July 25, 2005
(Computerworld)
When Congress moved to craft the Sarbanes-Oxley Act of 2002, legislators assembled the bill "in record time," said Arthur Levitt, former chairman of the U.S. Securities and Exchange Commission. However, he said, the authors did little to work with company executives to determine the demands the law would place on businesses.
Still, business leaders who are pushing hard for major reforms to ease Sarbanes-Oxley requirements because of the high costs of compliance "are being shortsighted," said Levitt. The mandates for public companies to document financial controls "have been well worth the costs" for investors, he said.
"If you have any doubts, ask those thoughtful shareholders for any of those 586 companies that reported material weaknesses [with their internal controls] during the first four months of the year," said Levitt, now a senior adviser at The Carlyle Group in Washington.
Levitt was a panelist at a regulatory compliance conference in Washington last week that was sponsored by BindView Development Corp., a Houston-based security software provider.
Unlike the authors of Sarbanes-Oxley, the writers of the Health Insurance Portability and Accountability Act actively sought involvement from health care industry professionals in order to make the requirements scalable and practical, said John Parmigiani, co-author of the HIPAA security provisions. He is president of John C. Parmigiani and Associates LLC, an Ellicott City, Md.-based consulting firm.
"You need to get a lot of involvement from industry when crafting regulations, and you need to set realistic time frames," said Parmigiani. "If you're a two-person [medical] clinic, you can't take [the same approach to HIPAA compliance] as the Mayo Clinic."
The lack of such cooperation is one reason why certain Sarbanes-Oxley requirements can be open to interpretation, some IT executives said.
"If we were told passwords had to expire at least twice per year, we could easily meet the requirement," said Joseph Puglisi, CIO at Emcor Group Inc., a mechanical and electrical systems contractor in Norwalk, Conn. "But we and the auditors have to negotiate on what we think is acceptable."
When many large public companies had to document and test their internal controls for the first time under Section 404 of Sarbanes-Oxley last year, the exercise was a real bear for IT departments, said Everett C. Johnson, international president of the Information Systems Audit and Control Association. Since most IT departments never audited IT controls in the past, "the process turned into an Ironman event," he said. However, Johnson added, the audit requirements "helped lead to better compliance."
Dave A. Richards, president of The Institute of Internal Auditors in Altamonte Springs, Fla., said that for the hundreds of companies that met Section 404 requirements for the first time in January, 20% of their time on compliance efforts was spent documenting their controls. Between 15% and 20% of that work was devoted to remediating that documentation.
Levitt said he believes incoming SEC Commissioner Christopher Cox will work with legislators to modify requirements imposed under Sarbanes-Oxley, such as making it less expensive for smaller businesses to comply with Section 404.