[ISN] Time running out for Sarbanes-Oxley compliance

From: InfoSec News (alerts@private)
Date: Wed Jul 26 2006 - 23:47:45 PDT


http://www.silicon.com/financialservices/0,3800010322,39160788,00.htm

By Vivian Yeo
26 July 2006

Like it or not, the clock is ticking for non-US companies that need to be 
compliant to one of the most talked-about elements of the Sarbanes-Oxley 
(SOX) Act established in 2002.

With the passing of the critical 15 July milestone for foreign companies 
listed in the US to be compliant to Section 404 under SOX, they now have 
anything from a few weeks to nearly a year to meet the regulations or face 
the consequences. Under Section 404, publicly traded companies must have 
internal policies and controls in place to protect, document and process 
information for financial reporting.

The law requires affected businesses to comply by the end of their 
respective financial year after 15 July, 2006. The date is an extension of 
the original deadline of 15 July, 2005, set by the US Securities and 
Exchange Commission (SEC). Public US companies were required to be 
compliant in November 2004.

For most non-US companies, the journey would have started in 2004, noted 
Philip Chong, director at Deloitte & Touche Enterprise Risk Services. 
Businesses would also have started "thinking about assessing and 
implementing internal controls" about 12 months ago, he said.

For software giant SAP, the process of becoming compliant stretched over a 
few years. Dirk Metzger, head of risk management at SAP Asia-Pacific, told 
silicon.com sister site ZDNet Asia in an email that the company began its 
SOX journey way back in 2002.

Besides involving process owners, SAP also appointed SOX champions, who 
handle SOX 404 related tasks such as effectiveness testing, said Metzger. 
Some 30 business units and 30 process groups were involved in the 
different project phases, each of which stretched "from 300 to 6,000 
man-days", he added.

The software giant, he noted, also worked towards embedding SOX-required 
internal controls elements into SAP's risk management function, which is 
based on the COSO Enterprise Risk Management Framework.

Metzger said: "SAP grew the SOX 404 risk evaluation process over internal 
controls of financial reporting into a holistic Enterprise Risk Management 
function, and is currently developing a consolidated compliance and 
governance framework for the entire corporation. A direct reporting line 
to the executive board was established and an issue evaluation committee 
was set up, dealing with findings from SOX 404 testing and audits, thus 
giving the SOX topic top management exposure and attention."

According to Metzger, SAP is now undergoing half-year SOX 404 audits by 
its external auditor KPMG, and expects to obtain the first certification 
of compliance early next year.

At Nasdaq-listed Pacific Internet (PacNet), preparations for 
SOX-compliance commenced in mid-2004. Its CEO and president Phey Teck Moh 
noted that the company, whose current financial year will end on 31 
December, 2006, will meet the requirements at the end of this year.

The Singapore-based ISP put together a leadership team to manage the 
process, and placed country managing directors and financial controllers 
in charge of their respective areas. Dedicated work teams were set up in 
some country offices to work on achieving compliance.  PacNet estimates 
that more than 30 per cent of its employees - dedicated resources or 
otherwise - have been involved in the compliance work so far.

The project has been intensive "in terms of resources and commitment"  
but it has also benefited the company, Phey added. "The compliance process 
has given us the opportunity to further enhance our financial controls, 
which has strengthened and improved our business processes,"  said Phey.

Jeffrey Hoo, services and management systems field director at Symantec's 
regional product marketing division, noted that companies which are 
affected by the SOX Act already have processes in place and are working 
toward their compliance deadlines.

Hoo said companies in the banking and finance industry are more 
experienced, as "compliance is an everyday affair", unlike businesses in 
other industries where there is more work to be done. "A lot of time is 
spent defining the policies and processes, before going into the use of 
technology and getting people to understand and co-operate to comply," he 
said.

Deloitte & Touche's Chong pointed out that there are those, however, who 
choose to wait till the last minute to get their compliance act together. 
With an "immovable deadline", those that start late need to "put in more 
commitment from management" as well as pump in more human resources, he 
said.

Symantec's Hoo agreed, saying top management needs to offer "full support 
for compliance" and view it "as a 'must have' and not [just] 'good to 
have'".

Hoo added that for late movers, a good place to start is to read up on the 
ISO 27001 and ISO 17799 standards, "which provide very comprehensive 
guidelines". Companies should also find out what tools are available in 
the market that "can automate repeatable IT related tasks to keep the 
compliance cost manageable", he said.

At the end of the day, there is simply no room to fall short of the 
requirements. Failure to comply "is not an option", said Deloitte & 
Touche's Chong. The [US] SEC "takes a serious view" of non-compliance, and 
such a situation would also "cause investors to lose faith" in the 
company, he added.

-=-

Vivian Yeo writes for ZDNet Asia


_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com



This archive was generated by hypermail 2.1.3 : Wed Jul 26 2006 - 23:56:03 PDT