The Sarbanes-Oxley Act was introduced in 2002 to restore confidence after shareholders lost billions of dollars because of accounting fraud at companies such as Enron, WorldCom and Tyco. In reality, SOX was an attempt to legislate quality control regarding the way publicly traded companies should be managed on a day-to-day basis. The Securities and Exchange Commission (SEC) requires all companies to document -- and an external auditor to confirm -- that adequate controls are in place to ensure that financial statements filed with the SEC paint a realistic picture for investors.
From the moment SOX was enacted, there have been heated discussions about providing relief for small to midsize businesses by relaxing requirements or exempting some of the rules. During the last three years, committees were formed, industry opinions were generated, and accounting firms requested a re-evaluation and review of the requirements. Finally, on May 17, SEC chairman Christopher Cox announced that small companies would not be exempt from a key set of new post-Enron, investor-protection rules.
This was not what many executives expected to hear.
We are in the third year of SOX for the larger publicly traded companies, the second year for the foreign publicly traded companies and the first year for every publicly traded company with a market cap of $US75 million or greater. In its May decision, the SEC extended the deadline for non-accelerated filers from July 15, 2006, to December 16, 2006. Companies that held off filing in anticipation of a favourable ruling now have only a five-month reprieve to catch up.
The shock from the costs of using external auditors for previous audits has not worn off, prompting companies to look into hiring additional internal IT auditors.
From all the activity I see in the employment marketplace, it seems the demand for IT SOX auditors has never been higher. This demand is fuelled not just by the SEC ruling, but also by a series of identity thefts at major companies and by the public's mistrust of how securely its personal information is being stored.
The credit card industry took the initiative to tighten security at companies processing credit cards through the Visa Cardholder Information Security Program (CISP). IT security auditors need to expand their knowledge beyond IT General Controls and Risk Analysis to understand the safeguards against identity theft and the requirements for compliance with the Visa CISP. The role of the IT auditor has never been greater as companies look to those with expertise to offer guidance.
Michael Kamens has a law degree and is a certified information security manager and an independent IT security/SOX auditor.