Straight talk from the SEC - a business should be allowed to use common business sense to find and fix material weaknesses in their internal controls.
What is this all about?
Is this about small businesses paying a lot more for compliance than big business? That is how the IT trade press is playing it.
I don't think so.
I read the notes from the open meeting on the SEC's Proposed Interpretive Guidance to Management for Section 404 of the Sarbanes-Oxley Act that took place on May 23, 2007.
The SEC says that a business should be allowed to use common business sense to find and fix material weaknesses in their internal controls.
As Conrad Hewitt, Chief Accountant of the SEC, put it (in a few more words than I used...):
The majority of the comment letters we received on our proposing release expressed overall support for the principles-based nature of the Commission's interpretive guidance. Many commenters believed that this guidance will encourage a healthy use of judgment and common business sense in formulating the procedures companies use to evaluate whether material weaknesses exist in their internal control systems. Further, over 70% of the commenters that were smaller companies or representatives of smaller companies expressed support for the guidance, with many indicating that the guidance would allow management to focus on the areas most important to reliable financial reporting.
I'm sure a bunch of IT security vendors are going to hop on the bandwagon and tell the world how their all-in-one UTM appliances or security-in-the-cloud services are going to help an SMB comply.
No.
The answer is that a business with fewer than 50 employees doesn't need enterprise risk management, business process mapping and fancy security technology. They need to put on their thinking cap, and get some coaching from an external risk and compliance consultant if they're not sure how to get started.
When Sarbanes-Oxley is treated as a check-box compliance task, it becomes a non-value-added expense for the business.
It is crucial to remember that neither Sarbox (a law) nor PCI DSS (a card-industry standard, not a government regulation) exists for the sake of compliance. The objective is to remove material weaknesses in internal controls and improve the way a business manages and governs its activity, reducing risk to itself, its customers, suppliers and shareholders.
We've had a good deal of success with small businesses with the common sense approach - using PTA (Practical Threat Analysis) to identify the key assets, their vulnerabilities, the threats that exploit the vulnerabilities and the controls that mitigate the threats. By using the PTA methodology a small business can quickly identify their key risks and fix them, reducing risk and gaining compliance - it's a slam dunk for a business and money well spent.
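To show what the asset / vulnerability / threat / control chain looks like once you write it down, here is a small quantitative model in the same spirit, added here as an illustration. It is not the PTA tool itself and not code from the original post: the risk formula (asset value × damage fraction × yearly probability, i.e. an annual loss expectancy), the multiplicative combination of overlapping controls, and the greedy pick-the-most-cost-effective-control-first selection are assumptions of this example, and every figure in the sample data is constructed for illustration rather than taken from a real engagement.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Asset:
    name: str
    value: float  # estimated monetary value to the business


@dataclass
class Threat:
    name: str
    asset: str          # name of the asset this threat damages
    vulnerability: str  # weakness the threat exploits
    probability: float  # estimated probability of occurring in a year
    damage: float       # fraction of the asset's value lost when it occurs


@dataclass
class Countermeasure:
    name: str
    cost: float
    mitigation: Dict[str, float]  # threat name -> fraction of that risk removed


def annual_loss_expectancy(threat: Threat, assets: Dict[str, Asset]) -> float:
    """Risk of one threat: asset value * damage fraction * yearly probability."""
    return assets[threat.asset].value * threat.damage * threat.probability


def residual_risk(threats: List[Threat], assets: Dict[str, Asset],
                  controls: List[Countermeasure]) -> float:
    """Total yearly risk left after the given controls are in place.
    Overlapping controls on one threat combine multiplicatively, so two 50%
    mitigations leave 25% of the risk rather than 0%."""
    total = 0.0
    for t in threats:
        factor = 1.0
        for c in controls:
            factor *= 1.0 - c.mitigation.get(t.name, 0.0)
        total += annual_loss_expectancy(t, assets) * factor
    return total


def rank_threats(threats: List[Threat], assets: Dict[str, Asset]) -> List[Threat]:
    """Highest expected yearly loss first: the 'key risks' to fix."""
    return sorted(threats, key=lambda t: annual_loss_expectancy(t, assets), reverse=True)


def select_controls(threats: List[Threat], assets: Dict[str, Asset],
                    candidates: List[Countermeasure], budget: float) -> List[Countermeasure]:
    """Greedy selection: repeatedly add the affordable control with the best
    marginal risk reduction per unit of cost. Greedy is not guaranteed optimal
    for a knapsack, but it is transparent and good enough for a short list."""
    chosen: List[Countermeasure] = []
    remaining = list(candidates)
    spent = 0.0
    while True:
        current = residual_risk(threats, assets, chosen)
        best, best_ratio = None, 0.0
        for c in remaining:
            if spent + c.cost > budget:
                continue
            reduction = current - residual_risk(threats, assets, chosen + [c])
            ratio = reduction / c.cost
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:
            break
        chosen.append(best)
        remaining.remove(best)
        spent += best.cost
    return chosen


# Constructed sample data for a small business (illustrative figures only).
ASSETS = {a.name: a for a in [
    Asset("payroll records", 200_000),
    Asset("cardholder database", 500_000),
    Asset("customer list on sales laptops", 100_000),
]}

THREATS = [
    Threat("unauthorised payroll change", "payroll records",
           "shared admin password, no per-user accountability", 0.3, 0.5),
    Threat("SQL injection against the web shop", "cardholder database",
           "string-concatenated SQL in the order form", 0.2, 1.0),
    Threat("stolen laptop", "customer list on sales laptops",
           "unencrypted disks", 0.1, 1.0),
]

CONTROLS = [
    Countermeasure("per-user admin accounts with MFA", 5_000,
                   {"unauthorised payroll change": 0.9}),
    Countermeasure("parameterized queries and code review", 20_000,
                   {"SQL injection against the web shop": 0.95}),
    Countermeasure("full-disk encryption on laptops", 2_000,
                   {"stolen laptop": 0.9}),
    Countermeasure("all-in-one UTM appliance", 15_000,
                   {"SQL injection against the web shop": 0.2}),
]

if __name__ == "__main__":
    for t in rank_threats(THREATS, ASSETS):
        print(f"{annual_loss_expectancy(t, ASSETS):>10,.0f}  {t.name}  (via: {t.vulnerability})")
    picked = select_controls(THREATS, ASSETS, CONTROLS, budget=27_000)
    print("controls:", [c.name for c in picked])
    print(f"risk before: {residual_risk(THREATS, ASSETS, []):,.0f}, "
          f"after: {residual_risk(THREATS, ASSETS, picked):,.0f}")
```

Run as a script it ranks the three threats, picks the three cheap, targeted fixes within a 27,000 budget and leaves the UTM appliance on the shelf, which is the point of the post: the money goes where the material weakness is, and the same spreadsheet-sized model is the evidence you hand to the auditor.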

