SOX Provides Early Warning Signs for Companies

Sunday, October 03, 2010

Infosec Island Admin


Since the enacting of the Sarbanes-Oxley (SOX) Act 2002, publically traded companies have experienced a tightening of financial reporting regulations.

Although information security is not mentioned specifically by SOX, the integrity of the data access chain is central to compliance, and thus quality infosec is a crucial element for success on multiple levels.

SOX compliance best practice requires a new level of cooperation between IT, legal, executives and risk management staff. Developing effective enterprise policies is a dynamic process that requires ongoing review and improvement efforts.

Lyle Smith, Director of Global SOX Compliance, Walmart Stores Inc. gives his insight as to how the SOX provisions are continuing to impact companies across America.

Lyle is a speaker at the 20th Edition SOX Compliance & Evolution to GRC Conference, from November 4-5, 2010 at the Doubletree Hotel in Philadelphia, PA.

Q: Have the Sarbanes-Oxley provisions introduced an overly complex regulatory environment into US financial markets?

LS: SOX definitely added to the complexity of the regulatory environment, but more than anything it really increased the cost of compliance. Certainly in the first three years the requirement for Sec. 404 of the regulation meant it was very expensive to comply and to create and maintain all the necessary documentation and testing that was required under the law.

It may have been misunderstood somewhat, but once it was understood I wouldn't refer to it as overly complex. The primary obstacle was the cost associated with it. That has led to what has been happening over the last two to three years, which is the right sizing of the regulatory effort to comply with SOX.

Q: What are the difficulties and challenges that SOX compliance presents for a company like Walmart?

LS: The challenges and difficulties that we have at Walmart are universal to all companies that have to comply with SOX. Continuing to mature and evolve our SOX compliance efforts to make sure that we're gaining the most value out of the efforts that we undertake to comply so that we aren't being too burdensome on the business or incurring too much cost has been an ongoing challenge.

Another common challenge we have is learning to connect SOX compliance with other governance and compliance activities. SOX is just another area where a company has to comply and is regulated and to the extent that we can integrate that effort with other compliance activities there is the opportunity to gain economies of scale.

We have other challenges and opportunities that are directly attributable to our size, being the largest company in the world. Walmart is experiencing tremendous growth internationally. As a result, we must continuously monitor each country to consider how their growth is impacting SOX compliance, including whether they need to be a part of our formal program.

Additionally, we have over 100 IT applications operating on multiple platforms in various geographic areas that need to be in compliance with SOX. The depth and breadth that comes with Walmart is certainly a challenge but it also creates an exciting and diverse environment where SOX compliance remains fresh and relevant.

Q: Has SOX compliance restored investor confidence in corporate governance systems?

LS: Somewhat. It has provided increased visibility into controls over financial reporting for investors as well as management within organizations. It definitely has provided early warning signs for companies that are considering going public.

This hasn't been a big deal in the US in the last couple of years as the economic environment has been so unfavorable for companies considering a public offering.

However, one recent example where SOX compliance requirements are providing that visibility in potentially restoring investor confidence was the very popular and well-publicized S-1 filing that General Motors just submitted.

In the filing they mention that their disclosure controls and procedures and their internal controls over financial reporting aren't effective. That is a good illustration of putting investors on notice for what their current control environment looks like.

Q: With its focus on transparency, did the SOX Act lessen the severity of the global financial crisis or did the meltdown point to the failure of the SOX Act?

LS: Neither. It did uncover a gross misunderstanding of what SOX compliance does for a company. I think that some folks were either explicitly or inherently relying too much on SOX compliance and the assurance that should provide. It provided an opportunity to better understand SOX - what level of assurance it provides, what level of assurance it doesn't provide.

*   *   *

The 20th Edition SOX Compliance & Evolution to GRC Conference, held from November 4-5, 2010 in Philadelphia, PA, will focus on the role that cross-application of controls will have on the continued evolution of SOX programs, drawing on the expertise of those charged with achieving the right blend of compliance and risk-based methodologies necessary to meet federal requirements.

This conference will give information security and SOX practitioners a unique opportunity to review updates on the future of SOX compliance including how to create a global and mature SOX system with integrated GRC efforts.

Attendees will gain insight into how developing various levels of control and sign off, formalizing and strengthening internal checks, ensuring financial reports exercise full disclosure and guarantee that your corporate governance is managed with precision.

Key Features of the Conference:

  • Review innovative approaches for the successful launch and maintenance of a control self-assessment initiative
  • Formulate methodologies to align senior management attention with the most pressing compliance priorities
  • Ascertain the role a cross application of controls will have for the evolution of SOX programs
  • Realize the necessity of a structured training and continuing education curriculum to ensure consistent performance of SOX controls and integrated GRC efforts

Senior executives from leading organizations will present their take on the required blend of compliance and risk-based strategies/methodologies that are necessary to meet federal mandates while developing greater efficiency across their GRC efforts.

Speakers Include:

  • Lyle Smith, Director, SOX Compliance for Wal-Mart
  • Bill Spierdowis, Director, Internal Controls for Covidien
  • Angel Caballero, Assistant Vice President, Compliance Officer for Daiwa Capital Markets
  • Denis Gorgemans, Director, Global SOX Compliance for First Data Corporation
  • Rob Moonen, Global SOX Compliance Manager for Ericsson
  • Jason Holler, Senior Manager Integrated Assurance US IS SOX Lead for AstraZeneca
  • Jason Hopkins. IT Manager Enterprise Compliance for Medtronic
  • Paul Obenshain, Internal Audit, Sarbanes-Oxley for 21st Century
  • Jason Leon, Senior Audit Manager for Ryder
  • Doug Roswold, Principal and Enterprise SOX Compliance for Medtronic
  • Andrew Levy, Director of Continuous Assurance Audit for Becton Dickinson
  • Anne Knapper, Director of SOX Compliance for Wilmington Trust
  • Tammy Marquis, SOX Compliance Manager for Mohawk Industries
  • Yasemin Agatan, Director of SOX and IFRS Compliance for Unisys
  • Hadley Evans, Jr., M.S., Director of Internal Audits for TIAA-CREF

This is not a trade show! The SOX Compliance conference series is targeted at a focused group of senior level executives to maintain an intimate atmosphere for the delegates and speakers.

Since this is not a vendor driven conference, the higher level focus allows the delegates to network with their industry peers and speakers.

For more information on this conference, please visit: marcus evans

Or Contact Michele Westergaard, 312-540-3000 ext. 6625, 20

Possibly Related Articles:
Information Security
Compliance Sarbanes-Oxley
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.