[ISN] Hidden fraud risk in Sarbanes-Oxley?

From: InfoSec News (isn@private)
Date: Mon Mar 07 2005 - 23:19:53 PST


By Will Sturgeon 
Special to CNET News.com
March 7, 2005

The complex and copious amounts of data stored on corporate networks
post-Sarbanes-Oxley may be creating greater opportunities for fraud,
analysts said.

That's even though the law was a reaction to the corporate misdeeds
that rocked Enron and WorldCom.

Peter Dorrington, head of fraud solutions at SAS, said that companies
are storing vast amounts of data but giving little thought to what is
being stored. "There is just a lot of storage going on," Dorrington
said. "But there is no interpretation of that data."

That situation could make the occasional instances of fraud or
anomalous data far more difficult to spot, he said.

"Fraudsters are reliant upon their transaction being a tree hidden in a
forest," Dorrington said. The vast amounts of data being stored as
part of efforts to comply with the Sarbanes-Oxley Act are simply
increasing the size and density of that forest, he said.

"The more data there is, the easier it is to hide," Dorrington said.  
"There is little thought being given to whether companies should look
to understand what is going on within that data."

Dorrington believes many companies believe they are playing it safe by
simply keeping everything, seeing it as the easiest way to ensure they
keep the right things.

James Governor, an analyst at Red Monk, said: "Any company which
simply stores everything is creating problems for themselves further
down the line. Storing everything is just abdicating responsibility,
rather than following policy and understanding what they should be

Governor added that it may also be in breach of corporate policies
which dictate that certain data may only be kept on record for six or
nine months. While such policies must be adhered to, they create a
no-win situation, in which they also conflict with the retention
requirements of other regulations such as Sarbanes-Oxley, he said.

"This is going to break a lot of corporate policy," he said.

Even if a fraud comes to light, the sheer volume of unnecessary data
being stored in order to cover all bases means that companies are
faced with the near-impossible task of wading through it all.

Governor said: "If we think of finding fraud as being a hunt for a
needle in a haystack then what many, many companies are now doing is
comparable to pouring on a lot more hay."

"This is a very significant problem," Governor added. "Rather than
just spending more and more money on storage, it would make sense to
invest a lot more money in working out exactly what companies need to

Shaun Fothergill, security strategist and compliance expert at
Computer Associates, believes that, despite problems settling in,
Sarbanes-Oxley will improve matters for businesses when implemented
effectively. However, he warned that compliance may start to throw up
even more instances of fraud.

Fothergill said: "Compliance and regulation is forcing the business of
IT to do things right. So organizations will begin to measure and
monitor more than they did before."

"This may actually give the impression that more fraud is occurring,
when in fact organizations are just monitoring what they should have
monitored in the first place," he said. "As the anomalies and fraud
issues are corrected, the indicators of problems will be moved from
red to amber then to green."

"These new indicators will initially highlight greater deficiency,
when in fact the business and IT are just getting it right,"  
Fothergill said.

Such confusion may be one reason why the Sarbanes-Oxley deadline for
companies based in European countries has been put back a further year
this week. Originally the controversial Section 404, which outlines
the requirement to archive data, was to come into effect on July 15
this year.

However, Mark Strauch, chief operating officer of business alignment
company Business Engine, warned: "The extension of the 404 deadline
should not in any way be viewed by U.K. companies as a reason to
postpone or sideline compliance projects in favor of other projects."

"The long-term potential for companies to credibly improve
transparency within their organizations in line with section 404
should be seen as an opportunity to produce benefits in other areas,
such as reducing risk by being able to see early on where problems
lie, (and) thus deal with issues more effectively," he said.

Will Sturgeon of Silicon.com reported from London.

This archive was generated by hypermail 2.1.3 : Tue Mar 08 2005 - 01:17:25 PST