SarbOx Revisions May Lessen Some IT Headaches

New guidelines from the SEC together with the PCAOB's Auditing Standard 5 may ease IT staffers' burden of complying with SarbOx.

The Public Company Accounting Oversight Board voted May 24 to approve Auditing Standard No. 5, complementing new guidelines given the thumbs up by the U.S. Securities and Exchange Commission that are aimed at making it easier and less expensive for public companies to comply with the auditing requirements of the Sarbanes-Oxley Act of 2002.

But with the revisions now virtually in the rearview mirror—AS 5 still needs to be approved by the SEC—the question remains as to how changes in the landmark anti-fraud legislation will affect life for the average IT staffer in the corporate world. The answer naturally depends on the types of policies a company has on the books and what the IT shop's role was in the compliance process to begin with.

The Public Company Accounting Oversight Board is a nonprofit corporation created by the Sarbanes-Oxley Act of 2002, or SarbOx, to oversee the auditors of public companies in the wake of the Enron and WorldCom scandals. The board's new rules allow external auditors to focus on the riskiest areas of a company's internal controls and use more of the work already performed by internal auditors.

AS 5 drops the previous standard's detailed requirements to analyze management's own evaluation process and clarifies that an internal control audit does not require an opinion on the adequacy of management's process. The new standard also allows for adjusting control audits for the size and complexity of an enterprise.

"The internal control reporting requirements of the Sarbanes Oxley Act are a key reason why the reliability and accuracy of financial reporting has improved over the past few years," said Mark Olson, PCAOB chairman, in a statement. "The new standard is more risk-based and scalable, which will better meet the needs of investors, public companies and auditors alike."

John Wheeler, senior vice president of financial reporting risk management for SunTrust Banks, said his company started down the path laid out by the new regulations back in 2005 based on informal guidance from the PCAOB. Other larger companies did the same, he said, taking a more risk-based approach to auditing.

"It really doesn't signify much change [for our IT department]," Wheeler said.

SunTrust uses software from Waltham, Mass.-based OpenPages to analyze and monitor the controls each of its departments is using. Prior to 2005, internal audits at SunTrust meant an extremely manual process that offered no visibility into what controls were being used, Wheeler said.


Still, eliminating the manual aspect of compliance with SarbOx for IT staffers may be the biggest result of these changes, said Patrick Taylor, CEO of Oversight Systems. For example, to safeguard against the possibility of tampering with financial records, a company might allow a database administrator to only log into a database in response to a trouble ticket and then require the DBA to keep a record of the trouble ticket being addressed and what was done, he said.

Due to the risk-based approach of AS 5, a company might decide it's only worthwhile to keep track of what is actually done in the database, doing away with unnecessary procedures, Taylor said.
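The two control designs Taylor contrasts can be checked mechanically against a database audit trail. The following script is an added example, not code from the article, from Oversight Systems or from any product named here; the audit-log line format (timestamp, user, ticket reference or "-", statement) and the ticket export are assumptions constructed for the example. The first check enforces the ticket-gated model (every privileged session must cite an open ticket assigned to that user); the second implements the leaner, risk-based model (ignore read-only activity and record only what actually changed data).

```python
"""Correlate a constructed database audit log with a trouble-ticket export.

Two controls are demonstrated:
  1. ticket_gate_findings: every DBA statement must reference an open ticket
     that exists and is assigned to the user (the procedure-heavy model).
  2. change_summary: only data-modifying statements are retained, per user
     (the leaner, risk-based model that tracks what was actually done).
All log lines and tickets below are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed audit-log lines. Assumed format:
#   <ISO timestamp> <db user> <ticket id or '-'> <SQL statement>
AUDIT_LOG = """\
2007-05-24T09:01:12 dba_alice TKT-1041 UPDATE ledger SET amount=1200.00 WHERE entry_id=5531
2007-05-24T09:02:40 dba_alice TKT-1041 SELECT * FROM ledger WHERE entry_id=5531
2007-05-24T11:15:03 dba_bob - DELETE FROM journal_entries WHERE posted_at < '2007-01-01'
2007-05-24T14:30:55 dba_bob TKT-9999 INSERT INTO ledger (entry_id, amount) VALUES (5600, 250.00)
2007-05-24T15:10:00 dba_bob TKT-2000 UPDATE ledger SET amount=0 WHERE entry_id=5600
2007-05-24T16:05:10 dba_alice TKT-1041 SELECT count(*) FROM ledger
"""

# Constructed ticket-system export: ticket id -> (assignee, status)
TICKETS = {
    "TKT-1041": ("dba_alice", "open"),
    "TKT-2000": ("dba_bob", "closed"),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
WRITE_VERBS = ("INSERT", "UPDATE", "DELETE", "ALTER", "DROP", "TRUNCATE")


def parse_audit_log(text):
    """Parse the assumed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts, user, ticket, stmt = match.groups()
        events.append({
            "ts": ts,
            "user": user,
            "ticket": None if ticket == "-" else ticket,
            "stmt": stmt,
        })
    return events


def ticket_gate_findings(events, tickets):
    """Control 1: flag every statement not backed by an open ticket assigned to the user."""
    findings = []
    for e in events:
        ticket = e["ticket"]
        if ticket is None:
            findings.append((e["ts"], e["user"], "no ticket referenced"))
            continue
        if ticket not in tickets:
            findings.append((e["ts"], e["user"], f"unknown ticket {ticket}"))
            continue
        assignee, status = tickets[ticket]
        if status != "open":
            findings.append((e["ts"], e["user"], f"ticket {ticket} is {status}"))
        elif assignee != e["user"]:
            findings.append((e["ts"], e["user"], f"ticket {ticket} assigned to {assignee}"))
    return findings


def change_summary(events):
    """Control 2: keep only data-modifying statements, grouped by user; reads are dropped."""
    summary = defaultdict(list)
    for e in events:
        verb = e["stmt"].split(None, 1)[0].upper()
        if verb in WRITE_VERBS:
            summary[e["user"]].append((e["ts"], verb, e["stmt"]))
    return dict(summary)


if __name__ == "__main__":
    evts = parse_audit_log(AUDIT_LOG)
    print("Ticket-gate findings:")
    for finding in ticket_gate_findings(evts, TICKETS):
        print("  ", *finding)
    print("Changes actually made:")
    for user, changes in change_summary(evts).items():
        for ts, verb, stmt in changes:
            print(f"   {ts} {user} {verb}: {stmt}")
```

Running it reports three ticket-gate exceptions for dba_bob (no ticket, an unknown ticket, and a closed ticket) while the change summary records one write by dba_alice and three by dba_bob regardless of ticket state; the second view is what remains once a company decides, under AS 5's risk-based approach, that the ticket bookkeeping itself is not worth keeping.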

"I think the quick answer is it's going to give them the opportunity to cut out some bureaucracy in their lives," he said.

James Sayles of change and compliance reporting tool provider Ecora Software agreed, adding that he expects the changes to help companies better comply with the law.

"Life for IT staffers just got easier," said Sayles, chief compliance adviser for the Portsmouth, N.H., company. "The mind-boggling requirements, the ambiguities and the unrealistic audit expectations all just took a quantum leap back to reality. … In a lot of ways, I expect organizations will make more of an effort to comply because it won't seem so onerous."

The revisions, however, do not change the spirit of the law, said Brian Cleary, vice president of marketing for OpenPages.

"It's important to note that while costs certainly will come down, both agencies were careful not to reduce the basic requirements—that management must assess its internal control over financial reporting and express a conclusion, while the auditor issues an opinion," he said.

Audrey Gramling, an associate professor of accounting at Kennesaw State University in Georgia, said IT staffers will continue to be very important under the new standard as companies move the auditing process more and more into the technical realm.

"As clients implement more automated controls, IT folks are going to be critical in getting assurance about the IT general controls," she said. "I don't necessarily see this as a change under AS 5, but as a continued emphasis of the importance of IT."

The new standard may be used by auditors immediately following SEC approval and would be required for all audits of internal control for fiscal years ending on or after Nov. 15, PCAOB officials said.
