The Death Knell For SOX IT Business?

Thomas Ptacek | May 24th, 2005 | Filed Under: Uncategorized

William Donaldson, chairman of the SEC, expresses concern over “excessive or duplicative effort” by management and outside auditors. An article in the Washington Post anticipates new PCAOB guidance to auditors on how the Section 404 audit rules should be applied.

Uh-oh. Is this the beginning of the end of multi-million dollar SOX compliance contracts driven by auditors?

Before I continue, a SOX glossary, as I understand it:

SOX: the Sarbanes-Oxley Act of 2002, sweeping new regulation of public company accounting, including:

Section 404: a required annual filing in which management assesses its internal controls over financial reporting, and the outside auditor attests to that assessment.

COSO: the Committee of Sponsoring Organizations of the Treadway Commission, a joint body of five accounting and finance professional associations (not the Big 4 firms themselves). Its internal control framework is what nearly every 404 assessment is structured around; essentially, the “content” of a 404 filing.

COBIT: Control Objectives for Information and related Technology, the IT control framework published by ISACA and the IT Governance Institute (not by COSO); auditors use it to map COSO’s requirements onto IT.

PCAOB: the Public Company Accounting Oversight Board, created by SOX to oversee the auditors of public companies; it writes the auditing standards that tell auditors what a 404 audit must cover.

If you’re an infosec person, COBIT is a millstone around your neck right now. COBIT is huge, and has a tendency to spend a single sentence defining a major new internal security requirement, such as COBIT PO4.10 (“access to resources internally must be segregated by duty”). A good rule, but maybe a bit ambitious for a network that can’t even restrict web consultants from doing SQL queries against the finance server, and that just one year ago finished erecting a firewall-based perimeter to keep teenagers from Bulgaria from doing the same.
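To make “segregated by duty” concrete, here is an added example (mine, not from the post, and not COBIT’s or any auditor’s tooling) of the kind of check an auditor is actually asking for: expand each user’s roles into entitlements, flag anyone holding both halves of a conflicting pair, and flag anyone who reaches a restricted entitlement (say, querying the finance database) through a role that is not supposed to have it. The roles, users and conflict pairs are constructed for the example; the interesting case is a user whose individual roles are each clean but whose combination is toxic.

```python
"""Segregation-of-duties and restricted-access checks over a role model.

Constructed example: the roles, users, conflicting-duty pairs and the
"finance_db_query" entitlement are illustrative assumptions, not a real
COBIT control mapping or anyone's actual access matrix.
"""

# Pairs of duties one person must never hold together (constructed policy).
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"submit_journal", "post_journal"}),
    frozenset({"develop_code", "deploy_prod"}),
}

# Entitlements that only specific roles may carry (constructed policy).
RESTRICTED_ENTITLEMENTS = {
    "finance_db_query": {"ap_clerk", "ap_manager"},
}

# Role -> entitlements (constructed). No single role is toxic by itself.
ROLES = {
    "ap_clerk": {"create_vendor", "submit_journal", "finance_db_query"},
    "ap_manager": {"approve_payment", "post_journal", "finance_db_query"},
    "developer": {"develop_code"},
    "release_eng": {"deploy_prod"},
    "web_consultant": {"develop_code", "finance_db_query"},
}

# User -> roles (constructed). Carol and Dave are clean per role, toxic combined.
USERS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager"},
    "carol": {"ap_clerk", "ap_manager"},
    "dave": {"developer", "release_eng"},
    "erin": {"web_consultant"},
}


def entitlements_for(user, users=USERS, roles=ROLES):
    """Flatten a user's roles into {entitlement: {roles that grant it}}."""
    granted = {}
    for role in users.get(user, ()):
        for ent in roles.get(role, ()):
            granted.setdefault(ent, set()).add(role)
    return granted


def sod_violations(users=USERS, roles=ROLES, conflicts=CONFLICTING_DUTIES):
    """Return sorted (user, duty_a, duty_b, granting_roles) for every user
    who holds both halves of a conflicting pair, however the roles combine."""
    violations = []
    for user in users:
        granted = entitlements_for(user, users, roles)
        for pair in conflicts:
            a, b = sorted(pair)
            if a in granted and b in granted:
                via = tuple(sorted(granted[a] | granted[b]))
                violations.append((user, a, b, via))
    return sorted(violations)


def restricted_access_violations(users=USERS, roles=ROLES,
                                 restricted=RESTRICTED_ENTITLEMENTS):
    """Return sorted (user, entitlement, role) for every restricted
    entitlement a user reaches through a role not on its allow-list."""
    out = []
    for user in sorted(users):
        granted = entitlements_for(user, users, roles)
        for ent, allowed_roles in restricted.items():
            for role in sorted(granted.get(ent, ())):
                if role not in allowed_roles:
                    out.append((user, ent, role))
    return out


if __name__ == "__main__":
    for v in sod_violations():
        print("SoD violation:", v)
    for v in restricted_access_violations():
        print("Restricted access:", v)
```

The checks are deliberately role-blind: they evaluate the union of what a person can actually do, which is where real SoD failures hide once roles get stacked on a user who “just needs it for a week.” Running this against an export of a directory or ERP role table, rather than the constructed dictionaries above, is the difference between a checklist answer and evidence.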

The new PCAOB guidance seems to say that companies don’t need to pay for entirely separate SOX audits, that auditors shouldn’t foist SOX “checklists” on their customers, that auditors should focus first on the most demonstrable risks of accounting fraud, and that audits should be “top-down” and start with company-level issues rather than the individual details of how an IT department encrypts and ACLs individual connections.

So, like I said, “uh-oh”. I got tipped off to this by a friend in infosec at a major company; these announcements were a big deal for him, and he read them as a rebuke to the big 4.

I don’t think it should be hard to motivate people to improve internal security, even without massive regulatory pressure. In fact, I think regulatory pressure has the opposite effect on infosec teams: “checklist” security and paperwork, distracting overburdened teams from doing real work and sapping the credibility of genuinely important initiatives like internal access control (nothing saps tech credibility quite like having your technical work dictated to you by an accountant). On the other hand, many security vendors and service groups count on SOX for a significant chunk of their revenue, and this could be painful for them.

Weird as it sounds (we ARE talking about accounting rules here), I can’t wait to see what happens next.
