Major revision planned for Sarbanes-Oxley

By taking a top-down approach to ferreting out fraud, Auditing Standard No. 5 will ease up on IT oversight On May 24, the Public Company Accounting Oversight Board (PCAOB) will vote on Auditing Standard No. 5. If approved, this new standard for audits of internal control will bring about significant changes to Sarbanes-Oxley regulations, which now operate under Auditing Standard No. 2. In particular, Section 404

By taking a top-down approach to ferreting out fraud, Auditing Standard No. 5 will ease up on IT oversight

On May 24, the Public Company Accounting Oversight Board (PCAOB) will vote on Auditing Standard No. 5. If approved, this new standard for audits of internal control will bring about significant changes to Sarbanes-Oxley regulations, which now operate under Auditing Standard No. 2.

In particular, Section 404 of the Sarbanes-Oxley Act of 2002 requires companies to assess their internal controls over financial reporting and offer an auditor's report on that assessment. To bring this to fruition, Auditing Standard No. 2 was adopted by the Securities and Exchange Commission.

However, in its latest report, the PCAOB admits that although the oversight has "produced significant benefits" with an increased focus on corporate governance, these benefits "have come with significant cost." If approved by the PCAOB, Audit Standard No. 5 will then be sent on to the SEC, which will decide how long the regulation will be open for public comment before it votes on the standard.

The SEC's goal, according to a PCAOB representative, is to finalize the new rules in time for the next cycle of audits of internal controls for fiscal years ending after Nov. 15, 2007.

I spoke with Patrick Taylor, president and CEO of Oversight Systems, which provides security systems for financial business processes.

The purpose of Sarbanes-Oxley remains the same, to identify fraudulent earning and/or fraudulent financial reports. The difference, however, between Audit Standard No. 5 and Standard No. 2 is the approach. And that difference will have an appreciable effect on IT, in a good way.

"From an IT perspective, [Audit Standard No. 5] will take a lot of the bureaucracy out of compliance," Taylor told me. After four years of dealing with the issues surrounding Section 404, the SEC is actually getting more pragmatic.

The PCAOB admits that the current standard encourages auditors to "perform procedures that are not necessary in order to achieve the intended benefits."