Slashdot Mirror


SarBox Lawsuit Could Rewrite IT Compliance Rules

dasButcher notes that the Supreme Court will hear arguments next week brought by a Nevada accounting firm that asserts the oversight board for the Sarbanes-Oxley Act is unconstitutional. If the plaintiffs are successful, it could force Congress to rewrite or abandon the law used by many companies to validate tech investments for security and compliance. "Many auditing firms have used [Sarbanes-Oxley Section] 404 as a lever for imposing stringent security technology requirements on publicly traded companies regulated by SOX and their business partners. SOX security compliance has proven effective for vendors and solution providers, as it forces regulated enterprises to spend billions of dollars on technology that, many times, doesn’t prevent security incidents but does make them compliant with the law."

5 of 124 comments

  1. SarBox? by omnichad · Score: 4, Informative

    I've seen SOX, but never SarBox. If you're going to CamelCase, do it right: SarbOx.

  2. Re:Rule #1 of government.... by gandhi_2 · Score: 3, Informative

    I'll field that one:

    Unions are irrelevant.

  3. Re:SarBox is always the excuse by IrquiM · Score: 3, Informative

    How about rewriting the structure of the management as they clearly do not understand what 404 is all about?

    404 doesn't tell you to do anything. It only asks you to show that you have internal controls and that they are deemed sufficient for a company of the type/size you're working for, and that you actually are following your controls. The auditors' only task (related to 404) is to check that you do what you are saying and make a judgment on their observations.

    --
    This is blinging

  4. Re:SOX is choking our companies, kill it. by dstar · Score: 3, Informative

    I have worked for large companies in the past, and SOX is seriously undermining the ability to make changes, or indeed for rational process to take place in the daily operation of IT.

    It's doing no such thing. People may be using it as an excuse to build an empire or do stupid things, but that's not the fault of SOX. I worked for a *VERY* large financial company (the overall IT budget, across all branches, businesses, etc, was measured in the *billions* of dollars), and not once were we stopped from doing anything because of SOX. Not once was it even an issue, either.

    Put the blame where it belongs, on stupid people. Then fire them.

  5. Re:SarBox is always the excuse by Bigjeff5 · Score: 3, Informative

    404 doesn't tell you to do anything. It only asks you to show that you have internal controls and that they are deemed sufficient for a company of the type/size you're working for, and that you actually are following your controls.

    That's the rub, and that's why this guy is suing. He owned a small accounting firm because, no matter what he did, the SarBox auditor's board determined what he was doing wasn't good enough, and the only changes they would accept would prevent him from turning a profit.

    The SarBox board killed a legitimate business that was operating in good-faith compliance.

    That's far, far too much power for a bunch of nameless bureaucrats.

    --
    Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller