Computerworld - In my last column, I talked about how time-consuming SOX compliance is for companies like mine. Unfortunately, it's about to get worse.
For various reasons I won't go into here, the number of Sarbanes-Oxley Act controls we must deal with and the amount of evidence we need to gather is increasing by about 30%, starting this quarter. On top of that, I'm spending a lot of time in meetings reviewing each control, both old and new.
I'm all for anything that improves security, and regulations like SOX seem to be very effective at forcing companies to do the right things. But regulations are a double-edged sword. We've definitely crossed the line of diminishing returns -- we're spending more time documenting our control activities for the benefit of the auditors, and spending more time with the internal and external auditors themselves, than we spend on performing security-enhancing activities like user account review, checking and certifying the security settings of servers, and validating backups. In fact, I would say we're spending at least twice as much time on the audits than we spend on the activities. Our internal audit department has four times the number of people that I have -- and our external auditors resemble a small army. That seems unbalanced, and inefficient. And I'm only dealing with the security-related SOX controls, which are only a fraction of all the SOX controls in my company.
There's got to be a better way. It's reaching the point where SOX compliance is almost all I'll be able to spend my time on -- displacing other, important security activities and the expansion and improvement of our security posture. As I said, I'm in favor of regulations that improve security. They can be effective in getting security the focus and priority it should have. But I'm starting to think SOX is harming us at the same time, because it's overblown and expensive, and it's consuming resources better spent elsewhere.
Part of the problem is that SOX activities tend to be very manual. There's a lot of human effort involved in performing controls, collecting evidence, inputting data into a system of record, reviewing script results and settings (and creating new scripts when new controls are added). And after all that work is done, we spend even more time sitting with the auditors going through it all. Twice. Once with the internal auditors, and again with the external auditors.
I would like to automate some of the work, to cut down on the manual effort. The production of SOX-related data has already been automated (so people don't have to run reports or pull data from systems), but it's hard to see how the rest of the work can be automated. Human review is part of the process, and so is the audit work. I don't know how we can reduce that work effort.
Free Insider GuideCopyright © 1994 - 2013 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
