SOX and the SMB: A tale of two auditors

Nov. 15 has arrived -- are you SOX-ready? The rules are the same for SMBs (like it or not), but there are certain things SMB CIOs should -- and shouldn't -- be doing. Two experienced auditors, Lawrence Baye, a principal with Grant Thornton LLP in New York, and Jeff Camiel, a principal at Information Inc. in Morgan Hill, Calif., talk about SOX and the SMB.

SMBs may not have the IT staff to handle the requirements of an IT audit. Have you noticed them struggling?
Yes, there's a lot of struggling, but it can be fixed. It's more controllable because there are fewer systems and fewer people.


SMBs are also getting auditors not long out of college -- they're not getting people who've done IT operations or who know where the controls are to make sure that critical issues are not being missed. So right now, the scariest thing [for an SMB] is inexperienced auditors reporting material weaknesses to managers, and the SMB not being able to negotiate with the auditing company reporting the weakness. SMB managers don't understand they have the ability to force the issue. It's their job to force auditors to tell them what the risk is so they can't write up something.

SMBs may not have the IT staff to handle the requirements of an IT audit. Have you noticed them struggling?
Some SMBs are freaking out because the auditors they're getting are low-level talent and are in a hurry. The chances are extremely high that an SMB could get an inexperienced auditor -- a lot higher than for a bigger business.

"The government recognizes that SMBs have different needs, but they've done nothing to say how to water down the requirements." -- Lawrence Baye, principal, Grant Thornton LLP

Do you think auditors might have a little more patience with SMBs?
No. The government recognizes SMBs have different needs, but they've done nothing to say how to water down the requirements to accommodate SMBs. They acknowledge things are different but aren't saying how to deal with them. Auditors don't have 'lite' versions of Sarbanes. Audit work papers won't just be filed away -- they will be examined by PCAOB [Public Company Accounting Oversight Board], so someone else will be making judgments about what auditors are doing. I can't imagine auditors would say 'they're little and nice and let it slide.' [Auditors] don't want to risk their professional licenses.

Do you think auditors might have a little more patience with SMBs?
The SOX framework was directly driven at large organizations. It does not work well with smaller organizations and doesn't apply well to distributed, smaller IT organizations. The initial interpretation created a caveat for SMBs, where if there are high levels of communication and very small teams -- and you can demonstrate there's a decent control atmosphere -- you don't have to have formal controls. But PCAOB struck that language out and left it up to the audit companies to interpret and decide when and how to treat firms as an SMB or a large organization. Now they're auditing from a theoretical standpoint rather than a reality standpoint, which is causing grief for SMBs. Procedurally, they should be the same. At the detail level, SOX is requesting from SMBs a more expensive outlay of controls in relation to risk as it is to large companies.

Is there something SMBs should do that large enterprises aren't doing?
It's the same things as larger companies, just smaller in scale and harder to delegate because there's no one to delegate to. [Compliance] is doable but requires a significant amount of personal attention. No one else is there to do it for you -- you're the only one in position to document things.

Is there something SMBs should do that large enterprises aren't doing?
As far as what they're doing, the models are the same, and the way of doing things is pretty much the same at the procedural level. PCAOB says you have to pick a control framework and apply it across the group, then base controls along that framework.

The problem is, SOX compliance is based very subjectively on who audits you. Auditors don't have expected results, so even if you get two different firms using the same software, you could get conflicting opinions, which forces SMBs to do maximum control because they don't know what the expectations are. CIOs, who should be defining a set of procedural standards, have not done so. The government has not really done so. There just aren't any commonly accepted standards -- someone needs to come up with them. I'd prefer CIOs form an organization to create standards and not necessarily frameworks.

What are some common mistakes SMBs make when it comes to SOX compliance?
The most common mistake is the non-realization that this is quarterly from now on. Just passing isn't good enough this time. This is going to be repeated and done incrementally all year long.

Also, I think this is a cultural issue. A lot of [Silicon Valley] CIOs seem to be in constant firefighting mode instead of strategic mode. 'Get up this tool and get it ready for the client.' They're treating SOX in the same way -- 'make this pass.'

"Negotiating and discussing the reality of risk [is] more favorable than throwing up your hands and giving up." -- Jeff Camiel, principal, Information Inc.

Are you seeing panicky SMBs that are behind and will miss the Nov. 15 deadline?
I think we're past panic and into resignation. These SMBs say it is what it is, and auditors have to deal with it.

Do you agree that some compliance is better than none?
Definitely. A lot of auditors are giving credit for companies doing remediation. Working with auditors is negotiating and discussing the reality of risk. It's much more favorable doing that than throwing up your hands and giving up.

The idea you're ever going to get a perfect score is meaningless. You want to design a compliance program that expects to fail but fail within a set of parameters -- where the risk is so low that it's meaningless.

Do you think SOX ultimately is good for SMBs?
If approached properly? Yes. If it helps CIOs and people below them understand there are procedures and standards, it will lead to higher quality of work, better security, and cost savings because it streamlines out processes and helps individuals learn things the company is trying to get them to do.
