SMBs may not have the IT staff to handle the requirements of an IT audit. Have you noticed them struggling?
Yes, there's a lot of struggling, but it can be fixed. It's more controllable because there are fewer systems and fewer people.
SMBs are also getting auditors not long out of college -- they're not getting people who've done IT operations or who know where the controls are to make sure that critical issues are not being missed. So right now, the scariest thing [for an SMB] is inexperienced auditors reporting material weaknesses to managers, and the SMB not being able to negotiate with the auditing company reporting the weakness. SMB managers don't understand they have the ability to force the issue. It's their job to force auditors to tell them what the risk is so they can't write up something.
Some SMBs are freaking out because the auditors they're getting are low-level talent and are in a hurry. The chances are extremely high that an SMB could get an inexperienced auditor -- a lot higher than for a bigger business.
Do you think auditors might have a little more patience with SMBs?
The SOX framework was directly driven at large organizations. It does not work well with smaller organizations and doesn't apply well to distributed, smaller IT organizations. The initial interpretation created a caveat for SMBs, where if there are high levels of communication and very small teams -- and you can demonstrate there's a decent control atmosphere -- you don't have to have formal controls. But PCAOB struck that language out and left it up to the audit companies to interpret and decide when and how to treat firms as an SMB or a large organization. Now they're auditing from a theoretical standpoint rather than a reality standpoint, which is causing grief for SMBs. Procedurally, they should be the same. At the detail level, SOX is requesting from SMBs a more expensive outlay of controls in relation to risk than it is from large companies.
Is there something SMBs should do that large enterprises aren't doing?
It's the same things as larger companies, just smaller in scale and harder to delegate because there's no one to delegate to. [Compliance] is doable but requires a significant amount of personal attention. No one else is there to do it for you -- you're the only one in position to document things.
As far as what they're doing, the models are the same, and the way of doing things is pretty much same at the procedural level. PCAOB says you have to pick a control framework and apply it across the group, then base controls along that framework.
The problem is, SOX compliance is based very subjectively on who audits you. Auditors don't have expected results, so even if you get two different firms using the same software, you could get conflicting opinions, which forces SMBs to do maximum control because they don't know what the expectations are. CIOs, who should be defining a set of procedural standards, have not done so. The government has not really done so. There just aren't any commonly accepted standards -- someone needs to come up with them. I'd prefer CIOs form an organization to create standards and not necessarily frameworks.
What are some common mistakes SMBs make when it comes to SOX compliance?
The most common mistake is the non-realization that this is quarterly from now on. Just passing isn't good enough this time. This is going to be repeated and done incrementally all year long.
Also, I think this is a cultural issue. A lot of [Silicon Valley] CIOs seem to be in constant firefighting mode instead of strategic mode. 'Get up this tool and get it ready for the client.' They're treating SOX in the same way -- 'make this pass.'
I think we're past panic and into resignation. These SMBs say it is what it is, and auditors have to deal with it.
Do you agree that some compliance is better than none?
Definitely. A lot of auditors are giving credit for companies doing remediation. Working with auditors is negotiating and discussing the reality of risk. It's much more favorable doing that than throwing up your hands and giving up.
The idea you're ever going to get a perfect score is meaningless. You want to design a compliance program that expects to fail but fail within a set of parameters -- where the risk is so low that it's meaningless.
Do you think SOX ultimately is good for SMBs?
If approached properly? Yes. If it helps CIOs and people below them understand there are procedures and standards, it will lead to higher quality of work, better security, and cost savings because it streamlines out processes and helps individuals learn things the company is trying to get them to do.