The US Securities and Exchange Commission (SEC) last week issued new guidelines under the Sarbanes-Oxley Act (SOX), effectively moving the goalposts mid-game.
While some IT managers welcomed the revised rules, claiming they will provide much-needed relief for organizations struggling to comply, IDC Australia's director of IT programs Catherine Bennett said some companies "may think they have wasted money now."
"If companies were already on track, they've already spent the money to make sure they're compliant, and now some assessment controls have been rolled back; that's money that could have been saved," she said.
Throughout the week Bennett has been in discussions with local CIOs who have expressed concern that the new guidelines are a replay of changes announced at the start of the year.
She said the deadline for foreign companies to meet SOX compliance was extended early this year and while it did alleviate some pressure, most companies already had plans in place to meet the initial requirements.
"When the deadline was delayed, people took a break and looked at how they could improve what they were doing; but now companies are spending more on it than they originally planned," Bennett said.
Bennett said IT managers are feeling overwhelmed by their compliance duties, and see no end to it in the near future, despite the new SOX amendments. "One company I spoke to had two or three staff working on compliance and now they have around 30; most CIOs don't think it is going to get any easier in the near future either," she said.
The good news is that under the new guidelines, SEC has reduced the number of IT controls that must be assessed each year.
But despite the change, SEC said companies must still assess the controls that are in place for any new systems or software upgrades, particularly those that affect financial reporting.
The SEC is standing by this ruling despite feedback from auditors and IT that it is stifling.
For instance, the SEC denied requests that new systems and upgrades installed late in a fiscal year be subject to year-end testing requirements.
According to the guidelines, management can plan, design and perform preliminary assessments of internal controls in advance of system implementations or upgrades, which means companies have to ensure they focus on high-risk areas.
The new guidelines allow auditors to reduce the number of checks they conduct on internal controls under Section 404 of the law.