For more than five years, companies have struggled to meet the requirements imposed on them by Section 404 of the Sarbanes-Oxley Act (SOX). Under this legislation, documenting and testing financial controls requires an almost Herculean effort. Companies find themselves feeding countless man-hours and vast resources into meeting these requirements with little noticeable positive outcome.
While SOX was necessary, especially in the face of some of the significant scandals such as Enron or WorldCom, the mounting strain caused other difficulties. The cost for this compliance was borne across all publicly traded companies and with it the subsequent exhaustive bureaucracy of control activities and documentation. While the legislation did not intend to create such arduous regulations, that nonetheless occurred.
In a recent news release, SEC Chairman Christopher Cox said, “Congress never intended that the 404 process should become inflexible, burdensome and wasteful. The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company’s internal controls systems without creating unnecessary compliance burdens or wasting shareholder resources.”
Clearly, the SEC noticed the issues created with SOX legislation and set about amending the requirements under 404 to accomplish the original goal while lessening the burden on complying companies. To this end, the SEC announced its revised guidance at the end of June.
“With the commission’s new interpretive guidance for management on the evaluation and assessment of its internal controls over financial reporting, companies of all sizes will be able to scale and tailor their evaluation procedures according to the facts and circumstances,” Cox said. “And investors will benefit from reduced compliance costs.”
Shifting to Audit Standard 5
When SOX was first implemented, auditors used Audit Standard 2 (AS 2) as the guide for their audits under the new legislation. Companies were not given explicit direction, so everyone adopted AS 2 as the default. With the introduction of Audit Standard 5 (AS 5), management and auditors now have practical guidance on how to meet SOX compliance.
A major factor in making the changes in AS 5 involved continued problems with fraud. Despite the noble efforts to comply with SOX, companies did not seem to reap the benefits originally anticipated.
Oversight Systems recently published its annual survey of fraud examiners that illustrates the persistent problem fraud has become, despite the best efforts of the exhaustive controls in the first SOX implementations. The survey, which tracks the financial trends, risks and major fraud concerns businesses face today, showed that more than three-quarters of respondents felt fraud is more prevalent today than it was five years ago, nearly a double-digit increase from the previous survey.
More and more of these individuals feel fraud is alive and well, but how is this possible with such comprehensive requirements imposed on American companies? The underlying problem is the allocation of finite time and resources. In the early days of the Internet, companies thought they could configure a firewall to protect their computers from every type of security risk. However, any time an application needed to pass through the firewall, a new set of permissions had to be created for it in the firewall. Each new permission set created potential holes or vulnerabilities. As Internet applications evolved from simplistic to useful and complex, more privileges were required, and those privileges introduced greater risk. As the Internet became more prevalent, IT managers had to punch more and more of these holes in their defenses. Network administrators tried in frustration to design ever more intricate rules to plug each new hole, but they were caught in an escalating spiral of richer applications and advanced threats.
IT managers adopted an approach similar to that used in many homes. Locks prevent many threats from criminals. Although steel plates over the windows would stop more burglars, most homeowners opt for a home alarm system with motion detectors to manage the extreme risks. In network security, intrusion detection systems emerged that provided a second layer of defense. These systems monitored for inappropriate activities and allowed IT managers to prevent the risks where practical and cover the remaining risks through monitoring.
This experience mirrors the events surrounding SOX. Legislators have realized it is nearly impossible to comprehensively prevent each potential scenario in which employees can commit fraud. Effective prevention involves finding the greatest risks. Just as network security involves applications with special rights, financial transactions in a company require privileged users to manage unique situations that inevitably arise. With these user override capabilities, companies have had to poke holes in their “firewalls,” which requires a shift in tactics for preventing fraudulent practices. As a result, the SEC is adopting a more risk-based approach as highlighted in AS 5.
Consequences for Corporations
Under the new guidelines, companies could assess their risks and prioritize the actions they take based on the prevalence of those risks, rather than trying to account for every possible loophole.
For example, a large amount of financial fraud occurs in the general ledger (GL). Every transaction is ultimately reflected in the GL. Manually sorting through each of these transactions can be daunting, especially when trying to assess the integrity of each journal voucher made by a privileged user. In these instances, someone with privileged access simply needs to enter a transaction and approve it under his or her authority.
Contrast this scenario with attempted fraud using the backup system. Technically, it is possible to make changes to the information on the backup tapes, crash the system and restore the new fraudulent data from those tapes. However, to commit financial fraud through a backup system, someone would have to gain access to the backup data and have the knowledge and ability to alter it. Then, they would have to cause the system to crash somehow so that the IT department would have to restore it from the backups. For anyone who has tried to restore a system from backup tapes, it can be like trying to beat a Royal Flush, especially when compared to simply making changes in the GL.
Under AS 2, the second example was included in the compliance checklist, and there was no provision in place to weigh it differently from the first example. Under AS 5, companies will be able to drop the second example from their compliance testing and give more time and resources to preventing fraud in the much more likely first example.
Benefiting from Audit Standard 5
To maximize the benefits from the shift to AS 5, companies need to evaluate their current compliance efforts to remove some of the dead weight. This will allow the company to prioritize its risks and respond accordingly. With these changes in place, the company will have more resources to devote to the most likely causes of fraud.
In addition, companies should consider employing a continuous transaction monitoring solution. In order to combat some of the highest risk areas, companies should not depend on the audit of a random sample of transactions. With automated continuous monitoring, companies can automatically check every single financial transaction for fraud. This kind of automation can also reduce the amount of user error that comes with inaccurate data entry. Implementing this kind of a system not only improves the chances of catching fraudulent activities but also saves overhead by eliminating duplicate payments and other errors in the billing process.
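To make the continuous-monitoring idea concrete, here is an added example (not from the article, and not Oversight Systems' product) that runs two detection rules over every journal entry in a constructed GL extract rather than over a sample: the self-approval pattern described above, where a privileged user both enters and approves a voucher, and the duplicate-payment pattern mentioned as a source of avoidable overhead. The `JournalEntry` fields, the user and vendor names, and the 30-day duplicate window are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class JournalEntry:
    """One GL journal voucher. Field names are assumed for this example."""
    entry_id: str
    posted: date
    entered_by: str
    approved_by: str
    vendor: str
    invoice: str
    amount: float


# Constructed sample extract (not real data). JE-1002 is entered and approved
# by the same user; JE-1003 repeats JE-1001 four days later; JE-1005 repeats
# JE-1004 but well outside the duplicate window.
SAMPLE_ENTRIES = [
    JournalEntry("JE-1001", date(2024, 3, 1), "alice", "bob", "ACME Supply", "INV-100", 1200.00),
    JournalEntry("JE-1002", date(2024, 3, 3), "carol", "carol", "ACME Supply", "INV-101", 5000.00),
    JournalEntry("JE-1003", date(2024, 3, 5), "alice", "bob", "ACME Supply", "INV-100", 1200.00),
    JournalEntry("JE-1004", date(2024, 3, 10), "dave", "erin", "Globex", "INV-7", 300.00),
    JournalEntry("JE-1005", date(2024, 6, 1), "dave", "erin", "Globex", "INV-7", 300.00),
]


def find_self_approvals(entries):
    """Entries where the preparer approved their own voucher (no segregation of duties)."""
    return [e.entry_id for e in entries if e.entered_by == e.approved_by]


def find_duplicate_payments(entries, window_days=30):
    """Pairs (earlier_id, later_id) with the same vendor, invoice and amount
    posted within window_days of each other."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e.vendor, e.invoice, round(e.amount, 2))].append(e)
    pairs = []
    for group in groups.values():
        group.sort(key=lambda e: e.posted)
        for earlier, later in zip(group, group[1:]):
            if (later.posted - earlier.posted).days <= window_days:
                pairs.append((earlier.entry_id, later.entry_id))
    return sorted(pairs)


def review_entries(entries, window_days=30):
    """Run every rule over every entry; return {entry_id: [reasons]} for flagged entries only."""
    findings = defaultdict(list)
    for entry_id in find_self_approvals(entries):
        findings[entry_id].append("self-approval: entered and approved by the same user")
    for earlier_id, later_id in find_duplicate_payments(entries, window_days):
        findings[later_id].append(f"possible duplicate payment of {earlier_id}")
    return dict(findings)


if __name__ == "__main__":
    for entry_id, reasons in sorted(review_entries(SAMPLE_ENTRIES).items()):
        for reason in reasons:
            print(f"{entry_id}: {reason}")
```

Because the rules are evaluated against every entry rather than a random sample, a single self-approved voucher is caught regardless of how many clean entries surround it; the window parameter is the kind of risk-based tuning the article argues AS 5 now permits.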
Patrick Taylor is CEO and founder of Oversight Systems
