(?'@ BO3?.?gVieC:CL2^Q?.?ak\dȂȠ">Eyy(_~OgP~Q(GF_d^f%e\]f_O7CtAt3U\W_\gOe{kuG௏ ?e~2A(*h&࿛ Ku1Ay3CΚWpz~;9(/GRz UK˓}(g3VڍnV`{AJ1g_/C+@qҹ: aqʍz=Lk[M2n@ ȣ{i K{Jy@W4<< X)rnmq slžȾ0{$%Y!/ܻ Gz‰nQ"Lg~0ܬI0>ۓ{o\pmঠϻH^ژ-A/:)7.p{Z+ڎvڝGfzuieDd;w6 K췡^2<% N܁σfţu.TlZqzPgn=: yfٴ^d,1h}s&p&!H8?0H-L{HN.]SKt-oFν6"q`i@L;JRPR[TJ  A{D(.#jAVYI0_.U&K=# .M3^&ЌBCO0CX)fง}Ll["F4djY }d)049 hwLySAݡ=G}aJo)b|3S7rXv;i:+Hjb5) Qd]ŒkDQѝXOi3A ~ ;*1h_u$|r V$G1x_&05:%xbӍg-3$e~ Qކ/yPspB=fu|qK61'vu;L[Τaœj@@rĶk> KB@z_PD6?ii;"4.n_sӞ=.ǎlHπ/N&~2gi(;;ql>9+spnK!M"~p1qV@UmÈkC 1,՞1P EY/56:\.5(l$9=ASh4ϛ5yX!% i;j9.KPRJVm.Q ?`n6{ۭm@Kx^| (g\&XD=mP)@EikN?tI3ۉz Nvޒۍƾ( ;><=ر|4#eUI;.7. ?^!t#R.܋OFې)0XPy4MDlBYAloMA.e~Y/9-/p,ZftO#m<` G&J$߀)041r:Y W96~v0q=Ħ2|R2OEpvR ?93/699 3/&e@DqDgPvx566s֨Na^|˼KAўXm0w6L/#]ۚ':K$~Al=bu)Vږ+zYL1e~}=3ӲG(qo<,@zP݌6%`y @ 4{W 8ǩ mxj{ͺXg f+OTXgwz,*.v6r!*l XCڢJMQa[8~j`Pq*'\/b T*7 wb~; <^E$ghV;yv<;u{hT*ቋoڝӳy:ң˖VP)ZNN`XfչtgLp -ͱ=RZ`'l/Z6v?n X)