Text 18195, 80 rader
Skriven 2007-05-23 16:00:56 av Rich Gauszka (1:379/45)
Ärende: Major revision planned for Sarbanes-Oxley
=================================================
From: "Rich Gauszka" <gauszka@dontspamhotmail.com>

I never realized that it involved that much logging

"Under current Sarbanes-Oxley rules, a company must log every transaction the
DBA (database administrator) performs."

http://weblog.infoworld.com/realitycheck/archives/2007/05/major_revision.html


On May 24, the Public Company Accounting Oversight Board (PCAOB) will vote on
Auditing Standard No. 5. If approved, this new standard for audits of internal
control will bring about significant changes to Sarbanes-Oxley regulations,
which now operate under Auditing Standard No. 2.

In particular, Section 404 of the Sarbanes-Oxley Act of 2002 requires companies
to assess their internal controls over financial reporting and offer an
auditor's report on that assessment. To bring this to fruition, Auditing
Standard No. 2 was adopted by the Securities and Exchange Commission.

However, in its latest report, the PCAOB admits that although the oversight has
"produced significant benefits" with an increased focus on corporate
governance, these benefits "have come with significant cost." If approved by
the PCAOB, Audit Standard No. 5 will then be sent on to the SEC, which will
decide how long the regulation will be open for public comment before it votes
on the standard.

The SEC's goal, according to a PCAOB representative, is to finalize the new
rules in time for the next cycle of audits of internal controls for fiscal
years ending after Nov. 15, 2007.

I spoke with Patrick Taylor, president and CEO of Oversight Systems, which
provides security systems for financial business processes.

The purpose of Sarbanes-Oxley remains the same, to identify fraudulent earning
and/or fraudulent financial reports. The difference, however, between Audit
Standard No. 5 and Standard No. 2 is the approach. And that difference will
have an appreciable effect on IT, in a good way.

"From an IT perspective, [Audit Standard No. 5] will take a lot of the
bureaucracy out of compliance," Taylor told me. After four years of dealing
with the issues surrounding Section 404, the SEC is actually getting more
pragmatic.

The PCAOB admits that the current standard encourages auditors to "perform
procedures that are not necessary in order to achieve the intended benefits."

Taylor offers a simple example to explain what that means: Under current
Sarbanes-Oxley rules, a company must log every transaction the DBA (database
administrator) performs. The DBA can't log in to a database without a trouble
ticket. So, when the auditors come in, they want to see that someone at the
company verified all DBA transactions against trouble tickets, a huge waste of
time considering that no one will know whether the DBA, who may have written in
his notes that he went into the database to reindex a column, actually
performed the task.

Rather than getting lost in minutiae, the new standard will look at the bigger
picture. In a sense, the SEC will relax some nitpicky procedures in favor of a
top-down approach. Which is probably a good idea, given that the real risk lies
at the top. According to an Aberdeen study, 73 percent of all fraudulent
activity is initiated by executives and managers rather than the employees who
answer to them.

Fraudulent financial reporting most likely stems from someone manipulating the
general ledger or during revenue recognition. Because of this, the new
proposals will direct the auditor's attention to financial statements and
company-level controls rather than "process-level aspects of control."

One more example from the PCAOB proposal that put a smile on my face was the
suggested rewording of the definition of a control deficiency from one that is
"more than inconsequential" to a "significant" deficiency.

Proof once more that the pen is mightier than the sword!

If you haven't looked at the full full 131-page proposal, I suggest you do so.

http://www.pcaob.org/Rules/Docket_021/2006-12-19_Release_No._2006-007.pdf

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)