SarBox 404 Easing Soon? Don't Hold Your Breath

By Doug Bartholomew | Posted 11-20-2006

CIOs who are hoping the feds will provide some much-needed relief for the ongoing headache caused by compliance with the Sarbanes-Oxley Act may get quicker results by popping a couple of Extra Strength Tylenol.

Despite a news report last week that business lobbyists had successfully pressured regulators to be more flexible in interpreting the law, technology risk and audit consultants doubt whether there will be any significant easing of the regulatory burdens imposed by Section 404 of Sarbanes-Oxley. Most large companies have spent hundreds of hours and millions of dollars to comply with the law, which requires new systems to document and manage financial records.

"CIOs are hoping it will happen, but the reality depends on where an organization is in the Sarbanes lifecycle," says Karl Kispert, solutions director for technology risk management at Jefferson Wells, a global risk and compliance consulting firm. "Hopefully most larger companies are already applying the improvements in efficiency as a result of complying with Section 404."

"Our understanding is that regulators will be tweaking the (external) auditors' responsibilities," says Ed Hill, managing director of technology risk and global leader of the information technology audit practice at Protiviti Inc., a risk management consulting and internal audit firm. "My guess is that this will be much ado about nothing, and there is a question whether it will really change anything at the company level." The new guidance is expected to be released December 13.

Kispert speculates that the December guidance from regulators may give external auditors a clearer sense of the intent of the law. "Right now the problem most businesses have is that the auditors are testing a lot of controls that have nothing to do with accounting," he says. "By making the external auditor more comfortable with doing less testing, it would reduce the audit fee for a company."

But Hill doubts there will be any change in what is currently required in the way of systems to track and manage financial records. "They are not going to comment at all about anything specifically about information technology," he says.