The Security Side of Sarbanes-Oxley

By Larry Loeb  |  Posted 2005-10-03

The Security Side of Sarbanes-Oxley

What is SarbOx anyway?

The Sarbanes-Oxley Act of 2002 is a set of rules passed by Congress in order to force American public corporations to document every sale and financial exchange that could have a material effect on the business.

SarbOx also requires top executives to review and sign off on financial results so CEOs hauled up on charges related to creative bookkeeping cant claim to have been unaware of number-shuffling that may have misled investors and regulators.

The implementation of SarbOx, however, is more than just a change in some accounting and accountability rules. It amounts to an overhaul in the way America will do business in the future.

Compliance with SarbOx is a big deal to senior management, because a violation of the act—in this case, failure to comply—can bring them up to 20 years of jail time and fines up to $5 million. That sort of penalty tends to concentrate a CEOs focus beautifully.

The Cost of SarbOx

While many executives agree that some law was necessary, many have also become disillusioned with the drain on time and resources that it requires.

These requirements can fall disproportionately hard on smaller public companies, many of which have less formal financial-reporting processes than larger older companies, and fewer staffers to create or execute any newly required processes.

USA Today reported in October 2003 that one such publicly traded company—hardware wholesaler Moore-Handley, which had 2002 sales of $151 million—was going so far to avoid falling under SarbOx rules that it was delisting itself from the Nasdaq exchange.

Company executives estimated compliance would cost the company $250,000, but Moore-Handley had only made a net profit of $300,000 in the last fiscal year. So it made economic sense for Moore-Handley to react the way it did.

This kind of cost consequence may spread to other companies as well.

It may be that in the future only companies worth $100 million or more may be able to afford being publicly traded, and thus fall under SarbOx regulations.

A Foley & Lardner survey of 32 midsize public companies found that they predicted an average of 105 percent increase in accounting costs, a 90 percent increase in legal costs, an increase in costs due to lost productivity of 102 percent, and an increase of 266 percent in compliance personnel cost.

Overall, the companies surveyed expected an increase of 90 percent over their 2002 accounting costs just to comply with SarbOx.

While a cost increase is to be expected when first complying with any regulatory change, the total cost over time may not be as high as an initial cost outlay might indicate.

Once a coping mechanism is in place, the business only has to maintain a new process instead of developing and installing it.

Maintenance is usually cheaper than development, so it would be reasonable to expect compliance costs (aside from the direct labor costs necessary) to decrease over the long term.

So, there will undoubtedly be increased costs of doing business due to SarbOx, but they should settle down somewhat once an appropriate solution has been devised.

Section 404

One of the most critical sections of SarbOx carries the identifier of section 404.

It requires the management of a public company to assess the effectiveness of the companys internal control over financial reporting (as of the end of the companys most recent fiscal year).

Section 404(a) of the Act also requires management to include in the companys annual report to shareholders managements conclusion (made as a direct result of the assessment previously mentioned) about whether the companys internal control is effective.

SarbOx forces individual managers to legally commit to the veracity of the internal controls in use, something that had never before occurred in the United States.

Section 404 of the Act (as well as Section 103), directs the Public Company Accounting Oversight Board (PCAOB, which is the private-sector, nonprofit corporation set up by SarbOx to oversee implementation that answers to the Securities and Exchange Commission which, in turn, has the ultimate responsibility to see that SARBOX is carried out) to establish professional accounting standards governing the independent auditors attestation, as well as reporting on managements assessment of the effectiveness of internal control.

That means whatever internal control system is in place for the audit is graded on criteria set down by the PCAOB.

The PCAOB has considered the possible effects of the proposed standard on small and medium-sized companies, noting that internal control is not "one-size-fits-all."

So, the board has defined examples of what not to do.

It has identified circumstances that would be a very strong indicator that there exists a material weakness in the internal controls.

Next page: Control of multiple locations.

Control of Multiple Locations

Control of Multiple Locations

But what about those companies with multiple locations? How can they best handle the internal controls in a centralized manner?

The Auditing Standards Board has developed a draft of a decision tree that can aid in handling these situations.

Each locations controls must be evaluated within the overall organizations context.

If there are location or entity-specific risks, the specific controls that deal with that specific risk must be evaluated.

It is not going to be acceptable under SarbOx to paper location-specific problems over with top-level policies.

Management will have to institute and test controls at the location or entity that generates the risk.

Avoiding material weaknesses

The first circumstance that would most likely to be considered by the SEC as an actionable material weakness under SarbOx is ineffective oversight by the companys audit committee of both a companys external financial reporting and its internal control over financial reporting.

Effective oversight by the companys board of directors, including its audit committee, is considered by the PCAOB to be an integral part of a companys monitoring of internal control.

The second circumstance is a material misstatement of an audited financial report, which was not detected by existing internal controls.

If a problem with a report is first discovered by an auditor, it points out that the internal controls that are in use are not effective.

If they were (according to SarbOx), then the material misstatement should not have occurred.

The third circumstance used by the PCAOB as a negative indicator is when significant deficiencies that have been communicated to management and the audit committee but remain uncorrected after a reasonable period of time.

Not all deficiencies will lead to material weaknesses in the internal controls.

