Much of the IT industry, especially in smaller companies, is only now coming to realize the impact of the Sarbanes-Oxley Act (SOX). Denis Drouin of Ernst & Young gave a very interesting and informative talk to an enthusiastic group of VANTUG members on June 21. Denis works as a SOX IT Auditor and has been 'very' busy over the past couple of years! Judging by the audience reaction and questioning, a good deal of what Denis presented was something of an 'eye-opener'. For example, all publicly traded companies, regardless of market cap, must comply. The penalty for persistent non-compliance or refusal to comply can be a 'cease trading' order.
A number of people were under the mistaken impression that 'smaller' companies were exempt. The only concession to 'smaller' companies (defined as under $75 million market cap) is an extension of the compliance date until the end of this year. The object of SOX is to make company executives formally and financially accountable to their shareholders. IT is affected because the company's financial and business systems are usually managed via IT systems. The auditors must be satisfied that the company financials are true and correct. Typically two different audits are involved: a straight financial audit, which looks for 'creative' accounting, and an IT audit, which must demonstrate that the data feeding the company financials has been processed correctly and is not open to any form of tampering from inside or outside the company.
The impact on some companies has been such that they have had to suspend a large portion of their planned work in order to get their house in order for an audit. Well-documented procedures (you all have your procedures documented, right?) go a long way towards passing the audit. However, you must, of course, 'walk the talk' and be able to demonstrate that the procedures work and are followed; the auditor will carry out tests on them. Some small companies have complained bitterly that coming into compliance could literally put them out of business, because of the cost of preparing for compliance and the disruption to their business at the same time. They have also argued that, in the greater scheme of things, they have little economic impact. That misses the point, which is responsibility to the shareholders, whether the company is big or small! At the same time, the aim of SOX is not to cripple anyone, and the auditors do their best to find a way to achieve a positive result for everyone.
If you are interested in Denis Drouin's presentation, it can be downloaded from http://www.vantug.com/Default.aspx?tabid=154