But if they exist uncorrected after an appropriate time period, the control environment promulgated by those at the top of the management chain is deemed by the PCAOB to be sloppy and unresponsive.

The significance of a deficiency can change over time, and must not be ignored simply because it is not currently serious enough under SarbOx to cause the company CFO to be thrown into jail.

The SEC has a few words for you

Final Rule 17 CFR Part 210 of the SEC also makes some interesting reading for an IT department, when combined with the effects of part 802 of SarbOx.

The rule states that it "require accountants who audit or review an issuers financial statements to retain certain records relevant to that audit or review. These records include workpapers and other documents that form the basis of the audit or review, and memoranda, correspondence, communications, other documents, and records (including electronic records), which are created, sent or received in connection with the audit or review, and contain conclusions, opinions, analyses, or financial data related to the audit or review. To coordinate with forthcoming auditing standards concerning the retention of audit documentation, the rule requires that these records be retained for seven years after the auditor concludes the audit or review of the financial statements, rather than the proposed period of five years from the end of the fiscal period in which an audit or review was concluded. As proposed, the rule addresses the retention of records related to the audits and reviews of not only issuers financial statements but also the financial statements of registered investment companies." (Emphasis has been added to the bolded section to make their context clearer.)

The bottom line is that much of a companys e-mail will have to be preserved for seven years.

But more than preserved, mail and its contents will also have to be accessible to auditors (and any risk management counselors) in a way that allows for rapid review by these persons.

The capability to rapidly retrieve and sort text-based information (such as e-mails) will be needed to implement the control systems SARBOX wishes to see put in place.

Next page: Making documents more reliable.

Making Documents More Reliable

Chaining trust

There are some generally agreed-upon attributes that increase the trustworthiness of an electronic record through its lifecycle.

But in a practical sense, what are the features to look for in a solution that creates a chain of trust linked to a record? What will pass muster as an acceptable electronic document control?

Lets consider some specific points about what a solution should offer in order to fulfill this important requirement.

1. The solution should offer as close to real-time snap shots as possible. The tighter the window, the less opportunity there exists for someone to muck about with the message or its contents.

2. Audit Logs should be both extensive and detailed. It is also imperative that the solution have the ability to sequence together e-mail trails from multiple sources. It has become standard practice for prosecutors to do just this operation in developing their cases. An effective defense and rebuttal may well depend on being able to do the same thing. Also, the audit logs should be exportable to archival devices (like WORM optical drives) to both demonstrate and assure the authenticity of the logs.

3. What about support for instant messaging? Compliance must be shown for this messaging structure if it is used, as well as for static e-mails. It is necessary for management, under SARBOX, to show positive informational controls no matter what form the information might take.

IM compliance tools can plug a big potential leak in the organizational information flow. Since there are multiple IM formats, a solution should be able to handle whatever IM system is used. Having this sort of tool available avoids the unpopular and unproductive (though perhaps legally necessary) option of turning unmonitored IM completely off throughout the enterprise.

4. What does the solution offer in additional security for the OS that it runs on? Windows is notorious for its security lapses, yet the majority of enterprises have adopted an "information security policy" to enforce data security.

Through this policy, a set of system level security parameters for various Windows based components (such as SQL, MSNQ, Exchange) has usually been adopted.

Not only is operational security improved with a component level policy, data integrity is enhanced as well.

Management must know if the control solution to be used is able to adapt to the policies that the enterprise has set.

One example of this kind of policy would be restricted user access.

The solution should then have access control available that can be set to validate users in accordance with the policies.

An operational control should not be the weak link in security that can become an entry point for unauthorized use.

For Windows, one additional technique used to enhance security by some vendors is to turn off ports and listeners (to fend off un-authorized access) as well as turning off unwanted and unnecessary services.

Also, unused legacy networking protocols should be shut down to eliminate back door exploits.

5. What measures does the solution take about assuring message authenticity? How will you know that the message that is stored in the audit log will be a valid copy of the original? Techniques like the use of checksums, matches and individual audits can serve to validate the authenticity of the message prior to storage.

These kinds of positive assurance efforts for message authenticity can be vital (if it ever comes to that) in showing that the chain of trust evidenced by the audit logs is unbroken.

6. The solution should also be able to extend the delete date of specific records if they are necessary for some ongoing process. For example, if certain records were involved in a lawsuit, can those records be "frozen" until they are no longer needed? A small point, but one that is a major operational convenience when it becomes necessary.

7. The review mechanism of the solution should work on copies of the message data, not the actual data itself. This means that tagging or marking e-mails for review will not corrupt or affect the original record. Review activity should generate its own database, one that is separate from the main one.

This will enhance the security and accountability of the review effort. Additionally, referees should not be allowed to view their own mailbox activity, raising the integrity of the compliance officer by avoiding any perceived conflicts of interest.


SarbOx places new regulatory and archival burdens on companies that they may not be able to perform without substantial changes in the ways that they do business, especially among small to midsize public companies.

At minimum, the accounting and auditing departments, C-level executives and those negotiating financial agreements will need to have their e-mails (as well as other communications like instant messages) retained and monitored for an internal control system that meets SarbOx guidelines.

Check out eWEEK.coms for the latest news, commentary and analysis on regulatory compliance.

Rocket Fuel